Configuring Samba for Segolip
Segolip's unit has many customers who use the HPC to analyze data from the labs. Segolip has several administrative users who are in charge of copying data to/from the HPC and into the proper customers' folders. These administrators have read/write access to the root of the Segolip data, under which they will move data to the appropriate places for their customers to access. Customers are not allowed to write in these folders, so they must use the data where it is, or copy it somewhere else in order to use it.
Customers have shell accounts and samba accounts.
Add Samba config changes
Instruct Samba to keep samba passwords in sync with Unix passwords. That is, when a Samba user changes their password, their corresponding Unix password changes too.
Add or uncomment the following lines in the [global] section of Samba's config:
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
Add groups
Add the groups first so we can add users directly to their groups when we create user accounts. We create the group then create their storage folder with the proper permissions.
# groupadd icipe
# mkdir /export/home/segoli/ICIPE
It is important to change the permissions so that other users cannot access the folder (o-rwx) and to set the setgid bit (g+s) so that any file or folder created there is owned by the folder's group rather than the creator's primary group. This reduces confusion for lazy/inexperienced admins.
# chown -R segoliadmin:icipe /export/home/segoli/ICIPE
# chmod o-rwx,g+s /export/home/segoli/ICIPE
Add users
To use Samba a user must also have a Unix account. Create the Unix account and add the user to any required groups before you attempt to create the Samba account.
Add the user:
# useradd mkyalo
In /etc/passwd, add the real name and group to the user's entry. Before:
mkyalo:x:755:755::/export/home/mkyalo:/bin/bash
After:
mkyalo:x:755:755:Martina Kyalo,IITA:/export/home/mkyalo:/bin/bash
Add the user to the appropriate groups. For example, the above user is a part of the iita group (and that group already exists):
# gpasswd -a mkyalo iita
Adding user mkyalo to group iita
# id mkyalo
uid=755(mkyalo) gid=755(mkyalo) groups=755(mkyalo),10003(iita)
Set the user's Unix and Samba passwords:
# passwd mkyalo
# smbpasswd -a mkyalo
Sync users and groups
It is very important to synchronize the user and group information from the head node to the compute nodes. Rocks has a command for this:
# rocks sync users
This will automatically:
- Copy /etc/passwd and /etc/shadow to the compute nodes
- Copy /etc/group and /etc/gshadow to the compute nodes
- Add NFS automount information to /etc/auto.home
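The group, account, password and sync steps above, gathered into one script, as an added example that is not part of the original page. It validates the username, refuses to run before the group exists (so groupadd must have been done first), creates the Unix account before the Samba one because smbpasswd -a requires it, and with DRY_RUN=1 only prints the privileged commands. The useradd -c/-d/-s options, the /export/home base path and the closing rocks sync users call are my assumptions, chosen to match the layout the page shows.

```shell
#!/bin/sh
# Added example, not from the original page: onboard one Samba user following
# the steps above. Assumptions: /export/home is the home base, the group was
# created with groupadd beforehand, and "rocks sync users" exists (Rocks head node).
# DRY_RUN=1 prints the privileged commands instead of running them.
set -u
DRY_RUN="${DRY_RUN:-0}"

# Usernames: lowercase letter or '_' first, then letters, digits, '_' or '-',
# 32 characters at most (useradd's default rule; smbpasswd keys on the same name).
valid_name() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# onboard_user USER GROUP "Real Name,Org"
# Refuses to touch anything if the name is malformed or the group is missing;
# creates the Unix account first because smbpasswd -a requires it.
onboard_user() {
    user="$1"; group="$2"; gecos="$3"
    valid_name "$user" || { echo "bad username: $user" >&2; return 1; }
    getent group "$group" >/dev/null 2>&1 \
        || { echo "group $group does not exist, run groupadd first" >&2; return 1; }
    if id "$user" >/dev/null 2>&1; then
        echo "Unix account $user already exists, skipping useradd" >&2
    else
        # -c fills the GECOS field the page edits by hand in /etc/passwd
        run useradd -c "$gecos" -d "/export/home/$user" -s /bin/bash "$user"
    fi
    run gpasswd -a "$user" "$group"
    # Both prompt interactively; with "unix password sync = Yes" later
    # password changes made through Samba flow back to the Unix password.
    run passwd "$user"
    run smbpasswd -a "$user"
    # Push /etc/passwd, /etc/group and automount data to the compute nodes.
    run rocks sync users
}

# Usage: DRY_RUN=1 sh onboard.sh mkyalo iita "Martina Kyalo,IITA"
if [ "$#" -eq 3 ]; then
    onboard_user "$@"
fi
```

Run it once with DRY_RUN=1 to see exactly which commands would be issued, then without it as root on the head node.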
Set ACLs
Set the extended ACL so that anyone in the segoliadmin group can enter and modify the directory:
# setfacl -m group:segoliadmin:rwx BECA/ BT0* ICIPE/ ICRAF/ ICIPE/ IITA/
Set the default ACL so that files/folders inside the folder inherit the same extended ACL as the parent (this is the -d):
# setfacl -d -m group:segoliadmin:rwx BECA/ BT0* ICIPE/ ICRAF/ ICIPE/ IITA/
View the result on one folder:
# getfacl ICRISAT/
# file: ICRISAT
# owner: segoliadmin
# group: icrisat
user::rwx
group::r-x
group:segoliadmin:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:segoliadmin:rwx
default:mask::rwx
default:other::---
In addition to the minimum ACL (the "minimum" ACL is the normal Unix permissions of user, group, other), the extended ACL adds:
- segoliadmin can read, write, and execute on the directory
- files and folders created inside inherit the same read, write, execute entry (the "default" ACL)
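A small check for the ACL layout just described, as an added example that is not part of the original page. It reads getfacl output on stdin so it can be tested against a captured listing (the sample below is the page's ICRISAT/ listing, embedded as constructed input); audit_dir runs the same check on a live directory. The admin group name is a parameter, with segoliadmin as the page's value.

```shell
#!/bin/sh
# Added example, not part of the original page: verify that a customer folder
# carries the ACL layout described above. Reads getfacl output on stdin.

# check_acl ADMIN_GROUP < getfacl-output
# Prints one line per missing entry and returns 1 if anything is missing.
# Entries are matched exactly: an entry that getfacl prints with an
# "#effective:" tag (rights cut down by the mask) therefore counts as missing,
# which is also why mask::rwx is required.
check_acl() {
    admin="$1"
    acl=$(grep -v '^#')    # drop the "# file:", "# owner:", "# group:" header
    missing=0
    for want in \
        "group:$admin:rwx"         \
        "mask::rwx"                \
        "other::---"               \
        "default:group:$admin:rwx" \
        "default:mask::rwx"        \
        "default:other::---"
    do
        if ! printf '%s\n' "$acl" | grep -qxF "$want"; then
            echo "missing ACL entry: $want"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# audit_dir ADMIN_GROUP DIR : the same check against a real directory.
audit_dir() {
    getfacl -p "$2" | check_acl "$1"
}

# Constructed sample: the listing the page shows for ICRISAT/.
sample_acl() {
    cat <<'EOF'
# file: ICRISAT
# owner: segoliadmin
# group: icrisat
user::rwx
group::r-x
group:segoliadmin:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:segoliadmin:rwx
default:mask::rwx
default:other::---
EOF
}

# Usage: sample_acl | check_acl segoliadmin && echo "ACL ok"
#        audit_dir segoliadmin /export/home/segoli/ICRISAT
```

The three "default:" entries are what make new files and folders inherit the admin group's rights; if they are missing (the -d step was skipped), the listing still looks fine until an admin creates a subfolder that nobody else on the team can write to. The other::--- entries are the check that customers from other groups cannot enter the folder.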
Understanding ACLs
Add Samba shares
Add the following share definitions to /etc/samba/smb.conf. One for Segolip and another one for each of their groups:
[segolip]
    comment = Segolip group data
    path = /export/home/segoli
    read only = no
    valid users = @segoliadmin
    force user = segoliadmin
[icipe]
    comment = Segolip/ICIPE data
    path = /export/home/segoli/ICIPE
    read only = yes
    valid users = @icipe
The force user directive tells Samba to treat anyone using that share as the 'segoliadmin' Unix user in the file system. Because valid users limits the [segolip] share to members of the segoliadmin group, only those administrators can write, and everything they create is owned by segoliadmin; each customer share is read only and limited to that customer's group.
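An audit of share definitions for the two properties the section relies on, as an added example that is not the page's or Samba's own code: every share should name its valid users (Samba's default, an empty list, lets any Samba account connect), and a writable share should carry a force user so that files do not end up owned by whichever customer wrote them. The read only default of yes and the writable/writeable synonyms are Samba's documented behaviour; the sample config is constructed and includes an intentionally sloppy [scratch] share to show what a finding looks like.

```shell
#!/bin/sh
# Added example, not part of the original page: audit smb.conf shares read
# from stdin. Prints one "share: problem" line per finding and returns the
# number of findings (0 = clean). [global] is skipped.
audit_shares() {
    awk '
    BEGIN { n = 0; share = "" }
    # Evaluate the share just finished, then forget its options.
    function finish(   k, ro) {
        if (share != "" && share != "global") {
            if (!("valid users" in opt)) {
                print share ": no valid users, any Samba account can connect"; n++
            }
            ro = ("read only" in opt) ? opt["read only"] : "yes"   # Samba default
            if (("writeable" in opt) && opt["writeable"] ~ /^(yes|true|1)$/) ro = "no"
            if (("writable" in opt) && opt["writable"] ~ /^(yes|true|1)$/) ro = "no"
            if (ro ~ /^(no|false|0)$/ && !("force user" in opt)) {
                print share ": writable without force user, files are owned by whoever writes them"; n++
            }
        }
        for (k in opt) delete opt[k]
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[/ {                                    # [section] header
        finish()
        share = tolower($0); sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
        next
    }
    /=/ {                                            # key = value
        key = $0; sub(/=.*$/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        key = tolower(key); gsub(/[ \t]+/, " ", key)
        opt[key] = tolower(val)
    }
    END { finish(); exit n }
    '
}

# Constructed sample: the two shares from the page plus a sloppy one.
sample_conf() {
    cat <<'EOF'
[global]
   workgroup = ILRI
[segolip]
   comment = Segolip group data
   path = /export/home/segoli
   read only = no
   valid users = @segoliadmin
   force user = segoliadmin
[icipe]
   comment = Segolip/ICIPE data
   path = /export/home/segoli/ICIPE
   read only = yes
   valid users = @icipe
[scratch]
   path = /export/scratch
   writeable = yes
EOF
}

# Usage: sample_conf | audit_shares
#        audit_shares < /etc/samba/smb.conf || echo "fix the shares above"
```

Run it against the live file after every edit to smb.conf; the page's two shares come out clean, and only the [scratch] share in the sample produces findings.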
Configure SWAT
The Samba Web Administration Tool allows you to modify Samba settings from a web interface, including changing user passwords. We need to install and configure SWAT to allow users to log in and change their passwords.
Install SWAT using yum:
# yum install samba-swat
SWAT does not run as a daemon; instead xinetd listens on port 901 on its behalf and launches SWAT when someone connects. Edit its xinetd configuration, /etc/xinetd.d/swat, to look like this:
# default: off
# description: SWAT is the Samba Web Admin Tool. Use swat \
#       to configure your Samba server. To use SWAT, \
#       connect to port 901 with your favorite web browser.
service swat
{
    port            = 901
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/swat
    server_args     = -P
    log_on_failure  += USERID
    disable         = no
}
Make sure you change the "server_args" and the "disable" lines! The "-P" makes it so non-root users can only see the password change page when they log into SWAT. Note that SWAT speaks plain HTTP, so passwords (including root's) cross the network unencrypted; keep port 901 reachable only from where it is needed, for example with xinetd's only_from setting. Then restart xinetd:
# /etc/init.d/xinetd restart
SWAT can be accessed here: http://hpc.ilri.cgiar.org:901
Change a user's password by logging into SWAT as root.
Standard Operating Procedure
In order to access Segolip storage on the HPC a user first needs an account on the HPC (user/password created by the system administrator). After that the procedure is as follows:
In Windows:
- Click Start → Run and type: \\hpc.ilri.cgiar.org\groupname (where "groupname" is the group you've been given access to, such as iita, cimmyt, etc.)
- A message will appear asking for a username and password; enter the details you were given and press enter.
- If your account information is correct you will see a folder appear with your files inside.
- Your connection will remain active until the computer is shut down, restarted, or logged off.
On a Macintosh:
- Click Go → Connect to Server and type: smb://hpc.ilri.cgiar.org/groupname (where "groupname" is the group you've been given access to, such as iita, cimmyt, etc.)
- A message will appear asking for a username and password; enter the details you were given and make sure Domain is ILRI, then press enter.
- If your account information is correct you will see a folder appear with your files inside.
- Your connection will remain active until the computer is shut down, restarted, or logged off.