Configuring Samba for Segolip

Segolip's unit has many customers who use the HPC to analyze data from the labs. Segolip has several administrative users who are in charge of copying data to/from the HPC and into the proper customers' folders. These administrators have read/write access to the root of the Segolip data, under which they will move data to the appropriate places for their customers to access. Customers are not allowed to write in these folders, so they must use the data where it is, or copy it somewhere else in order to use it.

Customers have shell accounts and samba accounts.

Add Samba config changes

Instruct Samba to keep samba passwords in sync with Unix passwords. That is, when a Samba user changes their password, their corresponding Unix password changes too.

Add or uncomment the following lines in the [global] section of Samba's config:

unix password sync = Yes 
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

Add groups

Add the groups first so we can add users directly to their groups when we create user accounts. We create the group, then create its storage folder with the proper permissions.

# groupadd icipe
# mkdir /export/home/segoli/ICIPE

It is important to remove all access for other users (o-rwx) and to set the setgid bit (g+s) so that any file or folder created inside inherits the directory's group instead of the creator's primary group. This reduces confusion for lazy/inexperienced admins.

# chown -R segoliadmin:icipe /export/home/segoli/ICIPE
# chmod o-rwx,g+s /export/home/segoli/ICIPE

Add users

Add users using useradd, then edit their account information to record their group affiliation (for reference, since three years down the line we'll have too many users and no clue who they are):

# useradd mkyalo

In /etc/passwd, add the real name and group to the user's entry. See before and after:

mkyalo:x:755:755::/export/home/mkyalo:/bin/bash
-- after --
mkyalo:x:755:755:Martina Kyalo,IITA:/export/home/mkyalo:/bin/bash

Add the user to the appropriate groups. For example, the above user is part of the iita group (which already exists):

# gpasswd -a mkyalo iita
Adding user mkyalo to group iita
# id mkyalo
uid=755(mkyalo) gid=755(mkyalo) groups=755(mkyalo),10003(iita)

Sync users and groups

It is very important to synchronize the user and group information from the head node to the compute nodes. Rocks has a command for this:

# rocks sync users

This will, among other things:

  • Copy /etc/passwd, /etc/shadow to the compute nodes
  • Copy /etc/group, /etc/gshadow to the compute nodes
  • Add NFS automount information to /etc/auto.home

This is a good thing.

Set ACLs

Set the extended ACL so that anyone in the segoliadmin group can enter and modify the directory:

# setfacl -m group:segoliadmin:rwx BECA/ BT0* ICIPE/ ICRAF/ ICIPE/ IITA/

Set the default ACL so that files/folders created inside the folder inherit the same extended ACL as the parent (that is what -d does):

# setfacl -d -m group:segoliadmin:rwx BECA/ BT0* ICIPE/ ICRAF/ ICIPE/ IITA/

View the result on one folder:

# getfacl ICRISAT/
# file: ICRISAT
# owner: segoliadmin
# group: icrisat
user::rwx
group::r-x
group:segoliadmin:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:segoliadmin:rwx
default:mask::rwx
default:other::---

In addition to the minimum ACL (the "minimum" ACL is the normal Unix permissions of user, group, other), the extended ACLs include:

  • segoliadmin can read, write, and execute on the directory
  • files and folders inside inherit the read, write, execute permissions (the "default" ACL)
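
As an added example (not from this page), here is a Python check that parses getfacl output and verifies the policy described above for a customer folder: the admin group has rwx in both the access and the default ACL, other has no access, and the mask does not clip the admin entry. The group name segoliadmin is the one used on this page; the sample output is constructed from the ICRISAT listing.

```python
# Constructed sample: the getfacl output the page shows for ICRISAT/.
SAMPLE_GETFACL = """\
# file: ICRISAT
# owner: segoliadmin
# group: icrisat
user::rwx
group::r-x
group:segoliadmin:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:segoliadmin:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return {'file': name, 'access': {tag:qualifier: perms}, 'default': {...}}."""
    acl = {"file": None, "access": {}, "default": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file:"):
            acl["file"] = line.split(":", 1)[1].strip()
        if not line or line.startswith("#"):      # owner/group header lines
            continue
        line = line.split("#")[0].strip()        # drop '#effective:...' notes
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")  # e.g. group:segoliadmin:rwx
        acl[scope][f"{tag}:{qualifier}"] = perms
    return acl

def audit_acl(text, admin_group="segoliadmin"):
    """Return policy violations for one folder; an empty list means compliant."""
    acl = parse_getfacl(text)
    problems = []
    for scope in ("access", "default"):
        e = acl[scope]
        key = f"group:{admin_group}"
        if e.get(key) != "rwx":
            problems.append(f"{acl['file']} {scope}: {key} is {e.get(key)!r}, want 'rwx'")
        if e.get("other:") != "---":
            problems.append(f"{acl['file']} {scope}: other has {e.get('other:')!r}, want '---'")
        # the mask caps every named-group entry, so a tight mask silently clips the admins
        if "mask:" in e and not set("rwx") <= set(e["mask:"]):
            problems.append(f"{acl['file']} {scope}: mask {e['mask:']!r} clips {key}")
    return problems
```

Run it over `getfacl` output for each customer folder to catch a folder where the default ACL was never set or where a later chmod tightened the mask.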

Understanding ACLs

Add Samba shares

Add the following share definitions to /etc/samba/smb.conf: one for Segolip and one for each customer group:

[segolip]
    comment = Segolip group data
    path = /export/home/segoli
    read only = no
    valid users = @segoliadmin
    force user = segoliadmin

[icipe]
    comment = Segolip/ICIPE data
    path = /export/home/segoli/ICIPE
    read only = yes
    valid users = @icipe

The force user directive tells Samba to treat anyone using that share as the 'segoliadmin' Unix user in the file system, so keep the valid users line on that share: it is what limits who can obtain that identity.
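
An added example, not from this page or from the Samba project, that parses share stanzas like the ones above and flags two things a reviewer of this file would look for: misspelled parameter names, and writable or force user shares that are not limited by valid users. Samba logs and ignores parameter names it does not recognise, so a hyphenated read-only = no would leave a share at its default of read only = yes; the constructed sample below includes that spelling deliberately.

```python
# Constructed sample: the page's two stanzas, with 'read-only' (hyphen) kept on purpose.
SAMPLE_SMB_CONF = """\
# constructed sample smb.conf fragment
[segolip]
    comment = Segolip group data
    path = /export/home/segoli
    read-only = no
    valid users = @segoliadmin
    force user = segoliadmin
[icipe]
    comment = Segolip/ICIPE data
    path = /export/home/segoli/ICIPE
    read only = yes
    valid users = @icipe
"""

KNOWN = {"comment", "path", "read only", "valid users", "force user"}  # subset of smb.conf's vocabulary
CANON = {k.replace(" ", ""): k for k in KNOWN}   # 'readonly' -> 'read only'

def parse_smb_conf(text):
    """Return {share: {parameter: value}}; Samba ignores case and whitespace in names."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line[0] == "[" and line[-1] == "]":   # new stanza
            current = line[1:-1].strip().lower()
            shares[current] = {}
            continue
        key, _, value = line.partition("=")
        key = "".join(key.lower().split())       # hyphens are NOT ignored by Samba
        shares[current][CANON.get(key, key)] = value.strip()
    return shares

def lint_shares(shares):
    """Return findings for the share stanzas; an empty list means clean."""
    findings = []
    for name, p in shares.items():
        if name == "global":
            continue
        for key in p:
            if key not in KNOWN:    # Samba logs and ignores unknown parameters
                findings.append(f"[{name}] unknown parameter '{key}' is ignored by Samba")
        writable = p.get("read only", "yes").lower() in ("no", "false", "0")
        restricted = bool(p.get("valid users"))
        if writable and not restricted:
            findings.append(f"[{name}] writable share without 'valid users'")
        if "force user" in p and not restricted:
            findings.append(f"[{name}] 'force user' on a share without 'valid users'")
    return findings
```

testparm reports the same unknown-parameter warning; the point of the script is to also catch the writable-but-unrestricted case across many customer shares.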

Configure SWAT

The Samba Web Administration Tool allows you to modify Samba settings from a web interface, including changing user passwords. We need to install and configure SWAT to allow users to log in and change their passwords.

Install SWAT using yum:

# yum install samba-swat

SWAT does not run as a daemon; instead it is launched by xinetd, which listens on swat's behalf and starts swat when someone connects. Edit swat's xinetd configuration so that it looks like this:

/etc/xinetd.d/swat:

# default: off
# description: SWAT is the Samba Web Admin Tool. Use swat \
#              to configure your Samba server. To use SWAT, \
#              connect to port 901 with your favorite web browser.
service swat
{
        port            = 901
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        server_args = -P
        log_on_failure  += USERID
        disable         = no
}

Make sure you change the "server_args" and the "disable" lines! The "-P" makes it so non-root users can only see the password change page when they log into SWAT. Then restart xinetd:

# /etc/init.d/xinetd restart

SWAT can be accessed here: http://hpc.ilri.cgiar.org:901

Note that SWAT is served over plain HTTP, so the passwords typed into it (including root's) cross the network in the clear; only use it from a trusted network or over an SSH tunnel.

Change users' passwords by logging into SWAT as root.

samba.1258007498.txt.gz · Last modified: 2010/05/22 14:19 (external edit)