Lab 7 mnjk: Difference between revisions
MikeTieden (talk | contribs) |
NateHaleen (talk | contribs) |
||
(67 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
=Introduction= | =Introduction= | ||
This lab assumes you know how to install a package from the Debian repository and you have Webmin installed. If you need help please see '''[[Lab_1_mnjk#Installing_sudo_and_checking_your_IP_address | Lab 1]]''' and '''[[Lab_3_mnjk#Install_the_Webmin_Control_Panel | Lab 3]]'''. | |||
In this lab you will perform the following tasks: | In this lab you will perform the following tasks: | ||
Line 7: | Line 8: | ||
* Setup a group share | * Setup a group share | ||
You will | You will not be introduced to new commands. | ||
= Lab Procedure = | |||
=Lab Procedure= | |||
== Prerequisites == | == Prerequisites == | ||
<ol> | <ol> | ||
<li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account. </li> | <li> Open an SSH console to your Linux system using the PuTTY software, login with your standard user account. </li> | ||
<li> Make sure that | <li> Make sure that Webmin is installed on your system. </li> | ||
<li> Make sure you have an up-to-date list of packages on your system using the '''apt update''' system. </li> | <li> Make sure you have an up-to-date list of packages on your system using the '''apt update''' system. </li> | ||
<li> Make sure you have all the latest software upgrades on your system using the '''apt upgrade''' method. </li> | <li> Make sure you have all the latest software upgrades on your system using the '''apt upgrade''' method. </li> | ||
</ol> | </ol> | ||
: ''NOTE: This lab sets up Samba with anonymous guest access which is not supported by Windows 10 anymore. You can work around this (directions for doing so are below) but you can't work around it on IHCC campus managed PCs so this lab really requires access to a PC which you have full administrative control over.'' | |||
== Install Samba == | == Install Samba == | ||
'''''[https://www.youtube.com/watch?v=h15fXbqYx5Y&feature=youtu.be Video Tutorial - Install Samba]''''' <br> | |||
<ol> | <ol> | ||
<li> With your favorite package manager, install the ''samba'' package. </li> | <li> With your favorite package manager, install the '''samba''' package. </li> | ||
<li> After Samba is installed, login into Webmin on your local computer's web browser. </li> | <li> After Samba is installed, login into Webmin on your local computer's web browser. </li> | ||
<li> Under the servers tab, notice how Samba does not show up. This is because we just installed the package. </li> | <li> Under the servers tab, notice how Samba does not show up. This is because we just installed the package. </li> | ||
<li> On the bottom of the left toolbar, click refresh modules. After a minute, it should refresh the page. Now look under the servers tab again. Does | <li> On the bottom of the left toolbar, click '''refresh modules'''. After a minute, it should refresh the page. Now look under the servers tab again. Does Samba now show up?</li> | ||
</ol> | </ol> | ||
== Setup a Guest Share== | == Setup a Guest Share == | ||
'''''[https://www.youtube.com/watch?v=BmgKPYIVaPY&feature=youtu.be Video Tutorial - Setup a Guest Share]''''' <br> | |||
The first thing we are going to do is we are going to create a guest share. | |||
This share will allow for all users, even those who have not authenticated, to read files.</li> | |||
To help you better understand samba, this first share will be configured from PuTTY and command line. | |||
<ol> | <ol> | ||
<li> | <li>Change into the '''/etc/samba/''' directory and view a directory listing. | ||
: In here we have one main file, '''smb.conf''', which holds all of the Samba share and authentication settings. There may also be a few other files and directories which can be used for more advanced Samba features such as TLS certificate based authentication.</li> | |||
<li>With your favorite text editor, open up '''smb.conf''' with administrative permission.</li> | |||
<li>With your favorite text editor, open up ''smb.conf'' with administrative permission.</li> | |||
<li>Scroll to the bottom of the file, and notice how shares are defined. They all have a similar format such as: | <li>Scroll to the bottom of the file, and notice how shares are defined. They all have a similar format such as: | ||
<pre> | |||
< | [Share Name] | ||
[Share Name] | comment = Share Comment | ||
comment = Share Comment | options....</pre> | ||
options....</ | :'''options''' are the different configuration settings.</li> | ||
Let's try creating the guest share folder from the config file manually. | |||
<li>Exit out of the text editor, and create the folder '''/srv/Guest-Files''' as root. | |||
: This will be the folder we are sharing.</li> | |||
<li>Exit out of the text editor, and create the folder ''/srv/Guest-Files'' as root. | <li>Open up '''/etc/samba/smb.conf''' in a text editor again as root, and go to the bottom of the file.</li> | ||
<li>Open up ''/etc/samba/smb.conf'' in a text editor again as root, and go to the bottom of the file.</li> | |||
<li>Enter the following: | <li>Enter the following: | ||
<pre>[Guest Share] | <pre>[Guest Share] | ||
comment = Public File Share | comment = Public File Share | ||
public = yes | public = yes | ||
path = /srv/Guest-Files</pre> | path = /srv/Guest-Files</pre> | ||
You have now created the public share. | You have now created the public share. | ||
</li> | </li> | ||
<li>In order to make the share take effect you need to restart the Samba service on your machine with the following command: | <li>In order to make the share take effect you need to restart the Samba service on your machine with the following command: | ||
<br> | |||
<code>service smbd restart</code> | |||
: ''NOTE: Restarting services requires administrative permission.''</li> | |||
<li>To test this share, go into '''/srv/Guest-Files''' and create a text file and enter some information. | |||
: We will use this file to test the read-only settings of the share. | |||
<li>To test this share, go into ''/srv/Guest-Files'' and create a text file and enter some information. | : At this point, we should be ready to test out our configuration. </li> | ||
<li>On your Local Computer, open up the run dialog box, and enter '''\\172.17.50.xx''' (The IP you setup for the static address of your VM), and press enter. | |||
: You should see a share folder called Guest Share. | |||
<li>On your Local Computer, open up the run dialog box, and enter \\172.17.50.xx (The IP you setup for the static address of your VM), and press enter. | :[[file:Samba-windows-guest.png | link= https://wiki.ihitc.net/mediawiki/images/d/d4/Samba-windows-guest.png | 500px]] | ||
:[[media:Samba-windows-guest.png | Click for Larger Image]]</li> | |||
: ''NOTE: If you receive an error on your local system and can't access the Samba share, it might be your firewall blocking the connection. This has been the case with non-Windows Firewalls such as BitDefender. If you are using one of these firewalls you may have to make a rule to allow traffic. This link might help: [https://www.bitdefender.com/consumer/support/answer/2397/ https://www.bitdefender.com/consumer/support/answer/2397/]'' | |||
<li>Open the Guest Share folder and see if your text file is in the share.</li> | |||
<li>Open up the file, and try to edit and save the file. What error do you get?</li> | <li>Open up the file, and try to edit and save the file. What error do you get?</li> | ||
: '''''SPECIAL NOTE for Windows 10 Client PCs:''' If the computer your are using to try and connect to this share is running Windows 10 version 1709 or later [https://support.microsoft.com/en-us/help/4046019/guest-access-smb2-disabled-by-default-in-windows-10-server-2016 Microsoft has disabled SMB guest share access] You have a few different options for completing this:'' | |||
:* Use an earlier version of Windows (remember you'll need to install OpenVPN and be connected to ITCnet) such as Windows 10 before version 1709, Windows 8, or Windows 7 to attempt to connect to the share. | |||
* | :* Follow the instruction on the above Microsoft page to re-enable guest share access on your Windows 10 version 1709 or later system using the group policy editor (requires Windows 10 Professional or Enterprise) | ||
* | :* Use the registry editor to set the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "AllowInsecureGuestAuth" to dword:1 (Note: editing your registry can cause your system not to boot and other unexpected behavior, so be careful and be sure of what you are doing) | ||
* | : '''''SPECIAL NOTE for Personal Windows PCs:''' If you are getting an error after hitting enter in the run dialog box, try either disabling your firewall or making a firewall exception for the IP address of your server.'' | ||
</ol> | </ol> | ||
== Share Home Directories== | == Share Home Directories == | ||
'''''[https://www.youtube.com/watch?v=MOJ6wwiQ1mk&feature=youtu.be Video Tutorial - Share Home Directories]''''' <br> | |||
Now we are going to setup Home Directory Sharing. By default this is enabled, but write access is not and no users are setup. | |||
First it must be noted that Samba requires separate user accounts from the system, just like MySQL. So first, we are going to add your user account. | |||
<ol> | <ol> | ||
<li> To do this, we are now going to use Webmin to configure the shares. | <li> To do this, we are now going to use Webmin to configure the shares. | ||
: Notice also what other shares are enabled in Samba by default when looking at the Webmin page for Samba. </li> | |||
[[ | :[[file:Webmin-samba-dashboard.png | link= https://wiki.ihitc.net/mediawiki/images/9/9d/Webmin-samba-dashboard.png | 500px]] | ||
:[[media:Webmin-samba-dashboard.png | Click for Larger Image]] | |||
<li> On the Webmin Samba configuration page, click '''Samba Users'''. | <li> On the Webmin Samba configuration page, click '''Samba Users'''. | ||
: Notice how none are currently defined.</li> | |||
<li>Go back and click '''Convert Users'''. | <li>Go back and click '''Convert Users'''. | ||
: This is the tool we will use to convert/copy the local Unix user accounts to Samba accounts. | |||
<li>Leave the Unix users to convert option set to all except listed users and UID ranges with the option of -499.</li> | <li>Leave the Unix users to convert option set to all except listed users and UID ranges with the option of -499.</li> | ||
: This will add all user accounts with a UID of 500 or more to Samba. Lower UID values are typically used on Debian systems as service accounts (like ''www-data'') who should not have Samba permissions. </li> | |||
<li> On the bottom, select '''No password'''. | <li> On the bottom, select '''No password'''. | ||
: We are doing this as we will define unique passwords for each user.</li> | |||
<li>Click '''Convert Users''' when ready. </li> | <li>Click '''Convert Users''' when ready. </li> | ||
<li> When you are done, go to the Samba Users page again. | <li> When you are done, go to the '''Samba Users''' page again. | ||
: Notice how your user account is now listed.</li> | |||
<li>From here you can now add passwords to the different user accounts you added in the last step. Be sure to set the passwords for each user you intend to connect with. </li> | <li>From here you can now add passwords to the different user accounts you added in the last step. Be sure to set the passwords for each user you intend to connect with. </li> | ||
<li> On the Samba config page, under ''Shares'', click the ''home share''.</li> | Lastly we are going to setup write access to home folders, so you will be able to add files to your home directory over Samba. | ||
<li> Click ''Security and Access Control''.</li> | |||
<li> Set the ''Writable'' option to ''Yes'', and then click save. </li> | <li> On the Samba config page, under '''Shares''', click the '''home share'''.</li> | ||
<li> Go back to the Samba config page, and click the Restart Samba Servers option at the bottom. | <li> Click '''Security and Access Control'''.</li> | ||
<li> Set the '''Writable''' option to '''Yes''', and then click save. </li> | |||
<li> Go back to the Samba config page, and click the '''Restart Samba Servers''' option at the bottom. | |||
<li>On your Local Computer, open up the run dialog box, and enter \\172.17.50.xx (Your IP you setup for the static address), and press enter. | : We do this to force samba to load the new configuration. You can also wait a minute or two if you don't want to disconnect any connected users. </li> | ||
: At this point, we should be ready to test out our configuration. | |||
<li>In the top URL window, add | <li>On your Local Computer, open up the run dialog box, and enter '''\\172.17.50.xx''' (Your IP you setup for the static address), and press enter. | ||
: Notice how you do not see a home directory share because you are connected without any authentication.</li> | |||
<li>In the top URL window, add '''\<username>''' to the path, e.g. '''\\172.17.50.xx\user'''. | |||
: You should now get a login popup.</li> | |||
<li>Login as your user, and you should be greeted with your home folder. | <li>Login as your user, and you should be greeted with your home folder. | ||
: ''NOTE: If your user is unable to login you may have forgotten to set a Samba password for the user as directed above. You need to set a password for each user within Samba.'' | |||
: ''NOTE: On local systems running an operating system other than Windows follow whatever process you would normally use to connect to a Windows file share using the IP address of your VM as the server name.'' </li> | |||
<li> Test creating and deleting a file to verify write access is working.</li> | <li> Test creating and deleting a file to verify write access is working.</li> | ||
<li> Try to access a home share of another user that was added to | <li> Try to access a home share of another user that was added to Samba. | ||
: Notice how you do not have permissions.</li> | |||
<li>Try logging in with another user account to access a different home share. | <li>Try logging in with another user account to access a different home share. | ||
: ''NOTE: To use another user account in a samba share, you may have to logout and then back in on your local machine.'' </li> | |||
</ol> | </ol> | ||
== Setup a Group Share == | == Setup a Group Share == | ||
'''''[https://www.youtube.com/watch?v=1C7BBUC_V3A&feature=youtu.be Video Tutorial - Setup a Group Share]''''' <br> | |||
Now we are going to setup a group folder share that will allow for all samba users to read and write to the folder. | |||
<ol> | <ol> | ||
<li>Go back to the Webmin Samba configuration panel. | |||
<li>Go back to the Webmin Samba configuration panel | : We are going to create a new share.</li> | ||
<li>Under '''shares''', select the '''Create a new file share''' link. Use the following base configuration: | |||
<li>Under ''shares'', select the '''Create a new file share''' link. Use the following base configuration: | <br> | ||
<code>Share Name: Share-Files<br> | |||
Directory to share: /srv/Group-Share<br> | |||
Automatically Create Directory: Yes<br> | |||
Create with owner: root<br> | |||
Create with permissions: 775<br> | |||
Create with group: users<br> | |||
Available: yes<br> | |||
Browsable: yes<br> | |||
Share Comment: group share folder | |||
</code></li> | |||
<li>Once the share is setup, click it to edit it.</li> | |||
<li>Once you are at the '''Edit File Share''' page, click '''File Permissions'''. | |||
: Notice how the New Unix file and New Unix directory are set to 755 by default, even though we set the share to use 775 to create the directory. This is done for security purposes as it would only allow the owner to have modification privileges for the files and directories they create. We need to modify this so that all users on the system have full access to files in this share.</li> | |||
<li>Set the '''New Unix file''' and '''New Unix directory''' mode to 775, and set '''Force Unix group''' to '''users'''. You can now press '''save'''. We do this to allow all authenticated users permission to modify and edit files that may have been added by other users.</li> | |||
: Now we will need to enable write access to the folder. | |||
<li>On the '''Edit file share''' page again, click '''Security and Access Control'''.</li> | |||
<li>Set the '''Writable''' option to '''Yes''', and press '''save'''.</li> | |||
<li>At this point, you can test the share exactly the same way we did with the home folder share.</li> | |||
: Notice though how this share is set to '''browsable''', so it shows up in the root share folder. Go ahead and create a file through your host computer. Then use PuTTY to look at the user and group assigned to the files you created. | |||
: It is important to note that even if a user has read or write permission in Samba they must ''also'' have permission to read or write the file/directory on the underlying Linux filesystem. Many problems with making Samba work can be traced to permissions errors where a user does not have correct permission to work with a file or directory either by the Samba software ''or'' by the filesystem. | |||
<li>Look at your '''smb.conf''' file and see what changes Webmin made in order to setup your group share.</li> | |||
</ol> | |||
= Checking Your Work = | |||
< | <li> Automatically check your results by running this command:</li> | ||
<code><nowiki> | |||
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_07_test.py | python3 | |||
</nowiki></code> | |||
</ | |||
=Web App= | |||
You can check your progress on any of the labs in the ITC-2480 course from a webapp from this link: <br> | |||
[http://webcheck.itc2480.campus.ihitc.net webcheck.itc2480.campus.ihitc.net]<br> | |||
You must be logged into the campus VPN to use this application. | |||
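Review bot: the Checking Your Work section added near the end of this revision pipes lab_07_test.py from the main branch of a GitHub repository straight into python3, so a student runs whatever is on that branch at that moment without having seen it. Suggest telling students to download the script to a file, read it, and then run it with python3, and linking to a specific commit rather than main so the checked-in version cannot change underneath them. A second point, in the Windows 10 note of the guest share section: the registry option sets "AllowInsecureGuestAuth" to dword:1 and no later step sets it back, so a closing line telling students to restore the value once the lab is finished would be worth adding.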
Latest revision as of 16:08, 25 April 2021
Introduction
This lab assumes you know how to install a package from the Debian repository and you have Webmin installed. If you need help please see Lab 1 and Lab 3.
In this lab you will perform the following tasks:
- Install Samba
- Setup a Guest Share
- Share Home Directories
- Setup a group share
You will not be introduced to new commands.
Lab Procedure
Prerequisites
- Open an SSH console to your Linux system using the PuTTY software and log in with your standard user account.
- Make sure that Webmin is installed on your system.
- Make sure you have an up-to-date list of packages on your system using the apt update command.
- Make sure you have all the latest software upgrades on your system using the apt upgrade command.
- NOTE: This lab sets up Samba with anonymous guest access which is not supported by Windows 10 anymore. You can work around this (directions for doing so are below) but you can't work around it on IHCC campus managed PCs so this lab really requires access to a PC which you have full administrative control over.
Install Samba
Video Tutorial - Install Samba
- With your favorite package manager, install the samba package.
- After Samba is installed, log in to Webmin in your local computer's web browser.
- Under the servers tab, notice how Samba does not show up. This is because we just installed the package.
- On the bottom of the left toolbar, click refresh modules. After a minute, it should refresh the page. Now look under the servers tab again. Does Samba now show up?
Setup a Guest Share
Video Tutorial - Setup a Guest Share
The first thing we are going to do is create a guest share.
This share will allow all users, even those who have not authenticated, to read files. To help you better understand Samba, this first share will be configured from PuTTY and the command line.
- Change into the /etc/samba/ directory and view a directory listing.
- In here we have one main file, smb.conf, which holds all of the Samba share and authentication settings. There may also be a few other files and directories which can be used for more advanced Samba features such as TLS certificate based authentication.
- With your favorite text editor, open up smb.conf with administrative permission.
- Scroll to the bottom of the file, and notice how shares are defined. They all have a similar format such as:
    [Share Name]
       comment = Share Comment
       options....
- options are the different configuration settings.
Let's try creating the guest share folder from the config file manually.
- Exit out of the text editor, and create the folder /srv/Guest-Files as root.
- This will be the folder we are sharing.
- Open up /etc/samba/smb.conf in a text editor again as root, and go to the bottom of the file.
- Enter the following:
    [Guest Share]
       comment = Public File Share
       public = yes
       path = /srv/Guest-Files
You have now created the public share.
- In order to make the share take effect you need to restart the Samba service on your machine with the following command:
service smbd restart
- NOTE: Restarting services requires administrative permission.
- To test this share, go into /srv/Guest-Files and create a text file and enter some information.
- We will use this file to test the read-only settings of the share.
- At this point, we should be ready to test out our configuration.
- On your Local Computer, open up the run dialog box, and enter \\172.17.50.xx (The IP you setup for the static address of your VM), and press enter.
- You should see a share folder called Guest Share.
- NOTE: If you receive an error on your local system and can't access the Samba share, it might be your firewall blocking the connection. This has been the case with non-Windows Firewalls such as BitDefender. If you are using one of these firewalls you may have to make a rule to allow traffic. This link might help: https://www.bitdefender.com/consumer/support/answer/2397/
- Open the Guest Share folder and see if your text file is in the share.
- Open up the file, and try to edit and save the file. What error do you get?
- SPECIAL NOTE for Windows 10 Client PCs: If the computer you are using to try and connect to this share is running Windows 10 version 1709 or later, Microsoft has disabled SMB guest share access (https://support.microsoft.com/en-us/help/4046019/guest-access-smb2-disabled-by-default-in-windows-10-server-2016). You have a few different options for completing this:
- Use an earlier version of Windows (remember you'll need to install OpenVPN and be connected to ITCnet) such as Windows 10 before version 1709, Windows 8, or Windows 7 to attempt to connect to the share.
- Follow the instructions on the above Microsoft page to re-enable guest share access on your Windows 10 version 1709 or later system using the group policy editor (requires Windows 10 Professional or Enterprise)
- Use the registry editor to set the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "AllowInsecureGuestAuth" to dword:1 (Note: editing your registry can cause your system not to boot and other unexpected behavior, so be careful and be sure of what you are doing)
- SPECIAL NOTE for Personal Windows PCs: If you are getting an error after hitting enter in the run dialog box, try either disabling your firewall or making a firewall exception for the IP address of your server.
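The share definitions from this section, checked by script. This is an added example, not part of the original lab or its checker: it parses smb.conf text, folds Samba's alternative spellings (public for guest ok; writable, writeable and write ok as the inverse of read only) onto one name, and reports which shares allow guest access and which allow writes. The sample file and its Scratch share are constructed; include files and backslash line continuations are not handled.

```python
import re

# Samba ignores case and whitespace in parameter names, so names are compared
# with both removed ("Guest OK" -> "guestok").
SYNONYMS = {"public": "guestok", "browsable": "browseable"}
INVERTED = {"writable", "writeable", "writeok"}   # opposite of "read only"
TRUE, FALSE = {"yes", "true", "1", "on"}, {"no", "false", "0", "off"}
DEFAULTS = {"guestok": "no", "readonly": "yes"}   # Samba's built-in defaults

def to_bool(value):
    """Parse an smb.conf boolean value."""
    v = value.strip().lower()
    if v in TRUE or v in FALSE:
        return v in TRUE
    raise ValueError(f"not a boolean: {value!r}")

def parse_smb_conf(text):
    """Return {lowercased section name: {normalised parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name, value = "".join(name.lower().split()), value.strip()
        if name in INVERTED:                       # writable = yes -> read only = no
            name, value = "readonly", "no" if to_bool(value) else "yes"
        current[SYNONYMS.get(name, name)] = value
    return sections

def audit_shares(text):
    """Report configured guest and write access for every share section."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    report = {}
    for name, params in conf.items():
        # Precedence: the share's own section, then [global], then the default.
        eff = {**DEFAULTS, **glob, **params}
        report[name] = {
            "path": params.get("path"),
            "guest": to_bool(eff["guestok"]),
            "writable": not to_bool(eff["readonly"]),
        }
    return report

def guest_writable(text):
    """Names of shares that allow both guest access and writes."""
    return sorted(n for n, r in audit_shares(text).items()
                  if r["guest"] and r["writable"])

# Constructed sample: the lab's guest share and group share, plus one
# deliberately over-permissive share ("Scratch") for contrast.
SAMPLE = """\
[global]
   workgroup = WORKGROUP
[homes]
   browseable = no
   read only = no
[Guest Share]
   comment = Public File Share
   public = yes
   path = /srv/Guest-Files
[Share-Files]
   comment = group share folder
   path = /srv/Group-Share
   writeable = yes
   force group = users
; constructed: guest access combined with write access
[Scratch]
   path = /srv/Scratch
   Guest OK = yes
   write ok = yes
"""

if __name__ == "__main__":
    for share, info in audit_shares(SAMPLE).items():
        print(share, info)
    print("guest + writable:", guest_writable(SAMPLE))
```

The lab's guest share comes out as guest access without write access because read only defaults to yes when the section does not set it.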
Share Home Directories
Video Tutorial - Share Home Directories
Now we are going to set up Home Directory Sharing. By default this is enabled, but write access is not and no users are set up.
First it must be noted that Samba requires separate user accounts from the system, just like MySQL. So first, we are going to add your user account.
- To do this, we are now going to use Webmin to configure the shares.
- Notice also what other shares are enabled in Samba by default when looking at the Webmin page for Samba.
- On the Webmin Samba configuration page, click Samba Users.
- Notice how none are currently defined.
- Go back and click Convert Users.
- This is the tool we will use to convert/copy the local Unix user accounts to Samba accounts.
- Leave the Unix users to convert option set to all except listed users and UID ranges, with the value -499.
- This will add all user accounts with a UID of 500 or more to Samba. Lower UID values are typically used on Debian systems for service accounts (like www-data), which should not have Samba permissions.
- On the bottom, select No password.
- We are doing this as we will define unique passwords for each user.
- Click Convert Users when ready.
- When you are done, go to the Samba Users page again.
- Notice how your user account is now listed.
- From here you can now add passwords to the different user accounts you added in the last step. Be sure to set the passwords for each user you intend to connect with.
Lastly we are going to setup write access to home folders, so you will be able to add files to your home directory over Samba.
- On the Samba config page, under Shares, click the home share.
- Click Security and Access Control.
- Set the Writable option to Yes, and then click save.
- Go back to the Samba config page, and click the Restart Samba Servers option at the bottom.
- We do this to force Samba to load the new configuration. You can also wait a minute or two if you don't want to disconnect any connected users.
- At this point, we should be ready to test out our configuration.
- On your Local Computer, open up the run dialog box, and enter \\172.17.50.xx (Your IP you setup for the static address), and press enter.
- Notice how you do not see a home directory share because you are connected without any authentication.
- In the top URL window, add \<username> to the path, e.g. \\172.17.50.xx\user.
- You should now get a login popup.
- Log in as your user, and you should be greeted with your home folder.
- NOTE: If your user is unable to log in you may have forgotten to set a Samba password for the user as directed above. You need to set a password for each user within Samba.
- NOTE: On local systems running an operating system other than Windows follow whatever process you would normally use to connect to a Windows file share using the IP address of your VM as the server name.
- Test creating and deleting a file to verify write access is working.
- Try to access a home share of another user that was added to Samba.
- Notice how you do not have permissions.
- Try logging in with another user account to access a different home share.
- NOTE: To use another user account in a Samba share, you may have to log out and then back in on your local machine.
Setup a Group Share
Video Tutorial - Setup a Group Share
Now we are going to set up a group folder share that will allow all Samba users to read and write to the folder.
- Go back to the Webmin Samba configuration panel.
- We are going to create a new share.
- Under shares, select the Create a new file share link. Use the following base configuration:
Share Name: Share-Files
Directory to share: /srv/Group-Share
Automatically Create Directory: Yes
Create with owner: root
Create with permissions: 775
Create with group: users
Available: yes
Browsable: yes
Share Comment: group share folder
- Once the share is setup, click it to edit it.
- Once you are at the Edit File Share page, click File Permissions.
- Notice how the New Unix file and New Unix directory are set to 755 by default, even though we set the share to use 775 to create the directory. This is done for security purposes as it would only allow the owner to have modification privileges for the files and directories they create. We need to modify this so that all users on the system have full access to files in this share.
- Set the New Unix file and New Unix directory mode to 775, and set Force Unix group to users. You can now press save. We do this to allow all authenticated users permission to modify and edit files that may have been added by other users.
- Now we will need to enable write access to the folder.
- On the Edit file share page again, click Security and Access Control.
- Set the Writable option to Yes, and press save.
- At this point, you can test the share exactly the same way we did with the home folder share.
- Notice though how this share is set to browsable, so it shows up in the root share folder. Go ahead and create a file through your host computer. Then use PuTTY to look at the user and group assigned to the files you created.
- It is important to note that even if a user has read or write permission in Samba they must also have permission to read or write the file/directory on the underlying Linux filesystem. Many problems with making Samba work can be traced to permissions errors where a user does not have correct permission to work with a file or directory either by the Samba software or by the filesystem.
- Look at your smb.conf file and see what changes Webmin made in order to setup your group share.
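The two permission layers described in this section, modelled as an added example (not from the original lab): a write over Samba succeeds only if the share is writable and the Unix mode bits allow it. The UIDs and GIDs, the alice and bob accounts, and treating the 755 or 775 mask value as the resulting file mode are assumptions for illustration; ACLs and root are ignored.

```python
from typing import NamedTuple

USERS_GID = 100          # assumed GID of the "users" group


class Entry(NamedTuple):
    """Mode and ownership of a file or directory on the Linux side."""
    mode: int
    uid: int
    gid: int


class User(NamedTuple):
    uid: int
    gid: int              # primary group
    groups: frozenset     # primary plus supplementary group IDs


def unix_allows(entry, user, need):
    """Classic Unix check: exactly one class (owner, group, other) is consulted."""
    if user.uid == entry.uid:
        shift = 6
    elif entry.gid in user.groups:
        shift = 3
    else:
        shift = 0
    bits = (entry.mode >> shift) & 0o7
    return bits & {"r": 4, "w": 2, "x": 1}[need] != 0


def can_create(share_writable, directory, user):
    """Creating or deleting a file needs write and search on the directory."""
    return (share_writable and unix_allows(directory, user, "w")
            and unix_allows(directory, user, "x"))


def can_edit(share_writable, file, user):
    """Both layers must agree: the share setting and the file's mode bits."""
    return share_writable and unix_allows(file, user, "w")


def created_file(creator, mode, force_gid=None):
    """A file made through the share: owned by its creator, group forced if set."""
    return Entry(mode, creator.uid, creator.gid if force_gid is None else force_gid)


def lab_scenarios():
    """Can bob change a file that alice created in the group share?"""
    alice = User(1001, 1001, frozenset({1001, USERS_GID}))
    bob = User(1002, 1002, frozenset({1002, USERS_GID}))
    share_dir = Entry(0o775, 0, USERS_GID)        # /srv/Group-Share, root:users
    return {
        "create_in_dir": can_create(True, share_dir, bob),
        "edit_755_forced": can_edit(True, created_file(alice, 0o755, USERS_GID), bob),
        "edit_775_forced": can_edit(True, created_file(alice, 0o775, USERS_GID), bob),
        "edit_775_not_forced": can_edit(True, created_file(alice, 0o775), bob),
        "edit_775_share_readonly": can_edit(False, created_file(alice, 0o775, USERS_GID), bob),
    }


if __name__ == "__main__":
    for name, allowed in lab_scenarios().items():
        print(f"{name:26} {'allowed' if allowed else 'denied'}")
```

Only the combination of a writable share, group-writable mode and the forced users group lets bob edit alice's file; dropping any one of the three denies the write.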
Checking Your Work
- Automatically check your results by running this command:
curl https://raw.githubusercontent.com/mnjk-inver/Linux-2480-Rebuild/main/lab_07_test.py | python3
Web App
You can check your progress on any of the labs in the ITC-2480 course using the web app at this link:
webcheck.itc2480.campus.ihitc.net
You must be logged into the campus VPN to use this application.