
How to build a dirt easy home NAS server using Samba


A huge problem in most digital households is a growing collection of data without an easy way to share it and store it in one spot. Music. Movies. Pictures. Documents, backups, operating system images. Wow! Where do you put all of this stuff?

You’re in luck, because it is quite simple to set up a Network Attached Storage (NAS) device that any operating system can mount and write to on the network. By using Samba, you can turn a Fedora server into a common shared storage medium for Mac OS X, Linux®, and Microsoft® Windows®. And it gets even better. With the lower cost of disk drives, it is quite possible to set up a 1-2 TB disk array as your Samba storage pool. How about that for a movie depot?!

If you’re a home user, you might only care about .001% of the configuration options of Samba. Basically, you would like a volume to mount on all of the computers in your house, and you would like to use it for file sharing. This share should only be accessible to a computer on your network. For home network security, you really only need an IP restricted share without authentication. Fortunately, this is one of the easiest possible configurations.

Keep in mind that this assumes you’re behind a firewall, although we will still be restricting the share to the local network. As a rule, all home networking should be done on a private network behind your firewall. The reason is simple; everyone makes mistakes and you may be in a hurry someday and skip a step and allow the whole world access to your home network.

With the security concerns behind us, let’s get to work.

Getting started

Configuring Samba can be daunting, but it doesn’t have to be. Ignore the default configuration file and start over from scratch. The trick to configuring Samba quickly is to use only the configuration options you really need. But first, let’s set up an account for all of your Samba users, create a “sharepoint,” and give it proper permissions.

Preparing your server for SMB hosting

1. Create an account just for your SMB user.
As root, issue the following commands:

useradd fileserver901
passwd fileserver901

(This is up to you. Give the account a secure password. Numbers and special characters are always a good combination.)

2. Create a share folder.

mkdir /sharepoint

3. Change permissions on the share.

chown -R fileserver901:fileserver901 /sharepoint

Tip
Samba uses the underlying UNIX® authorization and account mechanisms. In order to set up Samba, we have to create or reuse a directory and give our Samba user account access to it. If we did not set these permissions, then the volume would be mountable, but no one could write or read from the volume.

Setting up and configuring smb

Next we are going to set up and configure Samba to share out the directory we just set up and force all anonymous users to become the user fileserver901. It is important to note that the underlying Linux file permission structure must belong to our user, fileserver901.

1. Check to see if samba is installed.

rpm -q samba

You should get something back like:

samba-3.0.10-1.4E.11

If not, you need to install Samba:

yum install samba

2. Make a backup of your current samba configuration file.

cp /etc/samba/smb.conf /etc/samba/smb.conf.original

3. Delete everything in the file and paste in the sample config file below.

You can accomplish this by using your favorite text editor like vim or emacs:

vim /etc/samba/smb.conf

(Note: the only item you need to change is the subnet value in the hosts allow line.)

[global]
workgroup = home
netbios name = fedora
security = share
hosts allow = 192.168.0.0/24
[share]
comment = Home File Server
path = /sharepoint
force user = fileserver901
force group = fileserver901
guest ok = yes
read only = no

4. Test the syntax of the /etc/samba/smb.conf file.

Make sure you have your configuration correct:

testparm /etc/samba/smb.conf

You should see something similar to:

"Loaded services file OK."

5. Start the smb service and tell it to run on boot.

chkconfig smb on
service smb start

Congrats, smb is now working!

Tip
In Step 3, we copied over an "anonymous read/write configuration" that will allow all machines on the 192.168.0.0/24 subnet to access the volume. Every account that connects to Samba will be "forced" to become user/group=fileserver901. As long as there is an external firewall in front of your home network, then this is a perfectly acceptable configuration as it offers two layers of security. Layer 1 is the firewall, which should not allow any incoming traffic. Layer 2 explicitly allows only your local subnet access. This is an ideal home network setup, but not acceptable for a small office or a corporation, obviously.

Let's quickly analyze the configuration file step by step:

[global] (signifies security parameters)
workgroup = home (names a windows workgroup name)
netbios name = fedora (our netbios name)
security = share (takes on permissions from the share, which we set earlier)
hosts allow = 192.168.0.0/24 (only allows this subnet to connect, i.e. 192.168.0.1-192.168.0.254)

[share] (Signifies the name of our share when mounted. You can change to anything you like.)
comment = Home File Server (creates share point comments)
path = /sharepoint (The full path to the volume you want to share. Note: if you want to share more than one volume, copy the "share" section and alter accordingly.)
force user = fileserver901 (forces all users of this mount to become this user and obtain access to whatever this user has access to)
force group = fileserver901 (forces all users of this mount to become this group and obtain access to whatever this group has access to)
guest ok = yes (allows anonymous accounts to access, which is how we can connect without a password)
read only = no (allows us to write to the volume. If you set this to yes, you could make this an anonymous "read" only volume)
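
The walkthrough above rests on two settings working together: guest ok opens the share without a password, and hosts allow keeps that open share on the local subnet. The shell function below is an added example, not part of the original article, that checks an smb.conf for guest shares lacking that restriction. The names audit_smb_conf and page_conf are made up for illustration, and it assumes the smb.conf(5) rule that a hosts allow in [global] applies to every share.

```shell
#!/bin/sh
# Added example, not from the article. Reads an smb.conf on stdin and reports
# each guest share as OK, OPEN (no hosts allow) or REVIEW (non-private entry).
# Assumption: a [global] "hosts allow" applies to every share (smb.conf(5)).
# Entries are matched by prefix only; hostnames and EXCEPT land in REVIEW.
audit_smb_conf() {
    awk '
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    function is_private(list,    n, i, a) {
        n = split(list, a, /[ \t,]+/)
        for (i = 1; i <= n; i++)
            if (a[i] != "" && a[i] !~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
                return 0
        return 1
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments, blank lines
    /^[ \t]*\[/ {                                  # section header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(sec); if (sec != "global") names[++count] = sec
        next
    }
    index($0, "=") {                               # parameter = value
        key = norm(substr($0, 1, index($0, "=") - 1))
        val = substr($0, index($0, "=") + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "hostsallow" || key == "allowhosts") allow[sec] = val
        if (key == "guestok" || key == "public")
            guest[sec] = (tolower(val) ~ /^(yes|true|1)$/)
    }
    END {
        for (i = 1; i <= count; i++) {
            s = names[i]
            g = (s in guest) ? guest[s] : guest["global"]
            if (!g) continue
            eff = ("global" in allow) ? allow["global"] : allow[s]
            if (eff == "")             { print "OPEN " s; bad = 1 }
            else if (!is_private(eff)) { print "REVIEW " s " " eff; bad = 1 }
            else                         print "OK " s " " eff
        }
        exit bad + 0
    }'
}

# Sample input: the settings from the sample config that matter to this check.
page_conf() {
    printf '%s\n' '[global]' 'security = share' 'hosts allow = 192.168.0.0/24' \
        '[share]' 'path = /sharepoint' 'guest ok = yes' 'read only = no'
}
page_conf | audit_smb_conf    # prints: OK share 192.168.0.0/24
```

To check a live server, run audit_smb_conf < /etc/samba/smb.conf; a non-zero exit status means at least one guest share is OPEN or needs REVIEW.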

Connect from Linux, Mac, and Windows

This is the fun part. Now that we have our server running, we should be able to mount this volume from any operating system that supports SMB, which is most. I will show you how to mount our volume on Linux, Mac OS X, and Windows 2003 Server.

Mac OS X Tiger

  1. Go to the Finder menu and select "Connect to Server" or press Apple key + "k".
  2. In the server address bar, type in smb://192.168.0.101 (or whatever the address is of your home smb server).
  3. Select connect. When the dialog box appears, click on "Ok" for the "share."
  4. A dialog box will appear with a workgroup, name, and password. Just ignore it and press ok again.
  5. A volume named share will appear on your desktop.

Windows 2003 Server

(Note: this should be almost identical for most other Windows versions.)

  1. Open the Windows Explorer.
  2. Type in: \\192.168.0.101\share (or whatever the address is of your home smb server).
  3. You now have read/write access to the volume.

Red Hat® Enterprise Linux 5

(Note: this should be identical for any newer Gnome installation.)

  1. Go to Places and select "Connect to Server."
  2. Under Service Type, select "Windows Share."
  3. In the server address box, type in 192.168.0.101 (or whatever the address is of your home smb server).
  4. In the share box, type share
  5. A volume named share will appear on your desktop.

Summary

Getting cross-platform file sharing working with Samba can be incredibly complicated, unless you focus on just the components of Samba you need. Most of Linux is like a Swiss Army knife: it can do just about anything. The trick to mastering Linux is to have the ability to ignore 99% of the options and to focus on the task at hand. We wanted to set up cross-platform file sharing via smb, not set up a Samba Domain Controller. The next step for the home user is to ponder how big of a NAS to set up. If you plan ahead, you could buy several large disks and stripe them together for redundancy and speed, and store all of your music and videos on it. The possibilities are endless.

17 responses to “How to build a dirt easy home NAS server using Samba”

  1. niko says:

    I believe the formatting in the samba sample conf provided has been messed up. “rn” exists instead of a carriage return.

  2. Noah Gift says:

    Good catch. We should be fixing it shortly.

  3. Smitty says:

    It would be better to use iSCSI. SMB is a tired old hack to interoperate with MS Windows networked machines using *their* protocol.

    iSCSI's advantages are overwhelming, with the only drawbacks being that not all MS products have initiators built for them (who is still running anything older than Win98 anyway?). MS makes their iSCSI initiator available for free (http://www.microsoft.com/downloads/details.aspx?familyid=12cb3c1a-15d6-4585-b385-befd1319f825&displaylang=en)

  4. Jitendra morya says:

    Very good effort, but security matters.

  5. Noah Gift says:

    This is specifically designed to be “unsecure”. For homes behind a firewall this should be adequate, as the share is also subnet restricted. This is not a solution for a corporation, but home users shouldn’t be forced into arbitrarily complex situations if it isn’t needed.

  6. Tim Cagle says:

    The block for the /etc/samba/smb.conf is still broken.
    The word ending the fourth line: hosts
    should actually be the first word on
    the fifth line that begins with:
    allow. If you paste as it stands now
    expect the testparm to gag.

  7. Noah Gift says:

    Tim, awesome grab…I am glad YOU'RE paying attention. That was a really subtle formatting error and could have really tripped people up. We should fix that shortly.

  8. Todd Lewis says:

    This only works for me if I turn off SELinux. How do you make smb shares work like this with SELinux?

  9. Hal Burns says:

    I think SELinux prevents using a folder in the Home dir as a samba share. I got an error back from SELinux when I tried it. You can turn that part of security off.

  10. Noah Gift says:

    SELinux was designed by the NSA, so in a nutshell it won’t be “Dirt Easy”. I would strongly advise not enabling SELinux on a home network as it will be quite a pain. On the other hand if you are running a machine in a data center, it is probably a good idea.

  11. sas says:

    To bypass SELinux restriction you must relabel your share to samba_var_t. Under root use command:

    # chcon -R -t samba_var_t /your_share

  12. sas says:

    To make share from your home dir:

    #setsebool samba_enable_home_dirs 1
    #setsebool use_samba_home_dirs 1

  13. Harjit says:

    Fat Finger:
    hosts allow = 192.168.0.0/24 (only allows this subnet to connect i.e. 192.168.0.1192.168.0.254)

    Should be:
    hosts allow = 192.168.0.0/24 (only allows this subnet to connect i.e. 192.168.0.1-192.168.0.254)

  14. Noah Gift says:

    Nice Catch Harjit. You guys are obviously paying attention to the fine details which is great! Anyone using this setup and like it? FYI, this should theoretically work on OS X Leopard and Windows Vista as well, but I can neither confirm nor deny.

  15. Carl says:

    “Most of Linux is like a swiss army knife,……”

    Cited as quotable metaphors-analogies in “Metaphor-Analogy Archive”.
    Thank you.
    http://gistout.com

  16. Stefan Murariu says:

    I used this setup and I love it.
    Just did the missing part (`chcon -t samba_share_t /my_sharepoint/`) and restarted the smbd manually. Didn’t work with `chkconfig smb on service smb start`. This newbie guide forgot to mention that nmb should be up.
    But overall, if you don’t use linux just for kopete this article is a very good start for samba newbies.
    Btw, what is the difference between samba_share_t and samba_var_t (as sas says)?

  17. Jon says:

    Can you run this on Fedora?