caharkness.com

Conner Harkness, Software Engineer
Home | Contact | Donate | Directory | Login

Debian Samba Shares Done The Right Way

Debian Samba Shares Done The Right Way

It’s pretty important for me to be able to do Linux things in a Windows environment, but I shouldn’t have to install Apple software (notably Bonjour Print Services) to access a Debian-based Linux server by its host name. This write-up will discuss exactly which packages I install — and in what order — to prepare a Linux virtual machine for getting serious work done on a Windows PC.

As a preface, we will be using a minimal Debian installation via the Debian Netinst disc image found here. We will be installing Debian to an Oracle VirtualBox Virtual Machine, their software can be downloaded from their official site located here. Upon booting from the optical media, I prefer selecting the graphical expert install option from the list of menu options. Please note that we will be opting out of installing a desktop environment and that we will be doing everything from the root user in a command-line interface, so no “sudo” commands will be issued.

The Setup

The first order of business is to prepare SSH connectivity. If you forget to install the SSH server via the expert install, you can issue these commands to set up what you need:

# apt-get install openssh-server
# apt-get install openssh-client

Because I know that this VM will only ever be used in a development environment locally, I like to enable signing in as root with a password. For that, you have to enable the option and alter the default configuration:

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# nano /etc/ssh/sshd_config

It’s always in good measure to make back-up copies. Proceed to edit the sshd_config file and find the line beginning with #PermitRootLogin and ensure its value is “yes”. This will require removing the hash symbol at the beginning of the line if there is one.

# The file at /etc/ssh/sshd_config

...
PermitRootLogin yes
...

Save your changes by issuing the keyboard shortcut ^O (a combination of the Control key and O), pressing Enter to confirm its file destination, and then finally, issuing ^X to exit the Nano editor. From this point on, assume that all instructions regarding keyboard shortcuts expect you to know ^ refers to a keyboard shortcut of Control (or Ctrl) and the following letter.

Connectivity

I prefer to get all of my serious work done via PuTTY, so it’s important we are able to quickly access our virtual machine by its host name in Windows. To do that, we are going to need to turn off our virtual machine (the correct way) by issuing shutdown now from the command line and changing how our virtual machine’s network adapter works:

By default, our network adapter is set to NAT, or Network Address Translation. We want to set this to Bridged Adapter. This effectively attaches our VM to the local area network our host Windows PC is connected to, as if it were another device connected to our wireless router.

Go ahead and confirm your changes, boot the Debian virtual machine, and sign in as root. From here, we are going to be installing a key package that makes this host name magic work and we will ensure it is working correctly. From the command line (and assuming your VM and host PC is connected to the Internet), issue:

# apt-get update
# apt-get install llmnrd

This will install the Link-Local Multicast Name Resolution daemon. This is essentially a background service that periodically notifies other Windows machines on the network of its “Windows” host name and local IP address. Follow that by issuing:

# hostname debian-vm

Where debian-vm is your desired virtual machine’s host name. You will also need to issue nano /etc/hostname and change the text in that file to match your specified host name. The contents of the file in this case should only read debian-vm. Save the file with ^O, confirm the file name with Enter, and then leave the editor with ^X. You will then want to reboot the VM by issuing a reboot command at the prompt.

You should then be able to ping your Debian virtual machine from your Windows command prompt. Disregard the conner-i8550u-vm-debian-002 name for this example and assume that it’s debian-vm and that you should be able to ping the machine with success.

File Sharing

I should start off by mentioning that what we will be doing is considered a huge no-no for a server administrator to be doing to a live Linux server attached to the Internet containing access to sensitive data. This write-up is geared only towards development environments where you are absolutely confident that uninvited individuals do not have network access to this VM.

I will continue by recommending a quick installation of Samba, the star of our show, that will enable us to use our favorite Windows software to modify files that exist on our Debian VM. You can install Samba by issuing:

# apt-get install samba

This will install the background service that negotiates file sharing within the Windows Explorer (and other SMB-protocol capable file sharing software) so that our lives can be that much easier.

We are going to need to modify the Samba configuration to meet our needs. To do that, edit the file at /etc/samba/smb.conf and have it read:

[global]
workgroup = WORKGROUP
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
pam password change = yes
map to guest = bad user
usershare allow guests = yes

[System Root]
comment = Root Directory
path = /
valid users = root 
force user = root
force group = root
browseable = yes
writeable = yes
public = yes
create mask = 0777
directory mask = 0777

[Web Root]
comment = Web Root Directory
path = /var/www
valid users = root 
force user = www-data
force group = www-data
browseable = yes
writeable = yes
public = yes
create mask = 0777
directory mask = 0777

Quick Note

This configuration assumes you already have a web server installed and actively serving content from /var/www. I will not cover how to install and configure Apache completely, but the least I can do is suggest that you run apt-get install apache2 from the command line.

Samba Continued

A quick way to make these changes is to issue cp /etc/samba/smb.conf /etc/samba/smb.conf.bak and rm /etc/samba/smb.conf so that we can copy and paste the contents above into a brand-new, empty file made with touch /etc/samba/smb.conf. Using PuTTY will allow you to paste the contents in by right-clicking on the terminal window, otherwise, you might be stuck typing this in by hand in the Oracle VirtualBox VM window.

There are two .ini-like sections to this file I would like to explain line-by-line that are essential to understanding why Samba is desirable in this scenario, and not SFTP transfers alone. See [Web Root]:

The problem I have come across with actively writing PHP software in the /var/www directory is that files created and saved by root are potentially inaccessible to the www-data user, which is the default user Apache uses to read, write, and access the scripts. If you save source code as any other user and fail to subsequently update the permissions, users accessing the script via HTTP may be presented with a 403 Forbidden response.

By adding the section [Web Root], we are telling Samba to create a share called “Web Root”. Everything we modify via this share will be done so as the www-data user (and group), denoted by the lines:

force user = www-data
force group = www-data

Meaning that if we were to create a new text document from the Windows Explorer, the file would effectively be owned by www-data and its group, thus accessible by the Apache web server. It’s actually unnecessary to have the create mask and directory mask both set to 0777, however, this just ensures that every Debian user has full access to these files. Considering we are doing all of our work as root, we should not be concerned. The options browseable, writeable, and public all set to yes just ensures that the share: is visible to the Windows Explorer via \\debian-vm in the address bar, able to be written to, and accessed by all of our Windows users.

What’s important is the valid users = root line. This enforces our share to only be accessible by a Samba user by the name of root. This can be anything you like, but you are required to add this user via the command line:

# smbpasswd -a root

Issuing this command will ask you for a new password, twice for verification. You will then be told that the user has been added. These are the login credentials you will need to use from within Windows (and other SMB-equipped file sharing software).

When you access this share specifically as root, you will effectively be working as the Debian user www-data. Just make sure that www-data has access to write to the /var/www folder from within Debian. I like to do this by issuing:

# chown -R www-data:www-data /var/www

The above command recursively assigns /var/www and all of its contents to the www-data user (and group).

Ignore the host name of zero for now and assume it’s debian-vm. This example was taken from my Raspberry Pi Zero W, and it has already been through this process. For those who are wondering, this entire process works on a Raspberry Pi, as its “Raspbian” distribution is essentially a fork of Debian.

As we can see, opening up a directory from within Sublime Text 3 allows us to work on and develop contents in our Debian machine’s /var/www folder with ease and style.

Although the setup is long and tedious, this will dramatically save time (and headache) in our existing Windows workflow.

by caharkness on May 25th, 2019
Permalink Raw