Using authd with Samba¶

The user identifiers (UIDs) and group identifiers (GIDs) assigned by authd are unique to each machine. This means that when using authd with Samba, the UIDs and GIDs of users and groups on the Samba server will not match those on the client machines, which leads to permission issues.

To avoid these issues, you can use Samba with ID mapping. This ensures that the UIDs and GIDs are mapped correctly across all machines.

Setting up Samba with ID mapping¶

This guide will walk you through setting up a Samba server with ID mapping. By following the steps outlined below, a user alice will be able to access a shared directory on the server from a client machine.

Steps for the server¶

Install Samba: Install the Samba server package:
```
sudo apt update
sudo apt install samba
```
Create the shared directory: Create the directory to be shared and set ownership to the alice user:
```
sudo mkdir -p /srv/samba/alice
sudo chown alice:alice /srv/samba/alice
```
Edit Samba configuration: Open the Samba configuration file:
```
sudo editor /etc/samba/smb.conf
```
Add the following section at the end of the file:
```
[alice]
path = /srv/samba/alice
browsable = yes
writable = yes
valid users = alice
```
Explanation

This section defines a Samba share named alice located at /srv/samba/alice. It is visible to users on the network (browsable), allows writing (writable), and restricts access to the alice user (valid users).
Create a Samba user for alice: Add the alice user to the Samba database and set a password:
```
sudo smbpasswd -a alice
```
Follow the prompts to set the Samba password for the user.
Restart Samba service: Restart the Samba service to apply the changes:
```
sudo systemctl restart smbd
```

Steps for the client¶

Install Samba client: Install the required packages for connecting to Samba shares:
```
sudo apt update
sudo apt install smbclient cifs-utils
```
Test access to the share: Test connectivity using smbclient, making sure to replace $SERVER with the Samba server’s hostname or IP address:
```
smbclient //$SERVER/alice -U alice
```
Enter the Samba password for alice when prompted. If successful, a smb: \> prompt appears.

Mount the share: Create a mount point for the share:

mkdir -p /home/alice/samba

Mount the share using the cifs filesystem type:

sudo mount -t cifs //$SERVER/alice /home/alice/samba -o user=alice,uid=$(id -u alice),gid=$(id -g alice)

Enter the Samba password for alice when prompted.

Optional: Add the share to /etc/fstab for persistent mounting: To automatically mount the share at boot, use a credentials file:
- Create a credentials file:
```
sudo editor /etc/samba/credentials
```
  Add the following lines:
```
username=alice
password=YOUR_PASSWORD
```
- Secure the credentials file:
```
sudo chmod 600 /etc/samba/credentials
```
- Update /etc/fstab:
```
//$SERVER/alice /home/alice/samba cifs credentials=/etc/samba/credentials,uid=alice,gid=alice 0 0
```
Verify the mount: As the user alice, try accessing the shared directory:
```
ls -la /home/alice/samba
```
Verify write access by creating a test file:
```
touch /home/alice/samba/test
```
Test enforced access control (optional):

Security note

Security Note: Files and directories in the share may appear as owned by alice on the client, but access control is enforced by the server.

For example, if alice does not have permission on the server, access will be denied even if ownership appears correct on the client.

To test this, you can create a restricted directory on the server and attempt to access it on the client:
- Create a restricted directory on the server:
```
sudo mkdir /srv/samba/alice/secrets
sudo chmod 700 /srv/samba/alice/secrets
```
- Attempt to access it on the client:
```
ls /home/alice/samba/secrets
```
  The terminal output will indicate that the user does not have access to the restricted directory:
```
ls: cannot open directory '/home/alice/samba/secrets': Permission denied
```

Cleanup¶

On the server¶

Delete the shared directory: Remove the directory used for the Samba share:
```
sudo rm -rf /srv/samba/alice
```
Purge installed Samba packages: If Samba is no longer needed, uninstall it completely:
```
sudo apt purge samba samba-common
sudo apt autoremove
```

On the client¶

Unmount the shared directory:
```
sudo umount /home/alice/samba
```
Delete the mount point:
```
rmdir /home/alice/samba
```
Remove fstab entry: If you added the share to /etc/fstab, remove its entry:
```
sudo editor /etc/fstab
```
Locate and delete the line referencing the Samba share, then save and close.
Delete credentials file: If a credentials file was used, remove it:
```
sudo rm /etc/samba/credentials
```
Purge installed Samba client packages: If Samba client tools are no longer needed, uninstall them:
```
sudo apt purge samba-common smbclient cifs-utils
sudo apt autoremove
```