musee:infrastructure:bor:lxc_samba [15/10/2018 20:43] - Page moved from infrastructure:bor:lxc_samba to musee:infrastructure:bor:lxc_samba (pnahoum)
musee:infrastructure:bor:lxc_samba [16/10/2018 01:48] (current version) - Links changed because of a page move (157.55.39.138)
======[Bor] LXC Samba======
The Samba LXC lets us offer a storage service to the associations while isolating that service for better security and compartmentalisation.

===== Overview =====

^ Type | Linux Container (virtual machine) hosted on [[infrastructure:
^ Purpose | GINFO storage service |
^ Services | Association storage |
^ OS | Ubuntu Server 17.04 |
^ LXC name | bor_samba |
^ IP | **10.61.15.24** (BOR DMZ) |
=====Creating the LXC on BOR=====
To create the Linux Container, I invite you to follow the second part of the tutorial available on this page: [[musee:

The only thing to respect when creating the container is the name you give it: **bor_samba**

====Configuring the LXC====
While following the previous tutorial, remember to:

-> assign a static IP to the LXC (see the tutorial [[musee:

-> set it to start automatically at boot of [[infrastructure:

-> [[musee:
=====Configuring the Samba server=====

First of all, become root on the LXC: //**su root**//

L'

Install samba and its dependencies:
$> apt-get install samba
$> apt-get install samba-common-bin

Each association will have access to two folders:

-> Its own personal folder

-> A folder shared by all the associations

We start by creating a group of
$> groupadd associations
Now let's add a user,
$> useradd -m -g associations fablab
//The -m option automatically creates the home directory of the

Next, we link the

$> smbpasswd -a fablab
//
The command will ask you to enter a password (and to confirm it). This is the password the client will use to connect to the Samba server.//

Now we create the folder shared by the //

$> mkdir /

Next we create a Linux user sambaadmin to manage the folders and give it the rights. We also grant rights on the association folder to its owner (i.e. sambaadmin) and to the members of the group (i.e. associations)

$> useradd -m -g associations sambaadmin
$> chown -R sambaadmin:
$> chmod -R 770 /

Now on to the configuration,
$> cd /etc/samba
$> cp /
$> nano smb.conf

Below workgroup we write this:

workgroup = WORKGROUP
security = user
netbios name = SERVEUR-GInfo-BOR
We uncomment the sections we need like this (//i.e.// remove the leading ";") and change //read only// to no:

{{images:

Clients therefore have access to their personal directory under home; all that remains is to configure the shared directories:

At the end of the file, add:

<
path = /
comment = répertoire accessible uniquement pour le groupe associations
valid users = @associations
browseable = yes
read only = no
writable = yes
directory mask = 0770
create mask = 0770
</

The full configuration is available here

<file bash /
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";",
# differs from the default Samba behaviour
# - When commented with "#",
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "
# errors.

#

[global]

## Browsing/

# Change this to the workgroup/



# server string is the equivalent of the NT Description field
server string = Associatif
security = user

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
# wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/
# interface names are normally preferred
;

# Only bind to the named interfaces and/or networks; you must use the
# '
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes



#### Debugging/

# This tells Samba to use a separate log file for each machine
# that connects
log file = /

# Cap the size of the individual log files (in KiB).
max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to '
#

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /
# through syslog you should set the following parameter to something higher.


# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "
# domain controller",
# directory domain controller"
#
# Most people will want "
# Running as "
# running "
# new domain.


# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.


obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<
# sending the correct chat script for the passwd program in Debian Sarge).



# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# '
pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if '
# classic domain controller',
# or '
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba'
# logon path = \\%N\%U\profile

# The following setting only takes effect if '
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U

# The following setting only takes effect if '
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in '
; logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /

# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "
; add machine script

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /

############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
;

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones


#

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
[Homes]



# By default, the home directories are exported read-only. Change the
# next parameter to '
read only = no

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions,


# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions,


# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;
; path = /
; guest ok = yes
; read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;
; path = /
; guest ok = no
;
;
;

[printers]


path = /

guest ok = no
read only = yes


# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]

path = /

read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace '
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin

[Associations]
path = /
comment = repertoire accessible uniquement pour le groupe associations
valid users = @associations
browseable = yes
read only = no
writable = yes
directory mask = 0770
create mask = 0770
</
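With ''map to guest = bad user'', a login with a username that does not exist is treated as a guest login, so any share left with ''guest ok = yes'' becomes reachable without credentials, and a writable share without a ''valid users'' line is open to every Samba account. The audit script below is an added example, not part of the wiki page: it reads an smb.conf-style text and reports such shares. The configuration it parses is constructed here (the ''[public]'' share is a hypothetical misconfiguration; ''[homes]'' and ''[Associations]'' follow the page).

```shell
# Audit an smb.conf for shares that guests can reach, or that are writable
# without a 'valid users' line. Added example; the config below is constructed
# and the [public] share is a hypothetical misconfiguration.
SAMPLE_CONF=$(cat <<'EOF'
[global]
   security = user
   map to guest = bad user
[homes]
   read only = no
   valid users = %S
[Associations]
   path = /srv/associations
   valid users = @associations
   writable = yes
[public]
   path = /srv/public
   guest ok = yes
   read only = no
EOF
)

# audit_smbconf: reads smb.conf text on stdin and prints "<share>: <reason>"
# for every non-global share that is guest-accessible or writable without
# a 'valid users' restriction ('#' and ';' lines are comments).
audit_smbconf() {
    awk '
    function flush() {
        if (share != "" && share != "global") {
            if (guest == "yes") print share ": guest ok = yes (anonymous access)"
            else if (valid == "" && (ro == "no" || wr == "yes"))
                print share ": writable without valid users"
        }
        share = ""; guest = ""; ro = ""; wr = ""; valid = ""
    }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }          # skip blanks and comments
    /^[ \t]*\[/ { flush(); s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s)
                  share = tolower(s); next }       # new [share] section
    {
        n = index($0, "="); key = substr($0, 1, n - 1); val = substr($0, n + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        key = tolower(key); val = tolower(val)
        if (key == "guest ok") guest = val
        else if (key == "read only") ro = val
        else if (key == "writable" || key == "writeable") wr = val
        else if (key == "valid users") valid = val
    }
    END { flush() }'
}

printf '%s\n' "$SAMPLE_CONF" | audit_smbconf   # prints: public: guest ok = yes (anonymous access)
```

Run it against the real file with ''audit_smbconf < /etc/samba/smb.conf'' before restarting smbd; an empty result means every share is either authenticated-only or read-only.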

<note warning>
Finally, restart:

$> service smbd restart

====Adding a user (on the
A folder /
$> useradd -m -g associations utilisateurtest
$> smbpasswd -a utilisateurtest

===== Adding the PhyTV storage =====
So that PhyTV can access its storage (4 TB in RAID 1), we mount their disk in their home folder.
If it has not already been done, we add the
$> sudo useradd -m -g associations phytv
$> sudo smbpasswd -a phytv

Then **we exit the LXC** to format and mount the disk: ''

$> sudo fdisk -l
{{ :

**On BOR**, we note that ''

$> sudo mkfs.btrfs /dev/sdb

Then, **on BOR**, we mount the volume in place of their home folder in the LXC:

$> sudo mount /dev/sdb /

And finally, **on BOR**, we set the right permissions so that the LXC (whose

$> sudo chown 1005:1002 /

Now, if on BOR you type ''

{{ :
PhyTV now has access to its second disk, but the mount has to survive a reboot, so on BOR we look up the disk's UUID:

$> blkid /dev/sdb

Then we add the disk so that it is mounted at boot via ''
Add the following line with the correct UUID:
<file bash Add this line to /
UUID=c613fcb2-789f-462b-acc1-3cd58c2959bb /
</

We **reboot** and, if the disk is mounted correctly, it should show up with the command ''


===== References =====

* [[https://