Advanced file server on Linux. Setting up a Samba file server on CentOS: a file server for a Windows network

Hello Habr!
After the Petya ransomware outbreak on June 27, 2017, I disabled SMB1 (also known as CIFS) and was left with production equipment and network MFPs that cannot work with the “new” versions of the SMB protocol.

How, then, do you receive data from the “old” devices? As practice showed, a separate Windows “machine” is not an option: during the attack, besides the domain “machines,” those not joined to the domain were also damaged. For this reason, and for licensing reasons, I decided to use Linux.

Below the cut is a step-by-step guide to installing and configuring a SAMBA file server on CentOS 7:

- Anonymous access
- Authentication and authorization
- Integration with Active Directory

Installing CentOS 7

The servers run on VMware ESXi, so I installed CentOS 7 1611 on a VM, allocating 1 CPU, 1 GB RAM and 3 GB HDD.

I don’t use LVM, I don’t create a swap partition, I allocate 500 MB for the boot partition and give the rest to the root of the file system. I use ext4 as the file system.

I will not describe the installation process; even if you have never done it, it is not difficult and you will manage. I assume that you have already installed everything, so let’s get started.

If you are new to Linux, make copies of the original config files with the cp command:

cp /etc/somefile.conf /etc/somefile.conf.bak

Obtaining an IP address via DHCP

If for some reason there is no DHCP server on the network, install one: working with a large number of VMs without DHCP is inconvenient.

To force a renewal or obtain an IP address, run the command

dhclient

To show the IP address, use either of

ifconfig
nmcli device show

YUM

CentOS 7 uses the YUM package manager. You can find a cheat sheet for yum.

If Internet access goes through a proxy server, add the proxy address to the configuration file /etc/yum.conf with the vi editor or with the following command

echo proxy=http://your.proxy:8888 >> /etc/yum.conf

If the proxy server requires a login and password, add the following parameters as well:

proxy_username=yum-user
proxy_password=qwerty

Installing agents on the VM to interact with the host server

For VMware ESXi you need to install open-vm-tools

yum install open-vm-tools

For Hyper-V, hyperv-daemons

yum install hyperv-daemons

Installing updates

It is very important to install all available updates

yum update

Midnight Commander

Editing files without a proper editor is very inconvenient, so I suggest using mc and mcedit

yum install mc

Network configuration

To configure a static IP address and host name you can use the nmtui utility.

On the command line, you can list the network adapters with the command

nmcli device status

A static IP and gateway are set with the following command, where “ens192” is the name of the network adapter (on NetworkManager 1.x, as shipped with CentOS 7, the gateway goes into ipv4.gateway rather than into ipv4.addresses):

nmcli connection modify "ens192" ipv4.method manual ipv4.addresses "192.168.1.100/24" ipv4.gateway "192.168.1.1"

Setting up FQDN

Suppose the host’s full name will be ls01.fqdn.com; run the command

hostnamectl set-hostname ls01.fqdn.com

Restart the name service

systemctl restart systemd-hostnamed

You can check the result with the following commands

hostnamectl status
hostname
hostname -s
hostname -f

ipv6

If the IPv6 protocol is not used, it is logical to disable it; to do this, add two parameters to the file /etc/sysctl.conf, either with the following commands or with the mcedit editor

echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf

Apply the sysctl settings and restart the network service

sysctl -p
service network restart

SELINUX

At this stage the SELINUX service must be disabled; you can check its status with the command

sestatus

Change the SELINUX value in the file /etc/selinux/config to SELINUX=disabled, then reboot the server.

reboot

I'll return to SELINUX at the end of the article.

SAMBA

Installation

yum install samba

Add the service to automatic startup

chkconfig smb on

Start the service and check its status

service smb start
smbstatus

firewallD

By default, CentOS 7 uses firewallD; the service status can be checked with the command

firewall-cmd --state

To list the rules and services, use

firewall-cmd --list-all
firewall-cmd --list-services

Pay attention to the list of services; if you have disabled the IPv6 protocol, it is logical to do the same with dhcpv6-client

firewall-cmd --permanent --remove-service=dhcpv6-client

Create a rule for SAMBA and reload the firewall

firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

Anonymous shared resource

Create a folder for the resource /samba/guest

mkdir /samba
mkdir /samba/guest

Change the owner and assign rights

chown nobody:nobody /samba/guest
chmod 777 /samba/guest
Editing the SAMBA configuration file /etc/samba/smb.conf

mcedit /etc/samba/smb.conf

Change the contents of the original file to the following

; the section headers were lost from the page: [global] is mandatory,
; and the share name [guest] is assumed to match its path
[global]
workgroup = WORKGROUP
security = user
map to guest = bad user
min protocol = NT1

[guest]
path = /samba/guest
guest ok = Yes
writable = Yes

Just in case, I specified the minimum protocol version SMB=NT1. If you specify SMB2 or SMB3, clients running Windows XP and below will not be able to access the resources.
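The trade-off above (SMB1 left on for legacy devices, anonymous write on the share) is what a config review should catch. The following is an added example, not code from the article: a small smb.conf parser plus an audit that flags the weak settings discussed here, run against the guide's anonymous-share config (share name [guest] assumed) and against a constructed hardened variant.

```python
"""Audit an smb.conf for the weak settings discussed in this guide (added example)."""
import re

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
WRITABLE_KEYS = ("writable", "writeable")       # smb.conf synonyms
GUEST_KEYS = ("guest ok", "public")             # smb.conf synonyms


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {param: value}}.
    Parameter names are lower-cased with whitespace collapsed, roughly the
    way Samba's loadparm normalises them. Comments start with ';' or '#'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def _yes(value):
    return value.strip().lower() in {"yes", "true", "1"}


def _is_writable(share):
    if any(k in share and _yes(share[k]) for k in WRITABLE_KEYS):
        return True
    return "read only" in share and not _yes(share["read only"])


def audit(text):
    """Return findings as (severity, section, message) tuples."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    # "min protocol" (used in this guide) is the old synonym of "server min protocol"
    min_proto = (g.get("server min protocol") or g.get("min protocol") or "").upper()
    if min_proto in SMB1_DIALECTS:
        findings.append(("HIGH", "global", f"SMB1 dialect {min_proto} accepted"))
    elif not min_proto:
        findings.append(("INFO", "global", "server min protocol unset: SMB1 accepted before Samba 4.11"))
    if not (g.get("hosts allow") or g.get("hosts deny")):
        findings.append(("INFO", "global", "no global hosts allow/deny: every address may connect"))
    for name, share in conf.items():
        if name in ("global", "homes", "printers"):
            continue
        guest = any(k in share and _yes(share[k]) for k in GUEST_KEYS)
        if guest and _is_writable(share):
            findings.append(("HIGH", name, "anonymous write access (guest ok + writable)"))
        for key in ("create mask", "force create mode", "directory mask", "force directory mode"):
            if share.get(key, "").lstrip("0") == "777":
                findings.append(("MEDIUM", name, f"{key} = 777 makes new entries world-writable"))
    return findings


# Constructed sample: the anonymous share from this guide (section name [guest] assumed).
GUIDE_CONF = """
[global]
workgroup = WORKGROUP
security = user
map to guest = bad user
min protocol = NT1

[guest]
path = /samba/guest
guest ok = Yes
writable = Yes
"""

# Constructed hardened variant: SMB2 only, source-restricted, guests read-only,
# writes only for an authenticated user. SMB1-only devices will no longer connect.
HARDENED_CONF = """
[global]
workgroup = WORKGROUP
security = user
map to guest = bad user
server min protocol = SMB2_02
hosts allow = 192.168.1.0/24
hosts deny = ALL

[guest]
path = /samba/guest
guest ok = yes
read only = yes
write list = user1
"""

if __name__ == "__main__":
    for label, conf in (("guide", GUIDE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for sev, sect, msg in audit(conf) or [("OK", "-", "no findings")]:
            print(f"{sev:6} [{sect}] {msg}")
```

The same audit can be pointed at /etc/samba/smb.conf after every change to the server; testparm checks syntax but not these policy choices.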

testparm
service smb restart
smbstatus

Congratulations, you have reached the first level of initiation. A shared resource with anonymous access is configured and will work reliably for a long time. But there are a few more things you can and should configure.

Logs

By default, log files are located in the folder /var/log/samba. If you need detailed logs, add the parameter log level = 2 or 3 to the [global] section. The default value is 1; the value 0 disables logging.

As you may know, sharing files is only part of SAMBA’s functionality. If the server has only file resources, it is logical to disable the print service. In the [global] section, add the following parameters

load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes

The SAMBA configuration is located in the directory /etc/samba, and the logs in the directory /var/log/samba.
It’s more convenient for me to keep all the tools at hand, so I bind-mount the directories I need into /samba.

Create the directories into which everything will be mounted

mkdir /samba/smbconf
mkdir /samba/smblogs

Edit the config file /etc/fstab; I assume you know what fstab is responsible for.

mcedit /etc/fstab

Add the following lines

/etc/samba /samba/smbconf none bind 0 0
/var/log/samba /samba/smblogs none bind 0 0

Mount without rebooting

mount -a

Connecting a drive

Keeping a shared resource on the system disk without a quota is not the best choice. I decided not to bother with quotas; it is easier for me to attach a separate “physical” disk.

To list the block devices you can use the command lsblk

lsblk

Create a partition table on disk /dev/sdb

parted /dev/sdb mklabel msdos

or

parted /dev/sdb mklabel gpt

You can read more detailed information about gpt.

Create a partition spanning the entire sdb disk; in the best traditions of the genre, I decided to leave a 1 MiB gap at the beginning of the disk.

parted /dev/sdb mkpart primary ext4 1MiB 100%

Create an ext4 file system

mkfs.ext4 /dev/sdb1

Editing fstab

mcedit /etc/fstab

Add another line

/dev/sdb1 /samba/guest ext4 defaults 0 0

Mounting

mount -a

Checking the result

df -h

Assignment of rights

chmod 777 /samba/guest

Mounting a disk image

If you do not need large volumes and a resource of xxx MB is enough, you can mount a disk image from a file.

Create a directory for storing images

mkdir /samba/smbimg

Create an image file 100 MB in size

dd if=/dev/zero of=/samba/smbimg/100M.img bs=1M count=100

You can read a lot of interesting things about the dd command.

In the image variant I decided not to create a partition table, just an ext4 file system.

mkfs.ext4 /samba/smbimg/100M.img

Editing fstab

mcedit /etc/fstab

Config for mounting the image (the loop option attaches the regular file through a loop device)

/samba/smbimg/100M.img /samba/guest ext4 defaults,loop 0 0

Mounting

mount -a

Checking the result

df -h

Assignment of rights

chmod 777 /samba/guest

Connecting a RAM disk

For temporary resources that do not need a large volume, a RAM disk seems to me the best option: it is very quick and easy to set up, and its speed is amazing.

Editing fstab

mcedit /etc/fstab

Config for the RAM disk

none /samba/guest tmpfs defaults,size=100M 0 0

Mounting

mount -a

Checking the result

df -h

Deleting old files

If the share is used as a dump location, space must be freed somehow; the crontab task scheduler can be used for this.

View the tasks

crontab -l

Edit the tasks

crontab -e

Example config:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=""
HOME=/

# delete files and directories every hour (at minute 0)
0 * * * * rm -R /samba/guest/*

# delete only files older than 1 day, run the command every 10 minutes
*/10 * * * * find /samba/guest -mindepth 1 -type f -mtime +1 -exec rm -f {} \;

# delete files older than 50 minutes, run the command every 10 minutes
*/10 * * * * find /samba/guest -mindepth 1 -type f -mmin +50 -exec rm -f {} \;

Exit vi

:wq

The crontab service logs are in the file /var/log/cron

Restricting access to SAMBA by IP addresses

If you need to restrict access to all SAMBA resources, add your access lists to the [global] section; if only to a specific resource, to that resource’s section.

Example:

[global]
hosts allow = 192.168.1.100, 192.168.1.101
hosts deny = ALL

; share section name assumed; the original header was lost from the page
[guest]
hosts allow = 192.168.0.0/255.255.0.0
hosts deny = 10. EXCEPT 10.1.1.1
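How Samba decides between the two lists is easy to get wrong: a deny list that is not ALL still lets through every address on neither list. The following is an added example, not code from the article: an evaluator for hosts allow / hosts deny entries (ALL, exact address, trailing-dot prefix, net/mask, EXCEPT) following the decision order of Samba's access check as I read it; host names and netgroups are left out, and the sample addresses are constructed.

```python
"""Evaluate Samba 'hosts allow' / 'hosts deny' lists for a client address (added example)."""
import ipaddress


def parse_host_list(value):
    """Samba splits the list on commas and whitespace."""
    return [t for t in value.replace(",", " ").split() if t]


def _token_matches(token, addr):
    """One list entry against an IPv4 client address. Supported forms: ALL,
    exact address, trailing-dot prefix ("10."), net/netmask and net/prefixlen.
    Host names and netgroups are not resolved in this constructed demo."""
    if token.upper() == "ALL":
        return True
    if token.endswith("."):
        return addr.startswith(token)
    if "/" in token:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
    return addr == token


def list_matches(tokens, addr):
    """Match anything before EXCEPT and nothing after it (tcp_wrappers semantics)."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return list_matches(tokens[:i], addr) and not list_matches(tokens[i + 1:], addr)
    return any(_token_matches(t, addr) for t in tokens)


def host_allowed(addr, hosts_allow="", hosts_deny=""):
    """Decision order as in Samba's access check (lib/util/access.c, my reading):
    loopback is allowed unless explicitly denied; with only one list that list
    decides; with both, an allow match wins, then a deny match, then the host
    is allowed because it is on neither list."""
    allow, deny = parse_host_list(hosts_allow), parse_host_list(hosts_deny)
    if addr == "127.0.0.1":
        return not (deny and list_matches(deny, addr))
    if not allow and not deny:
        return True
    if not deny:
        return list_matches(allow, addr)
    if not allow:
        return not list_matches(deny, addr)
    if list_matches(allow, addr):
        return True
    if list_matches(deny, addr):
        return False
    return True


# The two examples from the guide, as (hosts allow, hosts deny) pairs.
GLOBAL_RULE = ("192.168.1.100, 192.168.1.101", "ALL")
SHARE_RULE = ("192.168.0.0/255.255.0.0", "10. EXCEPT 10.1.1.1")


def decisions(rule, addrs):
    """Map each probe address to True (allowed) or False (denied) under a rule."""
    allow, deny = rule
    return {a: host_allowed(a, allow, deny) for a in addrs}


if __name__ == "__main__":
    probes = ["192.168.1.100", "192.168.1.102", "10.1.1.1", "10.2.2.2", "172.16.0.1"]
    for name, rule in (("global", GLOBAL_RULE), ("share", SHARE_RULE)):
        print(name, decisions(rule, probes))
```

Under the share rule 172.16.0.1 is admitted because it is on neither list, and 10.1.1.1 is admitted through the EXCEPT clause; only the first rule's hosts deny = ALL gives a true allow-list.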

User Authentication and Authorization

Restricting access by IP address is not always convenient or possible; then you can use logins and passwords.

First create a local user on the system

adduser user1

If the user will work only with SAMBA resources, there is no need to set a system password. The system password and the SAMBA password are stored in different files and may differ.

Then add the system user to the samba users and give him a password

smbpasswd -a user1

By default, passwords are stored in a tdb file located in the /var/lib/samba/private/ directory.

You can change the file location with the global parameter passdb backend

[global]
passdb backend = tdbsam:/etc/samba/smbpassdb.tdb

tdb files were created to replace the “legacy” text files; if you want to use text files, set passdb backend = smbpasswd in the [global] section

passdb backend = smbpasswd:/etc/samba/smbpasswd

Then specify the lists of users and groups allowed to access the resources

; share section name assumed; the original header was lost from the page
[guest]
path = /samba/guest
writable = no
read list = user1, @group2
write list = user2, user3

Active Directory Integration

It is also possible to obtain user information from LDAP, but that option does not interest me, so I go straight to AD. Detailed instructions from Microsoft are available.

Time synchronization is very important for AD, so it's worth starting with this.

Install the appropriate service

yum install ntp

Add the servers acting as domain controllers to the config file /etc/ntp.conf

mcedit /etc/ntp.conf

Example:

server 192.168.1.10
server 192.168.1.20
server someserver.contoso.com

Add the ntp service to automatic startup

chkconfig ntpd on

Start the service

service ntpd start

Check time synchronization

ntpq -p

winbind

To obtain user information from AD, you need to install the package samba-winbind

yum install samba-winbind

Add the service to automatic startup

chkconfig winbind on

Start the service

service winbind start

Adding a host to AD

Let me remind you that at the beginning of this guide we set the host name ls01.fqdn.com. We will assume that the full domain name is fqdn.com and its short (NetBIOS) name is fqdn_com.

To enter all the necessary parameters into the configuration files, you can use the authconfig-tui utility: tick the Use Winbind checkbox, then go to the next window.

Select the ADS security model and enter your domain names. In the domain controller field enter “*”; this is needed to search automatically for an available domain controller. Then click OK and close the utility.

To add the host to AD use the command net ads join -U %username%; the user must have permission to create computer accounts in the domain

net ads join -U youruser

If the machine is not being added to the domain, add the FQDN hostname to the file /etc/hosts.
I checked everything several times, and I made changes to the hosts file when, at the network setup stage, I had specified an incomplete host name.

To remove the host from the domain, use the command net ads leave -U %username%

What does the authconfig-tui utility do?

The utility adds parameters for connecting to AD to the following files; there are not many parameters and, if desired, you can enter everything manually.

/etc/krb5.conf

[libdefaults]
default_realm = FQDN.COM

[realms]
FQDN.COM = {
kdc = *
}

/etc/nsswitch.conf

passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind

/etc/samba/smb.conf

[global]
workgroup = FQDN_COM
password server = *
realm = FQDN.COM
security = ads
idmap config *: range = 16777216-33554431
template shell = /sbin/nologin
kerberos method = secrets only
winbind use default domain = false
winbind offline logon = false

You may have noticed that this utility enters noticeably fewer parameters than the Microsoft instructions or other guides, but if it works like this, then why not?

From the Microsoft instructions I add the following parameters to the config

[global]
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no

Setting access rights to a resource

As an example and for clarity, I recommend setting up shares with different rights for one folder

; share section names assumed; the original headers were lost from the page
[public]
path = /samba/guest
force create mode = 777
directory mask = 777

[domain]
path = /samba/guest
read list = "@fqdn_com\domain users"
write list = "@fqdn_com\domain users"
force create mode = 777
directory mask = 777


Restart the samba service

service smb restart

Check

smbstatus

The screenshot shows a domain user located in one of the public folders.


Samba is software for file exchange and shared resources between computers running Linux/Unix and Windows. Samba consists of a client part and a server part. The client part lets you access Windows network folders and resources, and the server part, in turn, shares an Ubuntu folder with other machines, including Windows ones.

This short guide covers the simplest setup of Samba on Ubuntu 18.04, as well as how to share an Ubuntu folder with several privilege levels.

We will create three shared folders with different permission levels: one with anonymous access, one for users belonging to a specific group, and one for a specific user only.

Both Linux and Windows machines can access shared folders in Ubuntu, using any program running over the SMB protocol.

For everything to work correctly, all machines must be in the same workgroup, the one specified on the Samba server. By default, for Windows, Linux and MacOS the workgroup is called Workgroup. To find out which workgroup your Windows uses, open the command line (Win+R, then cmd) and run the following command:

net config workstation

The parameter we need is in the line Workstation domain. This is the workgroup.

Now, if a computer with a Samba server on your network has a permanent IP address, it is advisable to enter it in the hosts file. To do this, run the command line as an administrator:

And run the command:

notepad C:\Windows\System32\drivers\etc\hosts

In the file that opens, add a line with the IP address of the computer on which Samba will be installed:

192.168.0.1 srvr1.domain.com srvr1

Now you can move on to the question of how to share the Ubuntu folder.

Setting up Samba on Ubuntu 16.04

Let's start, as usual, with installation. Installing Samba Ubuntu along with all the necessary components is done with the command:

sudo apt-get install -y samba samba-common python-glade2 system-config-samba

Once everything is installed, you can proceed to configuration. First, create a backup of your original Samba configuration file:

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

After creating the backup, create your configuration file with this command:

sudo vi /etc/samba/smb.conf

First, let's specify the global file server settings. To do this, insert the following lines into the file:

[global]
workgroup = WORKGROUP

netbios name = Ubuntu Share
dns proxy = no

max log size = 1000
passdb backend = tdbsam
unix password sync = yes

pam password change = yes
map to guest = bad user
usershare allow guests = yes

Let's take a closer look at what these lines mean.

  • workgroup - the workgroup; as already mentioned, it should be the same on all machines;
  • netbios name - the computer name that will be displayed in Windows;
  • log file - the path of the file where error messages and other information will be stored;
  • security - perform user-level authentication by default;
  • name resolve order - the order of resolving IP addresses from NetBIOS names. bcast means sending a broadcast request to the local network. If all the computers that are meant to interact are on the same network, this option is optimal;
  • passdb backend - the method of storing user passwords;
  • unix password sync - synchronization of samba user passwords with local Unix passwords;
  • map to guest - indicates when a user will be granted guest access. Three values are available: never (never), bad user (when such a user does not exist), bad password (when the password is entered incorrectly).

When you complete creating the configuration file, we move on to the question of how to share the Ubuntu folder for Windows.

Ubuntu Folder Sharing

First, let's create a shared folder accessible to everyone. That is, with anonymous access, without samba authorization.

Create a folder to which we will share access, for example:

sudo mkdir -p /samba/allaccess

After the folder is created, you need to set the correct access rights for it. The following commands allow access to the folder to everyone and make the owner nobody:

cd /samba
sudo chmod -R 0755 allaccess
sudo chown -R nobody:nogroup allaccess/

The next step is to describe the allaccess folder in the samba configuration file:

[allaccess]
path = /samba/allaccess
browsable = yes
writable = yes
guest ok = yes
read only = no

Your configuration file should now look like this:

[global]
workgroup = WORKGROUP
server string = %h server (Samba, Ubuntu)
netbios name = Ubuntu Share
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/bin/passwd %u
pam password change = yes
map to guest = bad user
usershare allow guests = yes
#==============
[allaccess]
path = /samba/allaccess
browsable = yes
writable = yes
guest ok = yes
read only = no

Let's take a closer look at the options that were used here:

  • path - the path to the folder to be shared;
  • browsable - whether the folder is displayed in the list of available shares;
  • writable - whether the folder is writable;
  • read only - the folder is read-only;
  • guest ok, public - whether guest access is allowed;
  • only guest - if set to yes, the folder is accessible only to guests;
  • hosts allow - IP addresses from which this server may be accessed;
  • valid users - by default all users can log in; if you pass a list of users in this parameter, only they can log in;
  • create mask - the rights mask for created files.

To apply the changes, restart the Samba server:

sudo systemctl restart samba

Setting up Samba on Ubuntu 16.04 for anonymous access is complete. Now check the availability of the allaccess shared folder from Windows: press Win+R and run:

\\srvr1\allaccess

You will see our folder. If you don't see it, check your configuration again. The folder can be accessed without samba authorization. Setting up Samba shares with access without authorization is complete.

You can also connect to this server from Linux using Nautilus; just type the address smb://ip-server, in the section other places:

Secure Folder Sharing Ubuntu

To share an Ubuntu folder for Windows to which only users of a certain group have access, we create a separate folder and describe it in the Samba configuration file on Ubuntu.

First we create a folder:

sudo mkdir -p /samba/allaccess/secured

Create a group:

sudo addgroup securedgroup

Setting up rights:

cd /samba/allaccess
sudo chown -R richard:securedgroup secured
sudo chmod -R 0770 secured/

The last step is to add the settings to the samba configuration file:

sudo vi /etc/samba/smb.conf

[secured]
path = /samba/allaccess/secured
valid users = @securedgroup
guest ok = no
writable = yes
browsable = yes

Restart the Samba server. Now only users of the securedgroup group can access the shared folder in Ubuntu.

To check how this works, let's add the user richard to our group:

sudo usermod -a -G securedgroup richard

Deploying a file server for Windows machines on Ubuntu is quite simple. Typically, such a server is used to organize file storage within an Active Directory domain.

At the same time, you can easily create file servers on a domainless network, including for home use.

In any case, use Samba - install it using the Synaptic package manager or the following command:

sudo apt-get install samba

File server as part of an Active Directory domain

To create a file server integrated into an Active Directory domain, you first need to join your Ubuntu machine to the domain.

To create a file server, you do not need to configure PAM; you just need to add domain users and groups via Winbind to the system.

After joining the domain, configure the shared resources on your computer. Note that Samba maps Windows file permissions onto Unix permissions, but fundamental differences between the two permission mechanisms mean the mapping will likely be incomplete. File rights are always managed by the file system on the Ubuntu computer, and Samba can only adapt to them, not change their behaviour.

So by default, shared resources will have modest access-control capabilities: different rights for the owner, the group and everyone else. But you can easily fix this by adding POSIX ACL support to the file system. Then you can assign different rights to different users and groups, much like in Windows.

POSIX ACL support can be found in ext3/4, and to activate it you only need to add the acl parameter to the mount options of the desired partition.

Important! The directory that needs to be shared via Samba must be on a disk mounted with the acl option. Otherwise, it will be impossible to properly apply the mechanism for delimiting access rights to files on the shares.

Another thing to keep in mind is that POSIX ACLs do not support inheritance of access rights from parent directories, while Windows does have this feature. So Samba has an additional mechanism for storing permission inheritance information using extended file system attributes. In order for Samba to correctly handle inheritance of rights, in addition to acl, add the user_xattr parameter to the file system mounting options, which is responsible for enabling support for extended attributes.

For example, it is convenient to use separate LVM disks to organize shared resources. In this case, the lines in fstab for them look like this:

/dev/mapper/data-profiles /var/data/profiles ext3 defaults,noexec,acl,user_xattr 0 2

The noexec option is needed to be on the safe side: there should be 100% no Linux executable files on Windows shares.

Install the package of utilities for working with ACLs on Ubuntu:

sudo aptitude install acl

Now you can view the extended rights (i.e. the ACL) on a file or directory with the following command:

getfacl file

And set them with setfacl; for example, granting a user read, write and execute (the user name is a placeholder):

setfacl -m u:username:rwx file


Don't forget that the POSIX ACL mechanism has nothing to do with Samba - it's just an add-on to the standard Linux permissions mechanism. So Samba can use it, but cannot change or bypass it in any way.

To work with extended FS attributes, a utility package similar to acl is useful: attr. Install it with the following command:

sudo aptitude install attr

To view extended attributes, use the command:

getfattr -d file

And to set or remove them, use setfattr (-n/-v sets an attribute, -x removes one); for example, removing an attribute:

setfattr -x user.SAMBA_PAI file


Remember that Samba stores all inheritance information in binary form in a single extended attribute, user.SAMBA_PAI. So changing it with setfattr will not work; only complete removal of the extended attribute is possible (in some cases this becomes necessary).

It is possible to control the inheritance of rights from a Windows machine using the standard tools of this system, or the smbcacls utility.

Extended file system attributes allow Samba to enable full support for DOS file attributes (for example, hidden, archive, etc.).

If your system has a directory that needs to be shared via Samba (and it is located on a disk mounted with acl and user_xattr support), configure its sharing - enter the necessary information in the /etc/samba/smb.conf file.

First of all, take care of the general settings added to the [global] section of this file:

[global]
# Disable printer sharing. Unless, of course, you really want to share them.
# To disable it completely you need to specify all 4 lines below
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
# Hide files with the following names when viewed from Windows
hide files = /$RECYCLE.BIN/desktop.ini/lost+found/Thumbs.db/
# Use the following UNIX user as Guest for the public share
guest account = nobody
# Treat unregistered users as guest
map to guest = Bad User
## Settings that use extended file system attributes
# Handle inheritance of rights using extended FS attributes
map acl inherit = yes
# Use extended FS attributes to store DOS attributes
store dos attributes = yes
# Disable mapping of DOS attributes onto UNIX rights, enabled by default
# According to man smb.conf, when using extended attributes these options must be disabled
map archive = no
map system = no
map hidden = no
map readonly = no


Then configure the shared resource itself. In the example it is called profiles, and physically on the Ubuntu machine it is located at /var/data/profiles:

[profiles]
# Comment
comment = User Profiles
# Path to the folder we are sharing
path = /var/data/profiles/
# Users with unlimited access rights to the share
# I have the Domain Administrators group.
# These users are treated as local root when working with files
admin users = "@DOMAIN\Domain Administrators"
# Hide folders that the user does not have access to
hide unreadable = yes
# Access is not read only
read only = no
# Masks for created files - can be set as desired
#create mask = 0600
#directory mask = 0700
# Disabling locks - it's better to disable them
locking = no


There are a number of other options - all detailed information is in the Samba documentation.

Be sure to set the correct owner and access rights on the shared folder, otherwise writing to it may be forbidden at the Linux permission level. You can do this as follows:

sudo chmod ug+rwx /var/data/profiles
sudo chown root:"domain users" /var/data/profiles

Attention! Since your Ubuntu machine is joined to a domain, you can use domain users and groups as file owners directly in Ubuntu.

Check that Samba is configured correctly with the following command:

sudo /etc/init.d/samba restart


Now you can access the share from any machine in the domain. But don’t forget the SGID and sticky bits on directories, designed to inherit the owning group and prevent users from deleting files that are not theirs; this is especially relevant for multi-user storage. Unlike editing rights from Windows, these bits cannot be changed on the folders of a share remotely, only manually, directly on the Ubuntu computer.

Samba allows you to store previous versions of files, which can be useful when creating shares with user data.

Standalone file server

Not everyone has an Active Directory domain. Therefore there is often a need to organize standalone file storage on a Linux machine with its own authorization system. It is not difficult.

In this case, all information about users will be stored in the Samba database, and users will have to be added and deleted manually.

The main thing is to decide on the access method for the resource. You should set the value of the security parameter correctly in the [global] section of the /etc/samba/smb.conf file.

The default value is share or user.

And do not forget to change the value of the workgroup parameter to the appropriate one, and all other settings will directly depend on specific goals.

At home it is convenient when everyone can see everyone. To do this, simply add 4 lines to the [global] section of the /etc/samba/smb.conf file (some may already be present):

[global]
workgroup = WORKGROUP
map to guest = Bad User
netbios name = NOTEBOOK
security = user


NOTEBOOK is the name the computer will have on the network. Also install additional programs:

share

Then add the following lines to the end of the /etc/samba/smb.conf file, replacing “yuraku1504” with the username on the Samba computer:

[MyShareWork]
comment = Anonymous Samba Share
path = /home/yuraku1504/share
guest ok = yes
browsable = yes
writable = yes
read only = no
force user = yuraku1504
force group = yuraku1504

The folder will be opened for reading and writing.

When creating a file server, the question of choosing an operating system inevitably arises. There is something to think about here: spend money on Windows Server, or look at free Linux and BSD? In the second case you will still have to choose a file system, of which Linux has quite a few. It is impossible to give a definite answer to these questions; comprehensive testing is needed, which we conducted in our test laboratory.

How we tested

It is impossible to embrace the immensity, and so it is in our case: it is not possible to test every file server option. Therefore we decided to limit ourselves to the most common ones. For Windows Server these are versions 2003 and 2008 R2, since the former is still widely used and the latter is interesting for its technical innovations, in particular support for the SMB2 protocol and the NTFS file system.

For the Linux platform, Ubuntu 10.04 LTS was chosen. After conducting a series of additional tests, we found that the performance of file servers is practically independent of the Linux distribution, while at the same time there is a certain dependence on the version of Samba (in our case, 3.4.7). From the variety of file systems, we chose the most common and popular: ext3, ext4, reiserfs, XFS, JFS. The FreeNAS distribution was also tested, as a representative of the BSD family (built on the basis of FreeBSD 7.2) with UFS.

Windows 7 32-bit was used as the client. We must immediately disappoint XP fans: like it or not, Windows 7 will become the default corporate OS in the coming years.

Two PCs were used as the test platform (Core2 Duo E8400, P45, 2 GB PC2-8500), connected by a gigabit network. One had Windows 7 installed; the second had the server OS installed and an additional 750 GB Western Digital RE3 hard drive attached, used exclusively for testing. This disk was formatted with the desired file system and configured as a shared resource.

Testing was carried out with the Intel NASPT 1.0.7 package; you can learn more about the tests it includes. For each configuration we performed 5 test runs, using the average as the final result.

File operations

Working with files

In write operations, Windows Server is confidently in the lead, more than twice as fast as Linux; in read operations, the gap between Linux and Windows Server 2003 is practically narrowing, but Windows Server 2008 R2 holds high positions, significantly ahead of both Linux and Windows Server 2003.

Among the Linux file systems, when working with large files reiserfs unexpectedly takes the lead; ext4 showed rather poor results on writes, and ext3 on reads. JFS is the underdog of the test and has problems writing large files, producing unacceptably low scores. FreeNAS showed a very modest result, at the lower bound of the Linux systems.

Working with folders

When working with a large number of small files distributed in folders of varying degrees of nesting, the result is more uniform. Windows systems are again in the lead, although not by such an impressive margin. SMB2 makes itself felt here too, making Windows Server 2008 R2 the undisputed leader with a 40% advantage over Linux.

In Linux, the results are quite even, reiserfs and JFS are slightly in the lead for writing, there is no clear leader for reading, JFS is a clear outsider. FreeNAS has comparable results, being slightly ahead on reads and slightly behind on writes.

Working with applications

So, the absolute leader today is Windows Server 2008 R2; the SMB2 protocol shows a significant advantage, leaving no chance for competitors. If you are faced with the task of creating a high-performance file server to work in a modern infrastructure, then there is no choice as such. The new server OS from Microsoft will certainly be worth the money spent on it.

Windows Server 2003 takes second place in the overall ranking with 76.31%; given that in some tasks it showed rather low results and only a small gap (10-15%) from Linux solutions, deploying new servers under this OS does not seem advisable. The same should be taken into account when legalizing software; in this case it is advisable to upgrade to Windows Server 2008 R2 or switch to a Linux solution.

Among Linux solutions, with the exception of JFS, the result is quite uniform, with XFS and reiserfs ahead by a small margin (3-5%). JFS is a clear outsider and is categorically not recommended for use. Solutions based on FreeBSD also cannot be recommended for serious use; they are inferior to Linux by 10-15%, not to mention the much more serious lag behind Windows systems.

We hope that our testing will help you make the right decision in choosing the operating and file systems for your file server.

One of the most common uses of servers in general is file storage. Such storage may contain backup copies of user files and databases, and it is also used to hold information that needs to be shared among the employees of a company or of a certain department. This material covers setting up a Samba server.

Samba is the most popular software package for creating file storage: SMB/CIFS storage that allows you to organize a file server which clients on both Linux and Windows machines can access.

NFS (Network File System) is also applicable, as is iSCSI storage based on data blocks (partitions, LVM volumes) that are accessed remotely. iSCSI “exports” not the file system but the device itself; you can work with it remotely as with a local disk.

This article will look at an example of building a file storage using Samba.

Setting up a Samba server on Ubuntu

Samba is widely used precisely because of its ability to work with clients using different operating systems. It can be integrated with Active Directory, which, however, is not common practice.

The file server that will be configured is designed to serve 30-50 clients.

Two basic configurations will be set up in sequence: a file storage to which all users of the organization have access (a “file dump”) and a storage with certain access restrictions.

We read the package description and check the dependencies:

apt-cache show samba | less

If a 404 error occurs during the installation process, this means that some files necessary for a correct installation were not found in the repositories.

We update the repository lists (adding the necessary repositories in advance, if needed) and install the package; && means that the second part of the command is executed only if the first one succeeds.

apt-get update && apt-get install samba

workgroup = remote-tech-support

We bring the value of the workgroup parameter in line with the recommendations contained in the commented-out lines of the config, i.e. we specify our domain; setting this parameter, by the way, is not at all necessary.

The package will work with the default options, but to ensure a minimum level of security one value needs to be adjusted:

Remove the comment mark before the parameter

security = user

Setting up a basic file server configuration

For now Samba's task is minimal: to let users exchange files freely.

Go to the bottom of the config and add a share:

[Public share]
read only = no
path = /mnt/fileserver
guest ok = no

The main directives are the share name (the section header), the access level and the path to the directory to which shared access is provided.

read only determines whether users can write to files in the share.

Restarting the service

/etc/init.d/smbd restart

Create a directory for the file server

Now create a logical volume of 10 GB, named samba, in the vg0 volume group

lvcreate -L 10G -n samba vg0

Add to fstab so that the volume is mounted every time the computer is rebooted

/dev/vg0/samba /mnt/fileserver ext4 defaults 0 0

Update the information about mounted devices

Check whether the share is visible in the file system

Passwords for accessing the file server

User passwords for working with smbd differ from system user passwords (which are set in /etc/passwd).

Passwords for working with Samba are set using the smbpasswd command

Create test directories

We see that the owner of TestA is student

TestB owner is root

The goal now is to allow all users to write information to files in both directories.

We create a new group, fileserver, and add the student user to it

adduser student fileserver

We see that the test directories have the owner group root.

Removing directories

We set the set-group-ID bit on the share directory.

chgrp fileserver fileserver/

chmod g+rws fileserver/

Due to +s (the set-group-ID bit), ownership rights will be inherited by all files created within the shared directory.

Check that the fileserver group is listed

We add a line to the config so that all users accessing the share are, for the duration of the connection, treated as members of the fileserver group

mcedit /etc/samba/smb.conf

[Public share]
comment = Everybody can use that share
read only = no
path = /mnt/fileserver
guest ok = no
force group = fileserver
force create mode = 666
force directory mode = 777

Open another terminal (ALT+F2) and log in as user student

Let's create files whose owner will be student

drwxr-sr-x student fileserver TestA
drwxr-sr-x student fileserver TestB

The owner of the directories is student, the owner group is fileserver. The setgid bit set earlier is present.
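As an added example (not code from the original article), the following shell script reproduces the same setgid setup on a temporary directory and checks the result: the share root gets the group and mode 2775 (the equivalent of chgrp plus chmod g+rws above), a subdirectory and a file created inside it inherit the group, and a small audit lists anything under the tree whose group does not match. The demo group, paths and file names are constructed for the demo; on a real server you would point it at /mnt/fileserver and the fileserver group. Note that force group in smb.conf only affects files created through Samba from then on, so the audit is what finds files that predate the setgid bit or were copied in locally.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce the setgid
# share-directory setup on a temporary directory and verify group inheritance.
set -u

# Group used for the demo (constructed choice): "daemon" when running as root,
# otherwise a supplementary group of the current user, else the primary group.
pick_demo_group() {
  if [ "$(id -u)" = "0" ]; then echo daemon; return; fi
  primary=$(id -gn)
  for g in $(id -Gn); do
    if [ "$g" != "$primary" ]; then echo "$g"; return; fi
  done
  echo "$primary"
}

# Same effect as the article's "chgrp fileserver fileserver/" followed by
# "chmod g+rws fileserver/": group-owned, group-writable, setgid (mode 2775).
setup_share_dir() {     # $1 dir, $2 group
  mkdir -p "$1" && chgrp "$2" "$1" && chmod 2775 "$1"
}

# Permission string as ls -ld shows it; the "s" in the group-execute
# position is the setgid bit (drwxrwsr-x for a 2775 directory).
mode_string() { ls -ld "$1" | cut -c1-10; }

# Owning group of a path, from the fourth column of ls -ld.
group_of() { ls -ld "$1" | awk '{ print $4 }'; }

# List entries under $1 whose group is not $2: files created before the
# setgid bit was set, or copied in with another group, which the
# "force group" share setting will not retroactively fix.
find_group_mismatch() { # $1 dir, $2 expected group
  find "$1" -mindepth 1 -exec ls -ld {} \; | awk -v want="$2" '$4 != want { print }'
}

count_group_mismatch() { find_group_mismatch "$1" "$2" | wc -l | tr -d ' '; }

# Demo run on a scratch tree laid out like /mnt/fileserver/TestA.
DEMO_GROUP=$(pick_demo_group)
DEMO_ROOT=$(mktemp -d)
DEMO_DIR="$DEMO_ROOT/fileserver"
setup_share_dir "$DEMO_DIR" "$DEMO_GROUP"
mkdir "$DEMO_DIR/TestA"
: > "$DEMO_DIR/TestA/report.txt"
echo "share dir mode: $(mode_string "$DEMO_DIR")"                   # drwxrwsr-x
echo "group of new subdir: $(group_of "$DEMO_DIR/TestA")"           # same as DEMO_GROUP
echo "group of new file: $(group_of "$DEMO_DIR/TestA/report.txt")"  # same as DEMO_GROUP
echo "entries with a foreign group: $(count_group_mismatch "$DEMO_DIR" "$DEMO_GROUP")"  # 0
```

The inheritance works at the filesystem level, so it also applies to files that members of the group create locally over SSH, not only through Samba; that is why the article can rely on the bit rather than on Samba settings alone.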

We turn on a Windows PC located on the same subnet. Log in using the student user details.

At the command line, type //server01 (or any other name previously given to the server)
We see the Public share directory, which contains the TestA and TestB directories

We create a text document in Public share and make sure that no errors occur.
We look at the properties of TestB and see that the owner of the directory is root and the group is fileserver. For TestA they are student and fileserver respectively.

In TestA you can create and edit any files; TestB can be viewed through the fileserver group, but you cannot create or edit files there.

User or group write rights are sufficient. There is no need to use both user and group for the same directory.

Setting up a more secure configuration and differentiating rights

Now we will change the Samba configuration by providing each user with a directory for storing personal information

mcedit /etc/samba/smb.conf

remove the comment marks from the lines belonging to the [homes] section. After restarting Samba, upon authorization each user will see a directory whose name coincides with the user name; personal data can be stored in this directory, to which only the user who owns it (and root) will have access.

We set the value of the read only parameter in the [homes] section to no, and also edit the values of the other parameters:

read only = no
create mask = 0700
directory mask = 0700
valid users = %S

/etc/init.d/samba reload

Let's go to Windows. The list of shared directories needs to be refreshed because the OS caches this data. One way is to go directly to the user directory: type \\server01 in the command line, then \\server01\student in the address field.

We find ourselves in the user's home directory, where we can create files and directories. We create a directory.

Back to Linux. We look at the rights and see that the owner and group of the owner are student

[Accounting]
comment = Share for accounting department
read only = no
path = /mnt/fileserver/Accounting
guest ok = no
force group = +accounting
force create mode = 660
force directory mode = 770

Here we add security with +accounting: unlike the configuration set up earlier, users are not added to the group; the group is only used to gain access to the share. The modes set here prevent users who are not members of the owning group from even reading files created via Samba.

Accordingly, in order for a user to be assigned the rights of the accounting user group, he must already be a member of it.

[IT]
comment = IT department
read only = no
path = /mnt/fileserver/IT
guest ok = no
force group = +IT
force create mode = 660
force directory mode = 770

Create directories:

mkdir /mnt/fileserver/Accounting

mkdir /mnt/fileserver/IT

Add groups and an existing user to one of the groups. All user and group names in Linux are case sensitive.

Re-read the configuration

Set the owner and group of the directories:

chown root.fileserver fileserver

chown root.accounting Accounting

Checking whether directory ownership is configured correctly

Removing test directories:

We return to Windows. Since student is a member of the IT group, he should only have access to the directory related to the IT department. He must not have access to other directories (he can view the contents of the Accounting directory, but cannot create or edit files). Let us make sure that this is indeed the case.

Let's configure the last scenario: a group with limited access.

adduser student internet_dev

chown www-data.internet_dev internet/

mcedit /etc/samba/smb.conf

[internet]
comment = IT department
read only = no
path = /var/www/internet
guest ok = no
valid users = @internet_dev
force group = internet_dev
force create mode = 664
force directory mode = 775

The valid users value here requires users to be members of the internet_dev group; a list of individual users can also be specified here.
The other modes are chosen because not only users but also, in this case, Apache will work with the /var/www/internet directory.
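The share definitions above (Public share, Accounting, IT, internet) each rely on a handful of settings for their security: guest ok, valid users, force group and the forced modes. As an added example that is not part of the original article, the following shell script audits an smb.conf for the settings worth revisiting and prints one finding per line. The configuration it audits is constructed to resemble the shares in this article, plus an extra [scans] share with guest access enabled so that check fires; the parsing is done in awk so the script runs without Samba installed (where Samba is present, testparm is the project's own syntax checker).

```shell
#!/bin/sh
# Added example, not from the original article: audit smb.conf share
# definitions for settings a file-server operator should revisit.
set -u

# Print one finding per line for the smb.conf given as $1.
audit_smb_conf() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # true when the other-write bit is set in an octal mode (666, 0777, ...)
    function world_writable(m,   d) { d = substr(m, length(m), 1); return index("2367", d) > 0 }
    function report(   writable) {
      if (sec == "") return
      if (tolower(sec) == "global") {
        if (kv["security"] == "share")
          print "[global]: security = share is obsolete and insecure; use security = user"
        if (!("server min protocol" in kv) || kv["server min protocol"] == "nt1")
          print "[global]: SMB1 (NT1) may still be accepted; set server min protocol = SMB2 (the default only changed in Samba 4.11)"
      } else {
        if (kv["guest ok"] == "yes")
          print "[" sec "]: guest ok = yes allows access without a password"
        if (("force create mode" in kv) && world_writable(kv["force create mode"]))
          print "[" sec "]: force create mode " kv["force create mode"] " makes new files world-writable on disk"
        if (("force directory mode" in kv) && world_writable(kv["force directory mode"]))
          print "[" sec "]: force directory mode " kv["force directory mode"] " makes new directories world-writable on disk"
        writable = (kv["read only"] == "no" || kv["writable"] == "yes" || kv["writeable"] == "yes")
        if (writable && !("valid users" in kv) && !("write list" in kv))
          print "[" sec "]: writable share without valid users / write list; only filesystem permissions limit writes"
      }
      for (k in kv) delete kv[k]
      sec = ""
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }                 # comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                             # section header: flush the previous one
      report(); sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next
    }
    index($0, "=") > 0 {
      key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
      val = tolower(trim(substr($0, index($0, "=") + 1)))
      gsub(/[ \t]+/, " ", key)                           # normalise spacing in key names
      kv[key] = val
    }
    END { report() }
  ' "$1"
}

count_findings() { audit_smb_conf "$1" | wc -l | tr -d ' '; }

# Constructed sample, modelled on the shares in this article plus a guest share.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = remote-tech-support
   security = user

[Public share]
   comment = Everybody can use that share
   read only = no
   path = /mnt/fileserver
   guest ok = no
   force group = fileserver
   force create mode = 666
   force directory mode = 777

[Accounting]
   read only = no
   path = /mnt/fileserver/Accounting
   guest ok = no
   force group = +accounting
   force create mode = 660
   force directory mode = 770

[internet]
   read only = no
   path = /var/www/internet
   guest ok = no
   valid users = @internet_dev
   force group = internet_dev
   force create mode = 664
   force directory mode = 775

[scans]
   path = /srv/scans
   read only = no
   guest ok = yes
   force create mode = 664
EOF

audit_smb_conf "$SAMPLE_CONF"
```

On the sample, [internet] produces no findings because it combines valid users with group-based modes, while [Public share] is flagged three times: its forced modes 666/777 make every new file and directory world-writable on disk, which undoes the group model the article builds with the setgid bit, and it has no valid users or write list. The "writable share" line is informational for shares such as [Accounting] that deliberately rely on directory permissions (770 and group accounting) rather than on Samba's own access lists.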

In Windows, refresh the information on the screen (F5) and try to open the internet directory. If the settings are correct, these attempts will not succeed: the password prompt will be displayed endlessly.

adduser student internet_dev

Let's create and open a document in Windows; we don't save it.

On Linux we run smbstatus

smbstatus is a command showing the shares, the files opened in them and the users using them.

We find the ID of the process responsible for maintaining the connection with the share (let's say 2456) and kill it

Let's run ps aux; among the processes we see a newly spawned process of the same kind but with a different ID; it was recreated by Samba.

We go back to Windows and see that the open but not saved document is in the same state in which we left it, we can continue to edit it, then save it.

Our experience confirms that if the file server is interrupted, the data being worked with will not be lost.
