How to turn YunoHost into a NAS with Samba

Provided there is a mechanism to prohibit installation on a publicly exposed server. This complicates things a bit (but it’s still doable with the remote diagnostics API).

I made a samba configuration, I think the setup is as follows:

Install samba

apt install samba

Create some groups

In the permissions section of the webadmin you have to create groups. If a person is in a group, they will have access to the corresponding samba folder.

Create shared dir

mkdir -p /home/public/dir1
mkdir -p /home/public/dir2
mkdir -p /home/public/dir3

Prevent browsing via sftp/ssh for users who don’t have the rights:

chmod o-rwx /home/public/dir*

Giving rights to groups

setfacl -R -m g:group1:rwx,d:g:group1:rwx /home/public/dir1
setfacl -R -m g:group2:rwx,d:g:group2:rwx /home/public/dir1
setfacl -R -m g:all_users:rwx,d:g:all_users:rwx /home/public/dir2
setfacl -R -m g:group1:rwx,d:g:group1:rwx /home/public/dir3
setfacl -R -m g:group2:rwx,d:g:group2:rwx /home/public/dir3

It may be possible to manage the transferability of rights differently with the setgid. To think about.

Create the configuration

/etc/samba/smb.conf

[global]

   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d

   server role = standalone server

   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

   usershare allow guests = yes


[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S

[dir1]
   comment = dir1 (D)
   read only = no
   path = /home/public/dir1
   guest ok = no
   browsable = yes
   valid users = @group1, @group2
   directory mask = 770
   create mask = 0660
   vfs objects = dfs_samba4 acl_xattr recycle
   recycle:repository = .recycle
   recycle:keeptree = yes
   recycle:versions = yes

[dir2]
   comment = dir2 (E)
   read only = no
   path = /home/public/dir2
   guest ok = no
   browsable = yes
   valid users = @all_users
   directory mask = 770
   create mask = 0660

[dir3]
   comment = dir3 (Z)
   read only = no
   path = /home/public/dir3
   guest ok = no
   browsable = no
   valid users = @group1, @group2
   directory mask = 770
   create mask = 0660
   vfs objects = dfs_samba4 acl_xattr recycle
   recycle:repository = .recycle
   recycle:keeptree = yes
   recycle:versions = yes

Set the samba password for each user

One has to define a password for each user with smbpasswd -a USER. It might be possible to link authentication to LDAP, but I haven’t done that, probably for a good reason.

/etc/yunohost/hooks.d/post_user_create/99-samba

#!/bin/bash

# YunoHost passes the new user's name as $1 and the password as $3
user=$1
password=$3
# smbpasswd only reads the (repeated) password from stdin in silent mode (-s);
# without -s it prompts on /dev/tty and the hook fails non-interactively
printf '%s\n%s\n' "$password" "$password" | sudo smbpasswd -s -a "$user"

/etc/yunohost/hooks.d/post_user_delete/99-samba

#!/bin/bash
user=$1
# Remove the Samba account when the YunoHost user is deleted
sudo smbpasswd -x "$user"

/etc/yunohost/hooks.d/post_user_update/99-samba
TODO

(Optional) Delete files older than 7 days

/etc/cron.daily/clean-trash

#!/bin/bash
# Clean all empty directory inside .recycle and all files older than 7 days
#set -eux
find /home/public/dir3/.recycle/ -ctime +7 -type f -delete
find /home/public/dir3/.recycle/ -mindepth 1 -type d -empty -delete

find /home/public/dir1/.recycle/ -ctime +7 -type f -delete
find /home/public/dir1/.recycle/ -mindepth 1 -type d -empty -delete

Reload samba

systemctl reload smbd

Open the ports

You need to open port 445 in UDP and TCP.

Backup Hook

/etc/yunohost/hooks.d/restore/99-conf_custom

#!/bin/bash

# Source YNH helpers
source /usr/share/yunohost/helpers

ynh_restore_dest (){
    YNH_CWD="${YNH_BACKUP_DIR%/}/$1"
    cd "$YNH_CWD"
}

# Exit hook on subcommand error or unset variable
ynh_abort_if_errors

# Samba
app="custom_samba" # This variable matters for the next helper
ynh_install_app_dependencies "samba"

ynh_restore_dest "data/custom/samba"
ynh_restore_file "/etc/samba"
ynh_restore_file "/var/lib/samba"
ynh_restore_file "/etc/yunohost/hooks.d/post_user_create/99-samba"
ynh_restore_file "/etc/yunohost/hooks.d/post_user_delete/99-samba"
# ynh_restore_file names its source --origin_path (ynh_backup uses --src_path)
ynh_restore_file --origin_path="/etc/yunohost/hooks.d/post_user_update/99-samba" --not_mandatory
ynh_restore_file "/etc/cron.daily/clean-trash"

/etc/yunohost/hooks.d/backup/99-conf_custom

#!/bin/bash

# Source YNH helpers
source /usr/share/yunohost/helpers

ynh_backup_dest (){
    YNH_CWD="${YNH_BACKUP_DIR%/}/$1"
    mkdir -p "$YNH_CWD"
    cd "$YNH_CWD"
}

# Exit hook on subcommand error or unset variable
ynh_abort_if_errors

# Samba
ynh_backup_dest "data/custom/samba"
ynh_backup "/etc/samba"
ynh_backup "/var/lib/samba"
ynh_backup "/etc/yunohost/hooks.d/post_user_create/99-samba"
ynh_backup "/etc/yunohost/hooks.d/post_user_delete/99-samba"
ynh_backup --src_path="/etc/yunohost/hooks.d/post_user_update/99-samba" --not_mandatory
ynh_backup "/etc/cron.daily/clean-trash"
6 Likes
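As an added example (not part of the original post, and not YunoHost or Samba code), the following POSIX shell script audits a configuration in the smb.conf format shown above before the server is exposed: it lists each share with its path, valid users and guest setting, flags shares that allow guests, that have no valid users restriction, or that are writable without the recycle vfs, and checks that a share directory has no permission bits for "others", which is what the chmod step is meant to achieve. The share names, paths and the sample config it parses are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit an smb.conf and the permissions of share directories.
# Not from the original post; share names and the sample config are constructed.

# Print one summary line per share (global and homes are skipped):
#   share=NAME path=PATH valid_users="..." guest_ok=yes|no flags=...
# flags: GUEST_OK (anonymous access), NO_VALID_USERS (no group restriction),
#        WRITABLE_NO_RECYCLE (writable share without the recycle vfs), or ok.
audit_smb_conf() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function flush() {
            if (share == "" || share == "global" || share == "homes") return
            flags = ""
            if (guest == "yes") flags = flags "GUEST_OK,"
            if (valid == "") flags = flags "NO_VALID_USERS,"
            if (ro != "yes" && vfs !~ /recycle/) flags = flags "WRITABLE_NO_RECYCLE,"
            if (flags == "") flags = "ok"; else sub(/,$/, "", flags)
            printf "share=%s path=%s valid_users=\"%s\" guest_ok=%s flags=%s\n",
                   share, path, valid, guest, flags
        }
        /^[ \t]*\[/ {
            flush()
            share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            # Samba defaults: no path, everyone valid, no guests, read only
            path = ""; valid = ""; guest = "no"; ro = "yes"; vfs = ""
            next
        }
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
        /=/ {
            key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            val = trim(substr($0, index($0, "=") + 1))
            if (key == "path") path = val
            else if (key == "valid users") valid = val
            else if (key == "guest ok") guest = tolower(val)
            else if (key == "read only") ro = tolower(val)
            else if (key == "vfs objects") vfs = val
        }
        END { flush() }
    ' "$1"
}

# Return 0 when "others" have no permission bits on the directory (the effect
# of chmod o-rwx in the post), 1 otherwise. Uses the GNU/busybox stat -c '%a'.
others_locked_down() {
    perm=$(stat -c '%a' "$1") || return 1
    case "$perm" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample config for the demo (not a real server's smb.conf).
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
   server role = standalone server
   map to guest = bad user

[dir1]
   path = /home/public/dir1
   read only = no
   valid users = @group1, @group2
   vfs objects = dfs_samba4 acl_xattr recycle

[dir2]
   path = /home/public/dir2
   read only = no
   valid users = @all_users

[scratch]
   path = /home/public/scratch
   read only = no
   guest ok = yes
EOF

audit_smb_conf "$SAMPLE_SMB_CONF"

# Constructed directory standing in for a share path.
SAMPLE_DIR=$(mktemp -d)
chmod 770 "$SAMPLE_DIR"
if others_locked_down "$SAMPLE_DIR"; then
    echo "$SAMPLE_DIR: others have no access"
else
    echo "$SAMPLE_DIR: WARNING, others can reach this directory"
fi
```

Run it against the real file with audit_smb_conf /etc/samba/smb.conf, then feed each reported path to others_locked_down; a share marked GUEST_OK or NO_VALID_USERS on a server reachable from the internet is the case the thread warns about.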

Thank you for this configuration, I’m going to dig into it because I tried WebDAV and it’s much slower. When I’m on the local network connected with WebDAV, the connection goes out to the outside and comes back; with an ADSL connection that’s not great for transferring large files.

Hello,

Wow, there’s a lot to digest in there! :scream:
Thanks for this work!

To configure Samba, and to prevent the contents of the shared folder from being made public on the internet, I had relied on the advice of the good @tituspijean, who talked in particular about uncommenting these lines in the smb.conf file:

   interfaces = 127.0.0.0/8 eth0
   bind interfaces only = yes

Did I understand correctly? And is it enough? @ljf, you seem to be saying here that it isn’t… :grimacing:

Yes, or simply don’t open the port on your ISP router (box). But titus’s security measure is probably a good idea, even if I don’t understand it.

Re-reading myself, I realise why you don’t understand. :sweat_smile: By default I use Samba over a VPN, so in reality I actually put this instead:

   interfaces = 127.0.0.0/8 vpn_interface
   bind interfaces only = yes

Except that in my explanation I wanted to generalise, and I put eth0, which is a bit silly since every connection then comes from the local network… @Nardanaito the best thing is indeed to make sure that port 445 on your router is not open.

1 Like

Can someone translate it in English please? Can we configure Nfs along with Samba?

1 Like

Sorry, sometimes I don’t see that I am writing in French… It’s quickly translated

I don’t know