If we’re continuing with the original aim of creating a corporate NAS, one shared folder is not going to be enough. We’re going to need a shared folder which anyone can add files into, as well as individual password-protected folders for each person. It would also be handy to have group folders for each separate department.
In this article, we will focus on ‘access restrictions’, and carry out some customizations to make our corporate NAS more user-friendly!
Let’s Prepare SWAT!
We’re going to set all of the parameters for SWAT, the configuration tool for Samba (which we installed last time). We start by entering the following URL in our browser, http://localhost:901/, and logging into SWAT.
Other users can log in too, but the data that they can edit is limited. To begin with, let’s log in as a ‘root’ user.
Checking Global Parameters
The settings found under the ‘GLOBALS’ tab (second from the left) are the universal shared settings for Samba. Since some of the parameters are set to default initial values, we need to make sure that these are not impacting the NAS.
The trickiest setting is ‘security’. Since we’re going to configure the individual settings for each directory using ‘SHARES’, it seems intuitive that we would select ‘share’, but this setting is not recommended. (This has caused me all sorts of difficulties in the past).
For working with NAS, it seems that the default setting, ‘USER’, is best.
When accessing from Windows, both ‘workgroup’ and ‘netbios name’ can be checked using Explorer. Looks like we can leave those on the default setting, too.
When creating directories which require logging in, we need to add users using Raspbian. We already saw how to create users when we created the ‘root’ user – using the Linux command ‘adduser’. As before, we’ll input the command through the LX Terminal.
I’m creating this user for me, so I gave him the name ‘maru’. Since I’m logged into the ‘root’ account, I don’t need to add ‘sudo’ this time.
This is what the actual screen looks like. After inputting the command, you’ll be asked for the password – make sure to type the same password twice. After entering the password, you’ll be asked for some other details such as full name and room number, but we don’t need to enter those at this point – just press enter to skip. Once you’re happy with what you’ve entered, press the ‘y’ key to finish.
Once user creation for Raspberry Pi has been completed, it’s time to create users for Samba. We’ll use SWAT for this.
We’ll create users for Samba through the ‘PASSWORD’ screen.
In the ‘User Name’ field, input the name of the user we just created in Raspbian, and in the ‘New Password’ and ‘re-type New Password’ fields, input anything you like. Since we’re creating a new user this time, click the ‘Add New User’ button.
When the message ‘Added user maru’ appears under the button, user creation is complete!
Creating an Individual Directory
The folder is set up in the same way as in the previous article.
Since we just created a user called ‘maru’, a folder with that name has been created in the ‘home’ directory. This time, we’re going to configure settings within this folder.
Since we want to set up a directory for personal use, we are going to leave the permission settings as they are so that only the owner of the directory can access and change the directory’s contents.
Because we created the folder through the ‘root’ user, the owner is currently set to ‘root’. Let’s go ahead and change this to ‘maru’.
Now, we can configure the settings through SWAT. Let’s head to the ‘shares’ screen.
To the left of the ‘Create Share’ button there is a textbox – go ahead and input any directory name. I’ve gone for ‘maru_nas’ this time. Once you’ve input the name, click the ‘Create Share’ button.
The directory has been created and now we can input parameters! Since the parameters are currently empty, we’ll configure the necessary items.
Let’s start with what we already know! First of all, the ‘path’ – input the path of the directory we just created (/home/maru/nas/). Then, click the ‘Commit Changes’ button which is located in the upper part of the screen.
Now, we should be able to check this from another machine. So, I connect to the NAS from a Windows machine and… what’s this?! The directory doesn’t appear…?!
Difference Between SWAT and Commands
So, what’s the difference between inputting from the command line and configuring through SWAT?
Let’s check this out using SWAT’s ‘VIEW’ screen. First of all, click on the ‘VIEW’ icon located second from the right in the menu bar.
When we scroll down, we can see the ‘all’ directory which we created last time, and the ‘maru_nas’ directory which we just created, next to each other.
Compare that with…
When we take a look at our records from last time, we see that in ‘all’, only the parameters we had input were displayed. In ‘maru_nas’, we have only configured ‘path’. But…
Now we can see this string ‘available=NO’, which we are seeing for the first time. It seems that there is a difference in default value recognition depending on whether we use SWAT, or use the command line to configure the settings. We can solve this by returning to the ‘SHARES’ screen and setting ‘available=YES’. Before we access from Windows again, let’s restart Samba.
It is necessary to restart Samba whenever the settings have been changed. Samba can be restarted using ‘STATUS’, which is located 3rd from the right of the menu bar.
This is easy! Just click the ‘Restart All’ button. The program does everything that needs to be done following just one click, which is really handy.
We can make sure that the settings have been applied by taking a look through Windows.
It works! The new directory has appeared!
At the moment, this directory is accessible by anybody, just like last time.
Applying Access Restriction to the Directory
Next, I’m going to add a password restriction so that only I can access this folder. There are lots of parameters which contain the word ‘user’, but the one we’re after is ‘valid users’.
valid users (S) – Samba
This is a list of users that should be allowed to login to this service. Names starting with ‘@’, ‘+’ and ‘&’ are interpreted using the same rules as described in the invalid users parameter.
Default: valid users = # No valid users list (anyone can login)
In the ‘valid users’ parameter on the ‘SHARES’ screen, I’m going to input the user ‘maru’ which I just set up. If you ever want to add multiple users, just separate the user names using commas.
The password input box has appeared!
I played around by inputting the ‘root’ user’s login information, inputting the wrong password, etc., in order to check that everything had worked correctly, and it seems that it has – I could only access the folder using the information I set up in Samba.
I adjusted the ‘write list’ and ‘read only’ parameters so that I would be able to write to the directory as well. This is what the final parameters looked like:
We’ve finished setting up personal NAS!
Creating a group directory using user groups!
Wouldn’t it be handy to have directories for each department, as well as individual directories? But configuring one user name at a time is very time consuming. That’s where ‘user groups’ come into play!
Let’s begin with the Raspbian settings. We’ll create a user group, and then add users to the group.
groupadd: this command adds a new group.
gpasswd: this command is used to manage the group. The option ‘-a’ is used to add users to the group.
The commands are input through LX Terminal. I created a group called ‘developer’ and tried adding the user I just created, ‘maru’. This process took no time at all.
Next, it’s time to configure Samba. Unlike when we were creating users, there is no need to register our groups in Samba. All we need to do is create the directories.
First of all, setting up the folder. I did it like this:
Through ‘SHARES’ in SWAT, we create the ‘developer’ directory. Since the process is exactly the same as the one we used to create the personal directory previously, I have left it out here.
Here are the complete settings!
The important difference is in the ‘valid users’ and ‘write list’ parameters: their values begin with the character ‘+’, which tells Samba to treat the name that follows as a UNIX group name.
The ‘write list’ is the list of users who are able to write to the directory. In this case, I specify the ‘developer’ group in addition to ‘valid users’.
smb.conf – invalid users (Samba)
‘Invalid users’ are the opposite of ‘valid users’. This is a list of users that should not be allowed to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.
smb.conf – write list (Samba)
This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the read only option is set to. The list can include group names using the @group syntax.
We have finished creating a group directory to which only members of the group can write! If you need to add users, you can do so at any time using the ‘gpasswd’ command.
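The two things checked by hand above, a share with no ‘valid users’ list (anyone can login) and a share left at ‘available=NO’, can be checked for every share in the configuration at once. The following is an added example, not part of the original article; the function names, the sample file, the [draft] share and every path except /home/maru/nas/ are assumptions.

```shell
# Added example: list each share in an smb.conf with its access state.
# ANY_USER = no "valid users" list (anyone can login); DISABLED = available = no.
# Constructed sample: only /home/maru/nas/ is from the article, the rest is hypothetical.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   security = user
[all]
   path = /home/all/
[maru_nas]
   path = /home/maru/nas/
   valid users = maru
[developer]
   path = /home/developer/
   valid users = +developer
[draft]
   path = /home/draft/
   available = no
EOF
}
# Prints "share<TAB>state<TAB>valid users" for every section except [global].
audit_shares() {
    awk '
    function report() {
        if (share == "" || share == "global") return
        state = (users == "") ? "ANY_USER" : "RESTRICTED"
        if (avail ~ /^(no|false|0)$/) state = "DISABLED"
        printf "%s\t%s\t%s\n", share, state, (users == "" ? "-" : users)
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }     # skip comments and blank lines
    /^[ \t]*\[.*\]/ {                        # a section header starts a new share
        report()
        share = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", share)
        users = ""; avail = "yes"; next
    }
    (eq = index($0, "=")) > 0 {              # parameter line: name = value
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "validusers") users = val  # Samba ignores spaces in names
        if (key == "available") avail = tolower(val)
    }
    END { report() }
    ' "$1"
}

# Names of the shares that have no "valid users" list.
open_shares() {
    audit_shares "$1" | awk -F '\t' '$2 == "ANY_USER" { print $1 }'
}
```

On Raspbian the live configuration is normally /etc/samba/smb.conf, so `audit_shares /etc/samba/smb.conf` reports the real shares; on the sample, only ‘all’ comes back from `open_shares`.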
We have successfully created three types of directory: a universal directory which anyone can use, a shared group directory, and a personal directory. Once directories have been created for each individual and each department in the company, we’ll be set to start using in-house NAS.
As a special bonus prize (?) for using NAS, we got a new Raspberry Pi!
This is Raspberry Pi model B+!
In the next article, we’re going to play around using the new version of Raspberry Pi. This will be a review of the things we’ve learned, taking records as we did so. Since we’ll be doing this for the second time, things will go smoothly!(?)