
 

 

Page 3 of 5:

 

 

Let's configure the FTP server (vsftpd)

Using the File Manager module, edit the file /etc/vsftpd.conf

 

 

 

 

 

You should see something like this.

 

 

 

 

 

You need to make the following changes to it

 

 

 

Remove the "#" and change the line that says #anonymous_enable=YES to     anonymous_enable=NO     (vsftpd does not accept spaces around the "=")

Remove the "#" so that it reads local_enable=YES

Remove the "#" so that it reads write_enable=YES

Remove the "#" so that it reads local_umask=022

Add the following entry      file_open_mode=0755

Remove the "#" and change the Welcome string to something custom of your own

Remove the "#" so that it reads chroot_local_user=YES

It's normal for that chroot_local_user=YES line to appear multiple times. You only have to remove the "#" from one of them; once is enough.

 

 

 

You should eventually see something like this, when you have made all the changes, click save and close.
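One way to confirm the edits took effect before rebooting, as an added example that is not part of the original guide. The function names and the sample file are made up for this example, and it assumes that when a key appears more than once the later line wins.

```shell
#!/bin/sh
# Added example: compare a vsftpd.conf with the settings this guide changes.

# key=value pairs exactly as the guide gives them
WANTED="anonymous_enable=NO local_enable=YES write_enable=YES
local_umask=022 file_open_mode=0755 chroot_local_user=YES"

# effective_value FILE KEY
# Prints the value of the last uncommented "KEY=" line in FILE.
# Assumption: when a key appears more than once, the later line wins.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                 # still commented out
        index($0, key "=") == 1 {           # line starts with "key="
            val = substr($0, length(key) + 2)
            found = 1
        }
        END { if (found) print val }
    ' "$1"
}

# check_vsftpd_conf FILE
# Prints one line per setting; returns 1 if anything differs from the guide.
check_vsftpd_conf() {
    conf=$1
    rc=0
    for want in $WANTED; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(effective_value "$conf" "$key")
        if [ -z "$actual" ]; then
            echo "FAIL $key is missing or still commented out"
            rc=1
        elif [ "$actual" = "$expected" ]; then
            echo "OK   $key=$actual"
        else
            # compared literally, so a trailing blank also shows up here
            echo "FAIL $key=$actual (guide sets $expected)"
            rc=1
        fi
    done
    # vsftpd does not accept blanks on either side of "="
    spaced=$(grep -nE '^[a-z_]+([[:space:]]+=|=[[:space:]])' "$conf" || true)
    if [ -n "$spaced" ]; then
        echo "FAIL blank next to '=' on line $spaced"
        rc=1
    fi
    return $rc
}

# Constructed sample: write_enable was forgotten, and chroot_local_user
# appears several times with only one copy uncommented.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real server's file
listen=YES
anonymous_enable=NO
local_enable=YES
#write_enable=YES
local_umask=022
file_open_mode=0755
ftpd_banner=Welcome to my server.
#chroot_local_user=YES
chroot_local_user=YES
#chroot_local_user=YES
EOF
}

demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
check_vsftpd_conf "$demo_conf" || echo "=> the config still needs attention"
rm -f "$demo_conf"
```

On the server itself, run `check_vsftpd_conf /etc/vsftpd.conf` from putty as root.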

 

 

 

The next time the computer is restarted, the FTP server will read the changes we made to its configuration file, but it's not ready to use yet. We haven't added any users for it yet; we will get to that later. There is also one last security setting we have to change, which we will get to while creating the new users.

That's it for FTP for now. It's not working yet; we will come back to it later. Let's learn some troubleshooting now that can help us later. Let's see how to check local email messages and syslog. When something goes wrong with the system, or there is a change, or a scheduled job has failed, you can use one of these two messaging systems to check it. Similar to Windows Event Viewer, you can find a lot of helpful information here.

 

Using the Read User Mail module, you can see if you have any local email. Errors are often sent to you in this way. This is a great feature, as later we redirect these to a real email address, and get notified via our real external email accounts if something goes wrong.

 

 

 

As you can see I have messages here.

In this configuration you can send and receive local emails to users of this server, using this module. You won't have much need for sending local emails, but this is an easy way to read them.

 

 

And you should often be checking the syslog and auth.log, using the System Logs module.

 

 

 

 

You can also find useful information in the View Module Logs module

 

 

 

A lot of the time the answer to your problems will be in one of those (3) places. Another great place to check is the homepage (also called the System Information module), which does a good job of showing you your current usage, even drive temperature and SMART drive status. You can also see your Uptime and OS version, Disk-Space, and other important information.

 

 

 

 

 

 

As we can see above, even with everything we have added to the computer, it's still only using 34MB of RAM, 0MB of the Pagefile, and 0.02 of the processor.

This particular computer is only a Pentium 3, 450MHz ... a paper-weight at best. Isn't Linux amazing?   These awesomely low numbers are because we are using the command line version of Linux, not a GUI Operating System.

Getting back to our FTP setup...

Let's add some user accounts; these would be people you would give access to your server and its resources.

 

We will create the accounts, and setup their home directories to be on the data drive, and exposed to the network\internet, and add the final security setting for FTP.

 

Using the Users and Groups module.

 

 

 

We are going to get a lot of use out of this module. It will allow us to make users, groups, set passwords, set home directories, and even setup their shell, where we can further restrict them if needed.

 

Click on "Create a new user".

 

 

You should see something like this, make the following changes.

 

 

 

 

With the username jdoe and the real name jdoe.

 

The important one is the username, that will be the actual login name. You could set the real name to Mr. John Doe, or something more descriptive if you like.

 

Un-check "Automatic" and set the Home directory to

         /mymounts/vraid/users/xhomes/jdoe

If you aren't using raid, and are using d2p1, you would type

        /mymounts/d2p1/users/xhomes/jdoe      

 

What these descriptive folder structures tell us is

-It's a drive I mounted

-What drive it's on

-It's user data

-It's an exposed home directory "xhomes"

-It's user jdoe

 

 

By exposed home directory, I mean that directory is exposed to the network or the internet. A constant reminder to me about security and confidentiality of what goes in there.

We are later going to change the web server (Apache) to listen in those directories, so these home directories will be folders that are exposed and viewable over the network or internet.

 

That's on purpose, to give them webspace, space on the web, which we know is exposed to the world (www).

After you have set the username and home directory, choose "normal password" and let's type in the password   jdabc123

Set the Group to "New Group With Same Name As User"

Then click the "Create" button.

 

If successful, you should see something like this

 

 

 

 

 

A little advice: be careful if you ever click on a user after you're done creating it. It will go into Edit User mode, and will try to reset the password. It won't do it unless you hit apply, but try not to edit your users once they start using it, unless you know their password. See below: if you didn't know their password, editing that user a second time is going to reset their password.

 

 

 

 

You probably noticed I didn't have you put jdoe in a predefined group, like "users", but instead created a brand new group with the same name of jdoe. Groups are awesome, so that's a good question. We will cover groups later, but for now let's focus on users.

In our current configuration, every time you create an account the way we just did above, the users will have read access to other users' files and shares, for downloading or viewing, but won't have the rights to change or delete anything they didn't create themselves. That is usually what you're trying to achieve with non-confidential data or a website, but it is easily tweakable to fit any need you might have.

Now that you have a user with a password we don't care about, let's do the final FTP setting. Remember we NEVER type important passwords in FTP. These passwords will be sent in plain text. If there is a hacker on your network, he is about to see it; the data as it flows over the internet\network will actually say "my password is..." so make sure you don't type any of your important passwords in FTP.

That final security setting to make FTP work is to make your root account the owner of everyone's home directories. VSFTPD will abort and stop working if it finds any users that own their home directory.

To fix this we will make every user a "save_here" folder inside their home directory. They will have full access to the "save_here" folder and any sub-folders of that folder, just not their top level home folder.

 

We will use the Webmin File Manager Module to do this.

Using the File Manager module navigate to user jdoe's home directory, click on jdoe and then click info.

You should see something like this, change both the User and the Group to   root    and then press "Save".

And then inside of that folder, create a new folder called "save_here".

Use the info button to set   jdoe   as both the User and Group. And then press save.

 

Repeat these steps for any future users you create, or FTP will stop working.

 

Username root is already set up right, no change needed. But don't forget username   wood    or whichever name you used during the install. That directory is probably here:  /home/wood    as the CD install would have put it there. It's not our intention to have username wood using FTP, but remember if the FTP server finds any users that own their home directory, it will abort and stop working.

Once you're sure all of the users on your system don't own their home directories, reboot the server, and FTP will be ready to use.
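A way to check the layout from putty instead of clicking through each folder, as an added example that is not part of the original guide. The function names are made up here; it assumes GNU stat, that regular accounts start at UID 1000, and that home paths contain no spaces. It checks the owners the guide sets and also flags a home directory that group or others can write to.

```shell
#!/bin/sh
# Added example: verify the "root owns the home, the user owns save_here" layout.

# audit_ftp_home HOME USER [ADMIN]
# HOME must be owned by ADMIN (default root) with no group/other write bit,
# and HOME/save_here must exist and be owned by USER.
audit_ftp_home() {
    home=$1; user=$2; admin=${3:-root}
    rc=0
    if [ ! -d "$home" ]; then
        echo "FAIL $home: directory is missing"
        return 1
    fi
    owner=$(stat -c %U "$home")     # owner name (GNU stat)
    mode=$(stat -c %a "$home")      # octal mode, e.g. 755
    if [ "$owner" != "$admin" ]; then
        echo "FAIL $home: owned by $owner, expected $admin"
        rc=1
    fi
    case $mode in
        *[2367]|*[2367]?)           # write bit in the "other" or "group" digit
            echo "FAIL $home: mode $mode lets group or others write"
            rc=1 ;;
    esac
    if [ ! -d "$home/save_here" ]; then
        echo "FAIL $home/save_here: directory is missing"
        rc=1
    elif [ "$(stat -c %U "$home/save_here")" != "$user" ]; then
        echo "FAIL $home/save_here: not owned by $user"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK   $home"
    fi
    return $rc
}

# audit_all_users
# Runs the check for every regular account, using the home directory recorded
# in the passwd database, so /home/wood and /home/uploadman are covered as
# well as the homes under xhomes.
audit_all_users() {
    all_rc=0
    for entry in $(getent passwd |
                   awk -F: '$3 >= 1000 && $3 < 65534 { print $1 ":" $6 }'); do
        audit_ftp_home "${entry#*:}" "${entry%%:*}" root || all_rc=1
    done
    return $all_rc
}

# Demo on a constructed directory tree (not the real xhomes folder). Unless
# this runs as root, the new folder belongs to the current user, which is
# exactly the state the guide tells you to fix.
demo=$(mktemp -d)
mkdir -p "$demo/jdoe/save_here"
audit_ftp_home "$demo/jdoe" jdoe root || true
rm -rf "$demo"
```

On the server, run `audit_all_users` as root before the reboot; every line should start with OK.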

We are going to use Windows Explorer to test our FTP. Not to be confused with Internet Explorer. Windows Explorer is not the same thing as Internet Explorer.

 

If you don't know how to access Windows Explorer, open up "my computer".

 

 

 

In that address bar, you can type FTP addresses, and hit the Go button or the Enter key on your keyboard.

It's important you are not in a browser like Internet Explorer or Firefox; those are for viewing, and are not fully functional FTP clients. Make sure you're in a My Computer window or using a 3rd party FTP client, not a browser.

 

 

Type    ftp://     followed by your IP address

 

Mine would be   ftp://192.168.2.1

 

And would look like this, I would just Click go or press enter on my keyboard.

 

 

 

 

 

If your IP was 192.168.2.178, then you would type    ftp://192.168.2.178

 

Hit go or enter, and you should be prompted for a username and password.

 

 

 

Use the username and password you created earlier.

Username:  jdoe

Password:   jdabc123

And click the "Log on" button

 

 

It should login, and you should see something like this.

 

 

 

Double click on the "save_here" folder and you should find it's empty, because we haven't put anything in there yet. Uploading files this way is as easy as copy \ paste. You should be able to copy a file and or folder from your Windows Desktop and paste it right into the FTP window above. (Make sure you're inside the save_here folder before you press paste.)

 

 

Copy something

 

 

 

And paste it inside the save_here folder.

 

 

 

 

 

And you should see something like this.

 

 

 

That folder or file that you pasted (uploaded) is now on the server inside user jdoe's home directory, inside his save_here folder.

 

You can see that in a more familiar view by using the File Manager module.

 

 

 

 

(If you don't see it, hit the refresh button)

 

 

 

 

Those files are now exposed to the network \ internet. We are going to make it even easier to get to them by changing Apache (the web server) to listen in those xhomes folders. We will use the password protected FTP way you just did to upload files, and a no-password-needed webpage approach to view and download them. Same folder destination, using FTP to write or upload, and HTTP (Apache) to view and download. Everyone will be able to view and download these files, but only user jdoe will be able to upload, modify, and delete.

Well... jdoe and you (root). Logged into the File Manager as root you can do anything you want.

Ok, next let's redirect Apache to our external users' home directories. By default Apache listens in /var/www, we are going to change that to xhomes.

Open the File Manager module and create the following folder in the xhomes folder:    no_auth

 

/mymounts/vraid/users/xhomes/no_auth

 

Or, if you're not raided

 

/mymounts/d2p1/users/xhomes/no_auth

 

 

 

 

 

 

Then click once to highlight the newly created     no_auth     folder, and click the info button.

 

You should see something like this, make the following changes

 

 

 

 

 

Un-check all the boxes, make sure username root are the User and Group, and then click save.

 

 

 

We want this folder to be totally locked down; this is where Apache is going to dump people if they don't know where they are going. And with these super strict permissions, they won't be able to use the back button in their browser, or do anything we don't want them to.

 

Next, using the file manager, navigate to the folder.

 

/etc/apache2/sites-available

 

Highlight the file    default    by clicking on it once.

 

And then click the     edit     button.

 

 

 

 

 

 

You should see something like this, make the following changes.

 

 

 

 

That third line can be a little hard to type, if you want to copy and paste it, here it is below.

 

RedirectMatch ^/$ /no_auth/

 

 

 

 

 

 

Make those three changes and click save.

 

 

We have to restart apache for it to realize the changes we just made.

 

 

Using the Bootup and Shutdown module, restart apache2. Put a checkmark next to the word    apache2

Or you could reboot the entire server, either way is fine. Either way will restart apache.

 

 

 

Now when you try to go to your webpage, you should get what looks like an error. This is what we want.

 

Open Internet Explorer, and navigate to your Linux box IP address.

 

Mine is 192.168.2.111

 

So I would type    http://192.168.2.111

 

You should see something like this

 

 

 

 

This would be an example of someone who didn't know where they were going. We are creating webspace on the internet for people who know where they are going. Notice there is no back button or Parent Directory button above the word forbidden; this keeps people from easily browsing your directories. There is still a back button at the top left of the page, but that back button is ok, it takes them back to the last page they visited. The back button we prevented is the one that is used to move back and forth through your directories. This isn't a security feature, the xhomes folder is exposed to the internet, and can be viewed, this just makes it a little less obvious that there are more folders here. Remember nothing confidential goes in the xhomes folder.

So unless someone knows where they are going, your website would seem down, or not available to them.

But... if you were a user of the system (like jdoe), you would know where you were going, you would know that your homepage or your web space is

http://192.168.2.111/jdoe

Type that into Internet Explorer, and you will arrive at user jdoe's home directory.

 

You should see something like this.

 

 

 

Notice if jdoe had files he wanted to share over the internet, people could download them from this page. Or if user jdoe uploaded a file called         index.html

Then he would have a webpage, that people could visit.

 

And if someone gets snoopy, and clicks on that Parent Directory button, they get dumped back to the no_auth folder. This is not for security, it just makes it a tiny bit harder to see the folders in xhomes via a browser. This is just smoke and mirrors; it's very easy to see and or download EVERYTHING in the xhomes folder.

 

Now you can start providing webspace and or webpages to people. All you have to do is make them an account. Make sure to put their home directory in folder

/mymounts/vraid/users/xhomes/

 

Or

 

/mymounts/d2p1/users/xhomes/                  depending on your setup.

 

Make root the owner, and create one folder deeper "save_here" for that user to own.

And that user can now ftp files to their webspace, requiring a password. And share them with the world via their webpage (http) without a password.

 

 

The secret behind all of that is.

 

 

 

We told apache to listen in the folder    xhomes

Then we told apache, if anyone lands here, immediately redirect them to the no_auth folder

 

jdoe would never land in xhomes, because he knows to specify the full path   /jdoe   when sending people links.   http://192.168.2.111/jdoe

 

Therefore skipping the redirect to no_auth, because he never actually landed in xhomes, he landed deeper in the jdoe folder, where he wanted.

 

If you made a new user account called        kevin

Kevin could do the same thing.

 

http://192.168.2.111/kevin

 

And so on and so on, for all your exposed users. Hence the name   xhomes

 

Teach your users that these files are in no way confidential and are in no way safe from being manipulated, copied and or deleted. Even though a password is needed to upload them, that password is sent out over the internet in plain text, so it would be easy to watch for that password. And easy to download all their files, because the web server exposes the xhomes folder to the entire world.
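To find out which accounts have already sent a password this way, for example before moving them to SFTP and changing those passwords, here is an added example that is not part of the original guide. The input format (a connection id, C: or S: for client or server, then the FTP line) and the function names are made up for this example; USER, PASS and the 230/331/530 reply codes are standard FTP.

```shell
#!/bin/sh
# Added example: list FTP logins whose password crossed the network unencrypted.
# Input (constructed format): one FTP control-channel line per row,
#   <connection-id> C: <client command>    or    <connection-id> S: <server reply>
# On an encrypted session none of these lines would be readable, so every
# visible PASS command is a password that anyone on the path could have read.

# exposed_ftp_logins FILE
# One line per connection that sent PASS in the clear. The password itself is
# never printed or stored.
exposed_ftp_logins() {
    awk '
        $2 == "C:" && toupper($3) == "USER" { user[$1] = $4 }
        $2 == "C:" && toupper($3) == "PASS" { seen[$1] = 1 }
        $2 == "S:" && $3 == "230"           { ok[$1] = 1 }   # login accepted
        END {
            for (c in seen) {
                name   = ((c in user) ? user[c] : "?")
                result = ((c in ok) ? "accepted" : "rejected")
                printf "%s user=%s password=<redacted> login=%s\n", c, name, result
            }
        }
    ' "$1" | sort
}

# exposed_accounts FILE
# Unique account names whose password was accepted after being sent in the
# clear: these are the passwords that need changing.
exposed_accounts() {
    exposed_ftp_logins "$1" |
        awk '$NF == "login=accepted" { sub(/^user=/, "", $2); print $2 }' |
        sort -u
}

# Constructed capture: c1 is the jdoe login from this guide, c2 is a failed
# attempt, c3 disconnected before sending a password.
write_sample_capture() {
    cat > "$1" <<'EOF'
c1 S: 220 Welcome to my server.
c1 C: USER jdoe
c1 S: 331 Please specify the password.
c1 C: PASS jdabc123
c1 S: 230 Login successful.
c2 S: 220 Welcome to my server.
c2 C: user uploadman
c2 S: 331 Please specify the password.
c2 C: pass wrong-guess
c2 S: 530 Login incorrect.
c3 S: 220 Welcome to my server.
c3 C: USER testuser
c3 S: 331 Please specify the password.
EOF
}

demo_cap=$(mktemp)
write_sample_capture "$demo_cap"
exposed_ftp_logins "$demo_cap"
echo "Change the password for: $(exposed_accounts "$demo_cap" | tr '\n' ' ')"
rm -f "$demo_cap"
```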

 

 

You can also make yourself folders in here, without needing to keep making new accounts. Because anything you put inside the xhomes folder will be exposed to the web. As root you can make folders in the xhomes directory using the File Manager module.

 

So if you made a few new folders like

 

/mymounts/vraid/users/xhomes/public

 

/mymounts/vraid/users/xhomes/vegas09pix

 

/mymounts/vraid/users/xhomes/rex-the-dog

 

/mymounts/vraid/users/xhomes/website-for-mom

 

 

You could send internal people links like these, and later when we setup port forwarding you can send them to external users as well

 

http://192.168.2.111/public                                (internally)   or     http://your-public-ip-address/public                 (externally)

 

http://192.168.2.111/vegas09pix                        (internally)   or     http://your-public-ip-address/vegas09pix         (externally)

 

http://192.168.2.111/rex-the-dog                       (internally)   or     http://your-public-ip-address/rex-the-dog        (externally)

 

http://192.168.2.111/website-for-mom              (internally)   or     http://your-public-ip-address/website-for-mom            (externally)

 

 

And people could access the files and or your webpages.

 

And later on in the how-to, when we give your server a public hostname, you can send people links that look like.

 

http://MyWebsite.com/vegas09pix

 

 

That has a name that makes sense, instead of those confusing numbers. But they couldn't look at your other users' folders, unless they knew where they were going. This isn't a very secure way of keeping people out, but these are not confidential files, so it works great!

Optionally you could add an HTTP password to the   /mymounts/vraid/users/xhomes/vegas09pix   directory using the Protected Web Directories module, like you did earlier, and limit who could access those links. With the same disclaimer though, HTTP and FTP send those passwords in plain text. You will want to instead use HTTPS or SFTP to keep your passwords from being sent in plain text. It's all about the "S".

That's about it for apache and vsftpd.

Next we are going to make another user, whose password we don't care about, and whose home directory is not inside the website listening folder. Because right now, anything we upload is instantly exposed to the webserver because their home directories are in xhomes. And sometimes we will want to upload files without them being exposed to the web. We don't want to use user wood, as he probably has an important password.

The Upload and Download module you have been using in Webmin is awesome, it's easy to use and keeps your passwords safe via HTTPS... but at a price. Because of the https encryption it's really slow and sometimes it has problems with really large files.

So we will use FTP or Samba for those needs, large files, when speed is an issue.

  

Same steps as before.

 

Using the Users and Groups module.

 

 

 

 

 

Click on      Create a new user

 

You should see something like this, make the following changes.

 

 

 

 

 

Name the user             uploadman

Do not change the Home directory option, leave it at Automatic this time

Set the password to     umabc123

 

 

Click "Create"

 

 

This users home directory can now be found under

/home/uploadman/

 

 

 

 

 

 

 

(If you don't see it, hit the refresh button)

 

Make root the owner, and make him a "save_here" folder one folder deeper.

 

Now you should be able to ftp in as user      uploadman

 

Remember to use Windows Explorer, not Internet Explorer, when FTP'ing

 

 

 

 

Using copy \ paste, let's upload a large file

Copy something big, like a CD\DVD iso

 

 

And paste it

 

 

 

 

 

Close the FTP window, and go look at it in the Webmin File Manager

(If you don't see it, hit the refresh button)

 

 

 

 

 

 

Then using the buttons at the top, you could cut that file, and paste it into the

/options/   directory

 

And that would be an example of how to get huge files uploaded to your server, and put into the /options folder.

 

Or even easier, if the file you're after is on the internet, you could just use the wget command you learned earlier. By using the ssh2 module or putty, login as root, then change directory to the options directory

 

cd /options

 

Then type           wget http://the-website-that-has-it/debian503.iso

 

That would accomplish the same thing, but the file would have to be on the internet or a web-server for that option to work.

 

Either way, now you have a couple work-arounds, for large files, if the Upload and Download Webmin module gives you problems.

 

 

And now you have an ftp account  "uploadman"  whose home directory isn't exposed to the web-server. And a user   "jdoe" whose home directory is exposed to the web-server.

Now let's setup disk space restrictions, called Quotas. These are very important, because without them, there isn't anything stopping your users from uploading too many files, eating up your bandwidth, filling up your disk space, and ultimately crashing your server.

Let's think of user uploadman as an account probably only you, the administrator, would use. And let's think of jdoe as an account you made for your friend or your client

(John Doe)

You most likely wouldn't put a quota restriction on yourself (uploadman) but you should restrict jdoe. And because of the way we have been mounting the hard drives, quota is almost already setup.

 

Just go into Webmin, and click on System in the left menu, and then click on the Disk Quotas module

 

 

 

 

Notice mine says   Filesystem   /mymounts/vraid

 

Yours will either say that or    /mymounts/d2p1/

 

Depending on if you followed the raid how-to, or not.

 

I will continue to call it   /mymounts/vraid     but you will know I mean either one.

 

Click on Enable Quotas

 

 

 

 

Don't get clicky, this can take a good 10 minutes or longer to respond.

And you should finally see something like this...

 

 

 

 

  

Click on "Users"   not groups

 

 

 

 

 

 

You should see something like this

 

 

 

 

There is a lot of good info here. Notice username uploadman is not listed here.

That's because he doesn't live on this hard drive, and hasn't been given any access to it.

uploadman lives on     /home/uploadman         which is the main hard drive. This is drive number 2. So only jdoe shows up, and of course root, because root has access to everything.

Let's setup a quota for user    jdoe

To limit the amount of space he can use on     /mymounts/vraid

 

 

Click on jdoe

 

 

 

You should see something like this.

 

 

 

 

Make the following changes.

 

 

 

 

 

Soft Limit  = 2GB    

Hard Limit = 3GB

 

 

Then click the       ďUpdateĒ        button.

 

That's it.

 

This means the user (jdoe) has 3 Gigs of storage space he can use.

You will start to get warned above 2GB, and he will get cut off after 3GB.

 

We don't change the file limit, just the overall size limits. I don't really care how many individual files he puts on there, just as long as the overall size of his home directory doesn't exceed 3GB.

 

 

When you get back to the main quota screen, you should see something like this.

 

 

 

There is all the information you need right there. You can see user   jdoe    is using 26MB. He is allowed to use 3GB. You will be warned when he reaches above 2GB. And I put red x's through the file limits, because I don't care how many individual files he puts on there.

You don't want to set a quota for root, because root is un-stoppable, and root is you. And you don't want to set a limit for users wood or uploadman because that probably is also you.

 

But always set quotas for your users.

 

Let's make another user called  testuser     with a password of      abc123

With a home directory of   /mymounts/vraid/users/xhomes/testuser

 

*or   /mymounts/d2p1/users/xhomes/testuser   depending on your setup

 

 

We will use this user to test things you set up for your users. Because once you go live with this and start giving people access, you won't know their passwords, and will need an account of your own to test user settings with.

 

So navigate to the Webmin Users and Groups module, and create a new user.

 

 

 

 

And very similar to what you did for user    jdoe     

 

setup user      testuser

 

 

 

Click the Create button

Don't forget to make root the owner of his home directory and make a "save_here" folder.

And using the Disk Quotas module, give him a limit of 5GB, warned at 4GB.

 

Similar to what you did earlier.

 

 

 

Click on           testuser

 

 

 

 

Setup the quota, and click update.

 

That's it for quotas, and now you have a user name    testuser   you can use for testing.

Now... after all that work I would recommend you uninstall FTP and replace it with SFTP. I thought it was important we learn FTP, there are some good uses for it, but SFTP is superior in every single way, at this point I recommend if SFTP can be used in place of FTP, that you uninstall FTP using the command below. The only need I still have for FTP is a webcam I have that only has FTP embedded, and a printer that uses FTP for scanned images, so I have two uses for FTP over SFTP, but what I really should do is buy a new webcam and a new printer. If you can choose SFTP over FTP for your needs, you should stop using FTP.

Run the following (3) commands from putty if you're ready to ditch FTP.

apt-get remove vsftpd

apt-get purge vsftpd

apt-get update

And then reboot the server.

 

See my Do more section for my SFTP how to.

 

Welcome back, you have either decided to keep FTP or have successfully switched to SFTP, moving on, next we are going to setup Usermin. The rest of the guide is written assuming all home directories are owned by root, and all users have a "save_here" folder. When referring to home, I now mean /WhereEverTheirHomeIs/username/save_here

 

Usermin is a restricted Webmin-like interface you can give your users access to. Remember, you never want to give them Webmin access, that's for you, the admin.

After we install it, we have to do a lot to lock it down. It's very powerful, so we have to configure it to only allow access to the things we want your users to see.

First we need to download the Usermin installer from http://webmin.com

So let's navigate to our Upload and Download module, so we can download it.

 

Make sure you are on the   download from web    tab

 

 

 

Paste this link into the      URLs to download           field

 

http://prdownloads.sourceforge.net/webadmin/usermin_1.600_all.deb

 

 

Eventually these links will stop working due to new versions, if so just go to webmin.com, click on "Usermin", click on "Deb" and find the newest link.

 

 

 

This will download the installer to the    /options    folder for you.

 

And we will install it using the     Software Packages    module

 

 

 

Choose From local file, provide the path, and click the install button.

 

 

You should see something like this.

 

 

 

 

Click the install button.

 

If successful, you should see something like this.

 

 

 


 

 

Ignore the fact it's telling you to login above, we are not ready for that yet.

Usermin is now installed, we have to lock it down now, because its default install gives the user way more control than we want them to have.

 

You should have a        Usermin Configuration     module within your Webmin screen now, towards the top, under Webmin.

 

 

If you don't see it, you may have to hit     Refresh Modules   at the bottom of the screen. If you still don't see it, close all your browsers and login to Webmin again.

 

 

 

 

Usermin has a lot of features we need to disable for our users.

 

 

Starting from the top and working to the right lets click on User Interface

 

 

 

 

 

You should see something like this, make the following changes, and click save.

 

 

 

 

Here is an easy way to check for Usermin updates once itís installed. Click the Upgrade Usermin icon.

 

 

 

 

 

Next click on SSL Encryption.

 

 

 

 

 

And change              Enable SSL if available           to No

 

And click save.

 

This will disable HTTPS for Usermin, and force it to run un-encrypted, using HTTP.

This is a horrible idea, HTTPS is awesome. It's what keeps your passwords and transactions safe on the internet. We just disabled one of Usermin's best features.

We will turn it back on later, turning it off for now will make this guide a little smaller and easier to follow.

This only affects your users and Usermin, your Webmin is still HTTPS, so no worries there.

  

 

Next click on Usermin Module Configuration.

 

 

 

 

Then click on    Upload and Download.

 

 

And make the following changes.

 

 

 

 

 

 

Then click save

 

 

You should be returned to this screen, click on File Manager

 

 

 

 

 

Make the following changes.

 

 

 

 

 

 

Then click save.

 

You should be returned to this screen, click on File Manager again, there is another change we need to make to it.

 

 

 

 

 

 

Click on the    Default users preferences    tab, on the top right, and make the following changes.

 

 

 

 

Click save

 

 

You should be returned to this screen.

 

 

 

 

Click Return to Usermin Configuration

 

 

Then click on Available Modules

 

 

 

 

 

Make the following changes.

 

 

 

 

Make sure you un-check everything except

 

File Manager, Disk Quotas, Upload and Download, and Change Password.

 

Everything else should be unchecked. Then click save.

 

 

Next click on Allowed Users and Groups

 

 

 

And make the following changes.

 

 

 

 

 

Then click save.

 

 

Next click on Access Control Options.

 

 

And make the following changes.

 

 

 

 

 

Then click save.

 

 

That's it for Usermin, you can log in and see the fruits of your labor.

 

To login, open your browser and type  http://your-linux-box-IP-address:20000

 

 

 

My IP address is 192.168.2.111

 

 

So I would type      http://192.168.2.111:20000

 

 

 

 

 

Login as     testuser     with password    abc123

 

 

You should see something like this

 

 

 

 

Here your users can use the Browse button to choose and upload files over the internet or network, directly to their home directories.

 

 

   

This Upload and Download module will load as the homepage for your users, but they can also click on the menu items on the left.

 

 

 

Here they can check their disk space usage and quota, use the File Manager module, and even change their own passwords.

 

 

 

 

 

 

 

 

 

 

============================= Optional Usermin changes ===========================

If you really wanted to spoil your users, you can make the Upload and Download module, the File Manager module, and the File Chooser default to the user's "save_here" folder so they don't have to browse to it each time. Just go back into the Usermin Module configuration for these three modules, and change the allowed path from home to this.

~/save_here

The variable   ~   means "The home directory of the logged in user". So the path   ~/save_here   tells Usermin to go directly into the home directory's save_here folder for whoever logs into Usermin. This is a great feature, your users will like this.

 

 

 

 

 

 

 

 

Another extremely useful variable is   $USER

The variable   $USER   means "The currently logged in user's username". So that tells Usermin to go into a folder which matches the user's username. You could do something like this.

 

/var/www/$USER

 

 

And if jdoe logged in, it would take him to /var/www/jdoe

Or if wood logged in, it would take him to /var/www/wood

 

 

If you combine these two variables, you can actually make your users a private area and a public area on your server. You could point apache back to listening in /var/www, then change their save_here folder from 755 permissions to 700 permissions, and voilà: things your users upload to their home directory's "save_here" folder would be totally private, their passwords would be protected (assuming you're using SFTP or Usermin, not FTP), and their files would be private. If you make them a folder matching their username in /var/www  (/var/www/jdoe), they can use Usermin to cut\copy\paste\move things from their private and secure home directories and expose them to the internet by moving files to /var/www/their-user-name. A good example: a user could upload all of their vacation photos to their home directory safely, securely and privately, then use Usermin to cut\copy\paste\move the few photos that they did want made public to their /var/www/their-user-name. This assumes you told apache to stop listening in xhomes and changed it back to /var/www. All you would have to do is edit the Upload and Download module and the File Manager module to include both  ~/save_here   and   /var/www/$USER   as allowed directories, and then both locations will show up when they log into Usermin.

 

*Note:   /var/www  lives on the first hard drive, so if you do this not all your user data will be on disk 2. You may want to do something like   /mymounts/vraid/users/www/their-user-name   and change apache to look in  /mymounts/vraid/users/www   so that all user data is still on disk 2.

 

 

Reminder: you would need to change each user's "save_here" folder to 700 permissions if you wanted them to truly be private. We talk about this in greater detail later on in the Samba section, but basically, as you can see below, 700 permissions mean only that user can access those files (and root, because root is unstoppable).

 

Whereas public folders exposed to apache should be 755 permissions

 

 

Your users will really like how easy and flexible it is. Just be sure to limit the file sizes they can upload, because Usermin uploads are first written to RAM and then moved into place. If you're not careful, a user can crash your system by uploading a file so big that it fills up the server's RAM. Here is an example of limiting them to 800MB per upload. I like 800MB: big enough for a CD iso, but too small for them to be uploading huge DVDs or zip files. For that they can use FileZilla. FileZilla doesn't first store the file in RAM, so instruct your users that extremely large uploads should be done that way.

 

 

You can purchase your own SSL certificate, and turn HTTPS back on for Usermin. In that same window you can upload the SSL cert you purchased and now your users will have a secure way of logging in.

  

 

 

============================= End, Optional Usermin changes ===========================

 

If you get permission denied errors while testing your Usermin accounts, that just means the temp folders for Usermin haven't been created yet. The easiest fix is to temporarily make that user owner of their own home directory, log in to Usermin as that user, and click on each of their allowed modules one time; that will make all the necessary temp folders. Just remember when you're done to change their top level home directory back to owner root. If that's not an option, you can manually make these temp folders as root using the Webmin File Manager module. You would need to make the following folders for them, setting them and leaving them as the owners.

 

Notice the leading dot in the names.

These would be 755 permissions. With these two folders in place, Usermin can now make temporary files and remember user preferences.

 

~/.tmp

~/.usermin

 

That's about it for Usermin.

 

We continue on assuming the xhomes folder name still means exposed to apache. That wouldn't be true if you did the optional changes above; the exposed folder would actually be /mymounts/vraid/users/www

 

You could purchase a public hostname, often called a domain name, instead of telling user jdoe this is his website  http://123.123.123.123/jdoe  which he will never remember.

 

You can use a name, something easy to remember.

 

http://example.com       or       http://example.com/jdoe       or       http://jdoe.example.com

 

And instead of telling jdoe this link to manage his account https://123.123.123.123:20000

 

You could do a webhop like this   http://members.example.com   or   http://my.example.com , that redirects them to    https://123.123.123.123:20000

 

Your users are already accustomed to website names like this, most of their other online accounts will start with members.example.com or cardholders.example.com  or my.example.com

 

In all of these examples, you would replace   example.com     with the unique name you chose as your dynamic public hostname. It's dynamic because your IP address will change over time, but the name will not.

 

There are many sites that will do this for you. In this example we will use http://dyndns.org

 

I use them, and I think they do a great job.

 

You can go to their website, and choose either a paid dynamic hostname, like example.com.

 

Or you can choose a free dynamic hostname, but the free ones put a little advertisement in the name,  like  example.drink-beer.com

 

It's a small price to pay, but every time you tell your users their link, you're advertising for beer.

 

I would go with the paid version, the support is better, the names are shorter, and your users will take you more seriously.

 

http://dyndns.org  calls their paid version     Custom DNS

 

 

Start by going to their website http://dyndns.org    

 

 

 

Choose a free one, or a paid one.

 

 

I use the paid one, the names are easier to remember, it's more robust and the support is better. With the paid one you can email them, and a real tech will answer you. If you go with the free one, I think email is disabled and you have to use the knowledge base.

 

Both work great, I have a couple of free ones that I have never had a problem with either.

 

Choose your poison, type the name you want in the example box, and click the add button. For example, we will say you selected    kevin.gotdns.org

*Don't really type kevin.gotdns.org, that's just an example

 

If the name isn't available, it will ask you to pick a different name. Once you find one you're happy with, click add. The website will walk you through everything you need to do, and you will leave with a dynamic public hostname and a username \ password for making changes.

 

 Then all you need to do is tell your router at home that information, so it can dynamically update the IP address at your house, to match the hostname you picked out. This way if your WAN IP address changes, the router can notify dyndns.org to update their info to match.

 

Your router's management interface should have a tab called DDNS. Log into your router and fill in the information.

 

You should see something like this, make the following changes.

 

 

 

*Don't use kevin.gotdns.org, that's an example, use the name you picked at the dyndns website.

 

Now your router will tell the dyndns.org website if ever your home IP address changes, so that your hostname will always point back to your router at home, even if your IP address changes (and it will)

 

Now your router will always respond to the hostname you picked. Now all you have to do, is tell your router what computer, inside your house, to send the traffic to.

 

So far we need to port forward ports 20, 21, 22, 80, 10000, 20000 to the Linux box inside your house. 20\21 are FTP; if you have uninstalled VSFTPD you don't need those two.

 

Mine is IP address 192.168.2.111

That would look like this.

 

 

 

 

Now your router will send web traffic (that's port 80) to 192.168.2.111 (your Linux box)

Now your router will send ftp traffic (that's ports 20 and 21) to 192.168.2.111

Now your router will send ssh \ putty traffic (that's port 22) to 192.168.2.111

Now your router will send webmin traffic (that's port 10000) to 192.168.2.111

Now your router will send usermin traffic (that's port 20000) to 192.168.2.111

 

This way your Linux box (192.168.2.111) isn't totally exposed to the internet, you control what traffic is allowed to get to it.

 

Now if a user types   http://kevin.gotdns.org    into a browser window, browsers talk on port 80, and your router will know where that is supposed to go.

 

Now if you type   kevin.gotdns.org   into a putty window, putty talks on port 22, and your router will know where that is supposed to go.

 

And so on and so on.

 

That's pretty much it for the dynamic hostname and the firewall \ port forwarding configuration. If everything is working except ftp, you could be having a min_passv, max_passv port numbering problem with your firewall, a modprobe  ip_conntrack_ftp problem, or a NAT problem. Those are advanced problems, and we will cover them much later in the how-to. SFTP doesn't have these issues, yet another reason to make the switch if you haven't already.

 

 

You should now be able to get to your Linux box from the internet. Meaning you should be able to get to it from work, a friend's house, etc... using your dynamic hostname.

 

 

Next we are going to set up Samba. This isn't something that's going to benefit your internet users, but you're going to love Samba for your network users. Meaning people inside your same small business network or home network. It's basically File Shares for Linux.

 

It has very few limitations, and is really an all in one solution for your LAN. Once you go Samba you will never go back. Everything you do from a Samba share is streamed and/or run live, directly off the server, not downloaded to the user's PC. So when you play music or movies from the Samba share, you don't have to wait for them to download first, they play right off the server. Same with documents, they live on the server, and you work on them live, never downloading to your PC.

 

We need to disable one of Samba's coolest features, the home shares. By default Samba shares every user's home directory, with the correct permissions, so only that user can see his or her files over the network.

 

Home shares are awesome, they work perfectly with very little configuration. But we need to disable them because we have ftp enabled on everyone's home directories. We are going to consider the data in people's Samba shares to be confidential. So we do not want them accessible via ftp.

 

We are even going to use Samba to put a user's "My Documents" folder on the server, so when they save to their My Documents folder on the Windows PC, it actually saves to the server. There will surely be confidential data in there, so we don't want FTP and Samba listening in the same folders.

 

FTP is not secure, and is provided for our external users. So we need to move our shares to a different directory, only accessible by our internal users. Plus once your internal users experience Samba's awesomeness, they will never want to FTP again anyway.

 

It's our fault for running both FTP and Samba on the same server. Realistically you would want two servers, one private, and one public. But this how-to assumes you have limited resources, and wish to run both FTP and Samba on the same box.

 

So unfortunately, we will need to delete all the shares listed below.

 

 

 

 

And then we are going to setup the defaults for all new shares. That way when we create new ones, they already have most the right settings, kind of like a template.

 

 

Click on Unix Networking

 

*Reminder: much earlier in this how-to, I changed my IP address from 192.168.2.111  to   192.168.2.1    so when you see me refer to 192.168.2.1    I'm just talking about the new local IP address of my Linux box.

 

 

 

 

 

 

 

Make the following changes

 

 

 

 

For the listen on address, use your local IP address.

 

Mine is 192.168.2.1    use your IP address of your Linux box

 

This is important later on in the how-to, when we add another network card.

 

 

Next click on Windows Networking

 

 

 

 

You should see something like this, make the following changes

 

 

 

Click Save.

 

Next click on File Share Defaults.

 

 

 

There are a few sub menus under File Share Defaults, if you get lost, just click File Share Defaults again from this main screen.

 

 

 

The "Other Share Options" are the sub menus I was talking about, if you get lost, just click the File Share Defaults icon on the main menu again.

 

Click the Security and Access Control icon, and make the following changes.

 

 

 

 

Under   Host to allow, allow only 127.0.0.1 and your subnet

 

If you're on a 192.168.2.xxx network, then use the settings above

If you're on a 192.168.1.xxx network, use 192.168.1.0/24

If you're on a 192.168.0.xxx network, use 192.168.0.0/24

If you're on a 10.10.10.xxx network, use 10.10.10.0/24

 

 

Don't be worried that we just set the default value to writeable. We are going to fix that later. All that will mean by the time we are done is that they are all writeable by their owner, and not really everyone, the way it appears now.

 

Setting up these defaults will save you a lot of steps, and pre-fill in some information for you when making new shares. So they come up as mostly done kind of like a template, where you just have to make a few changes, and it will make more sense later.

 

 

After you click save, you should be returned to the sub-menu, where you can click on   File Permissions

 

 

 

 

Click on File Permissions

 

 

You should see something like this, make the following changes

 

 

 

 

There is a ton of good information right there, and I will explain what it all means as soon as we finish these sub menus.

 

Click save, and you should be returned to the sub menu

 

 

We don't need to change anything under the File Naming icon, so we will skip to the   Miscellaneous Options    icon.

 

 

 

 

Click on the Miscellaneous Options icon.

 

 

 You should see something like this, make the following changes.

 

 

 

This should return you to the sub menu, make the following changes.

 

 

 

 

And then click save.

 

 

This should finally return you to the main share menu.

 

 

 

Now that we are back at the main share menu, and are done with the confusing sub menus, I wanted to take a moment to explain these settings. Knowing what these mean is pretty important...

 

 

Here is what 700 permissions mean, we will be using 700 the most, and now is a good time to talk about it.

 

 

 

 

 

It's unlimited rights for the user. (wood)

In our setup the user is the owner of the file. The owner of the file is the person that uploaded it to the server. So when your users upload a file, they own it, because it's theirs.

 

There are no rights for anyone else, to others it would appear as if the file isn't there.

 

In the group field you see root, it's just filling a blank space for us. You have to put something there, we aren't using groups just yet, we will be covering that later. So putting root there just fills in the spot for us. All the rights are unchecked anyway, it's just filling the field for us.

 

 

There is one exception, root doesn't need rights. Root is too cool for that. Using the File Manager module, or being logged in as root, you can see and do anything you want. So as long as you're logged in as root, or using the Webmin File Manager module, then these rules don't apply to you. But try to forget that, it's an exception to the rule. You should consider that 700 example above as only being accessible by user wood. And you're the only one that can use Webmin anyway. This isn't any less secure, it's just so you don't lock yourself out.

 

 

 

So if user     wood    uploads a file, he is the user, he owns it, he can do whatever he wants to it. This is pretty standard, it's his file, and he can do what he wishes to it.

 

 

Here is where we forced that all to happen by default when we create a share

 

 

 

 

Any files uploaded to the shares will get the 700 permissions we talked about. Meaning only that user can see and use those files.

 

We don't allow the following of shortcuts (symlinks)

 

And we allow deleting of read only files, because that user put that file there, they own it, they should be able to delete it if they want.

 

Most of the shares we are going to make will use this 700 setting.

 

 

We will be making a couple that use 755, that looks like this

 

 

 

Above you can see this folder would be usable by everyone, in a read only like mode. This is not the kind of permissions you would want on confidential files. They can download files, run files, view documents, they just can't add files or delete files, because they can't write. Only user wood can write, modify, and delete. This kind of access would be ideal for providing your users the ability to download files you put in there. But you don't want them to delete anything, add anything, or change anything. At home this may be your media share, with your playlist, music, pictures, movies, etc. In a small business this might be where users could download software instructions, pdf forms, maps and other non-confidential data, etc.

 

 

These permissions only pertain to files uploaded via Samba. If you interact with these folders using the File Manager (or some other module other than Samba) they won't get the permission we specified, as this is a Samba function and Samba didn't put it there.

 

If you accidentally mess up a file\folder permission, you can use the File Manager to fix it.

 

You just have to highlight the file or folder in question and hit the info button

 

 

 

 

Just be careful, you're unstoppable this way. You won't be warned if you're doing something wrong. Good rule of thumb is never do this to a file or folder that you didn't create. That way you're not messing with system folders ever.

 

 

We had to go through all of this with Samba because we disabled the home directory shares. So we caused the problem :-) but it was necessary for our particular setup, because we have internet exposed home directories. If this were a server only running Samba, and we didn't have so many different ways to access it, we could have avoided a lot of these lock downs as home directory shares are already set up this way by default.

 

 

Ok, back to work.

 

We are almost ready to start making shares, we just have to configure the server to automatically make a samba account every time you make a new user account.

 

Linux treats samba accounts and user accounts as two different accounts. That's not going to work for us, so we will tell it that every time we make a new user account, it should also make a matching Samba account with a matching password.

 

Scroll down on the main share page until you see

Configure Automatic Unix and Samba user synchronization

 

 

 

 

You should see something like this, make the following changes

 

 

 

 

 

This will only work on newly added users, and only if you keep using the Webmin  "User and Groups" module to add them. If you make a new user some other way, it won't make the duplicate account for you.

 

 

 

 

 

 

I say that because at the end of the how-to, I'm going to encourage you to learn the command-line way of doing everything. This would be the exception. For adding users and groups, keep using this module.

 

So all of the users we add from here on out will automatically get a samba account.

 

Which means we missed user       wood

As he was created way back before we even installed Samba

 

 

This is really easy to fix, just launch putty or the ssh2 module, and run the following command

 

smbpasswd -a wood

 

 

 

 

Remember to replace wood with the name you picked during install

 

And use the same password

 

 

This will create him a Samba account, and you will be all set

 

 

You should see something like this, you can now exit the SSH2 module

 

 

 

That should be the only time you need to do that, as now they are being created automatically every time you make a new account. (using the Webmin module)

 

You might be wondering... what about user jdoe and user testuser...

 

Those are internet users, they don't apply here, so you don't need to add them.

We don't want them to use Samba, because they are examples of people who are not on your local network, so they will need to stick with FTP, SFTP, and/or Usermin for access.
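A way to check the two points above from the shell, as an added example that is not part of the original how-to: it reports local users that still lack a Samba account (like wood) and internet-only users that were given one by mistake. The function names, the UID cut-off of 1000 and the sample account data are assumptions made for this example; on the server the inputs would be /etc/passwd and the saved output of `pdbedit -L`.

```shell
#!/bin/sh
# Added example: compare Unix accounts with Samba accounts.
# All account data below is constructed sample input.

# samba_account_gaps PASSWD_FILE PDBEDIT_LIST "internet-only users"
#   PASSWD_FILE  - a copy of /etc/passwd
#   PDBEDIT_LIST - saved output of `pdbedit -L` (one "user:uid:full name" per line)
# Prints "MISSING user" for a LAN user without a Samba account and
# "UNWANTED user" for an internet-only user that has one.
# Prints nothing when both lists agree with the plan.
samba_account_gaps() {
    awk -F: -v skip=" $3 " '
        FILENAME == ARGV[1] { samba[$1] = 1; next }   # first file: Samba accounts
        $3 < 1000 || $3 == 65534 { next }             # assumption: system UIDs and nobody
        {
            internet = index(skip, " " $1 " ") > 0
            if (!internet && !($1 in samba)) print "MISSING " $1
            if (internet && ($1 in samba))   print "UNWANTED " $1
        }
    ' "$2" "$1"
}

# write_sample_accounts DIR: constructed passwd file and pdbedit listing.
# wood predates Samba, jdoe was added to Samba by mistake.
write_sample_accounts() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
wood:x:1000:1000::/home/wood:/bin/bash
jdoe:x:1001:1001::/home/jdoe:/bin/false
testuser:x:1002:1002::/home/testuser:/bin/false
roommate1:x:1003:1003::/home/roommate1:/bin/bash
public:x:1004:1004::/home/public:/bin/bash
EOF
    cat > "$1/pdbedit-L.txt" <<'EOF'
jdoe:1001:
roommate1:1003:
public:1004:
EOF
}

demo_gaps() {
    tmp=$(mktemp -d)
    write_sample_accounts "$tmp"
    samba_account_gaps "$tmp/passwd" "$tmp/pdbedit-L.txt" "jdoe testuser"
    rm -rf "$tmp"
}

demo_gaps
```

A MISSING line is fixed with the smbpasswd command shown above; an UNWANTED line means an internet user can reach the internal shares.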

 

Let's make (5) example users, these will be examples of people on your network, in the same business, house, building, network as you.

 

Using the Users and Groups module, create the following (5) users

                                                                                                                            

 

 

 

 

Username:        roommate1                   Password:        roommate1

 

Username:        roommate2                   Password:        roommate2

 

Username:        roommate3                   Password:        roommate3

 

Username:        roommate4                   Password:        roommate4

 

Username:        public                           Password:        public

                       

 

 

When creating them, leave their home directories at the default setting, don't specify a custom home directory for them.

 

 

 

 

I used roommate as an example, meaning that they are in the same building as you, meaning same internal network.

 

Continue on, and make all (5) accounts

 

 

You should see something like this, notice their home directories are in the default location.

 

 

 

Once you have all (5) accounts created, we are finally ready to start making some shares.

 

Open the File Manager Module, and navigate to /mymounts/vraid/users/

 

(Or /mymounts/d2p1/users/  depending on your setup)

 

 

 

Create a folder called    nshares

 

To me this means     internal shares

You should now have something like this

 

/mymounts/vraid/users/nshares

 

Your users folder now contains an   xusers     folder   and a    nshares     folder

 

This folder structure reminds you that

 

It was mounted by you  (mymounts)

It's on a virtual raid        (vraid)

It contains user data       (data)

xhomes = exposed homes (exposed to the internet, unless you made them private in the earlier optional Usermin steps)

nshares = internal shares   (internal to your network)

 

 

Triple check you're not making any shares inside the xhomes folder, you want to be at least one directory higher, in the nshares directory.

 

Like this

/mymounts/vraid/users/nshares/ ...

 

Not this !

/mymounts/vraid/users/xusers/nshares/ ...

 

 

 

 

We won't be using the File Manager to make any folders deeper than

 

/mymounts/vraid/users/nshares/

 

Because the File Manager won't make the file permissions the way we want. It can, it can do anything, it's just more clicks, we will instead let Samba make them for us.

 

 

Here is how you can tell, click on the nshares folder once to highlight it, then press the info button

 

 

 

As you can see, these are not the ideal file permissions for our shares.

 

It is the ideal set of permissions for the nshares folder. But not for the shares inside it, the deeper sub-folders we are going to make inside of them need to be created by Samba. And these sub-folders will be the actual shares.

 

So once you have created the nshares folder, you can exit out of the File Manager, and return to the      Samba Windows File Sharing             Module

 

 

 

 

 

And click on       Create a new file share

 

 

You should see something like this every time you create a new share

 

 

 

 

 

You were probably expecting that box to say 700

 

This screen is talking about creating the share. All that 700 template stuff we setup earlier was for the files that will be uploaded by your users, and eventually populate the share.

 

This screen is talking about something else, itís talking about creating the share.

 

Letís make the following changes, this will be the share for user roommate1

 

 

 

We are considering this a confidential share, as it will house roommate1 personal data.

 

That's why we need to change the permissions to 700

 

You probably noticed the directory /mymounts/vraid/users/nshares/roommate1    doesn't exist yet.

That's perfect, that's what we want. This way Samba creates that folder, with the permissions we filled in here.

 

 

 

 

You probably feel like you have entered this information twice. That's not true. All that default share stuff we did pertains to the files roommate1 will later be uploading and using. This screen is setting up the correct permissions for his share.

 

For the directory put

/mymounts/vraid/users/nshares/roommate1

 

Click the Create button

 

 

You should be returned to the main screen, and see something like this.

 

 

 

 

 

 

Click on   Create a new file share

 

 

And make all of the following shares

 

 

 

Notice that the fields all say roommate2

 

 

Click Create

 

Create another one

 

 

 

Notice that the fields all say roommate3

 

Click Create.

 

 

Create another one.

 

 

Notice that the fields all say roommate4

 

 

Click Create.

 

 

Create another one.

 

 

Notice that the fields all say wood

 

 

Click Create.

 

Create another one.

 

 

Notice this one is a little different, this one is using 755.

 

As you can probably tell, this one is going to be readable by all, but only writable by you (wood)

 

 

Click Create.

 

Create another one.

 

 

 

 

Notice this one is a little different. Set the owner to username    nobody

 

That isn't an example, really use the name       nobody

 

And the permissions to 755

 

We are going to do something different with this one, make sure to type the word nobody in there, just as you see it.

 

This is going to be a publicly writable share, so your users can share files with each other.

Right now they probably email everything as an attachment, this will help cut that down a lot.

 

I will explain the username           nobody       later

 

Click create.

 

 

You should be returned to the main sharing screen, and you should see all the shares you just made listed.

 

 

 

 

 

Because of all the defaults you setup, roommates 1 through 4 are done.

 

We have to make a small change to media, and a few changes to public.

 

 

Click on media, and make the following changes

 

 

 

At the media sub-menu, click on  File Permissions

 

 

Make sure you're at the sub-menu for the media share, and not in the defaults for all shares.

It should say   Edit File Share    at the top, and not  File Share Defaults.

 

Then click on File Permissions and make the following changes.

 

 

Click save.

 

You will have to click save at the next screen too.

 

Do these exact same steps for the public share too, and click save.

 

 

There are a couple more changes we need to make to the public share.

 

Click on public and make the following few changes

 

 

You will see a sub menu

 

 

 

Click on    Security and Access Control.

 

Make the following two changes.

 

 

 

And click save

 

User nobody isn't an example, really use the name    nobody

 

 

You will be returned to the sub-menu, where you need to click save again.

 

 

 

You will be returned to the main screen, scroll down to the very bottom and click

 

Restart Samba Server      (If you're using Ubuntu you may need to reboot, as Ubuntu uses a different command to restart services, rebooting the server is a way to be sure everything gets restarted)

 

 

 

 

 

 

Now all (7) shares are setup and ready to use, you now have a fully functional file server.

 

You can connect to them from your Windows PC now by typing

 

\\your-linux-box-IP-address\

 

Mine is   192.168.2.1

 

So I would type    \\192.168.2.1\

 

 

Do this in an explorer window, like the "my computer" window.

 

 

 

 

You can click go or hit the enter key on your keyboard

 

You should be prompted to login

 

Letís use       

 

username:   roommate1         

password:    roommate1

 

 

 

 

 

 

 

If successful, you should see something like this

 

 

 

 

You're logged in as username  roommate1

 

So you should be able to do anything you want inside of the roommate1 folder

 

 

Here you are in the roommate1 folder, making a new folder

 

 

 

 

 

And you should be able to do anything inside of the public folder

 

 

 

 

 

If you double-click on any of the other roommates' folders, you should get an error, and not be allowed in. This is what we want. Those are their confidential folders. Not yours.

 

 

 

 

You should also be able to see inside the media folder, there isn't anything there yet, but you should be able to double-click it.

 

You shouldn't be able to add or delete anything.

 

Only user      wood        can do that.

 

 

 

 

Once user    wood    uploads some files into there, your users should be able to access them, but not change or delete them.

 

 

That user    nobody     stuff we did is pretty cool.

It's going to force all users to act as a "guest user" anytime they enter that folder.

That's the magic behind everyone being able to edit that folder, even though it's got 755 permissions. Because it thinks anyone inside that folder is user nobody, and user nobody is the owner.

 

 

The username   public     might never be used, but is needed because we require an account from anyone wanting to access a share. This would be one you could give to someone wanting temporary access to your shares.

 

It would be for someone on your network who doesn't have an account.

You could tell them "just login as username public password public"

 

And they would be able to access the media and public shares, but none of the confidential roommates' shares.

 

This is extremely helpful at home, when you have LAN parties. Someone always has a patch or a cd key they need to share, you can tell all of them to use username public, and they can put the needed files up in the public folder for everyone to access.

 

Or in a small business, you might have a vendor stop by to show off a product, and they need share access. Just tell them to use username public password public, and they are in, with no work for you to do, and they can't get to anything confidential.

 

 

It's just a complete solution, once you have it you won't be able to live without it.

You can combine these shares with this awesome backup utility. Cobian backup

 

It's free, and amazing. You will throw away your paid backup software and use this one, it's the best.

 

http://cobiansoft.com/cobianbackup.htm

 

 

Just install this on your users' Windows computers, and tell the backup destination to be the share on the server, and you're done. It's beautiful.

 

 

File permissions vs. share permissions, and why to do it the hard way.

 

There are both File Permissions, and Share Permissions at work whenever you access a share. File Permissions are the granddaddy of them all, if the File Permissions don't allow it, it's not going to happen, no matter what you tell the Share Permissions to do.

 

On the flip side, you could loosen up the File Permissions (something greater than 700) and control access using the Share Permissions. There is a great amount of flexibility here, it's always tempting, you can pretty much achieve anything this way, but let's talk about why you shouldn't use them, and why you should rely on File Permissions instead (whenever possible).

 

As seen in the screen below, there are some very tempting choices

 

 

You probably see a ton of flexibility there. But don't rely too heavily on share permissions, as these only apply to Samba access, and in this how-to our Linux box has several different access methods. If someone logs in a different way, via FTP or SSH, they can explore all files and folders that are set to 755, completely ignoring the Samba rules \ checkboxes above. We are of course going to tighten this up later, but you see the point. Limiting users this way is only respected by Samba, and not by any of the other modules, whereas limiting access by File Permissions keeps everybody out, no matter what access method they try.

 

I always try to make the Share Permissions match the File Permissions, because I'm telling myself this is the maximum access anyone could have, no matter what method they use to access it. And always keep confidential directories 700 or below. This won't always be possible for all of your Samba needs, you may need more flexibility than this, but it's a good rule of thumb.

 

It's more work, and less flexible, but it's better to make a mistake and not let the right user in, than to make a mistake and let the wrong user in.

 

I always consider permissions on the bottom row to be public. That's horribly inaccurate, but it's a good rule of thumb; I hardly ever use that bottom row, except for webservers. Again, it's horribly inaccurate for me to call that bottom row public, but I treat it so. I try to have a user or a group for every need, so I can make the file permissions match the share permissions.

 

 

 

Other is basically everyone, not requiring an account on the server to access the file.

 

We used it on a couple of our public shares, just give that bottom row a lot of thought, make sure you really need it. (and you will)
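The rule of thumb above can be checked mechanically. The following is an added example, not part of the original how-to: it reads share definitions in smb.conf style and flags any share that Samba limits with valid users while its directory still grants access on the bottom row (other), which is the case an FTP or SSH login walks straight past. The share paths, the valid users entries and the directory modes are constructed sample data; on a live server the modes would come from os.stat.

```python
import configparser

# Constructed sample in smb.conf style; paths and users are hypothetical.
SMB_CONF = """
[global]
workgroup = DIY.LAN

[confidential]
path = /srv/confidential
valid users = wood

[pub4roomies]
path = /srv/pub4roomies
valid users = @mygroup1

[media]
path = /srv/media
"""

# Constructed sample: directory modes as stat would report them.
DIR_MODES = {
    "/srv/confidential": 0o755,  # restricted in Samba only
    "/srv/pub4roomies": 0o2770,  # restricted on disk as well
    "/srv/media": 0o755,         # public on purpose
}

def audit(conf_text, dir_modes):
    """List shares limited by 'valid users' whose directory still grants
    any access to 'other', so FTP/SSH logins bypass the Samba rule."""
    # smb.conf lines are often indented; strip so configparser accepts them.
    text = "\n".join(line.strip() for line in conf_text.splitlines())
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    for share in cp.sections():
        if share == "global" or not cp.has_option(share, "path"):
            continue
        path = cp.get(share, "path")
        mode = dir_modes[path]
        if cp.has_option(share, "valid users") and mode & 0o007:
            findings.append((share, path, oct(mode)))
    return findings

if __name__ == "__main__":
    for share, path, mode in audit(SMB_CONF, DIR_MODES):
        print(f"{share}: {path} is {mode}, readable outside Samba")
```

Setting the flagged directory to 700 makes the file permissions match the share restriction and clears the finding.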

 

If you don't want the Printers and Faxes folder to show up

 

 

Add these three entries to the Samba configuration file  /etc/samba/smb.conf

 

# In the section that talks about printer

 

load printers = no

 

disable spoolss = yes

 

show add printer wizard = no

 

 

# These have to be in the printers section

 

You can do that with either the File Manager or the Edit Config button on the Samba screen below.

 

 

 

 

 

Click on Edit Config File       

 

You should see something like this.

 

 

 

 

Scroll down to the printers area, and add these three lines

 

load printers = no

disable spoolss = yes

show add printer wizard = no

 

 

You should have something like this

 

 

 

 

And while youíre in there, scroll up and find the line that says    include =

And comment it out with a    #  

 

 

 

Webmin doesn't seem to like that include statement in there, so just comment it out if it's there.

(it probably won't be there, but look just in case)

 

Click Save.

 

Then just restart the Samba service, or restart the server and you should be good to go.

 

 

Sometimes the computer will prepend your domain name to your login. If you're having that problem, using 127.0.0.1\username or .\username as your username should fix that. Also make sure all your Windows computers are in the same workgroup of "DIY.LAN" or whatever you used on page one during the Samba install.

  

You probably won't have that problem, but here is what the solution would look like.

 

 

 

 

Samba is cross-platform: Mac, Unix, Windows. Windows boxes use \\ip-address and/or \\server-name

 

GUI Linux clients and Macintosh use smb://ip-address and/or smb://server-name

 

 

 

In Ubuntu, that's under Go \ Location

 

On a Mac I think it's under Go \ Server (or something like that)

 

Then just hit enter, and you should see a list of shares, just as you did in Windows.

 

 

 

You want your Workgroup to match on all your computers if possible. On your Windows computers, you can change the workgroup in the same screen where you change the computer name. Just right-click on the "My Computer" icon, and select properties.

 

In the advanced tab, computer name, you can change the Workgroup to "DIY.LAN"

 


 

Say OK, and reboot.

 

At this point SAMBA should be totally working, looking and behaving how you want it to.

 

 

============================= Troubleshooting ===========================

 

If you can access your Samba shares via the IP address, but not via the computer name, check these.

I will move fast through this because these settings are not the defaults. If you have these settings in place then you already know what I'm talking about.

 

Make sure you're getting your DNS info from your local DHCP server.

 


 

 


 

 

Or better yet

 

 


 

 

If you have given your Linux box a static IP address, edit the file /etc/hosts and, on the line that reads 127.0.1.1, replace that address with your new static IP address.

 

Should look something like this.

 

 


 

 

Your /etc/resolv.conf should look something like this

 

 


 

 

Also, reboot a few times, and make sure /etc/resolv.conf isn't being changed by your DHCP client.

 

And double-check that your computer name is right in /etc/hostname

 

 


 

 

And reboot

 

I'm purposely going to keep moving fast through these next parts, using red font, because I don't recommend you do it unless you have a real need for browsing by name, and aren't planning on setting up a local DNS server. This is a manual band-aid for not having a local DNS server, which is the real fix to all of this, and is covered later in the advanced section.

 

First, on your Windows computer, edit the file c:\windows\system32\drivers\etc\hosts

And add the IP address and name of your Linux box (there are examples in that file that make it easy to understand) 

 

Second, on your Windows computers, if you're using static IP addresses, you're probably not getting the right DNS suffix for your local network. Right-click on your network card and choose properties, then double-click on TCP\IP (TCP\IP version 4 if you have two choices).

 

Then click on advanced, and click on the DNS tab at the top. Add the suffix diy.lan (or whatever you picked on page 1) to the field that says "DNS suffix for this connection"

 

Apply and reboot, and now your Windows machines will add .diy.lan to the end of everything you're searching for, which should fix any name resolution problems you may be having.

This is a manual band-aid for not having a local DNS server and DHCP feeding the machines information about your local network. I don't recommend doing it because it's really easy to forget those settings are there, and they will cause major headaches if you change your network setup and forget that it's still hard coded at each machine.

 

Third, sometimes the following two settings can interfere with name browsing.

Open up Webmin, navigate to the Samba Windows File Sharing module, and click on Unix Networking.

Setting the top one back to "Automatic" and the listen on address back to "All" can sometimes help. Just a warning though, these settings are needed later if you know you're going to continue on to the advanced section where we add another network card and turn it into a router \ DDNS server. So you really shouldn't change it if you're going on to the advanced section.

 


 

 

The fourth fix is pretty extreme. Open up Webmin, navigate to the Samba Windows File Sharing module, and click on Windows Networking. You should see a field that says "Remote announce to". Just click the button that says "from list" and enter an IP address on the left, and your workgroup name on the right (DIY.LAN).

 

You can play around with what IP address works best for you. You can put the IP address of your router, so the Samba server announces its name to the router. Most routers will block directed broadcasts like this, so you will have to play around with it. You can also put the IP address of certain computers you want the Samba server to announce its name to. You can announce it to all your machines by using 192.168.2.255 on the left and your workgroup name on the right. This is noisy and not recommended.

 

 

This ends the non-recommended troubleshooting part. It's my opinion that these settings should not be used. "Remote announce to" is very noisy on your network, and with static DNS entries it is way too easy to forget they are there. But if you have a need for browsing by computer name, a combination of those should fix it.

 

            ============================= End Troubleshooting ===========================

 

Next we are going to set up Samba groups. On a small home network you probably won't need this. But as your network grows, or if you're setting up a small business network, this will become a must-have.

 

This is extremely similar to what we did earlier, when we told Samba and Webmin to also make a matching Samba account anytime a user account is made. Now we need to tell Samba to also make a matching Samba group anytime a group is made. This isn't the law, but if you're following my how-to exactly, we are requiring every user to have a system account and a Samba account, and are matching filesystem permissions to share permissions. So for this to work right we have to have matching users and groups in both. But after a few clicks that will all be transparent anyway, and the system will automatically take care of all that for us.

 

Navigate to the Samba Windows File Sharing module, and scroll down towards the bottom and click on the

Configure automatic Unix and Samba group synchronization   icon

 

 

 

 

 

 

You should see something like this, make the following changes and click     apply

 

 

 

 

 

 

Just a reminder, you have to forever use the Webmin module for creating new users and groups, or this function won't happen.

 

 

Next navigate to the Users and Groups module, and click on Local Groups.

 

 

 

 

 

 

And then click on    Create a new group

 

 

 

 

 

 

You should see something like this, make the following changes.

 

 

 

 

 

Click Create

 

 

Now you have a group called   mygroup1    that is both a Linux group and a Samba group

With the following members: roommates 1, 2, 3, and 4, and yourself (wood).

 

Next navigate to the Samba module, and click on       Create a new file share

 

 

 

 

 

 

 

You should see something like this, make the following changes.

 

 

 

Notice the share is called    pub4roomies

Which to me means a public share that only the roommates (and you) can access: everyone in the group mygroup1

 

Notice the Create with permissions are 770

That's unlimited for the owner, unlimited for the group, and no access for everyone else. (empty bottom row)

 

Make sure the owner is you, and the group is mygroup1, and click Create.

 

 

You should have been returned to the main Samba screen, but there are a few more changes we still need to make.

 

 

Click on the pub4roomies share

 

 

 

 

 

 

 

You should see something like this

 

 

 

Click on File Permissions

 

 

 

 

 

 

You should see something like this, make the following changes.

 

 

 

 

 

 

You will have to click save at this screen, and the next one.

 

 

You're almost done, we just have to make one small change to the permissions of the pub4roomies folder.

 

Using the Webmin File Manager module, navigate to the pub4roomies folder, click on it, then click Info.

 

 

 

 

 

Click the     Files inherit group    checkbox, and then click save

You could also optionally click the only owners can delete files checkbox, if you didn't want the roommates deleting each other's stuff.

But this is a public share for them, so I wouldn't recommend checking that box, unless you have one jerk roommate :-)

 

 

 

 

 

That's it, just navigate back to the Samba module and restart Samba.

 

Now any member of the mygroup1 group can access the pub4roomies share with full rights.

Newly uploaded files will get the uploading roommate as the owner and mygroup1 as the group, and be fully accessible and fully editable by all of that group's members.
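The two File Manager checkboxes used above correspond to the setgid bit (Files inherit group) and the sticky bit (only owners can delete files) on the directory. The following is an added example, not part of the original how-to, that models how Linux applies those two bits so you can see who ends up owning and deleting what. The numeric user and group IDs are constructed, and root is left out of the model.

```python
import stat

# Constructed IDs: wood owns the share directory, mygroup1 is its group.
WOOD, ROOMMATE1, ROOMMATE2 = 1000, 1001, 1002
MYGROUP1 = 2000

def new_file_group(dir_mode, dir_gid, creator_gid):
    """Group a new file gets on Linux: the directory's group when the
    directory is setgid, otherwise the creator's primary group."""
    return dir_gid if dir_mode & stat.S_ISGID else creator_gid

def can_delete(dir_mode, dir_uid, file_uid, uid, in_dir_group):
    """May non-root user `uid` remove a file from this directory?"""
    # Deleting needs write and search permission on the directory itself.
    if uid == dir_uid:
        allowed = dir_mode & stat.S_IWUSR and dir_mode & stat.S_IXUSR
    elif in_dir_group:
        allowed = dir_mode & stat.S_IWGRP and dir_mode & stat.S_IXGRP
    else:
        allowed = dir_mode & stat.S_IWOTH and dir_mode & stat.S_IXOTH
    if not allowed:
        return False
    # Sticky bit: only the file's owner or the directory's owner may delete.
    if dir_mode & stat.S_ISVTX:
        return uid in (file_uid, dir_uid)
    return True

if __name__ == "__main__":
    # 2770 = Files inherit group; 3770 adds only owners can delete files.
    print(new_file_group(0o2770, MYGROUP1, ROOMMATE1))              # 2000
    print(can_delete(0o2770, WOOD, ROOMMATE1, ROOMMATE2, True))     # True
    print(can_delete(0o3770, WOOD, ROOMMATE1, ROOMMATE2, True))     # False
```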

 

That's pretty much it for Samba, there is just a little preventive stuff we should do next.
