diff --git a/scans_samba_dir.md b/scans_samba_dir.md
new file mode 100644
index 0000000..57dc224
--- /dev/null
+++ b/scans_samba_dir.md
@@ -0,0 +1,57 @@ +--- +title: "Opret delt Samba-mappe til skan" +parent: "Skanner" +source: scripts/skanner/scans_samba_dir.sh +parameters: + - name: "Installer Samba og opret delt mappe?" + type: "boolean" + default: null + mandatory: false + - name: "Navn på mappen på skrivebordet" + type: "string" + default: null + mandatory: true + - name: "Ønsket kodeord til Samba-brugeren" + type: "password" + default: null + mandatory: true + - name: "Deaktiver NTLMv1 (så kun NTLMv2 og nyere tillades)" + type: "boolean" + default: null + mandatory: false + - name: "Tillad forbindelse over NetBIOS" + type: "boolean" + default: null + mandatory: false +compatibility: + - "BorgerPC" +--- + +## Beskrivelse +Dette script installerer Samba, og opretter følgende: +- En Samba share ved navn "scan". + Denne "share" peger på en mappe på Borgers skrivebord, med et valgfrit navn, som man vælger via andet parameter til dette script + Brugernavnet og gruppen denne "share" deles som, hedder "samba". + Gæsteadgang er slået fra. Muligheden for at at oprette "Usershares" er slået fra. +Brugernavnet skal være "samba". Kodeordet for denne "samba"-bruger vælger du selv via det tredje parameter til dette script. +Navnet på Workgroup er WORKGROUP. + +Samba-forbindelsen kan oprettes på to måder: +- Samba over TCP direkte (nyere, anbefales): Her kører serveren på TCP port 445. Både IPv4 og IPv6 skulle være understøttet. + Vi anbefaler at vælge Samba over TCP direkte, såfremt skanneren understøtter det. +- Samba over NetBIOS over TCP): Her køres serveren på TCP port 139 + UDP port 137 og 138. IPv4 er understøttet. + Denne forbindelses-metode er ældre, og anbefales derfor kun til ældre scannere, hvor førstnævnte ikke virker. + +BEMÆRK: +- Der SKAL logges ud efter kørsel af dette script, før denne share/delte mappe eksisterer, og derved før forbindelsen kan oprettes! +- Det kan være nødvendigt at vælge en bestemt version af NTLM i skannerens Samba-indstillinger. Dvs. NTLMv1 eller NTLMv2. 
+
+## Parametre
+- Aktiver:
+ - Sæt hak for at installere Samba og oprette mappen.
+ - Udelad hak for at fjerne Samba og mappen.
+- Navn på mappen på skrivebordet
+- Vælg kodeord til Samba-brugeren. Når du kører dette script for at deaktivere funktionen, er dette parameter ikke nødvendigt.
+- NTLMv2 eller nyere er et krav i Sambas standardkonfiguration. Sæt hak her for at tillade ældre versioner - dvs. NTLMv1. De ældre protokoller er mindre sikre, men omvendt kan nogle (ældre) enheder ikke understøtte de nye protokoller, så det kan være nødvendigt, for at få forbindelsen til at virke.
+- NetBIOS er aktiveret som standard, som både tillader at forbinde til Samba over NetBIOS og TCP direkte. Fjern hakket for at deaktivere NetBIOS-understøttelse.
+ Dette kan du gøre, hvis skanneren forbinder til Samba direkte over port 445, som er den nyere standard.
\ No newline at end of file
diff --git a/scripts/scans_samba_dir.sh b/scripts/scans_samba_dir.sh
new file mode 100755
index 0000000..8e07beb
--- /dev/null
+++ b/scripts/scans_samba_dir.sh
@@ -0,0 +1,216 @@ +#! /usr/bin/env sh + +# Test it like this, preferably from another machine: +# smbclient '\\\' -U +# ...so more specifically: +# smbclient '\\IP_ADDRESS_HERE\scan' -U samba + +set -x + +ACTIVATE="$1" +DIRECTORY_NAME_ON_DESKTOP="${2-scan}" # Set a default argument so rm --recursive below doesn't attempt to delete the desktop if no argument was passed +SAMBA_USER_PASSWORD="$3" +AUTH_DISALLOW_NTLM_V1="$4" +ALLOW_NETBIOS="$5" + +SCAN_DIRECTORY_SOURCE="/home/.skjult/Skrivebord/$DIRECTORY_NAME_ON_DESKTOP" +SCAN_DIRECTORY_DESTINATION=$(echo "$SCAN_DIRECTORY_SOURCE" | sed 's/.skjult/user/') +SAMBA_CONFIG=/etc/samba/smb.conf +# This share name can really be anything +SHARE_NAME="scan" +SAMBA_SERVICE="smbd" +OUR_USER="user" +# This name can be anything +SAMBA_USER="samba" + +if [ "$ACTIVATE" != "True" ]; then + apt-get purge --assume-yes samba samba-common-bin + rm --recursive "$SCAN_DIRECTORY_SOURCE" + userdel $SAMBA_USER + groupdel $SAMBA_USER + exit 0 +fi + +# A provided password is required when activating this script +[ -z "$SAMBA_USER_PASSWORD" ] && echo "Error: You need to choose a password for the samba user, which is then used to access the share. Exiting." && exit 1 + +if [ "$AUTH_DISALLOW_NTLM_V1" = "False" ]; then + AUTH_NTLM_V1_TEXT=" +# Better support for old devices by allowing older auth protocols +# Newer versions default to: ntlm auth = ntlmv2-only +# https://wiki.archlinux.org/title/Samba#Enable_access_for_old_clients/devices + server min protocol = NT1 + ntlm auth = yes" +fi + +# Defaults are: +# disable netbios = no +# smb ports 445 139 +if [ "$ALLOW_NETBIOS" = "False" ]; then + NETBIOS_TEXT=" +# Disabling netbios + stop listening on its TCP port + disable netbios = yes + smb ports = 445" +fi + +apt-get update --assume-yes +# Note: This installation also creates a group named "sambashare". 
Not currently using that for anything +apt-get install samba samba-common-bin --assume-yes + +# Don't create home dir, add the user fully noninteractively, and don't allow login to the user +groupadd --system $SAMBA_USER +adduser --system --no-create-home --disabled-password --disabled-login --group --shell /bin/false $SAMBA_USER +# Set the provided password for the samba user +#echo "$SAMBA_USER:$SAMBA_USER_PASSWORD" | /usr/sbin/chpasswd + +# Create the user in samba and set the password for it: +printf "%s\n%s" "$SAMBA_USER_PASSWORD" "$SAMBA_USER_PASSWORD" | smbpasswd -a -s samba + +# Enable the user +smbpasswd -e $SAMBA_USER + +# Create the directory and user and group for the share +# shellcheck disable=SC2174 # --parents is just there to ignore errors if it already exists +mkdir --parents --mode 0777 "$SCAN_DIRECTORY_SOURCE" +# User and group will be overwritten and set to root:user if desktop_toggle_writable.sh has been run, therefore we give the dir 777 access so samba can access and write to it +chown $OUR_USER:$SAMBA_USER "$SCAN_DIRECTORY_SOURCE" + +# This is most of the default config, with inactive sections, and print sections removed and only a few changes made (user shares are disabled) +# This was mostly done to disable the default printer sharing +cat <<- EOF > $SAMBA_CONFIG + #======================= Global Settings ======================= + + [global] + + ## Browsing/Identification ### + + # Change this to the workgroup/NT-domain name your Samba server will part of + workgroup = WORKGROUP + + # server string is the equivalent of the NT Description field + server string = %h server (Samba, Ubuntu) + + #### Debugging/Accounting #### + + # This tells Samba to use a separate log file for each machine + # that connects + log file = /var/log/samba/log.%m + + # Cap the size of the individual log files (in KiB). + max log size = 1000 + + # We want Samba to only log to /var/log/samba/log.{smbd,nmbd}. 
+ # Append syslog@1 if you want important messages to be sent to syslog too.
+ logging = file
+
+ # Do something sensible when Samba crashes: mail the admin a backtrace
+ panic action = /usr/share/samba/panic-action %d
+
+ ### Don't share printers ###
+ # https://wiki.archlinux.org/title/Samba#Disable_printer_sharing
+ load printers = no
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
+ show add printer wizard = no
+
+
+ ####### Authentication #######
+
+ # Server role. Defines in which mode Samba will operate. Possible
+ # values are "standalone server", "member server", "classic primary
+ # domain controller", "classic backup domain controller", "active
+ # directory domain controller".
+ #
+ # Most people will want "standalone server" or "member server".
+ # Running as "active directory domain controller" will require first
+ # running "samba-tool domain provision" to wipe databases and create a
+ # new domain.
+ server role = standalone server
+
+ obey pam restrictions = yes
+
+ # This boolean parameter controls whether Samba attempts to sync the Unix
+ # password with the SMB password when the encrypted SMB password in the
+ # passdb is changed.
+ unix password sync = yes
+
+ # For Unix password sync to work on a Debian GNU/Linux system, the following
+ # parameters must be set (thanks to Ian Kahan < for
+ # sending the correct chat script for the passwd program in Debian Sarge).
+ passwd program = /usr/bin/passwd %u
+ passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+
+ # This boolean controls whether PAM will be used for password changes
+ # when requested by an SMB client instead of the program listed in
+ # 'passwd program'. The default is 'no'.
+ pam password change = yes
+
+ # This option controls how unsuccessful authentication attempts are mapped
+ # to anonymous connections # never is the default.
+ map to guest = never
+
+ $AUTH_NTLM_V1_TEXT
+
+ ############ Misc ############
+
+ # Maximum number of usershare. 0 means that usershare is disabled.
+ usershare max shares = 0
+
+ # Allow users who've been granted usershare privileges to create
+ # public shares, not just authenticated ones
+ usershare allow guests = no
+
+ $NETBIOS_TEXT
+
+ #======================= Share Definitions =======================
+ #
+EOF
+
+# Modify some global configuration for all "user shares"
+# User shares are shares users can create themselves, without needing root permissions
+#sed --in-place --expression '/\[global\]/a\usershare max shares = 100' \
+# --expression '/\[global\]/a\usershare allow guests = yes' \
+# --expression '/\[global\]/a\usershare owner only = false' $SAMBA_CONFIG
+
+
+# Create the share named $SHARE_NAME. Settings:
+# - path: The path to the share on the file system
+# - browseable = yes: "this share is seen in the list of available shares in a net view and in the browse list"
+# - create mask and force create mode: Ensure new files created in the dir has those permissions
+# - directory mask and force directory mode does the same for directories created within the share
+# - force user and force group: Forcing the share to be shared as this user/group
+# - writeable = yes: allow write access
+# - guest ok = no: don't allow connecting to the service without a password
+if ! grep "Scanned documents" $SAMBA_CONFIG; then # Idempotency check
+ cat <<- EOF >> $SAMBA_CONFIG
+ [$SHARE_NAME]
+ comment = Scanned documents
+ path = $SCAN_DIRECTORY_DESTINATION
+ force user = $SAMBA_USER
+ force group = $SAMBA_USER
+ create mask = 0664
+ force create mode = 0664
+ directory mask = 0775
+ force directory mode = 0775
+ browseable = yes
+ writeable = yes
+ guest ok = no
+ EOF
+fi
+
+# Now restart samba after the configuration changes. If it starts up successfully, the settings should be at least syntactically valid.
+systemctl restart $SAMBA_SERVICE +systemctl status $SAMBA_SERVICE + +# Check samba status + version info +smbstatus + +# Test configuration file correctness +testparm --suppress-prompt + +echo "Listing processes listening on TCP, matching smbd" +lsof -nP -iTCP -sTCP:LISTEN | grep smbd + +echo "Listing processes using UDP, matching nmbd (netbios)" +lsof -nP -iUDP | grep nmbd
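Review bot: With `set -x` enabled at the top of the script, the assignment `SAMBA_USER_PASSWORD="$3"` and the `printf "%s\n%s" "$SAMBA_USER_PASSWORD" "$SAMBA_USER_PASSWORD" | smbpasswd -a -s samba` pipeline are written to the xtrace output on stderr, so the chosen Samba password ends up in whatever captures that stream (presumably the job log of the management system that runs these scripts). Either drop `set -x` or wrap the secret-handling lines with `set +x` before `SAMBA_USER_PASSWORD="$3"` and `set -x` again after the `smbpasswd -e` call. Separately, `${2-scan}` only substitutes the default when `$2` is unset, not when it is an empty string, so an empty second argument on deactivation makes `rm --recursive "$SCAN_DIRECTORY_SOURCE"` target `/home/.skjult/Skrivebord/` itself; use `${2:-scan}` and reject traversal-capable names before that branch, e.g. `case "$DIRECTORY_NAME_ON_DESKTOP" in */*|.|..) echo "Invalid directory name" >&2; exit 1;; esac`. The hardcoded `samba` in `smbpasswd -a -s samba` should also be `"$SAMBA_USER"` so it cannot drift from the Unix account created two lines earlier.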