
How to create an Intranet with Samba and OpenVPN on Ubuntu 18.04

Published on: 29 March 2020

Storage Ubuntu VPN

An intranet is a private network that an organization runs so that its members can communicate and exchange data. Users who connect to it can also reach selected files and services from outside the office, for example from home. To make that possible, a VPN service creates an encrypted tunnel between the user's computer and the office network, so the intranet itself is never exposed directly to the Internet.

In this tutorial you will learn how to build a small intranet file service by configuring Samba on a server that already runs OpenVPN, and how to restrict access to the shared company files and resources so that only users connected through the VPN can reach them.

Prerequisites

To proceed with the installation of the Samba package, you need a server on which OpenVPN is already installed and configured. If OpenVPN is not yet installed, follow our guide How to create and configure a VPN using OpenVPN on Ubuntu 18.04 first. Throughout this tutorial the VPN server address is assumed to be 10.8.0.1 on the 10.8.0.0/24 subnet, which is what that guide (and the OpenVPN sample configuration) uses; adjust the addresses below if your VPN uses a different range.

To get started, connect to your server via an SSH connection. If you haven't done so yet, following our guide on connecting securely with the SSH protocol is recommended. In case of a local server, skip this step and open the terminal of your server.

Installing and Configuring Samba server

Samba is a software package that implements the SMB/CIFS protocol, so that files can be shared with and accessed from Windows, macOS and Linux machines on the same network. Unlike hosted services such as Google Drive or Dropbox, it has no web interface and imposes no limit on the number of shared files: the only limit is the disk space available on the server.

First, install Samba on your server:

sudo apt-get install samba samba-common

The python-glade2 and system-config-samba packages that some guides add are a GTK front end for editing smb.conf; they are not needed on a headless server, and everything below is done by editing the configuration file directly.

Before editing anything, keep a copy of the original configuration file so that it can be restored if necessary:

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.backup

Since the service needs access to the network, if a firewall like UFW is enabled, allow Samba through it. Do not open it on every interface: restrict the rule to the VPN subnet, so that the SMB ports (137/138 UDP and 139/445 TCP, as listed in UFW's Samba application profile) are never reachable from the public network even if the Samba configuration is later changed:

sudo ufw allow from 10.8.0.0/24 to any app Samba

A plain "sudo ufw allow samba" would also work, but it opens those ports to every network the server is attached to and relies on Samba's own interface binding alone.

Then, create two folders: a public one, open to everyone connected to the VPN, and a private one that only authorized users can access.

sudo mkdir -p /samba/private
sudo mkdir -p /samba/public

Configuring Samba server

Edit the Samba configuration file to set up the rules for accessing folders and files:

sudo nano /etc/samba/smb.conf

Delete all content and replace it with the following configuration:

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = ubuntu
security = user
map to guest = bad user
dns proxy = no
# Listen only on loopback and on the VPN server address. The mask must match
# the VPN subnet (10.8.0.0/24 is the OpenVPN default): 10.8.0.1/8 would
# claim the whole of 10.0.0.0/8.
interfaces = lo 10.8.0.1/24
bind interfaces only = yes

## Logging
log level = 2
log file = /var/log/samba.log.%m
max log size = 50
debug timestamp = yes

#============ Share Definitions ==================

[public]
path = /samba/public/
browsable = yes
writable = yes
guest ok = yes
read only = no
force user = nobody

[private]
path = /samba/private/
valid users = @authorized
guest ok = no
writable = yes
browsable = yes
# Files created by one member stay writable by the whole group
force group = authorized
create mask = 0660
directory mask = 2770

This configuration defines three sections: Global, Public and Private, each with a different level of access.

  • Global: general settings for the Samba server.
    • Workgroup: the workgroup in which the server is announced. WORKGROUP is the default on Windows; change it if your network uses another name.
    • Server string & NetBIOS name: the description shown next to the server in browse lists (%v expands to the Samba version) and the NetBIOS host name that clients see.
    • Security: user means the server is a standalone server that authenticates users against its own Samba account database.
    • Map to guest: with bad user, a login with a username that does not exist is treated as a guest; a wrong password for an existing user is rejected, not mapped to guest.
    • DNS proxy: nmbd will not fall back to DNS lookups when resolving NetBIOS names.
    • Interfaces: the addresses on which Samba listens; here only loopback and the VPN server address, so the shares are reachable only through the VPN tunnel.
    • Bind interfaces only: makes smbd and nmbd actually bind to those interfaces instead of merely filtering on them. Without it, Samba still listens on every address.
    • Log level: desired level of detail in the log (0 to 10; 2 is a reasonable default in production).
    • Log file: path and name of the log file; %m expands to the client's NetBIOS name, so each client gets its own file.
    • Max log size: size in KB at which the log file is rotated.
    • Debug timestamp: whether or not to include timestamps in the log.
  • Public: a share open to every VPN user.
    • Path: path of the folder to be shared.
    • Browsable & Writable: whether the share appears in listings and whether files can be created and modified.
    • Guest ok: allows access to the folder without a registered account.
    • Read only: no means the same as writable = yes; the two lines are equivalent and either one can be dropped.
    • Force user: every file operation on this share is performed as the Unix user nobody, whoever the client is, so guest writes never happen under a privileged account.
  • Private: access rules for members of the "authorized" group.
    • Path: path of the folder to be shared.
    • Valid users: only members of the Unix group "authorized" (the @ prefix means group) may connect.
    • Guest ok: no rejects guest and anonymous access; a valid account is required.
    • Writable & Browsable: as for the public share.
    • Force group, create mask & directory mask: setting force group = authorized, create mask = 0660 and directory mask = 2770 on this share makes new files and folders belong to the group with group write permission, so a document that one member uploads can be edited by the others; without them, Samba's default create mask of 0744 leaves other members with read access only.
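The rules above are easy to get subtly wrong: a mask of /8 instead of /24, a forgotten bind interfaces only, or a guest-writable share without force user. The following audit script is an added example written for this tutorial, not part of Samba or of the original page. It parses an smb.conf with awk and checks exactly the properties that make the shares VPN-only. It assumes the VPN server address 10.8.0.1 (override it with the VPN_ADDR environment variable); the two sample configurations it writes to a temporary directory are constructed for the demonstration, one weak and one matching the hardened configuration above.

```shell
#!/bin/sh
# Audit an smb.conf against the intranet rules of this tutorial:
#   1. bind interfaces only = yes, and interfaces lists only the VPN server
#      address (plus loopback), so smbd is unreachable outside the tunnel;
#   2. a share that guests can write to must run as a fixed unprivileged
#      identity (force user);
#   3. every authenticated share must restrict who may connect (valid users).
# Output: one "OK", "WARN" or "FAIL" line per check; exit 1 if anything FAILs.
# VPN_ADDR is an assumption taken from the OpenVPN guide; override as needed.
VPN_ADDR="${VPN_ADDR:-10.8.0.1}"

audit_smbconf() {
    awk -v vpn="$VPN_ADDR" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                       # comment line
    /^[ \t]*\[/ {                                # section header: [global], [private], ...
        sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
        sect = tolower(sect); order[++n] = sect; next
    }
    sect != "" && index($0, "=") > 0 {           # "key = value" inside a section
        key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
        val = tolower(trim(substr($0, index($0, "=") + 1)))
        conf[sect, key] = val
    }
    END {
        fails = 0
        if (conf["global", "bind interfaces only"] != "yes") {
            print "FAIL global: bind interfaces only is not yes (interfaces is then only a filter)"; fails++
        }
        ifaces = conf["global", "interfaces"]
        if (ifaces == "") {
            print "FAIL global: interfaces is empty, smbd would listen on every address"; fails++
        } else {
            bad = 0
            m = split(ifaces, parts, /[ \t]+/)
            for (i = 1; i <= m; i++) {
                p = parts[i]; sub(/\/.*$/, "", p)  # drop the /prefix, keep address or name
                if (p != vpn && p != "lo" && p != "127.0.0.1") bad++
            }
            if (bad) { print "FAIL global: interfaces includes non-VPN entries: " ifaces; fails++ }
            else       print "OK   global: smbd bound only to " ifaces
        }
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s == "global" || s == "printers" || s == "print$") continue
            guest = (conf[s, "guest ok"] == "yes")
            writ  = (conf[s, "writable"] == "yes" || conf[s, "writeable"] == "yes" || conf[s, "read only"] == "no")
            if (guest && writ && conf[s, "force user"] == "") {
                print "FAIL [" s "]: guest-writable share without force user"; fails++
            } else if (guest && writ) {
                print "WARN [" s "]: guest-writable share, all writes run as " conf[s, "force user"]
            } else if (!guest && conf[s, "valid users"] == "") {
                print "FAIL [" s "]: authenticated share has no valid users restriction"; fails++
            } else {
                print "OK   [" s "]: " (guest ? "guest read-only" : "restricted to " conf[s, "valid users"])
            }
        }
        exit (fails > 0)
    }' "$1"
}

# --- constructed sample configurations (not taken from a real server) ---
TMPD=$(mktemp -d)
cat > "$TMPD/weak.conf" <<'EOF'
[global]
   security = user
   map to guest = bad user
   interfaces = eth0 10.8.0.1/24
[public]
   path = /samba/public
   guest ok = yes
   writable = yes
[private]
   path = /samba/private
   guest ok = no
   writable = yes
EOF
cat > "$TMPD/hardened.conf" <<'EOF'
[global]
   security = user
   map to guest = bad user
   interfaces = lo 10.8.0.1/24
   bind interfaces only = yes
[public]
   path = /samba/public
   guest ok = yes
   writable = yes
   force user = nobody
[private]
   path = /samba/private
   valid users = @authorized
   guest ok = no
   writable = yes
EOF

for f in weak hardened; do
    echo "== $f.conf"
    audit_smbconf "$TMPD/$f.conf" || echo "   -> audit failed"
done
```

On the real server run audit_smbconf /etc/samba/smb.conf after every change; the weak sample produces four FAIL lines (no bind interfaces only, a LAN interface in the list, a guest-writable share with no force user, and a private share with no valid users), while the hardened one only warns that the public share is guest-writable by design.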

Configuring access to Samba shares

To access the files in the "private" folder, create the Unix group "authorized" that the valid users line above refers to:

sudo addgroup authorized

Then create a user account for each person who needs access and add it to that group. The account only has to exist for Samba, so give it no home directory and no login shell: the Samba password set below is stored separately from the Unix password (which useradd leaves locked), and this way the same credentials can never be used to log in over SSH:

sudo useradd -M -s /usr/sbin/nologin -G authorized authorized_username
sudo smbpasswd -a authorized_username

You will be asked to enter the password that this user will use to access the shared files. Samba keeps it in its own database, so it is valid for SMB access only.

Now, set read and write permissions for the public folder. A directory needs the execute (search) bit to be entered at all, so a mode of 766 would lock out everyone but the owner; use 775:

sudo chown -R nobody:nogroup /samba/public
sudo chmod 775 /samba/public
sudo setfacl -dm g:nogroup:rw /samba/public
sudo setfacl -dm u:nobody:rw /samba/public

Because the share forces every operation to run as nobody, that user must own the tree; the default ACLs make sure that anything created later inherits the same rights.

Then, set the permissions for the private folder: the tree is owned by root, belongs to the "authorized" group, and is closed to everyone else. The setgid bit (2770) makes new files and folders inherit the group instead of the creating user's primary group:

sudo chown -R root:authorized /samba/private
sudo chmod 2770 /samba/private

After the configuration, check the file for syntax errors and then restart both Samba daemons (smbd serves the shares, nmbd handles NetBIOS name resolution) to apply the changes:

testparm -s
sudo systemctl restart smbd nmbd

testparm prints the effective configuration and complains about unknown or malformed parameters; fix anything it reports before restarting.
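Once the daemons are back up, two things are worth verifying before handing the shares to users: that the directory modes really allow what you intend, and that smbd is listening only on the VPN address. The script below is an added example for this tutorial, not Samba's own tooling. It assumes GNU stat as shipped with Ubuntu and the VPN address 10.8.0.1, and it uses constructed ss -ltn output and temporary directories so that it runs without Samba installed; on the real server, feed it the live output instead.

```shell
#!/bin/sh
# Post-setup checks for the Samba intranet: directory permissions and
# listening sockets. Assumes GNU stat (Ubuntu) and the VPN address 10.8.0.1.

# check_share_dir DIR MODE GROUP
# Verifies the octal mode and group of a share root and, separately, that
# the group has the search (x) bit: a directory such as 766 looks writable
# but cannot even be entered by the group, which is the usual cause of
# "permission denied" on a share that is configured correctly in smb.conf.
check_share_dir() {
    dir=$1; want_mode=$2; want_group=$3; rc=0
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    have_mode=$(stat -c '%a' "$dir")
    have_group=$(stat -c '%G' "$dir")
    if [ "$have_mode" != "$want_mode" ]; then
        echo "FAIL $dir: mode is $have_mode, expected $want_mode"; rc=1
    fi
    if [ "$have_group" != "$want_group" ]; then
        echo "FAIL $dir: group is $have_group, expected $want_group"; rc=1
    fi
    g=${have_mode%?}; g=${g#"${g%?}"}        # second-to-last digit = group bits
    case $g in
        1|3|5|7) ;;
        *) echo "FAIL $dir: group has no search (x) bit, members cannot enter it"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK   $dir: mode $have_mode, group $have_group"
    return $rc
}

# check_listeners VPN_ADDR   (reads "ss -ltn" output on stdin)
# Fails if an SMB port (139 or 445) is bound to anything other than the VPN
# address or loopback, e.g. 0.0.0.0 or [::], which would mean the shares are
# exposed on the public interface whatever smb.conf claims.
check_listeners() {
    vpn=$1; rc=0
    while read -r state recvq sendq laddr peer rest; do
        case $laddr in
            *:445|*:139) ;;
            *) continue ;;               # header line or some other service
        esac
        addr=${laddr%:*}                 # strip ":port"
        case $addr in
            "$vpn"|127.0.0.1|"[::1]") echo "OK   smbd listening on $laddr" ;;
            *) echo "FAIL smbd listening on $laddr (reachable outside the VPN)"; rc=1 ;;
        esac
    done
    return $rc
}

# --- constructed demonstration data (not captured from a real server) ---
TMPD=$(mktemp -d)
mkdir "$TMPD/good" "$TMPD/bad"
chmod 2770 "$TMPD/good"          # what /samba/private should look like
chmod 766  "$TMPD/bad"           # the common mistake
MYGRP=$(id -gn)                  # stands in for "authorized" in this demo

GOOD_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     10.8.0.1:445        0.0.0.0:*
LISTEN 0      50     10.8.0.1:139        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
BAD_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
LISTEN 0      50     [::]:445            [::]:*'

for d in good bad; do check_share_dir "$TMPD/$d" 2770 "$MYGRP" || true; done
printf '%s\n' "$GOOD_SS" | check_listeners 10.8.0.1 || true
printf '%s\n' "$BAD_SS"  | check_listeners 10.8.0.1 || true
# On the real server: check_share_dir /samba/private 2770 authorized
#                     ss -ltn | check_listeners 10.8.0.1
```

The listener check is the one that catches a missing bind interfaces only: in that case smb.conf still lists 10.8.0.1, but ss shows smbd on 0.0.0.0:445, and every LAN or Internet-facing address on the server can reach the shares.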

Connecting to Samba Server

Ubuntu

Open Files (the file manager) -> Other Locations -> Connect to Server, and type:

smb://10.8.0.1/

To access the "public" folder, leave it as "Anonymous". Instead, to access the "private" folder, enter the username and password set when you added that specific user to the "authorized" group.

Windows

Open Explorer -> Network, and type:

\\10.8.0.1\

Access to the "public" folder is granted without any prompt, while the "private" folder asks for a username and password. In both cases the client must be connected to the VPN: 10.8.0.1 only exists inside the tunnel, and smbd is bound to that address alone.

Removing access to folders and files

To make sure that a specific user can no longer reach the private files, remove it from the "authorized" group (deluser takes the user and the group as two arguments; it has no -G option) and disable its Samba account:

sudo deluser authorized_username authorized
sudo smbpasswd -d authorized_username

The group change applies to new connections only: a client that already has the share open keeps its session until it disconnects. List the open sessions with sudo smbstatus and, on the Samba version shipped with Ubuntu 18.04, drop the one coming from the user's VPN address with sudo smbcontrol smbd kill-client-ip followed by that address.

To view the users in the "authorized" group that have access to the confidential files, use getent, or install the "members" package:

getent group authorized
sudo apt-get install members
members authorized

To give a previously removed user access again, add it back to the group and re-enable its Samba account:

sudo usermod -a -G authorized authorized_username
sudo smbpasswd -e authorized_username