What do we want to do
---------------------

1) Install and start the smb and swat services (covered in linux4.txt).

2) Configure two or three options from the Samba server configuration section (partially discussed in linux4-part2.txt). The most important one is the security level, which can be one of SHARE, USER, SERVER, DOMAIN and ADS. In this lab we only have time to discuss the SHARE and USER security levels, but fortunately USER is similar in functionality to SERVER, DOMAIN and ADS; only who performs the authentication differs.

3) Create 2 user accounts used for testing the shares. For convenience I will use user1 and user2 as the users created at this step. You cannot use these ones; you will need your own users.

4) Make the users known to the Samba user database and set their Samba passwords. Choose passwords different from the local account passwords. Do NOT choose complicated and long Samba passwords, because later, if connecting to the shares does not work at first, you will have to type the long passwords again and again until you make it work.

5) Create a local folder that we want to share:

   mkdir /tmp/myshare

6) Share it through Samba. This is best done through the SWAT interface, so Samba and SWAT must be running (linux4.txt). Then, in a web browser on the local workstation, we connect to port 901, on which SWAT is listening, and use SWAT to configure Samba:

   http://10.9.8.204:901

We enter admin as the user name and the correct password for admin. Then we are connected as admin to SWAT (Samba Web Administration Tool), with all the rights that the admin user has. Since we created admin as equivalent to the root account, we will have the same rights as root in administering Samba.

Important: do NOT use your own user accounts here, for two reasons. First, the password asked for is actually the Samba password, which for the user admin or root does not necessarily exist.
For a simple user that Samba password must exist, otherwise you will not be able to connect. The second reason is that your user will have limited functionality (rights) on the Samba server, even if you manage to connect.

To add the users user1 and user2 to the Samba database and create (or modify) their Samba passwords, use the "Password" button from the SWAT web page. On the form that appears you need to fill in:

   username:        user1
   password:        a
   retype password: a

Press the button "Create user" to add the user to the Samba database. If the user is already there, use the "Modify password" button instead. Repeat the process for user2.

Now you can create the share using the button "Shares". Before that, look at the "Status" page, because you will come back here after each modification of your share, so that the Samba server learns about the modifications you have made. I mean the button "Restart all" from this page: the Samba server only reads its configuration file when it starts, and through the web interface you are basically just modifying the configuration file smb.conf. The Samba user database is in another file (see linux4-part2 for details).

The security level can be modified from the "Global" page. We do not want to do that now! After we have done all the other steps and created and tested the shares, we will start all over with creating shares on another security level (they are done DIFFERENTLY there).

You want to create 3 (4) types of shares:

6a) read-only shares
6b) read-write shares
6c) mixed access shares, with 2 subtypes:
    6c1) everybody has read-only access except some users
    6c2) everybody has read-write access except some users

The actual creation of the shares (steps 6a, 6b, 6c1 and 6c2) was explained during the lab.
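As an added example (not part of the lab handout), here is what the four share types look like in smb.conf under the USER security level, using the lab's user1, user2 and /tmp/myshare, plus a small helper that reads such a file back and predicts whether a given user gets RW or RO on a share, so you know what to expect before testing in step 8. The share names ro_share, rw_share, mixed1 and mixed2 are my own choice, and write list is assumed to take precedence over read list, as smbd evaluates it.

```shell
# Added example, not the lab's own configuration: a sample smb.conf with the four
# share types (6a, 6b, 6c1, 6c2) under security = user, and a predictor for it.

# write_sample_conf PATH: constructed configuration, share names are my own choice
write_sample_conf() {
cat > "$1" <<'EOF'
[global]
   security = user
   ; USER level: every connection authenticates as a user from the Samba database
[ro_share]
   ; 6a) read-only for everybody
   path = /tmp/myshare
   valid users = user1 user2
   read only = yes
[rw_share]
   ; 6b) read-write for everybody (the local folder permissions must allow it too)
   path = /tmp/myshare
   valid users = user1 user2
   read only = no
[mixed1]
   ; 6c1) everybody read-only, except the users in write list
   path = /tmp/myshare
   valid users = user1 user2
   read only = yes
   write list = user1
[mixed2]
   ; 6c2) everybody read-write, except the users in read list
   path = /tmp/myshare
   valid users = user1 user2
   read only = no
   read list = user2
EOF
}

# expected_access CONF SHARE USER: prints RW or RO. Only "read only", "write list" and
# "read list" are considered; write list is assumed to win over read list (smbd checks
# the write list last), and "read only" defaults to yes, as in Samba.
expected_access() {
    awk -v share="$2" -v user="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function has(list, u,  n, i, a) { n = split(list, a, /[ ,]+/); for (i = 1; i <= n; i++) if (a[i] == u) return 1; return 0 }
        BEGIN { ro = 1 }
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { insec = (trim($0) == ("[" share "]")); next }
        !insec { next }
        { eq = index($0, "="); key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1)) }
        key == "read only"  { ro = (val == "yes") }
        key == "write list" { inw = has(val, user) }
        key == "read list"  { inr = has(val, user) }
        END { if (inw) print "RW"; else if (inr) print "RO"; else print (ro ? "RO" : "RW") }
    ' "$1"
}
```

Remember that Samba only reads smb.conf at start-up, so after changing it the server must be restarted ("Restart all" in SWAT).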
7) Connect to the share in 2 ways under Linux and 2 ways under Windows.

8) Test that the shares are exactly how we made them (for example, if we created a 6b) share, make sure it really is a read-write share). You may also need to change the local access rights so that your share behaves correctly.

9) Repeat steps 7) and 8) for the second user created at step 3), to prove that it behaves the same or differently for him too.

10) Repeat steps 6) to 9) for another Samba security level. We will test the security levels USER and SHARE.

Steps 7-9 for the linux operating system (the other computer)
--------------------------------------------------------------

7) On Linux, on the other (!!) computer, mount the share in a folder, so:

7a) create a folder there, for example /tmp/myshare1 (and /tmp/myshare2, you will see later why)

7b) mount the share in the folder:

   mount -t cifs -o username=user1 //10.9.8.204/myshare /tmp/myshare1

This means: mount a filesystem of type cifs (Samba) in the folder /tmp/myshare1. It comes from the computer 10.9.8.204, where the share is called myshare. Do this using the user account user1, a user that exists there (on 10.9.8.204) and has a valid Samba password. The password will be asked for after you hit the Enter key.

It is convenient to mount the share also in a second folder, using the credentials of user2, so that we can then easily test the access rights of user1 and user2 just by changing into the second folder and testing there what we can do. So:

   mount -t cifs -o username=user2 //10.9.8.204/myshare /tmp/myshare2

8) Test the shares mounted in step 7):

8a) Change the folder to /tmp/myshare1.
8b) Try to create a subfolder there. If you succeed, user1 has read-write access to the folder. If not, it has read-only access there.
8c) Change the folder to /tmp/myshare2.
8d) Try to create a subfolder there. If you succeed, user2 has read-write access to the folder.
If not, it has read-only access there.

Interpretation:

8e1) on steps 8b) and 8d) you failed to create the subfolder: the access is RO (read-only) for all the users, thus you have a share of type 6a)

8e2) on steps 8b) and 8d) you succeeded in both cases to create the subfolder: the access is RW (read-write) for all the users, thus you have a share of type 6b)

8e3) on step 8b) you succeeded and on step 8d) you did not succeed to create the subfolder: the access is RW (read-write) for user1 and RO (read-only) for user2; the share is of type 6c1) or 6c2), depending on who else, besides user1, has the right to create subfolders (or files) there. Basically you have a mixed access share, the one that is the most difficult to create.

8e4) you fail to connect to the share. The firewall on 10.9.8.204 might be blocking it. You may need to shut that firewall down (for now), or configure it so that it accepts connections of that type. Maybe you have some mistakes in the commands. Read the error message carefully: in most cases the answer to how to solve the error is there!

8e5) Other possible failures:
- the share is still inaccessible. Verify the share configuration in SWAT.
- Maybe you have the wrong combination of options.
- Or maybe you only forgot to set the "AVAILABLE" option to YES.
- Or maybe the local folder does not exist.
- Or maybe the folder you shared does not exist (you created it elsewhere than you think you did).
- Or maybe the local folder exists but the normal (plain) user cannot access it locally. In that case he will not be able to access the share either: if you do not have the access rights locally, you will not have them on the share either.
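Steps 7 and 8 as one script, added here as an example (not from the handout): it mounts the share twice with the lab's exact mount commands, probes each mount point by creating and removing a subfolder, and applies the interpretation 8e1-8e3. The folder names and the address 10.9.8.204 are the lab's; mount_both needs root and the network, the other functions work on any directory.

```shell
# Added example, not part of the handout: step 7 (mount as user1 and user2) and
# step 8 (probe, then interpret as 6a/6b/6c) run from the other Linux computer.

# mount_both: the two mounts from step 7b (needs root; asks for each Samba password).
# Run the probes only after this: an unmounted /tmp/myshare1 is just a local
# folder and would wrongly show up as RW.
mount_both() {
    mkdir -p /tmp/myshare1 /tmp/myshare2
    mount -t cifs -o username=user1 //10.9.8.204/myshare /tmp/myshare1
    mount -t cifs -o username=user2 //10.9.8.204/myshare /tmp/myshare2
}

# probe_write DIR: RW if a subfolder can be created in DIR, RO if the server
# refuses it, NA if DIR is not reachable at all (not mounted: see 8e4/8e5).
probe_write() {
    [ -d "$1" ] || { echo NA; return 0; }
    probe="$1/.probe_$$"
    if mkdir "$probe" 2>/dev/null; then
        rmdir "$probe"      # leave the share as we found it
        echo RW
    else
        echo RO
    fi
}

# classify ACCESS1 ACCESS2: interpretation 8e1-8e3 (ACCESS1 is user1's result,
# ACCESS2 is user2's). A mixed result is 6c1 or 6c2 depending on the other users.
classify() {
    case "$1/$2" in
        RO/RO) echo "6a: read-only for everybody" ;;
        RW/RW) echo "6b: read-write for everybody" ;;
        RW/RO) echo "6c: mixed, user1 RW and user2 RO" ;;
        RO/RW) echo "6c: mixed, user1 RO and user2 RW" ;;
        *)     echo "8e4/8e5: share not reachable, check the firewall and the SWAT settings" ;;
    esac
}

# test_share [DIR1] [DIR2]: the whole of step 8 in one call
test_share() {
    a1=$(probe_write "${1:-/tmp/myshare1}")
    a2=$(probe_write "${2:-/tmp/myshare2}")
    echo "user1=$a1 user2=$a2 -> $(classify "$a1" "$a2")"
}
```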
NOTE: on the security level SHARE all the users are mapped to a guest account, called nobody, thus it is impossible to create mixed access shares (types 6c1) and 6c2)): the server never learns which user connected, so there is no one for a per-user rule to match.

Of course, at the steps 6a) or 6b) or 6c1) or 6c2) explained at the lab you granted the two users user1 and user2 DIFFERENT (!!!) access rights.

Steps 7-9 for the linux operating system (the local workstation)
----------------------------------------------------------------

On the local workstation you cannot use the mount command, which is restricted to the root account. So we need to do the same thing in a different manner. We will use the capabilities of the local system to "browse the network neighbourhood". We can do this in three manners:

Variant A. Use Firefox to browse the neighbourhood, with the smb protocol. Try accessing from the address bar of the Firefox web browser the following address:

   smb://user1@10.9.8.204/myshare

You will see the contents of the folder, but unfortunately you are unable to modify the folder contents. So you cannot test the access rights, only whether the share is available for user1.

Variant B. Use an option from the X Window menu to access the share. In the menu "Places" select "Connect to server". A dialog window appears. You choose:

   Protocol: Windows Share
   Server:   10.9.8.204
   Share:    myshare
   User:     user1

Then press the button that means "OK". I don't remember exactly what is written on the button; I am sure it is the other one than the "Cancel" button. Another dialog pops up. You just type the Samba password that you set at step 4) for user1. There is also a check box somewhere saying that you want the computer not to remember the username and password. You need that so that in another window you can access the share, this time as user2. Repeat the process to obtain, in another window, access as user2. Test whether you can create subfolders in the shares.
Remember that in the 2 windows you have opened, in one you are identified as user1 and in the second as user2, so you can test what access rights the two users have. Of course, at the steps 6a) or 6b) or 6c1) or 6c2) explained at the lab you granted the two users DIFFERENT access rights.

Steps 7-9 for the windows operating system (the local workstation)
------------------------------------------------------------------

On Windows 10 SMB v1.0 is disabled by default (a current Samba server negotiates SMB2/3 and needs nothing enabled); if the lab server only offers SMB1, enable it as described at https://www.tenforums.com/tutorials/107605-enable-disable-smb1-file-sharing-protocol-windows.html and then you can proceed and try the following commands.

Open a command prompt: Start menu, then "Run", type cmd and press Enter.

NET USE is the command that displays your existing network drives. What is a network drive? It is an association that you can create in Windows between a shared folder (from another computer) and a local drive letter. For example, you want to associate the drive K: with the share created at step 6a) or 6b) or 6c1) or 6c2) on the computer 10.9.8.204. If you want just that, and want to be authenticated there as user1, the command is:

   NET USE K: /USER:USER1 \\10.9.8.204\MYSHARE

It will prompt you for the Samba password of user1 from the computer 10.9.8.204. You might have problems if the firewall is on on the computer 10.9.8.204. We saw at the lab how to disable the firewall. Later, at the lecture, we will see how to create rules in the firewall to allow things. Until then, we are disabling it.

The operation might fail if:
- you already have drive K: mapped to another network drive or to a local drive. In this case choose another letter, for example N: instead of K:, or simply substitute K: with * and let the system assign the first available letter for the drive (it will probably be Z:, because it starts from Z down to A);
- you are already identified as another user on the same computer.
This generally happens when you try to get there coming from the "Network Neighbourhood" or "Network Places" in the graphical interface, which will try to authenticate you there as your current LOCAL user account and fail. Windows will still remember that you are that user on that computer, although you failed, and you will need to destroy the connection with the command

   NET USE * /DEL

This closes all the connections, after you answer Yes to the confirmation question that follows.

Now, if the creation of the network drive succeeded, you can go to the drive K: (or whatever drive you just created) and try to create a subfolder there, to test the access rights that user1 has on the share. Then repeat the same for user2. Start with

   NET USE * /DEL

to delete the drive K: with the authentication as user1. Now you will create it again, but this time as user2. This is necessary because Windows does NOT allow 2 different authentications to the same remote computer AT THE SAME TIME. You can have more than one network drive, but if they are connected to the same remote computer, then on all of them you are the same user. You can get around that only by using a second identity on the NetBIOS name of the computer: one identity on the IP address and another on the NetBIOS name of the computer. On Linux there is no such limitation.

There is another way of accessing the share from the graphical interface. Actually more than one way. The problem is that for closing the connection with the share and trying again as the other user you will still need the NET USE * /DEL command. Then why not use it also to access the shares, by creating a permanent association with the share (the network drive)? (I said permanent because it can even be made persistent across a system reboot.) Still, I will name one of the ways to do it from the graphical interface: Start -> Run -> \\10.9.8.204