Add Opret delt Samba-mappe til skan

agnetemoos · agnetemoos · commit b3a791b52bc9 · 2024-12-10T16:15:08.000+01:00
diff --git a/scans_samba_dir.md b/scans_samba_dir.md
@@ -0,0 +1,57 @@
+---
+title: "Opret delt Samba-mappe til skan"
+parent: "Skanner"
+source: scripts/skanner/scans_samba_dir.sh
+parameters:
+  - name: "Installer Samba og opret delt mappe?"
+    type: "boolean"
+    default: null
+    mandatory: false
+  - name: "Navn på mappen på skrivebordet"
+    type: "string"
+    default: null
+    mandatory: true
+  - name: "Ønsket kodeord til Samba-brugeren"
+    type: "password"
+    default: null
+    mandatory: true
+  - name: "Deaktiver NTLMv1 (så kun NTLMv2 og nyere tillades)"
+    type: "boolean"
+    default: null
+    mandatory: false
+  - name: "Tillad forbindelse over NetBIOS"
+    type: "boolean"
+    default: null
+    mandatory: false
+compatibility:
+  - "BorgerPC"
+---
+
+## Beskrivelse
+Dette script installerer Samba, og opretter følgende:
+- En Samba share ved navn "scan".
+  Denne "share" peger på en mappe på Borgers skrivebord, med et valgfrit navn, som man vælger via andet parameter til dette script
+ Brugernavnet og gruppen denne "share" deles som, hedder "samba". 
+ Gæsteadgang er slået fra. Muligheden for at at oprette "Usershares" er slået fra. 
+Brugernavnet skal være "samba". Kodeordet for denne "samba"-bruger vælger du selv via det tredje parameter til dette script.
+Navnet på Workgroup er WORKGROUP.
+
+Samba-forbindelsen kan oprettes på to måder:
+- Samba over TCP direkte (nyere, anbefales): Her kører serveren på TCP port 445. Både IPv4 og IPv6 skulle være understøttet.
+  Vi anbefaler at vælge Samba over TCP direkte, såfremt skanneren understøtter det.
+- Samba over NetBIOS over TCP): Her køres serveren på TCP port 139 + UDP port 137 og 138. IPv4 er understøttet.
+  Denne forbindelses-metode er ældre, og anbefales derfor kun til ældre scannere, hvor førstnævnte ikke virker.
+
+BEMÆRK: 
+- Der SKAL logges ud efter kørsel af dette script, før denne share/delte mappe eksisterer, og derved før forbindelsen kan oprettes!
+- Det kan være nødvendigt at vælge en bestemt version af NTLM i skannerens Samba-indstillinger. Dvs. NTLMv1 eller NTLMv2.
+
+## Parametre
+- Aktiver: 
+  - Sæt hak for at installere Samba og oprette mappen.
+  - Udelad hak for at fjerne Samba og mappen.
+- Navn på mappen på skrivebordet
+- Vælg kodeord til Samba-brugeren. Når du kører dette script for at deaktivere funktionen, er dette parameter ikke nødvendigt.
+- NTLMv2 eller nyere er et krav i Sambas standardkonfiguration. Sæt hak her for at tillade ældre versioner - dvs. NTLMv1. De ældre protokoller er mindre sikre, men omvendt kan nogle (ældre) enheder ikke understøtte de nye protokoller, så det kan være nødvendigt, for at få forbindelsen til at virke.
+- NetBIOS er aktiveret som standard, som både tillader at forbinde til Samba over NetBIOS og TCP direkte. Fjern hakket for at deaktivere NetBIOS-understøttelse.
+  Dette kan du gøre, hvis skanneren forbinder til Samba direkte over port 445, som er den nyere standard.
diff --git a/scripts/scans_samba_dir.sh b/scripts/scans_samba_dir.sh
@@ -0,0 +1,216 @@
+#! /usr/bin/env sh
+
+# Test it like this, preferably from another machine:
+# smbclient '\\<IP_ADDRESS_HERE>\<SHARE_NAME>' -U <USER>
+# ...so more specifically:
+# smbclient '\\IP_ADDRESS_HERE\scan' -U samba
+
+set -x
+
+ACTIVATE="$1"
+DIRECTORY_NAME_ON_DESKTOP="${2-scan}" # Set a default argument so rm --recursive below doesn't attempt to delete the desktop if no argument was passed
+SAMBA_USER_PASSWORD="$3"
+AUTH_DISALLOW_NTLM_V1="$4"
+ALLOW_NETBIOS="$5"
+
+SCAN_DIRECTORY_SOURCE="/home/.skjult/Skrivebord/$DIRECTORY_NAME_ON_DESKTOP"
+SCAN_DIRECTORY_DESTINATION=$(echo "$SCAN_DIRECTORY_SOURCE" | sed 's/.skjult/user/')
+SAMBA_CONFIG=/etc/samba/smb.conf
+# This share name can really be anything
+SHARE_NAME="scan"
+SAMBA_SERVICE="smbd"
+OUR_USER="user"
+# This name can be anything
+SAMBA_USER="samba"
+
+if [ "$ACTIVATE" != "True" ]; then
+	apt-get purge --assume-yes samba samba-common-bin
+	rm --recursive "$SCAN_DIRECTORY_SOURCE"
+	userdel $SAMBA_USER
+	groupdel $SAMBA_USER
+	exit 0
+fi
+
+# A provided password is required when activating this script
+[ -z "$SAMBA_USER_PASSWORD" ] && echo "Error: You need to choose a password for the samba user, which is then used to access the share. Exiting." && exit 1
+
+if [ "$AUTH_DISALLOW_NTLM_V1" = "False" ]; then
+  AUTH_NTLM_V1_TEXT="
+# Better support for old devices by allowing older auth protocols
+# Newer versions default to: ntlm auth = ntlmv2-only
+# https://wiki.archlinux.org/title/Samba#Enable_access_for_old_clients/devices
+   server min protocol = NT1
+   ntlm auth = yes"
+fi
+
+# Defaults are:
+#   disable netbios = no
+#   smb ports 445 139
+if [ "$ALLOW_NETBIOS" = "False" ]; then
+  NETBIOS_TEXT="
+# Disabling netbios + stop listening on its TCP port
+   disable netbios = yes
+   smb ports = 445"
+fi
+
+apt-get update --assume-yes
+# Note: This installation also creates a group named "sambashare". Not currently using that for anything
+apt-get install samba samba-common-bin --assume-yes
+
+# Don't create home dir, add the user fully noninteractively, and don't allow login to the user
+groupadd --system $SAMBA_USER
+adduser --system --no-create-home --disabled-password --disabled-login --group --shell /bin/false $SAMBA_USER
+# Set the provided password for the samba user
+#echo "$SAMBA_USER:$SAMBA_USER_PASSWORD" | /usr/sbin/chpasswd
+
+# Create the user in samba and set the password for it:
+printf "%s\n%s" "$SAMBA_USER_PASSWORD" "$SAMBA_USER_PASSWORD" | smbpasswd -a -s samba
+
+# Enable the user
+smbpasswd -e $SAMBA_USER
+
+# Create the directory and user and group for the share
+# shellcheck disable=SC2174  # --parents is just there to ignore errors if it already exists
+mkdir --parents --mode 0777 "$SCAN_DIRECTORY_SOURCE"
+# User and group will be overwritten and set to root:user if desktop_toggle_writable.sh has been run, therefore we give the dir 777 access so samba can access and write to it
+chown $OUR_USER:$SAMBA_USER "$SCAN_DIRECTORY_SOURCE"
+
+# This is most of the default config, with inactive sections, and print sections removed and only a few changes made (user shares are disabled)
+# This was mostly done to disable the default printer sharing
+cat <<- EOF > $SAMBA_CONFIG
+	#======================= Global Settings =======================
+
+	[global]
+
+	## Browsing/Identification ###
+
+	# Change this to the workgroup/NT-domain name your Samba server will part of
+	   workgroup = WORKGROUP
+
+	# server string is the equivalent of the NT Description field
+	   server string = %h server (Samba, Ubuntu)
+
+	#### Debugging/Accounting ####
+
+	# This tells Samba to use a separate log file for each machine
+	# that connects
+	   log file = /var/log/samba/log.%m
+
+	# Cap the size of the individual log files (in KiB).
+	   max log size = 1000
+
+	# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
+	# Append syslog@1 if you want important messages to be sent to syslog too.
+	   logging = file
+
+	# Do something sensible when Samba crashes: mail the admin a backtrace
+	   panic action = /usr/share/samba/panic-action %d
+
+	### Don't share printers ###
+	# https://wiki.archlinux.org/title/Samba#Disable_printer_sharing
+	   load printers = no
+	   printing = bsd
+	   printcap name = /dev/null
+	   disable spoolss = yes
+	   show add printer wizard = no
+
+
+	####### Authentication #######
+
+	# Server role. Defines in which mode Samba will operate. Possible
+	# values are "standalone server", "member server", "classic primary
+	# domain controller", "classic backup domain controller", "active
+	# directory domain controller".
+	#
+	# Most people will want "standalone server" or "member server".
+	# Running as "active directory domain controller" will require first
+	# running "samba-tool domain provision" to wipe databases and create a
+	# new domain.
+	   server role = standalone server
+
+	   obey pam restrictions = yes
+
+	# This boolean parameter controls whether Samba attempts to sync the Unix
+	# password with the SMB password when the encrypted SMB password in the
+	# passdb is changed.
+	   unix password sync = yes
+
+	# For Unix password sync to work on a Debian GNU/Linux system, the following
+	# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
+	# sending the correct chat script for the passwd program in Debian Sarge).
+	   passwd program = /usr/bin/passwd %u
+	   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+
+	# This boolean controls whether PAM will be used for password changes
+	# when requested by an SMB client instead of the program listed in
+	# 'passwd program'. The default is 'no'.
+	   pam password change = yes
+
+	# This option controls how unsuccessful authentication attempts are mapped
+	# to anonymous connections # never is the default.
+	   map to guest = never
+
+	$AUTH_NTLM_V1_TEXT
+
+	############ Misc ############
+
+	# Maximum number of usershare. 0 means that usershare is disabled.
+	usershare max shares = 0
+
+	# Allow users who've been granted usershare privileges to create
+	# public shares, not just authenticated ones
+	usershare allow guests = no
+
+	$NETBIOS_TEXT
+
+	#======================= Share Definitions =======================
+	#
+EOF
+
+# Modify some global configuration for all "user shares"
+# User shares are shares users can create themselves, without needing root permissions
+#sed --in-place --expression '/\[global\]/a\usershare max shares = 100' \
+#    --expression '/\[global\]/a\usershare allow guests = yes' \
+#    --expression '/\[global\]/a\usershare owner only = false' $SAMBA_CONFIG
+
+
+# Create the share named $SHARE_NAME. Settings:
+# - path: The path to the share on the file system
+# - browseable = yes: "this share is seen in the list of available shares in a net view and in the browse list"
+# - create mask and force create mode: Ensure new files created in the dir has those permissions
+# - directory mask and force directory mode does the same for directories created within the share
+# - force user and force group: Forcing the share to be shared as this user/group
+# - writeable = yes: allow write access
+# - guest ok = no: don't allow connecting to the service without a password
+if ! grep "Scanned documents" $SAMBA_CONFIG; then # Idempotency check
+	cat <<- EOF >> $SAMBA_CONFIG
+		[$SHARE_NAME]
+		  comment = Scanned documents
+		  path = $SCAN_DIRECTORY_DESTINATION
+		  force user = $SAMBA_USER
+		  force group = $SAMBA_USER
+		  create mask = 0664
+		  force create mode = 0664
+		  directory mask = 0775
+		  force directory mode = 0775
+		  browseable = yes
+		  writeable = yes
+		  guest ok = no
+	EOF
+fi
+
+# Now restart samba after the configuration changes. If it starts up successfully, the settings should be at least syntactically valid.
+systemctl restart $SAMBA_SERVICE
+systemctl status $SAMBA_SERVICE
+
+# Check samba status + version info
+smbstatus
+
+# Test configuration file correctness
+testparm --suppress-prompt
+
+echo "Listing processes listening on TCP, matching smbd"
+lsof -nP -iTCP -sTCP:LISTEN | grep smbd
+
+echo "Listing processes using UDP, matching nmbd (netbios)"
+lsof -nP -iUDP | grep nmbd
