Thursday, September 22, 2016

Raspberry Pi samba and git server setup

Purchase and assemble physical items

* model 3 pi + case
* 32gb micro sd card and adapter
* usb portable disk
* a usb hub (the pi lacks sufficient power output to drive a usb powered hdd)

Setup Jessie on the micro sd

Note more info at:

1) Download the RASPBIAN JESSIE LITE .img

2) Get sd card mount point

df -h | egrep "mmc|sdd"

/dev/mmcblk0p1   30G   32K   30G   1% /media/kage/3535-3133

3) umount the card so it can be imaged

umount /dev/mmcblk0p1 

4) write img to sd card

sudo dd bs=4M if=~/Downloads/2016-05-27-raspbian-jessie-lite.img of=/dev/mmcblk0

5) correct sd card partition back to max size

sudo parted /dev/mmcblk0

(parted) p free

Model: SD SL32G (sd/mmc)
Disk /dev/mmcblk0: 31.9GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags: 

Number  Start   End     Size    Type     File system  Flags
32.3kB  4194kB  4162kB           Free Space
1      4194kB  70.3MB  66.1MB  primary  fat16        lba
2      70.3MB  31.9GB  31.8GB  primary  ext4
31.9GB  31.9GB  15.0MB           Free Space

(parted) resizepart 2 32G                                              
(parted) p free

Model: SD SL32G (sd/mmc)
Disk /dev/mmcblk0: 31.9GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags: 

Number  Start   End     Size    Type     File system  Flags
32.3kB  4194kB  4162kB           Free Space
1      4194kB  70.3MB  66.1MB  primary  fat16        lba
2      70.3MB  31.9GB  31.8GB  primary  ext4

6) Eject card and reinsert. confirm mounting and sizes are ok

setup passwordless ssh for pi user (assuming the machine you're on is the accessor)

1) cd to the mounted sd card and into the pi home dir

cd /media/sd-card-uuid/
pushd .
cd home/pi

2) setup .ssh with the working machine's public ssh key
mkdir .ssh
chmod 0700 .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
cat ~/.ssh/  >> .ssh/authorized_keys

setup static ip

1) cd back to the root of the mounted sd card (the etc/network area lives under it)
popd

2) modify the interface setup
sudo vi etc/network/interfaces

3) setup a static hard line ip im using feel free to adjust as needed
iface eth0 inet static

3b) OR setup the wifi (i would not advise this)
sudo vi etc/wpa_supplicant/wpa_supplicant.conf

# add this at the end
network={
  ssid="network id"
  psk="network password"
}

finish up raw img adjustments

1) sync and umount card and then eject the card

umount /dev/mmcblk0p1 

2) Install the sd card in the pi3. You insert the micro card into the card reader on the underside of the pi3 board, face out.
Power it up and check that it seems to have booted

3) Now back on your work machine find out where it went

nmap -sP

4) If it booted at the correct address then great, otherwise check your router setup

check access and secure the default password

1) ssh into the pi. Note the default password is "raspberry" but you shouldn't need it, your ssh key is the access method.

ssh pi@

2) Scramble the default password (I use a software vault, keepassx, to generate and store passwords). This way if someone gets in they can't just sudo with the default password and get root as well.


clean up and secure the ssh access

1) It's an image so the /etc/ssh identity files are already set up.. that's not very healthy, let's rebuild them

sudo rm -f /etc/ssh/*key*
sudo dpkg-reconfigure openssh-server

2) Confirm the ssh is ok (for chmods etc)

ls -al ~/.ssh/authorized_keys

3) Now secure the ssh access to keys only

sudo vi  /etc/ssh/sshd_config

4) Edit/add the following lines

PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no

5) And confirm that ssh still works (with a second window).. Note if you make a mistake you can always turn off the pi, eject the sd card and edit it directly in your working PC.
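A check to go with steps 4 and 5, added here as an example and not part of the original post. sshd uses the first value it finds for each keyword, so a line added at the end of sshd_config can be shadowed by an earlier one; `sshd -T` prints the effective configuration, and the hypothetical helper `check_sshd_effective` below compares it with the three settings from step 4. The sample outputs are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): check effective sshd settings.
# Input: `sshd -T` output on stdin (lowercase "keyword value" lines).
# Output: one line per problem; exit status 0 only if all settings match.
check_sshd_effective() {
    awk '
        BEGIN {
            # the three settings from step 4, as sshd -T spells them
            want["passwordauthentication"] = "no"
            want["allowtcpforwarding"]     = "no"
            want["x11forwarding"]          = "no"
        }
        # keep the first value seen for each keyword
        ($1 in want) && !($1 in seen) { seen[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s\n", k; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "FAIL %s=%s (want %s)\n", k, seen[k], want[k]; bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed samples of `sshd -T` output (not captured from a real pi).
SSHD_GOOD='port 22
passwordauthentication no
allowtcpforwarding no
x11forwarding no'
# Constructed: an earlier "PasswordAuthentication yes" won over the added "no".
SSHD_BAD='port 22
passwordauthentication yes
allowtcpforwarding no
x11forwarding no'

printf '%s\n' "$SSHD_GOOD" | check_sshd_effective && echo "good sample: ok"
printf '%s\n' "$SSHD_BAD"  | check_sshd_effective || echo "bad sample: not hardened"
# On the pi itself: sudo sshd -T | check_sshd_effective
```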

update machine and fix various other image guff

1) first update the image's software.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

2) after that I seemed to be getting this mess with the locale being bad..

perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),

3) so fix it with:

sudo dpkg-reconfigure locales

Setup usb disk

for more info refer to:

1) find out what usb disk we have attached

sudo blkid 

/dev/sda1: LABEL="EC-PHU3" UUID="2E24054E24051B0B" TYPE="ntfs" PARTUUID="8418c874-01"

2) Right, looks like an ntfs (but it could have also been vfat etc). So setup ntfs drivers

sudo apt-get install ntfs-3g 

3) make the mount point

sudo mkdir       /media/hdd
sudo chmod a+rwx /media/hdd

4) And check that it can actually mount

sudo mount -t auto /dev/sda1 /media/hdd

4a) ok.. stupid things are happening

modprobe: ERROR: ../libkmod/libkmod.c:557 kmod_search_moddep() could not open moddep file '/lib/modules/4.4.11-v7+/modules.dep.bin'
ntfs-3g-mount: fuse device is missing, try 'modprobe fuse' as root

4b) well thats because.. it has the wrong /lib/modules version installed!!.. wtf!

ls /lib/modules/4.4.13-v7+/

4c) So after googling for a while turns out there is a surprising fix... most likely it was something in that first apt-get update cycle caused all the modules to move forward!

sudo reboot

pi@raspberrypi:/lib/modules $ uname -a
Linux raspberrypi 4.4.13-v7+ #894 SMP Mon Jun 13 13:13:27 BST 2016 armv7l GNU/Linux

4d) But something crazy happened to the ntfs-3g had to install it again??? no idea why..

sudo apt-get install ntfs-3g

5) now mount and test access

sudo mount -t ntfs-3g -o uid=pi,gid=pi /dev/sda1 /media/hdd
cd /media/hdd
touch abc.txt
rm /media/hdd/abc.txt

6) if that worked and u can see the test file move on otherwise start googling..

Setup usb disk at permanent location

1) now we are going to make the usb disk a permanent fixture, umount it

sudo umount /media/hdd

2) update /etc/fstab. We are going to make all files owned by user pi and group users, readable and writable
extra info at
* note nobootwait doesnt work???

sudo vi /etc/fstab

2a) and add the following line
/dev/sda1       /media/hdd    ntfs-3g noatime,umask=0,uid=pi,gid=users,dmask=0007,fmask=0117 0 0

2b) or you can use something like:
/dev/sda1 /media/hdd vfat uid=pi,gid=users,umask=0022,sync,auto,nosuid,rw,nouser 0 0

3) and then mount it
sudo mount /dev/sda1

4) test access

touch /media/hdd/abc.txt
rm /media/hdd/abc.txt
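What the mask options in steps 2a and 2b work out to, as an added example that is not part of the original post. The hypothetical helpers below assume the options are applied left to right, that umask sets both masks, and that a missing mask means 0. For the ntfs-3g line the result is files 0660 and directories 0770 for pi and every member of group users, with no execute bit on any file, which is the situation behind the chmod errors and the note about executable scripts in the git section of this page.

```sh
#!/bin/sh
# Added example (not from the original post): permissions implied by the
# mask options in the two fstab lines above. Assumes a missing mask means 0.

# effective_modes "<comma separated mount options>" -> "file=NNNN dir=NNNN"
effective_modes() {
    fmask=0; dmask=0
    old_ifs=$IFS; IFS=,
    for opt in $1; do                      # options are applied left to right
        case $opt in
            umask=*) fmask=${opt#umask=}; dmask=$fmask ;;
            fmask=*) fmask=${opt#fmask=} ;;
            dmask=*) dmask=${opt#dmask=} ;;
        esac
    done
    IFS=$old_ifs
    # the leading 0 makes the shell read the mask as octal
    printf 'file=%04o dir=%04o\n' $(( 0777 & ~0$fmask )) $(( 0777 & ~0$dmask ))
}

# files_keep_exec "<options>": succeeds only if regular files keep an x bit
files_keep_exec() {
    m=$(effective_modes "$1"); m=${m#file=}; m=${m%% *}
    [ $(( 0$m & 0111 )) -ne 0 ]
}

# others_have_access "<options>": succeeds if users outside uid/gid get any bit
others_have_access() {
    m=$(effective_modes "$1"); m=${m#file=}; f=${m%% *}; d=${m##*dir=}
    [ $(( (0$f | 0$d) & 0007 )) -ne 0 ]
}

# Option strings copied from steps 2a and 2b.
NTFS_OPTS='noatime,umask=0,uid=pi,gid=users,dmask=0007,fmask=0117'
VFAT_OPTS='uid=pi,gid=users,umask=0022,sync,auto,nosuid,rw,nouser'

for o in "$NTFS_OPTS" "$VFAT_OPTS"; do
    printf '%s\n  %s' "$o" "$(effective_modes "$o")"
    files_keep_exec "$o"    && printf ' exec=yes' || printf ' exec=no'
    others_have_access "$o" && printf ' others=yes\n' || printf ' others=no\n'
done
```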

setup samba for remote share

1) ok build samba share location...

mkdir /media/hdd/share

2) install samba

sudo apt-get install samba samba-common-bin libpam-smbpass

3) Configure samba

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.20160922
sudo vi /etc/samba/smb.conf

4) insert or uncomment the following in the Authorization section

security = user
unix password sync = yes

5) comment out the homes and printers sections.. it's junk we don't want or need

6) insert "share" section

[share]
  comment = 1TB_samba
  path = /media/hdd/share
  valid users = remote
  read only = No

7) bounce the samba service

sudo /etc/init.d/samba restart

8) check its setup

testparm -s

9) now in the working pc with what ever file manager u use "browse" your network and locate the pi likely called "raspberrypi" open it and confirm there are no "printers" stuff and "share" is visible

10) try to access the "share" using "guest" access, then as the user "pi" with the default password, your new password and confirm all of this has no access

11) back in the pi. Make the "remote" user and passwd it. Again password vault scramble a password for it.. but make certain its type-able
For more info refer to

sudo adduser remote
sudo usermod -a -G users remote
groups remote
sudo smbpasswd -e remote

12) then bounce samba

sudo /etc/init.d/samba restart

13) then back in the working PC retest the samba share using the user "remote" and their unix password and confirm file/dir create/delete etc. Also check the guest and "pi" users again to be certain..

14) then reboot and check mount stays put and samba works over the reboot

sudo reboot

Setup the git ssh server

1) make the repos storage location

mkdir /media/hdd/repos

2) install git

sudo apt-get install git-core

3) add a git user

sudo adduser git
sudo usermod -a -G users git
groups git

4) switch over to the new "git" user

#cat *pi* users access keys first so u can copy it later for step 6
cat .ssh/authorized_keys

su git
cd ~

5) confirm sudo limits.. (should fail)

sudo ls

6) setup the "git" user's ssh access

mkdir .ssh
chmod 0700 .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
vi ~/.ssh/authorized_keys

7) from your working pc confirm ssh access

ssh git@

8) link the repos storage to the git users home

ln -s /media/hdd/repos repos

9) create a test repo

cd ~/repos 
git init --bare test.git

9a) Note ignore chmod errors (we have it forced to a certain way in fstab)
error: chmod on /media/hdd/repos/test.git/config.lock failed: Operation not permitted
error: chmod on /media/hdd/repos/test.git/config.lock failed: Operation not permitted

Note to self. There might be an issue with executable scripts losing x permission due to this...may have to rethink this.

10) Then on your working machine clone and check that the repo worked

git clone git@:~/repos/test.git 
cd test/
touch test.txt
git add test.txt 
git commit -a -m "Initial"
git push

11) then reclone and confirm test.txt is there in the new clone

cd ..
git clone git@ test2
cd test2

setup automatic updating

now we know all the basics are working... lets harden it a bit

1) setup auto updates
for more info see

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

disable needless hardware

1) disable wifi and bluetooth (as im using the hard line)

sudo touch /etc/modprobe.d/disable_rpi3_wifi_bt.conf
sudo vi /etc/modprobe.d/disable_rpi3_wifi_bt.conf

2) add the lines

blacklist brcmfmac
blacklist brcmutil
##blue tooth
blacklist btbcm
blacklist hci_uart

3) and reboot

sudo reboot

4) log back in to the pi and confirm wifi is off


setup the firewall

for more info check;

1) install ufw.. its an easy to use firewall

sudo apt-get install ufw 

2) let in local ssh

sudo ufw allow ssh

3) let in local samba (and bonjour)
for more info check:

sudo ufw allow proto tcp to any port 135 from
sudo ufw allow proto udp to any port 137 from
sudo ufw allow proto udp to any port 138 from
sudo ufw allow proto tcp to any port 139 from
sudo ufw allow proto tcp to any port 445 from
sudo ufw allow proto udp to any port 5353 from 

4) and turn it on

sudo ufw enable

5) then retest all the samba access and git cloning
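A check for the rule set above, added here as an example and not part of the original post. `ufw allow ssh` in step 2 has no `from` clause, so unlike the samba rules in step 3 it admits any source address; the hypothetical helper `rules_open_to_anywhere` reads `ufw status` output and lists such rules. The sample output is constructed, and 192.0.2.0/24 is a documentation placeholder for your own LAN range.

```sh
#!/bin/sh
# Added example (not from the original post): list ufw rules open to any source.
# Input: `ufw status` output on stdin. Prints the "To" column of each
# ALLOW/LIMIT rule whose From column is Anywhere; exit status 1 if any exist.
rules_open_to_anywhere() {
    awk '
        /^--/            { body = 1; next }   # rules follow the dashed header
        !body || NF == 0 { next }
        {
            act = 0
            for (i = 2; i <= NF; i++)
                if ($i == "ALLOW" || $i == "LIMIT") { act = i; break }
            if (!act) next                    # DENY and REJECT expose nothing
            src = act + 1
            if ($src == "IN") src++           # "ufw status verbose" prints ALLOW IN
            if ($src != "Anywhere") next
            to = $1
            for (i = 2; i < act; i++) to = to " " $i
            print to
            found = 1
        }
        END { exit found + 0 }
    '
}

# Constructed sample of `sudo ufw status` after steps 2 to 4 (placeholder subnet).
UFW_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
445/tcp                    ALLOW       192.0.2.0/24
5353/udp                   ALLOW       192.0.2.0/24
22 (v6)                    ALLOW       Anywhere (v6)'

printf '%s\n' "$UFW_SAMPLE" | rules_open_to_anywhere \
    || echo "^ these ports accept connections from any source address"
# On the pi itself: sudo ufw status | rules_open_to_anywhere
```

To keep ssh local as the step title intends, the ssh rule can be written in the same form as the samba rules, with port 22 and your own LAN range after `from`.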

Setup the hostname to something better

1) adjust the hostname so you know which machine you're in; replace "raspberrypi" with the name you want

sudo vi /etc/hostname
sudo vi /etc/hosts

2) and reboot

sudo reboot

Clean up

1) clean up the working pc git clones

rm -rf test
rm -rf test2

2) go back to the pi, clean out the test repo and import/setup your real ones

rm -rf test.git

bonus notes..

1) i trialed wake on lan

sudo apt-get install ethtool
ethtool eth0 | grep wake
ethtool -s eth0 wol g

# it responds with bad news
Cannot get wake-on-lan settings: Operation not permitted
