Monday, August 15, 2016

Samba Server installation and configuration ( SMB )

In this tutorial I will configure a Samba server on RHEL 6 and test connectivity from Linux and Windows client systems.
  • Microsoft Windows uses the Common Internet File System (CIFS) protocol for networking.
  • CIFS was developed from the Server Message Block (SMB) protocol.
  • Samba is open source software.
  • Samba uses the TCP/IP protocol.
  • Samba is the Linux implementation of the SMB/CIFS protocols.
  • Samba allows interoperability between Linux and Windows.
  • Samba provides file and print sharing services between Linux and Windows systems.
  • Samba allows Linux to interact with a Windows client, server, member of Active Directory, primary domain controller, or member server.
  • Samba supports Microsoft Access Control Lists.
  • The main configuration file of the Samba server is /etc/samba/smb.conf
  • Samba Web Administration Tool (SWAT) is a GUI-based configuration tool for Samba Server available from RHEL 6
  • On Linux, Samba provides the following services:
    • User Authentication and authorization
    • File and printer sharing
    • Name resolution
    • Browsing

RHCE 6 EXAM TOPIC COVERED IN THIS ARTICLE

  • Provide network shares to specific clients.
  • Provide network shares suitable for group collaboration.
During the RHCE 6 exam you will not have access to Microsoft Windows, so you must know how to test the Samba configuration from a Linux system.

RPM required for Samba Server
RPM                   Description
samba                 Base RPM for Samba Server
samba-client          Base RPM for Samba Client
samba-common          Includes commands required by the Samba server and client
samba-doc             Provides Samba documentation
samba-swat            GUI interface for Samba configuration
samba-winbind         Allows interoperability between Linux and Windows
samba-domainjoin-gui  Allows Linux users to connect to Windows workgroups and domains

LAB tasks
  • Configure Samba on the server system. Configure the iptables firewall and SELinux Booleans to allow Samba connections on the server.
  • Create 5 users on the server system. Make a group of two users. Add all users to the Samba user database.
  • Check connectivity from the linuxclient and windowclient systems. Verify by logging in as one user.
  • Create a sharedata folder on the server. Grant read and write access to the public on the sharedata folder. Share this folder publicly. Test from the Linux and Windows clients.

Configure Samba Server

The following RPMs are required on the Samba server
  • samba
  • samba-common
  • samba-winbind
Check whether the necessary RPMs are installed.

You can install RPMs from several sources, including a YUM repository, a dump of RPMs, FTP, etc. In this article I am installing the RPMs from the RHEL 6 disk. Mount the RHEL 6 disk in the media folder and change directory to the Package folder.

Install the necessary RPMs.

Samba Daemons

Samba needs three services to run: two required and one optional.

          Service  Daemon    Description
Required  smb      smbd      (SMB/CIFS Server) main Samba service, which provides user authentication and authorization and file and printer sharing
Required  nmb      nmbd      (NetBIOS name server) Resource browsing
Optional  winbind  winbindd  Host and user name resolution

If you have just installed the RPMs, these services will be stopped.

Start the necessary services.

Make sure the services are started the next time Linux is booted.

How to allow samba through firewall

During the RHCE 6 exam we will have both the firewall (iptables) and SELinux protection.
To let Samba communicate outside the server we have to configure iptables and SELinux.

How to allow Samba in iptables

Samba uses ports 137, 138, 139 and 445
Port 137  UDP  NetBIOS name service (WINS)
Port 138  UDP  NetBIOS datagram
Port 139  TCP  NetBIOS Session (TCP), Windows File and Printer Sharing
Port 445  Microsoft-DS Active Directory, Windows shares (TCP)
Port 445  Microsoft-DS SMB file sharing (UDP)

To open the firewall for Samba, add the following rules and restart iptables. A rule added with -A lands at the end of the INPUT chain and has no effect if a REJECT rule already sits above it, so check the rule order.
# iptables -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

How to allow Samba server from SELinux firewall

SELinux, as a security feature, automatically prevents any viewing of a share. SELinux is a complex security feature of Linux. For the RHCE 6 exam you should know the following SELinux Booleans

samba_enable_home_dirs  Enables the sharing of home directories
samba_export_all_ro     Enables read-only access to any directory
samba_export_all_rw     Sets up read/write access to any directory
samba_share_t           Default file type which Samba can share
You can enable the samba_export_all_ro or samba_export_all_rw Booleans in a lab environment, but in real life that would be a security risk. It is a good habit to set the file type on the files and directories that need to be shared via Samba. You can do that with the following command

# chcon -R -t samba_share_t /sharedata
 
In this example we set the samba_share_t type on the /sharedata directory. Now Samba can share this directory. A label set with chcon can be lost when the file system is relabeled.
To share the default home directories, run the following command:
setsebool -P samba_enable_home_dirs on
-P makes sure the change persists after a reboot.

You can create a new Samba user only from a valid account on the Linux computer, so create 5 users.

Set a password for all users. Avoid setting a local system password if you are creating these users only for the Samba service and do not want to grant them local system access.

The smbpasswd -a command adds a user to the password database under /etc/samba/ for Samba authentication. Set up the Samba users with the smbpasswd command.

Create a group smbgroup and add the users smbuser3 and smbuser4 to it.

Now open the main configuration file of Samba.

The smb.conf file includes two types of comment lines.
  • The hash symbol (#) is used to describe a feature
  • The semicolon (;) is used to comment out a feature (add ; to disable the feature, remove ; to enable the feature)
Note down the value of the workgroup directive.

It should be the same across the network for seamless connectivity.

Now navigate to the Share Definitions section. By default Samba automatically shares the home directory of the logged-in user, which is defined in the first four lines of this section.
browseable = no limits the user to his own home directory. Samba reads home directory information from the /etc/passwd file, so you do not need to specify the home directory path.

Close the smb.conf file now and note down the IP address of the server.
That's all the configuration we need right now on the server.

Configure Samba client on Linux system

The following RPMs are required on the Samba client
  • samba-client
  • samba-common
  • samba-winbind-client

Mount the RHEL 6 disk in the media folder and move to the Package directory.

Install the RPMs if required.

Check connectivity with the Samba server.

Try to list the shares on the Samba server as smbuser1.

To verify "Share user home directory" [lab task], list the shares as smbuser5 and create a sambatmp folder. Log in as smbuser5 and mount his home directory on the sambatmp folder. To make sure the user has write permission, also create a test file.

Go to the server system, log in as smbuser5 and verify the test file.

We have successfully configured the Samba client on the Linux client system.

Configure Windows 7 as Samba client system

Open computer properties
Click on change setting
Click on change
Change workgroup name to MYGROUP

A system restart is required; confirm the restart.

After the system restarts, check connectivity with the server.

Open Network and click on the server system.

Log in as smbuser1.

The user will be logged in to his home directory.

We have successfully configured Windows 7 as a client system of Samba.
Create a sharedata folder on the server. Grant read and write access to the public on the sharedata folder. Share this folder publicly. Test from the Linux and Windows clients.
On the server create a /sharedata folder. This folder is created by the root user, so our users will not be able to write to it. Change its permission to 777. Configure the SELinux Boolean.

Now open the smb.conf file.
This share of /sharedata provides a common location where users can download, upload and read files. At the end of the file add the following stanza and save the file
# Common location for people to share files
[sharedata]
comment = common location file sharing
path = /sharedata
read only = no
public = yes

Restart the smb service.

On linuxclient create a tmpdata directory and mount the sharedata folder on it. Create test files.

sharedata is a temporary folder and we have shared it with full permission for everyone. This means other users should be able to read and write the files made by smbuser5. To test it, go to the Windows system and open the server system from Network. Open the sharedata folder and read the file.

Now delete this file.

Make a folder and create a file in it.

Check these on the server system.

In the above example we shared the folder in an insecure way, where any user can delete other users' files and folders. Now make it a little more secure. Go to the server and change the permission to 1777.

On linuxclient log in as smbuser5 and create a file.

On Windows we are logged in as smbuser1; try to read the file.

Now try to delete this file.

It will be denied.

 

How to deny users in Samba

Samba allows you to deny a user or users access to shared resources. To deny smbuser5 access to sharedata, open /etc/samba/smb.conf, change the configuration value to the following and save the file.

Reload the smb service.

On the linuxclient system first try to mount sharedata as smbuser5 and then as smbuser1.

How to limit samba to group

We created the group smbgroup earlier in this tutorial. Now configure Samba to allow access only to this group.
On the server change the group of sharedata and update the permission to 1770. Open the smb.conf file.

Update the stanza and save the file.

Reload the smb service.

On the Linux client first try with smbuser5, which is not a member of smbgroup, and then try with smbuser3, which is a member of smbgroup.

How to limit samba to users

Now we will share only with a specific user or users. Configure Samba to allow only smbuser1 on the sharedata folder.
On the server make smbuser1 the owner of the /sharedata folder and update the permission. Open the smb.conf file.

Change the stanza and save the file.

Reload the smb service.

On linuxclient first try with other users and later try with smbuser1.

So far in this article we have configured different levels of access for a Samba share. For the RHCE 6 exam always remember that file permissions, file system mount options, SELinux Booleans and ACLs cannot be overridden by Samba. This means that if a directory does not have write permission and you have the Samba setting writeable = yes, writing will still not be allowed. This is the reason why we first update the file system permissions and then set the Samba settings.

During the RHCE 6 exam the following 2 commands can be very handy.

testparm

The testparm command checks the smb.conf file for internal errors. If the command returns without any errors, you can use the configuration file.

smbstatus

This command lists the current Samba connections.
For the RHCE 6 exam you should also know the following directives of the smb.conf file

How to change samba server name [NetBIOS]

By default Samba uses the hostname as the NetBIOS name. The NetBIOS name is the name which other clients see in network browse lists, such as those shown by a Microsoft net view command or a regular Linux smbclient command. To change the Samba server name, uncomment the following directive and change its value.
; netbios name = MYSERVER

How to change samba workgroup name

The default workgroup name of Samba is MYGROUP. You can update it in the smb.conf file. To change the default workgroup name, update the value of the following directive.
workgroup = MYGROUP

How to restrict Samba to local network

To limit access to specified networks, uncomment the following directive and specify the networks.
; hosts allow = 127. 192.168.12. 192.168.13.

If you uncomment it without changing the value, it limits access to the networks with the 192.168.12.0 and 192.168.13.0 network IP addresses, as well as the local computer (127.). You can also configure the hosts deny directive. Configure the hosts allow / deny directives here only if you want to make the change globally. Individual shared directories can also be configured with hosts allow / deny, so if you want per-share settings, configure them in the share's own section.
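
As an added example (not part of the original article), the Python script below audits smb.conf text for the exposure settings covered in this tutorial: a guest-writable share such as [sharedata], a writable share with no valid users list, and a share with no hosts allow limit in its own section or in [global]. The [groupdata] share, the finding labels and the function names are assumptions made for the illustration.

```python
import configparser

# Constructed sample: [sharedata] is this article's stanza, [groupdata] is a hypothetical restricted share.
SAMPLE = """
[global]
; hosts allow = 127. 192.168.12. 192.168.13.
[sharedata]
comment = common location file sharing
path = /sharedata
read only = no
public = yes
[groupdata]
path = /groupdata
writable = yes
valid users = @smbgroup
hosts allow = 127. 192.168.12.
"""
YES = {"yes", "true", "1"}

def first(sections, keys):
    """Return (key, value) for the first synonym found, share section before [global]."""
    for sec in sections:
        for key in keys:
            if key in sec:
                return key, sec[key].strip()
    return None, ""

def audit(conf_text):
    """Map each share name to a list of findings about how widely it is exposed."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.read_string(conf_text)
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    report = {}
    for name in (s for s in cp.sections() if s.lower() != "global"):
        scope = (cp[name], glob)
        guest = first(scope, ("guest ok", "public"))[1].lower() in YES
        key, val = first(scope, ("read only", "writable", "writeable", "write ok"))
        # "read only" is the inverse of the writable synonyms; the Samba default is read only.
        writable = key is not None and (val.lower() in YES) != (key == "read only")
        checks = {
            "guest-writable": guest and writable,
            "no valid users list": writable and not first(scope, ("valid users",))[1],
            "no hosts allow": not first(scope, ("hosts allow", "allow hosts"))[1],
        }
        report[name] = [label for label, hit in checks.items() if hit]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a real server, feed it the contents of /etc/samba/smb.conf after testparm reports no errors; interpolation is disabled so smb.conf variables such as %U do not break parsing.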

That's all for this article.
