Linux Services Organization


Linux Services Organization : Linux SAMBA Linux Server

Samba provides a stable and highly compatible file and print sharing service that allows a Linux node to act as a client, a member server, or even a Primary Domain Controller (PDC) or a member of an Active Directory (AD) service on Microsoft-based networks. Samba interacts with Microsoft's CIFS built on the Server Message Block (SMB) protocol.

Samba is installed from the samba RPM packages:

# yum install samba*

Samba Server

Samba is built on two daemons (smbd, nmbd) and one service (smb) which controls the daemons.

smbd
The smbd server daemon provides file sharing and printing services to Windows/Linux clients. It is also responsible for user authentication, resource locking, and data sharing through the SMB protocol. The ports on which the server listens for SMB traffic are TCP ports 139 and 445. It is controlled by the smb service.

nmbd
The nmbd server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/CIFS in Windows systems. It also participates in the browsing protocols that make up the Windows Network Neighbourhood view. The port that the server listens to for NMB traffic is UDP port 137. The nmbd daemon is controlled by the smb service.

/etc/samba/smb.conf

This is the main configuration file, and it contains plenty of comments that explain every option. The following is a basic Samba server configuration that just exports the printers and the /home directory to all Windows/Linux neighbours.

# cat /etc/samba/smb.conf

[global]
# Set the workgroup name (samba domain) to RHEL6-WG.
workgroup = RHEL6-WG
server string = Samba Server Version %v


# Samba name for this server; this is the name controlled by the nmbd daemon
netbios name = rhel6

; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.

# --------------------------- Logging Options -----------------------------
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50

# ----------------------- Standalone Server Options ------------------------
# Use local system accounts for authentication. To create the samba user 'john'
# use the command 'smbpasswd -a john' and set the same password as on the system.
# To remove john account on samba server 'smbpasswd -x john'

security = user
passdb backend = tdbsam


# --------------------------- Printing Options -----------------------------
# Use CUPS for printing

load printers = yes
cups options = raw


; printcap name = /etc/printcap
#obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups

#============================ Share Definitions ==============================
# Export /home and printers

[homes]
comment = Home Directories
browseable = no
writable = yes

; valid users = %S
; valid users = MYDOMAIN\%S

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes


There is a tool that can be used to verify the smb.conf configuration: 'testparm'.

# testparm /etc/samba/smb.conf

Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
workgroup = RHEL6-WG
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
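
testparm only confirms that the file parses; in the listing above the 'hosts allow' and 'valid users = %S' lines are still commented out with ';', so neither restriction is active. The shell function below is an added example, not part of the original tutorial, that reports such missing restrictions. The function name audit_smb_conf and its three checks are choices made for this example, and the sample input is condensed from the listing above.

```shell
#!/bin/sh
# Added example (not from the tutorial): report access restrictions that are
# missing or commented out in an smb.conf.
audit_smb_conf() {
    awk '
    function trim(s)  { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function is_on(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }     # "#" and ";" both start a comment line
    /^[ \t]*\[/ {                             # section header such as [homes]
        sec = tolower(trim($0)); sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
        if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
        next
    }
    {   # parameter names ignore case and embedded whitespace
        eq = index($0, "="); if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        opt[sec, key] = trim(substr($0, eq + 1))
    }
    END {
        # "allow hosts" and "public" are synonyms of "hosts allow" and "guest ok"
        if (!(("global", "hostsallow") in opt) && !(("global", "allowhosts") in opt))
            print "[global] no active hosts allow: any client address is accepted"
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (is_on(opt[s, "guestok"]) || is_on(opt[s, "public"]))
                print "[" s "] guest access is enabled"
            if (s == "homes" && !((s, "validusers") in opt))
                print "[homes] no active valid users: only file permissions separate users"
        }
    }' "$1"
}

# Sample input: condensed from the smb.conf listing above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[global]
workgroup = RHEL6-WG
; hosts allow = 127. 192.168.12. 192.168.13.
security = user
[homes]
browseable = no
writable = yes
; valid users = %S
[printers]
path = /var/spool/samba
guest ok = no
printable = yes
EOF
audit_smb_conf "$SAMPLE"
```

Removing the leading ';' from the two commented lines makes both findings disappear.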


Now samba is ready to be started.

# /etc/init.d/smb restart
# chkconfig smb on

Server Security

Firewall

For the Samba server to work through a firewall, the following ports must be open.

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

SELinux

If SELinux has been configured as 'enforcing' in targeted mode, the following SELinux parameters must be configured to allow the Samba server to run in an SELinux environment.

# setsebool -P samba_run_unconfined 1
Disables SELinux restrictions for Samba.

# setsebool -P samba_enable_home_dirs 1
Allows samba to share users' home directories.

# setsebool -P samba_share_nfs 1
Allows Samba to share directories already shared via NFS.

# setsebool -P use_samba_home_dirs 1
Supports remote access to local home directories using Samba.


# chcon -R -t samba_share_t /home/share
Labels /home/share so that it can be exported in rw mode through Samba in an SELinux environment. The label public_content_rw_t is also valid.

Samba Client

The following is a list of the Samba client utilities that can be used. For this section, consider the node rhel6 (192.168.1.10) configured as the Samba server defined in the 'Samba Server' section; the Samba client utilities are launched from node01 (192.168.1.101) against the Samba server on rhel6.

smbclient

It displays the samba shares exported from a Samba server.

node01> smbclient -L 192.168.1.10 -U john

Enter john's password:
Domain=[RHEL6-WG] OS=[Unix] Server=[Samba 3.5.4-68.el6]

      Sharename       Type       Comment
      ---------       ----       -------
      IPC$       IPC       IPC Service (Samba Server Version 3.5.4-68.el6)
      john       Disk       Home Directories

Domain=[RHEL6-WG] OS=[Unix] Server=[Samba 3.5.4-68.el6]

      Server       Comment
      ---------       -------

      Workgroup       Master
      ---------       -------


The Samba server account 'john', created earlier with the command 'smbpasswd -a john', has been used to list the Samba shares. For user 'john', the share 'john', which corresponds to /home/john on the rhel6 server, is available.

mount

The standard mount command can be used to mount remote Samba shares on a client with the option '-t cifs'.

node01> mount -t cifs //192.168.1.10/john /mnt -o username=john

Password:
node01> ls -lrt /mnt
total 10024
-rw-r--r--. 1 john john 10240000 Feb 22 23:08 file
-rw-r--r--. 1 john john 21820 Feb 26 13:47 install.log

Windows client

Of course, a Windows node connected to the same LAN as the Samba server can access the Samba server as if it were a Windows node ...

Questions

1.- Through Samba, Windows shares can be mounted on a Linux node (true/false).

2.- The Nautilus file browser can be used to access remote Samba shares (true/false).

3.- By default, Samba is not protected by SELinux in 'enforcing' mode with the 'targeted' policy (true/false).

4.- Which 'smbclient' command option can be used to access the 'public' Samba share on 192.168.1.10 as user 'john' in an FTP-like environment?

5.- Which command can be used to mount, as user 'kate', the remote Samba share //192.168.1.10/share on the /mnt directory?

6.- Which command can be used to list the Samba shares exported by the Samba server 192.168.1.10?

7.- Which command can be used to test the Samba server configuration?

8.- Which SELinux boolean can be configured to deactivate SELinux protection for the Samba server?

9.- Which Samba configuration parameter must be applied on a share in order to export that share in read-write mode only to users in group 'group'?

A - write list = .group
B - write list = @group
C - Both of them
D - None of them

10.- Which Samba configuration parameter must be applied in the Samba server configuration file in order to allow access to any share only from the 192.168.1.10/24 LAN?

A - hosts allow=192.168.1.0/255.255.255.0
B - hosts allow=192.168.1.
C - Both of them
D - None of them

Labs

1.- Configure Samba server rhel6 (192.168.1.10) in domain REDHAT to share home directories in rw mode. Create user 'smith' and mount /home/smith from rhel6 on node01 (192.168.1.10) on the /mnt directory.

2.- On server rhel6 (192.168.1.10), share /storage through Samba rw to user 'cash' and ro to other valid users. The share will be available only to node01, 192.168.1.101.

-- This page is part of Linux Server online tutorial --