Oracle 8i | Oracle 9i | Oracle 10g | Oracle 11g | Oracle 12c | Miscellaneous | PL/SQL | SQL | Oracle RAC | Oracle Apps | Linux

Linux Samba Configuration

This article provides an introduction to Samba configuration on Linux, with specific reference to the information needed for the RHCE EX300 certification exam.

Remember, the exams are hands-on, so it doesn't matter which method you use to achieve the result, so long as the end product is correct.

Related articles.

Installation

The Samba service is installed from a Yum repository using the following command.

# yum install samba

Turn on the Samba server and make sure it starts automatically on reboot.

# service smb start
# chkconfig smb on

Samba is configured by altering the contents of the "/etc/samba/smb.conf" and "/etc/samba/smbusers" files. Configuration changes have to be followed by a reload or a restart of the smb service.

# service smb restart
# # or
# service smb reload
# /etc/init.d/smb reload

Firewall

If you are using the Linux firewall, you need to open ports 139 and 445 specifically. The Samba documentation suggest opening 3 additional ports also. Assuming you are using a firewall setup file, as described here, you can include the following additions to the INPUT chain.

# Open ports for SAMBA.
iptables -A INPUT -p tcp --dport 135 -j ACCEPT
iptables -A INPUT -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT

SELinux

If you are using SELinux, you will need to consider the following points.

The SELinux booleans associated with the Samba service are displayed using the getsebool command.

# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off
#

The setsebool command is used to set a specific boolean value.

# setsebool use_samba_home_dirs on
# setsebool use_samba_home_dirs off

The samba_share_t context should be assigned to all content.

# semanage fcontext -a -t samba_share_t "/u01(/.*)?"
# restorecon -F -R -v /u01

You can check the current context setting on files and directories using the "ls -alZ" command.

More information on SELinux can be found here.

Create Network Shares

Shares are created by editing the "/etc/samba/smb.conf" file. In RHEL5 and Fedora distributions you can use a GUI tool called system-config-samba, but this has been removed from RHEL6.

The "/etc/samba/smb.conf" file contains an example share definition towards the bottom of the file. The ";" characters are comments.

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;       [public]
;       comment = Public Stuff
;       path = /home/samba
;       public = yes
;       writable = yes
;       printable = no
;       write list = +staff

More detailed information is available using the "man smb.conf" or "info smb.conf" commands. The following example defines a share accessible to a user called "john_doe" and members of the "developers" group.

[u01]
  valid users = john_doe @developers
  write list = john_doe @developers
  path = /u01
  writeable = yes
  create mask = 0775

Remember to reload the configuration, or restart the smb service for the changes to take effect.

The next section shows a worked example, so this should make things a little clearer.

Create Network Shares for Group Collaboration

This section describes the steps necessary to create Samba shares suitable for group collaboration.

Create a group that will act as the owner of the shared files.

# groupadd developers

Create some users that are assigned to the "developers" group.

# useradd dev1 -G developers
# passwd dev1 # password set to dev1

# id dev1
uid=501(dev1) gid=504(dev1) groups=504(dev1),506(developers)
#

# useradd dev2 -G developers
# passwd dev2 # password set to dev2

# id dev2
uid=502(dev2) gid=505(dev2) groups=505(dev2),506(developers)
# 

Set the Samba password for the users.

# smbpasswd -a dev1
New SMB password:
Retype new SMB password:
Added user dev1.
#

# smbpasswd -a dev2
New SMB password:
Retype new SMB password:
Added user dev2.
#

Create a directory to own the shared files, making sure its group is set correctly. The permissions are set to "g+rwx" (0770), since the group is the defining factor in accessing data in this directory.

# mkdir /developers_dir
# chgrp developers /developers_dir
# chmod g+s /developers_dir
# chmod -R 770 /developers_dir

Add the following share into the "/etc/samba/smb.conf" file. Notice the 0770 permissions again, so users don't accidentally create files that can't be amended by other members of the group.

[devshare]
browseable=yes
path = /developers_dir
force group = +developers
valid users = @developers
write list = @developers
create mask = 0770
force create mode = 660

Reload the Samba configuration.

# service smb reload
Reloading smb.conf file:                                   [  OK  ]
# 

From another machine, mount the share as the "dev1" user and create a file.

# mkdir -p /u01/dev1
# mount -t cifs -o rw,username=dev1,password=dev1 //192.168.0.190/devshare /u01/dev1 
# echo "apples" >> /u01/dev1/test.txt

From another machine, mount the share as the "dev2" user and edit the file created previously.

# mkdir -p /u01/dev2
# mount -t cifs -o rw,username=dev2,password=dev2 //192.168.0.190/devshare /u01/dev2 
# echo "oranges" >> /u01/dev2/test.txt
# cat /u01/dev2/test.txt
apples
oranges
#

Security

The basic user security model for Samba is quite simple. As shown previously, existing Linux users can be made into Samba users by issuing the "smbpasswd -a" command. This allows shares to be made user-specific by adding the users into the "valid users" and "write list" entries of the "/etc/samba/smb.conf" file.

In a similar manner, permissions can be at the group-level by specifying the group with a preceeding "@" symbol.

Host-level security can be controlled using the Linux Firewall, or by addition of the "hosts allow" or "hosts deny" parameters to the share definitions on the "/etc/samba/smb.conf" file. If these settings are placed in the "[global]" section of the file, they affect all share defintions.

Mapping User Names

The "/etc/samba/smbusers" file is used to map Samba user names to Linux user names, allowing for different naming standards between machines running different operating systems. The default settings in the file map the common Windows users of "admin" and "administrator" to the Linux "root" user.

# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest

Mounting Samba Shares

The following links point to articles on this site about mounting Samba shares:

For more information see:

Hope this helps. Regards Tim...

Back to the Top.