RHCE-samba
Samba Services
Install Samba Services
RPM Package | Description |
---|---|
samba | Includes the basic SMB server software for sharing files and printers. |
samba-client | Provides the utilities needed to connect to shares from Samba and Microsoft servers. |
samba-common | Contains common Samba commands used by both the client and the server. |
samba-doc | Includes Samba documentation in both HTML and PDF formats. |
samba-domainjoin-gui | Supports connections to network workgroups and domains. |
samba-swat | Provides the web-based interface for Samba configuration. |
samba-winbind | Supports Samba as a member server on Microsoft-based domains and supports Windows users on Linux servers. |
samba-winbind-nss | Provides client connections to Winbind via PAM and the Network Switching Service (NSS). |
Ports, Firewalls, and Samba
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
Configure SELinux Booleans for Samba
# setsebool -P samba_enable_home_dirs on
Samba Communication Services
Port/Protocol | Description |
---|---|
137/UDP | NetBIOS name service |
138/UDP | NetBIOS datagram service |
139/TCP | NetBIOS session service |
445/TCP | Microsoft directory services, also known as SMB over IP |
Boolean | Description |
---|---|
allow_smb_anon_write | Supports the writing of files to directories configured with the public_content_rw_t SELinux setting. |
cdrecord_read_content | Allows the cdrecord command to read shared Samba (and other network) directories. |
qemu_use_cifs | Works with access to CIFS filesystems; enabled by default. |
samba_create_home_dirs | Supports the creation of home directories, normally set up for external users. |
samba_domain_controller | Allows Samba to act as a domain controller for authentication management. |
samba_enable_home_dirs | Enables the sharing of home directories. |
samba_export_all_ro | Sets up read-only access to any directory, even those without the samba_share_t file type label. |
samba_export_all_rw | Sets up read/write access to any directory, even those without the samba_share_t file type label. |
samba_run_unconfined | Supports the execution of unconfined scripts from the /var/lib/samba/scripts directory. |
samba_share_fusefs | Allows Samba to share filesystems mounted to fusefs, a common mount for the Microsoft NTFS filesystem. |
samba_share_nfs | Enables sharing of NFS filesystems. |
use_samba_home_dirs | Supports the use of a remote server for Samba home directories. |
virt_use_samba | Allows a VM to access files mounted to the CIFS filesystem. |
Confi gure SELinux File Types for Samba
Normally, Samba can only share those files and directories labeled with the samba_share_t file type. It is true, the samba_share_t file type is not required if the samba_export_all_ro or samba_export_all_rw booleans are enabled. However, that would be a security risk. So in most cases, you’ll want to enable directories (and files therein) with the noted file type with a command like the following:
# chcon -R -t samba_share_t /share
In addition, to make sure the changes survive a relabel of SELinux, you’ll want to set up the file_contexts.local file in /etc/selinux/targeted/contexts/files directory with a command such as the following:
# semanage fcontext -a -t samba_share_t /share
Samba Daemons
If you want to make sure the services are running the next time Linux is booted, the associated scripts in the /etc/init.d directory are smb, nmb, and winbind. They start the associated smbd, nmbd, and winbindd daemons with the following options in the /etc/sysconfig/samba file:
SMBDOPTIONS="-D"
NMBDOPTIONS="-D"
WINBINDOPTIONS=""
No options are set for the winbind daemon, but they can be added between the quotes in the noted file. To confirm the way a daemon is running, the ps command can help. For example, the following output from the ps aux | grep smb command confirms that the Samba service is running with the -D switch:
root 12836 0.0 0.2 203612 1648 ? S Mar08 0:00 smbd -D
Samba Server Global Configuration
#----------- Logging Options ---------------
The log file directive as shown sets up separate log files for every machine that connects to this Samba server, based on its machine name (%m). By default, the log file is limited to 50KB. As suggested by the comment, log files that exceed the given size are rotated. If logs exceed that size, you’ll still see them in the /var/log/samba directory with the .old extension.
# logs split per machine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
max log size = 50
The smb.conf file uses two types of comment lines.
The hash symbol (#) is used for a general text comment. This is typically verbiage that describes a feature.
The second comment symbol is the semicolon (;), used to comment out Samba directives (which you may later wish to uncomment to enable the disabled feature).
The [global] section starts with the following two lines:
#======================= Global Settings==========================
[global]
Now examine the global settings that follow. First, if you see the line
#--authconfig--start-line--
this means the configuration file has been modified by the authconfig or the system-config-authentication tool.
Network-Related Options
Despite the name, the workgroup directive specifies the name of a workgroup or, more commonly, a domain. But since peer-to-peer workgroups were developed first, the default Samba workgroup is WORKGROUP, which happens to be the old name of the default peer-to-peer workgroup. It's now set to the default workgroup for Microsoft Windows 7:
workgroup = MYGROUP
The server string directive that follows becomes the comment shown with the NetBIOS name of the system in the visible browse list, where Samba substitutes the version number for the %v variable:
server string = Samba Server Version %v
; netbios name = MYSERVER
If the local system is connected to more than one network, you can specify them with the interfaces directive, as shown here. Of course, the devices and network addresses should be changed appropriately:
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
If you activate the hosts allow directive, access is limited to the specified network(s). The following default would limit access to the 192.168.12.0 and 192.168.13.0 networks, as well as the local computer (127.):
; hosts allow = 127. 192.168.12. 192.168.13.
Logging Options
Standalone Server Options
security = user
This is appropriate when configuring this computer as a Domain Controller (DC), specifically a Primary Domain Controller (PDC).
Alternatively, to configure this computer as a member server on a domain, using a password database from a DC, substitute the following command:
security = domain
To configure a system as a member server on an Active Directory network, substitute the following command:
security = ads
Alternatively, to use a database from another computer that is not a DC, substitute the following command:
security = server
Finally, to configure a system on a peer-to-peer workgroup that does not require usernames, substitute the following command:
security = share
Domain Controller Options
Browse Control Options
#----------- Browser Control Options --------------
Unless a Samba server is specifically designated as a local browse master, Samba participates in browser elections like any other Microsoft Windows computer, using the specified os level:
; local master = no
; os level = 33
Alternatively, if a Domain Controller isn’t already elected as a browse master, you can make it easier for the local computer to win the browser election, with the preferred master command:
; preferred master = yes
Name Resolution
The following section allows you to set up a Samba server with a database of NetBIOS names and IP addresses, starting with the following comment:
#----------- Name Resolution --------------
The Windows Internet Name Service (WINS) is functionally equivalent to DNS on Microsoft-based networks, including those served by Samba. If you activate the following command, Samba runs a WINS server on the local computer:
; wins support = yes
Alternatively, you can point the local computer to a remote WINS server on the network; of course, you’d have to substitute the IP address for w.x.y.z. Do not activate both the wins support and wins server directives on the same system, as they are incompatible.
; wins server = w.x.y.z
Samba servers may not be installed on every Linux system. In that case, you could enable the following directive to allow access from such systems with only Samba client software:
; wins proxy = yes
If the answer to a name resolution request is not in a WINS server, the following directive would allow the same search through configured DNS servers:
; dns proxy = yes
Printing Options
#----------- Printing Options --------------
These default printer settings are required to share printers from this Samba server. The following three directives load the printers defined in the file named by printcap name = /etc/printcap. The cups options = raw directive means that print jobs have already been processed by a service with print processors, such as the CUPS service:
load printers = yes
cups options = raw
printcap name = /etc/printcap
Alternatively, it’s possible to configure a different print server. The following option obtains information from printers configured on older Linux systems:
printcap name = lpstat
Filesystem Options
Shared Samba Directories
#============================ Share Definitions =============
[homes]
comment = Home Directories
browseable = no
writable = yes
Every user gets access to his or her own home directory; the browseable = no command keeps users away from each other’s home directory.
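As an added check tied to the comment styles, security modes, WINS directives and [homes] share described above (example code, not from the page or the Samba project): a small smb.conf parser that skips both # and ; comment lines and reports the combinations this page warns about. The sample configuration, including the 192.0.2.10 WINS address, is constructed.

```python
import re

# Constructed sample (not from the page): hosts allow is disabled with ';',
# security = share is set, and both WINS directives are active at once.
SAMPLE_SMB_CONF = """\
[global]
    ; hosts allow = 127. 192.168.12. 192.168.13.
    security = share
    wins support = yes
    wins server = 192.0.2.10
[homes]
    comment = Home Directories
    browseable = yes
"""

def parse_smb_conf(text):
    """Return {section: {directive: value}}; '#' and ';' lines are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # both comment styles are skipped
            continue
        if m := re.match(r"^\[([^\]]+)\]$", line):
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Samba ignores case and internal spacing in directive names
        conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf

def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")

def lint_smb_conf(text):
    """Findings for the pitfalls this page notes; defaults follow Samba's."""
    conf = parse_smb_conf(text)
    g, findings = conf.get("global", {}), []
    if is_yes(g.get("wins support", "no")) and "wins server" in g:
        findings.append("wins support and wins server are both active (incompatible)")
    if g.get("security", "user").lower() == "share":
        findings.append("security = share: no usernames required")
    if "hosts allow" not in g:
        findings.append("hosts allow not set: access is not limited by network")
    homes = conf.get("homes")
    if homes is not None and is_yes(homes.get("browseable", "yes")):
        findings.append("[homes] is browseable: users can see each other's home directories")
    return findings
```

Running lint_smb_conf(SAMPLE_SMB_CONF) returns four findings; a configuration with hosts allow set, security = user, a single WINS role and browseable = no under [homes] returns none.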