Samba File Sharing
Samba is the file-sharing protocol used by the Microsoft Windows operating system. Because
some network environments include more than one operating system, Red Hat Enterprise
Linux provides a way to use alternative file-sharing methods. If only sharing between
Linux and other UNIX variants, it is recommended that NFS be used instead. For
additional information on Samba, refer to the
/usr/share/doc/samba-<version>/ directory.
To configure a Red Hat Enterprise Linux system as a Samba server, the samba RPM
package must be installed. The configuration files for Samba are located in the
/etc/samba/ directory with the main configuration file being
/etc/samba/smb.conf. The options in the [global] section of the file apply to
all shares unless an individual share section overrides the global option.
In the [global] section of smb.conf, specify a workgroup and description for the
server:
workgroup=WORKGROUP
server string=DESCRIPTION
Even though access to a specific share directory is granted via a username and
password combination, access to all shares on the server can also be restricted
by IP address. To allow only certain systems to access the server,
use the following option in the [global] section of smb.conf:
hosts allow = <IP addresses>
where <IP addresses> can be hostnames, IP addresses, or IP address ranges.
If hostnames are used, the system must be able to resolve them to IP addresses.
All acceptable formats can be listed with the command man 5 hosts_access. The
hosts allow option can also be used in the individual share sections.
Use the command man smb.conf to view a complete list of the many configuration options
for Samba.
Adding Samba Users
Samba uses its own user database, including passwords. However, a system user with
the same username must exist before a corresponding Samba user can be added to
the server. To add a Samba user, create a system user with the same username if
it doesn't already exist, and then use the following command as root:
smbpasswd -a <username>
This writes an encrypted password for the user to the /etc/samba/smbpasswd file. By default,
Samba encrypts passwords. The use of encrypted passwords does not need to be explicitly
included in the configuration file, but it can be set with the following line
in the [global] section:
encrypt passwords = yes
If users will be connecting to the Samba shares from a Microsoft Windows system,
it is possible to map Windows usernames to Samba usernames. This is useful if
the Windows system is configured with different usernames. To map Windows
usernames to Samba usernames, add them to /etc/samba/smbusers with the
following format:
username = Windows_name1
To map more than one Windows username to the same Linux system username, separate them
by spaces:
username = Windows_name1 Windows_name2
Adding a Samba Share
To add a shared directory, include a section in smb.conf:
[sharename]
path = <path>
The sharename should be descriptive and easy to remember. Table includes other common
options.
LISTING Private Samba Share
[data]
comment=Private share for bsf and akf
path=/shares/data
read only = no
valid users = bsf akf
browseable = no
Testing the Samba Configuration File
After modifying the smb.conf file, test for syntax errors with the testparm command.
By default, it looks for the
configuration file in /etc/samba/smb.conf. To force it to look at a different
file, specify it as a command-line argument such as testparm
/etc/samba/smb.conf.new. This allows an administrator to test multiple files or
create a new Samba configuration file elsewhere before committing it to the
actual configuration file. Listing shows the output of testparm.
LISTING Testing a Samba Configuration File
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[tmp]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
After the testing is done, it prompts the administrator to press Enter to display the
service definitions. If Enter is pressed, the global options are shown followed
by a list of configured Samba shares for the server as shown in Listing.
LISTING of Samba Shares
# Global parameters
[global]
workgroup = WUDAN
server string = Samba Server
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
dns proxy = No
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[tmp]
comment = Temporary file space
path = /tmp
read only = No
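The [tmp] share in the dump above is writable and has neither a valid users list nor a hosts allow restriction at the share or [global] level. The following added example (not part of the original page) reports such shares from an smb.conf-format file; the function names and the sample file, including its hosts allow value, are constructed, and only the "hosts allow" and "read only = no" spellings are recognized, not their synonyms.

```bash
#!/bin/bash
# Added example: report shares in an smb.conf-format file that lack a
# hosts allow restriction or are writable without a valid users list.
audit_smb_shares() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Look for the option in the share first, then in [global].
    function get(s, k) {
        if ((s, k) in val) return val[s, k]
        return (("global", k) in val) ? val["global", k] : ""
    }
    /^[ \t]*([#;]|$)/ { next }                  # comments and blank lines
    /^[ \t]*\[.*\]/ {                           # section header
        sec = tolower(trim($0)); sec = substr(sec, 2, length(sec) - 2)
        if (sec != "global") order[++n] = sec
        next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        gsub(/[ \t]+/, " ", key)                # collapse inner whitespace
        val[sec, key] = trim(substr($0, eq + 1))
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (get(s, "hosts allow") == "")
                print "[" s "]: no hosts allow restriction"
            if (tolower(get(s, "read only")) == "no" && get(s, "valid users") == "")
                print "[" s "]: writable without valid users"
        }
    }' "$1"
}

demo_smb_audit() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample modelled on the listings on this page
[global]
workgroup = WUDAN
[data]
path=/shares/data
read only = no
valid users = bsf akf
hosts allow = 192.168.1.
[tmp]
path = /tmp
read only = No
EOF
    audit_smb_shares "$f"; rm -f "$f"
}
demo_smb_audit
```

Run against the real file with audit_smb_shares /etc/samba/smb.conf after testparm reports no syntax errors.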
Starting and Stopping the Samba Server
To start the Samba server, execute the command service smb start. To stop the
server, execute the command service smb stop.
To have the service start automatically at boot time, use chkconfig:
chkconfig smb on
To determine whether or not the Samba server is running, use the command service
smb status. If the smb.conf
configuration file is modified after the service is started, use the command
service smb reload to force a reread of the configuration file so the changes take
effect.
Logging Samba Connections
The system log file, /var/log/messages, contains messages from the Samba services
smbd, nmbd, and mount.cifs as well as kernel messages about the smb service. By
default, a log file is created for each system that connects to the server. The
log files are located in the /var/log/samba/ directory, with the naming
convention of <client_name>.log for the individual log files. This
default is configured in smb.conf with the following line:
log file = /var/log/samba/%m.log
To use one log file for all clients instead, change this line to the following:
log file = /var/log/samba/log.smbd
The log files are rotated once a week and kept on disk for four weeks by the logrotate
utility.
Connecting to the Samba Shares
Connecting to a Samba share in Windows varies with the different versions. Refer to the documentation
for your version of Windows for detailed information on connecting to a Samba
share. The method for connecting to a Windows Samba server and a Linux Samba server
is the same. This section goes into detail about how to connect to a Samba
server, Linux or Windows, from a Red Hat Enterprise Linux system.
Connecting with smbclient
The smbclient command provides an FTP-like interface to the server. It is provided
by the samba-client package. Install it via RHN if not already installed.
Before you can connect to a Samba share, you must know its name. If you only know the name
of the Samba server, use smbclient to display a list of available shares and
the workgroup for the Samba server, and replace the <servername> and
<username>:
smbclient -L <servername> -U <username>
The output will look similar to Listing.
LISTING Output from smbclient -L
Domain=[JADEFOX] OS=[Unix] Server=[Samba 3.0.14a-2]
Sharename       Type      Comment
---------       ----      -------
tmp             Disk      Temporary file space
IPC$            IPC       IPC Service (Jadefox)
ADMIN$          IPC       IPC Service (Jadefox)
printer         Printer   printer
tfox            Disk      Home Directories
Domain=[JADEFOX] OS=[Unix] Server=[Samba 3.0.23c-2]
Server               Comment
---------            -------
Workgroup            Master
---------            -------
WUDAN                JADEFOX
If the -U <username> option is not used, the connection is attempted as a
guest user. If a username is specified, enter the correct password when prompted.
To connect to a specific share using smbclient, use the following:
smbclient //<servername>/<sharename> -U <username>
A successful connection is indicated by the smb: \> prompt. Once connected,
the commands are similar to a command-line FTP client. Table lists common commands.
TABLE Common smbclient Commands
Command                 Description
pwd                     Display current remote directory
cd <directory_name>     Change directories if it is accessible
lcd <directory_name>    Change current local directory
get <file>              Retrieve <file> from current remote directory to current local directory
mget <files>            Retrieve multiple files, will be prompted for each matching file unless prompt is disabled
put <file>              Upload local file to the current remote directory
mput <files>            Upload multiple local files to the current remote directory; you will be prompted for each matching file unless prompt is disabled
ls                      List files in current remote directory
exit                    Close connection to Samba server and exit
Samba and SELinux
Samba file sharing is protected by SELinux, a mandatory access control security mechanism.
If SELinux is set to the enforcing mode, the files shared via Samba must be
labeled with the correct SELinux security context. After configuring Samba to
share a directory, execute the following command to change the security context
of the files in the shared directory:
chcon -R -t samba_share_t <directory>
If the directory is inside a home directory, you might need to set the security
context of the entire home directory:
chcon -R -t samba_share_t <home_directory>
Execute the following command to allow home directories or directories inside home directories
to be shared:
setsebool -P samba_enable_home_dirs=1
If more than one file sharing protocol is configured to share the same set of
files such as FTP and Samba, the security context of the files must be set to
public_content_t or public_content_rw_t instead. Additional SELinux booleans
must be enabled as well.
To use Samba to mount home directories from a Samba server, the
use_samba_home_dirs boolean must be set to 1 on each system mounting the home
directories.
Any of these SELinux booleans can also be modified by running the SELinux Management
Tool. Start it by selecting Administration, SELinux Management from the System
menu on the top panel of the desktop or by executing the system-config-selinux
command.
Enter the root password when prompted if running as a non-root user. Select Boolean from
the list on the left. On the right, click the triangle icon next to Samba. The
SELinux booleans affecting Samba appear. A check box appears next to each
boolean enabled. Changes take place immediately after modifying the check box.
The SELinux booleans that affect Samba are described in the samba_selinux man
page viewable with the man samba_selinux command.
Allowing Samba Connections
Before configuring the Samba server, configure your firewall settings to allow the
incoming connections. The following ports must be opened:
- UDP port 137 for netbios-ns, the NETBIOS Name Service
- UDP port 138 for netbios-dgm, the NETBIOS Datagram Service
- TCP port 139 for netbios-ssn, the NETBIOS session service
- TCP port 445 for microsoft-ds, the Microsoft Domain Service
If custom IPTables rules are being used. If the default security level is enabled
instead of custom IPTables rules, use the Security Level Configuration tool to
allow Samba connections. Start it by selecting Administration, Security Level
and Firewall from the System menu on the top panel of the desktop or by executing
the system-config-securitylevel command. Enter the root password when prompted
if running as a non-root user. In the Other ports area, click Add to specify
each Samba port.
Mounting the Samba Share
To mount a Samba share to a local directory similar to mounting an NFS share, use
the following command (you must be root):
mount -t cifs //servername/sharename /mountpoint -o username=<username>
Replace the servername, sharename, mountpoint, and username. You will be prompted for the
password. Remember that the user must exist as a Samba user on the Samba
server.
After it is mounted, the files on the mount can be accessed just like local files in
the directory given as the mount point. All updates to the share automatically
appear on the clients.
To unmount the share, use the command umount /mountpoint (replace /mountpoint). This
mount is not persistent; it will not be remounted on reboot.
Alternatively, the mount.cifs command from the samba-client package can perform the same
mount. It is just a shortcut to mount -t cifs. It must be run as the root user
as well:
mount.cifs //servername/sharename /mountpoint -o username=<username>
To create a persistent mount that is automatically mounted at boot time, add an
entry to /etc/fstab:
//servername/sharename /mountpoint cifs defaults 0 0
Replace servername, sharename, and mountpoint. To make the mount read-write, replace defaults
with rw. Because including the password is a security risk, and just giving the
username will prompt for a password, this configuration mounts the share as a
guest user.
Because mounting as a guest only gives the user the permissions of user nobody on the Samba
server, it is possible to configure a credentials file that includes the
username and password (and any other options necessary for the mount):
//servername/sharename /mountpoint cifs credentials=/etc/smbcreds 0 0
This configuration will refer to the file /etc/smbcreds for Samba options. The file
should include the following lines (replace <username> and
<password>):
username=<username>
password=<password>
This file can have a different filename and be located anywhere on the filesystem.
However, to prevent other users from getting the password, be sure to change the
permissions of the credential file with the command chmod 600 <filename>
so only the owner can read it. For extra security, be sure the password used is
not used for access to other systems in case it is compromised or read by
someone else.
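A check for the fstab and credentials-file guidance above, as an added example that is not part of the original page: it flags cifs entries that store a password inline, mount as guest, or point at a credentials file whose mode is not 600. The function names, the ROOT prefix argument and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example: audit cifs entries in an fstab-format file.
# ROOT (hypothetical second argument) is prefixed to credentials paths so
# the check can run against a constructed tree instead of the live system.
audit_cifs_fstab() {
    local fstab=$1 root=${2:-} dev mnt type opts rest cred mode
    while read -r dev mnt type opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        [ "$type" = cifs ] || continue
        case ",$opts" in
            *,password=*) echo "$mnt: password stored inline in fstab" ;;
        esac
        case ",$opts" in
            *,credentials=*)
                cred=${opts##*credentials=}; cred=${cred%%,*}
                if [ ! -f "$root$cred" ]; then
                    echo "$mnt: credentials file $cred missing"
                else
                    mode=$(stat -c %a "$root$cred")   # GNU stat, as on RHEL
                    [ "$mode" = 600 ] || echo "$mnt: $cred has mode $mode, expected 600"
                fi ;;
            *,username=*|*,password=*) : ;;
            *) echo "$mnt: no credentials, mounts as guest" ;;
        esac
    done < "$fstab"
    return 0
}

demo_cifs_audit() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/etc"
    # Constructed credentials file, deliberately left world-readable.
    printf 'username=bsf\npassword=constructed-example\n' > "$t/etc/smbcreds"
    chmod 644 "$t/etc/smbcreds"
    cat > "$t/fstab" <<'EOF'
//servername/data /mnt/data cifs credentials=/etc/smbcreds 0 0
//servername/tmp /mnt/tmp cifs defaults 0 0
//servername/old /mnt/old cifs username=bsf,password=constructed 0 0
EOF
    audit_cifs_fstab "$t/fstab" "$t"
    rm -rf "$t"
}
demo_cifs_audit
```

On a live system, call audit_cifs_fstab /etc/fstab with no second argument.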
Yet another option for configuring a Samba mount is to use autofs. The share can be
mounted in any directory reserved for autofs. For example, to mount it in
/misc/<mount_dir>/, make sure the following line exists and is not commented out in /etc/auto.master:
/misc /etc/auto.misc
Then, in /etc/auto.misc, add the following line:
mount_dir -fstype=cifs,credentials=/etc/smbcreds ://<servername>/<sharename>
As shown, a credentials file can also be used with autofs. If the autofs service
is already started, be sure to reload the configuration files with the command
service autofs reload.