Samba File Sharing
Samba is the file-sharing protocol used by the Microsoft Windows operating system. Because some network environments include more than one operating system, Red Hat Enterprise Linux provides a way to use alternative file-sharing methods. If only sharing between Linux and other UNIX variants, it is recommended that NFS be used instead. For additional information on Samba, refer to the /usr/share/doc/samba-<version>/ directory.
To configure a Red Hat Enterprise Linux system as a Samba server, the samba RPM package must be installed. The configuration files for Samba are located in the /etc/samba/ directory with the main configuration file being /etc/samba/smb.conf. The options in the [global] section of the file apply to all shares unless an individual share section overrides the global option.
In the [global] section of smb.conf, specify a workgroup and description for the server:
Even though access to a specific share directory is granted via a username and password combination, access can also be restricted to all shares from the server by IP address. To grant only certain systems from accessing the server, use the following option in the [global] section of smb.conf:
hosts allow = <IP addresses>
where <IP addresses> can be the hostnames, IP addresses, or IP address ranges. If hostnames are used, the system must be able to resolve them to IP addresses. All acceptable formats can be listed with the command man 5 hosts_access. The hosts allow option can also be used in the individual share sections.
Use the command man smb.conf to view a complete list of the many configuration options for Samba.
Adding Samba Users
Samba uses its own user database, including passwords. However, a system user with the same username must exist before a corresponding Samba user can be added to the server. To add a Samba user, create a system user with the same username if it doesn’t already exist, and then use the following command as root:
smbpasswd -a <username>
This writes an encrypted password for the user to the /etc/samba/smbpasswd file. By default, Samba encrypts passwords. The use of encrypted passwords does not need to be explicitly included in the configuration file, but it can be set with the following line in the [global] section:
encrypted passwords = yes
If users will be connecting to the Samba shares from a Microsoft Windows system, it is possible to map Windows usernames to Samba usernames. This is useful if the Windows system is configured with different usernames. To map Windows usernames to Samba usernames, add them to /etc/samba/smbusers with the following format:
username = Windows_name1
To map more than one Windows username to the same Linux system username, separate them by spaces:
username = Windows_name1 Windows_name2
Adding a Samba Share
To add a shared directory, include a section in smb.conf:
[sharename] path = <path>
The sharename should be descriptive and easy to remember. Table includes other common options.
LISTING Private Samba Share
comment=Private share for bsf and akf
read only = no
valid users = bsf akf
browseable = no
Testing the Samba Configuration File
After modifying the smb.conf file, test for syntax errors with the testparm command. By default, it looks for the configuration file in /etc/samba/smb.conf. To force it to look at a different file, specify it as a command-line argument such as testparm /etc/samba/smb.conf.new. This allows an administrator to test multiple files or create a new Samba configuration file elsewhere before committing it to the actual configuration file. Listing shows the output of testparm.
LISTING Testing a Samba Configuration File
Load smb config files from /etc/samba/smb.conf
Processing section “[homes]”
Processing section “[printers]”
Processing section “[tmp]”
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
After the testing is done, it prompts the administrator to press Enter to display the service definitions. If Enter is pressed, the global options are shown followed by a list of configured Samba shares for the server as shown in Listing.
LISTING of Samba Shares
# Global parameters
workgroup = WUDAN
server string = Samba Server
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
dns proxy = No
cups options = raw
comment = Home Directories
read only = No
browseable = No
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
comment = Temporary file space
path = /tmp
read only = No
Starting and Stopping the Samba Server
To start the Samba server, execute the command service smb start. To stop the server, execute the command service smb stop.
To have the service start automatically at boot time, use chkconfig:
chkconfig smb on
To determine whether or not the Samba server is running, use the command service smb status. If the smb.conf configuration file is modified after the service is started, use the command service smb reload to force a reread of the configuration file so the changes take effect.
Logging Samba Connections
The system log file, /var/log/messages, contains messages from the Samba services smbd, nmbd, and mount.cifs as well as kernel messages about the smb service. By default, a log file is created for each system that connects to the server. The log files are located in the /var/log/samba/ directory, with the naming convention of <client_name>.log for the individual log files. This default is configured in smb.conf with the following line:
log file = /var/log/samba/%m.log
To use one log file for all clients instead, change this line to the following:
log file = /var/log/samba/log.smbd
The log files are rotated once a week and kept on disk for four weeks by the logrotate utility.
Connecting to the Samba Shares
Connecting to a Samba share in Windows varies with the different versions. Refer to the documentation for your version of Windows for detailed information on connecting to a Samba share. The method for connecting to a Windows Samba server and Linux Samba server are the same. This section goes into detail about how to connect to a Samba server, Linux or Windows, from a Red Hat Enterprise Linux system.
Connecting with smbclient
The smbclient command provides an FTP-like interface to the server. It is provided by the samba-client package. Install it via RHN if not already installed.
Before you can connect to a Samba share, you must know its name. If you only know the name of the Samba server, use smbclient to display a list of available shares and the workgroup for the Samba server, and replace the <servername> and <username>:
smbclient -L <servername> -U <username>
The output will look similar to Listing.
LISTING Output from smbclient -L
Domain=[JADEFOX] OS=[Unix] Server=[Samba 3.0.14a-2]
Sharename Type Comment
--------- ---- -------
tmp Disk Temporary file space
IPC$ IPC IPC Service (Jadefox)
ADMIN$ IPC IPC Service (Jadefox)
printer Printer printer
tfox Disk Home Directories
Domain=[JADEFOX] OS=[Unix] Server=[Samba 3.0.23c-2]
If the -U <username> option is not used, the connection is attempted as a guest user. If a username is specified, enter the correct password when prompted.
To connect to a specific share using smbclient, use the following:
smbclient //<servername>/<sharename> -U <username>
A successful connection is indicated by the smb: \> prompt. Once connected, the
commands are similar to a command-line FTP client. Table lists common commands .
TABLE Common smbclient Commands
Samba and SELinux
Samba file sharing is protected by SELinux, a mandatory access control security mechanism. If SELinux is set to the enforcing mode, the files shared via Samba must be labeled with the correct SELinux security context. After configuring Samba to share a directory, execute the following command to change the security context of the files in the shared directory:
chcon -R -t samba_share_t <directory>
If the directory is inside a home directory, you might need to set the security context of the entire home directory:
chcon -R -t samba_share_t <home_directory>
Execute the following command to allow home directories or directories inside home directories to be shared:
setsebool -P samba_enable_home_dirs=1
If more than one file sharing protocol is configured to share the same set of files such as FTP and Samba, the security context of the files must be set to public_content_t or public_content_rw_t instead. Additional SELinux booleans must be enabled as well.
To use Samba to mount home directories from a Samba server, the use_samba_home_dirs boolean must be set to 1 on each system mounting the home directories.
Any of these SELinux booleans can also be modified by running the SELinux Management Tool. Start it by selecting Administration, SELinux Management from the System menu on the top panel of the desktop or by executing the system-config-selinux command.
Enter the root password when prompted if running as a non-root user. Select Boolean from the list on the left. On the right, click the triangle icon next to Samba. The SELinux booleans affecting Samba appear. A check box appears next to each boolean enabled. Changes take place immediately after modifying the check box.
The SELinux booleans that affect Samba are described in the samba_selinux man
page viewable with the man samba_selinux command. Allowing Samba Connections Before configuring the Samba server, configure your firewall settings to allow the incoming connections. The following ports must be opened:
. UDP port 137 for netbios-ns, the NETBIOS Name Service
. UDP port 138 for netbios-dgm, the NETBIOS Datagram Service
. TCP port 139 for netbios-ssn, the NETBIOS session service
. TCP port 445 for microsoft-ds, the Microsoft Domain Service
If custom IPTables rules are being used. If the default security level is enabled instead of custom IPTables rules, use the Security Level Configuration tool to allow Samba connections. Start it by selecting Administration, Security Level and Firewall from the System menu on the top panel of the desktop or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a non-root user. In the Other ports area, click Add to specify each Samba port.
Mounting the Samba Share
To mount a Samba share to a local directory similar to mounting an NFS share, use the following command (you must be root):
mount -t cifs //servername/sharename /mountpoint -o username=<username>
Replace the servername, sharename, mountpoint, and username. You will be prompted for the password. Remember that the user must exist as a Samba user on the Samba server.
After it is mounted, the files on the mount can be accessed just like local files in the directory given as the mount point. All updates to the share automatically appear on the clients.
To unmount the share, use the command umount /mointpoint (replace /mountpoint). This mount is not persistent—it will not be remounted on reboot.
Alternatively, the mount.cifs command from the samba-client package can perform the same mount. It is just a shortcut to mount -t cifs. It must be run as the root user as well:
mount.cifs //servername/sharename /mountpoint -o username=<username>
To create a persistent mount that is automatically mounted at boot time, add an entry to etc/fstab:
//servername/sharename /mountpoint cifs defaults 0 0
Replace servername, sharename, and mountpoint. To make the mount read-write, replace defaults with rw. Because including the password is a security risk, and just giving the username will prompt for a password, this configuration mounts the share as a guest user.
Because mounting as a guest only gives the user the permissions of user nobody on the Samba server, it is possible to configure a credentials file that includes the username and password (and any other options necessary for the mount):
//servername/sharename /mountpoint cifs credentials=/etc/smbcreds 0 0
This configuration will refer to the file /etc/smbcreds for Samba options. The file should include the following lines (replace <username> and <password>):
This file can have a different filename and be located anywhere on the filesystem.
However, to prevent other users from getting the password be sure to change the permissions of the credential file with the command chmod 600 <filename> so only the owner can read it. For extra security, be sure the password used is not used for access to other systems in case it is compromised or read by someone else.
Yet another option for configuring a Samba mount is to use autofs. The share can be mounted in any directory reserved for autofs. For example, to mount it in
/misc/<mount_dir>/, make sure the following line exists and is not commented out in /etc/auto.master:
Then, in /etc/auto.misc, add the following line:
mount_dir -fstype=cifs,credentials=/etc/smbcreds ://<servername>/<sharename>
As shown, a credentials file can also be used with autofs. If the autofs service is already started, be sure to reload the configuration files with the command service autofs reload.