Samba: SELinux and Firewall Configuration
If you are accustomed to Windows systems, you should already know what ports you need to open on the firewall.
Step 1. Use the iptables command to create your firewall rules:
# iptables -I INPUT 5 -p udp -m udp --dport 137 -j ACCEPT
# iptables -I INPUT 5 -p udp -m udp --dport 138 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 139 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 445 -j ACCEPT
Step 2. Save the rules you just created:
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Step 3. Restart the firewall service for the changes to take effect:
# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
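A check for the rules created in the steps above, as an added example that is not part of the original page: the function reads `iptables -S INPUT` output and reports any Samba port that lacks an ACCEPT rule or is opened on the wrong protocol. It assumes nmbd uses UDP 137 and 138 and smbd uses TCP 139 and 445; the function name and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables rules for the four Samba ports.
# Assumption: nmbd uses UDP 137/138, smbd uses TCP 139/445.
# samba_fw_audit is a hypothetical helper, not part of iptables or Samba.

# Reads `iptables -S INPUT` output on stdin. Prints one line per problem
# and returns 0 only when every expected ACCEPT rule is present and no
# rule opens a Samba port on the wrong protocol. Multiport rules are ignored.
samba_fw_audit() {
    awk '
    BEGIN {
        bad = 0
        n = split("udp/137 udp/138 tcp/139 tcp/445", list, " ")
        for (i = 1; i <= n; i++) want[list[i]] = 1
    }
    $1 == "-A" && $2 == "INPUT" {
        proto = ""; port = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p")      proto  = $(i + 1)
            if ($i == "--dport") port   = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (target != "ACCEPT" || proto == "" || port == "") next
        key = proto "/" port
        if (key in want) { seen[key] = 1; next }
        # Right port, wrong protocol: Samba does not listen here.
        other = (proto == "tcp" ? "udp" : "tcp") "/" port
        if (other in want) { print "MISMATCH " key " (expected " other ")"; bad = 1 }
    }
    END {
        for (k in want) if (!(k in seen)) { print "MISSING " k; bad = 1 }
        exit bad
    }'
}

# Constructed sample: protocols for ports 137 and 139 are swapped.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p udp -m udp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | samba_fw_audit || echo "rules need attention"
```

On a live system the input would come from `iptables -S INPUT | samba_fw_audit`, run as root after the restart in Step 3.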
These four ports are very common to Windows administrators, as they are heavily used in Windows environments. Next, you need to deal with the SELinux protection for the Samba service. Due to the complexities of Samba and its integration with Windows, there are quite a few different Boolean values that you need to change. Table shows the Booleans available for Samba.
Step 1. Query for available Boolean options:
# getsebool -a | egrep '(samba)|(smb)|(nmb)|(win)'
allow_httpd_mod_auth_ntlm_winbind --> off
allow_smbd_anon_write --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
wine_mmap_zero_ignore --> off
Step 2. You need to change only a few settings for the shares to work properly:
# setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
Step 3. Verify that the changes have been made:
# getsebool -a | egrep '(samba)|(smb)|(nmb)|(win)'
allow_httpd_mod_auth_ntlm_winbind --> off
allow_smbd_anon_write --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> on
samba_export_all_rw --> on
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
wine_mmap_zero_ignore --> off
Don't forget that you can always look up the available Boolean options in the /selinux/booleans directory if you forget which options you need. Another huge benefit with Samba is that the comments in the main config file tell you which Boolean values need to be enabled for the different services that Samba can provide. When creating directories that you'd like to make into a Samba share, you can mark them as a Samba share with the correct SELinux context:
# chcon -Rt samba_share_t /opt/company_data
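Now the directory is accessible to the Samba service. A label set with chcon does not survive a filesystem relabel or a restorecon run; recording the rule with semanage fcontext makes it persistent.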