Samba Configuration Guide

Samba is provided through the smbd and nmbd daemons and the smbclient utility.

To install Samba, use yum (or rpm) to install the required packages and enable the smb service at boot:
    yum -y install samba samba-common samba-client
    chkconfig smb on

Samba uses ports 137, 138 and 139 (NetBIOS) and TCP 445 (microsoft-ds) unless it is forced in the config to use only TCP 445; the services appear as netbios-* and microsoft-ds in /etc/services.

Configuration files are in /etc/samba/; smb.conf is the main config file.

system-config-samba and testparm are great tools for assisting with Samba configuration and validating syntax:
    testparm -v                                           # show all parameters, including defaults
    testparm /etc/samba/smb.conf host1.sysxperts.com 10.1.4.66   # test whether this host/IP is allowed access

samba-swat is a web-based configuration tool that may be installed as well (default URL http://localhost:901); however, editing the configuration manually is recommended, and backing up smb.conf before opening it with SWAT is critical since SWAT rewrites the file and removes all comments!

File and Directory Sharing

Each share has its own [section] in smb.conf, e.g.:
    [pvalentino]
        comment = Paul's home directory
        path = /home/pvalentino
        public = no
        writable = yes
        printable = no
    [data]
        comment = Data
        path = /work/data
        public = no
        write list = @itproject
        create mask = 0660

path = directory to share
public = can be read by guest (synonym of guest ok)
browsable = visible in browse lists
writable = read/write enabled
printable = is a printer, not a disk share
group = all connections use this group as their primary group (synonym of force group)
write list = users/groups with read/write permission even when the share is read-only
create mask = permissions all new files will be created with

If Paul wanted rw for the test group and ro for everyone else, we'd change to:
    writable = no
    write list = @test
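Checking these settings by eye across a whole smb.conf is error-prone, so here is an added example in Python (not part of this guide or of Samba). It parses smb.conf-style text with the standard-library configparser, folds the synonyms Samba accepts (public/guest ok, writeable/writable, read only as the inverse of writable) onto one name, and reports shares that guests can reach, shares every authenticated user can write to, and create masks that grant permissions to others. The sample configuration inside it is constructed: it repeats the shares above and adds an invented, deliberately risky [dropbox] share. The `valid users` parameter it looks for is Samba's standard way of restricting who may connect to a share.

```python
"""Audit smb.conf share sections for risky access settings.

Added example for this guide, not code from the Samba project. The sample
configuration below is constructed; the [dropbox] share is invented to show
what a finding looks like.
"""
import configparser

TRUE_WORDS = {"yes", "true", "1"}

# smb.conf accepts several spellings for the same option; map them to one name.
SYNONYMS = {
    "public": "guest ok",
    "writeable": "writable",
    "write ok": "writable",
    "browseable": "browsable",
    "create mode": "create mask",
}

SAMPLE_CONF = """
[global]
    workgroup = EXAMPLE
    security = user

[pvalentino]
    comment = Paul's home directory
    path = /home/pvalentino
    public = no
    writable = yes
    printable = no

[data]
    comment = Data
    path = /work/data
    public = no
    write list = @itproject
    create mask = 0660

[dropbox]
    comment = constructed risky share
    path = /srv/dropbox
    public = yes
    writeable = yes
    create mask = 0666

[printers]
    comment = All printers
    path = /var/spool/samba
    browsable = no
    public = yes
    writable = no
    printable = yes
"""


def is_true(value):
    """Interpret a Samba boolean (yes/true/1 versus no/false/0)."""
    return value.strip().lower() in TRUE_WORDS


def parse_smb_conf(text):
    """Return {section: {option: value}} with option names normalised."""
    cp = configparser.RawConfigParser(
        strict=False, allow_no_value=True, delimiters=("=",),
        comment_prefixes=("#", ";"))
    cp.read_string(text)
    sections = {}
    for section in cp.sections():
        opts = {}
        for key, value in cp.items(section):
            key = " ".join(key.lower().split())        # collapse internal spaces
            value = (value or "").strip()
            if key == "read only":                      # "read only = no" means writable
                key, value = "writable", ("no" if is_true(value) else "yes")
            opts[SYNONYMS.get(key, key)] = value
        sections[section] = opts
    return sections


def audit_shares(sections):
    """Return (share, finding) pairs for every share with a risky setting."""
    findings = []
    for name, opts in sections.items():
        if name.lower() == "global":
            continue
        guest = is_true(opts.get("guest ok", "no"))
        writable = is_true(opts.get("writable", "no"))
        printable = is_true(opts.get("printable", "no"))
        if guest and writable:
            findings.append((name, "guest-writable share"))
        elif guest and not printable:
            findings.append((name, "guest-readable share"))
        if writable and "valid users" not in opts:
            findings.append((name, "writable by every authenticated user; "
                                   "prefer writable = no with write list = @group"))
        mask = opts.get("create mask")
        if mask is not None and int(mask, 8) & 0o007:
            findings.append((name, "create mask %s grants permissions to others" % mask))
    return findings


if __name__ == "__main__":
    for share, finding in audit_shares(parse_smb_conf(SAMPLE_CONF)):
        print("[%s] %s" % (share, finding))
```

Run against a real file with `audit_shares(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the [printers] share is not reported as guest-readable because printable shares are expected to accept guest spool jobs, and Paul's share with the writable = no / write list = @test change above produces no finding at all.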

Example connection to the data share:
    smbclient //server/data -U user

All printers in /etc/cups/printers.conf are shared by default through the [printers] section:
    [printers]
        comment = All printers
        path = /var/spool/samba
        browsable = no
        public = yes
        guest ok = yes
        writable = no
        printable = yes

For a specific printer you would add a section with:
    printer = name of the CUPS queue
    path = /var/spool/location   # where jobs are spooled

To use a printing system other than CUPS, modify the printing = parameter in the [global] section.

The default authentication method is security = user, but other valid values of the security parameter include:
  • domain/server - workgroup
  • ads - Active Directory member
  • share - per-share access

user requires setting up smbpasswd (and possibly smbusers if you wish to map usernames), for example:
    smbpasswd -a pvalentino  # pvalentino must already exist in /etc/passwd; once smbpasswd is in use, all Samba password changes are managed with smbpasswd
tdbdump can be used to view /etc/samba/passdb.tdb, since it is a binary file.

domain/server requires:
    workgroup = name of workgroup
    encrypt passwords = yes
    password server = server1 server2 server3

ads requires:
    realm = your.kerberos.realm
    password server = your.kerberos.server   # typically your AD domain controllers
and you must join the domain with:
    net ads join -U Adminuser   # supply the domain admin account password when prompted

smbclient -L hostname   # view shared services

Interactive use is like FTP:
    smbclient //server/service
    cd /dir
    get file

nmblookup -U WINS_Server -R name   # query the WINS server for a specific name
nmblookup \*                       # list all

Checking SELinux

semanage fcontext -l | grep samba   # check the policy file contexts to determine whether Samba is SELinux-aware
getsebool -a | grep samba           # check the Samba booleans

To permit access to user home directories:
    setsebool -P samba_enable_home_dirs on

IPTABLES for Samba

After the ESTABLISHED,RELATED rule in /etc/sysconfig/iptables add:
    -A FIREWALL-INPUT -s 10.1.4.0/24 -p tcp --dport 445 -j ACCEPT
and restart iptables:
    service iptables restart

Mounting samba shares in /etc/fstab

First create a credentials file in a safe location readable only by root, e.g. /etc/samba/cifscredentials, containing:
    username=windows-samba_username
    password=thecorrectpassword
    domain=thewindowsdomain

Then add, all on one line, in /etc/fstab:
    //servername/sharename  /mountpoint  cifs credentials=/etc/samba/cifscredentials,uid=unixuser,gid=unixgroup,file_mode=0774,noauto 0 0

uid and gid set the uid and gid that will own all files on the mounted filesystem. They may be specified as either a name or a numeric id. For mounts to servers which do support the CIFS Unix extensions, such as a properly configured Samba server, the server provides the uid, gid and mode, so these parameters should not be specified unless the server and client uid and gid numbering differ.

file_mode provides a form of client-side permission checking.

noauto allows the system to boot without prompting for the Samba share password.

Mounting samba shares with autofs

In /etc/auto.master add:

    /sharename    /etc/auto.sharename  --timeout=999   # change sharename to the appropriate name for the top-level directory

Every entry added to /etc/auto.sharename will be mounted under /sharename.

In /etc/auto.sharename, for example, add all on one line:
    www        -fstype=cifs,credentials=/etc/smbmounts/cifscredentials,uid=webmaster,gid=webmaster,file_mode=0774  ://webserver/webdocs\$

This results in a mountpoint /sharename/www that presents the hidden share webdocs$ on the server webserver to the local machine as if all files were owned by webmaster:webmaster with mode 0774 (rwx for owner and group, r for others).
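Both the fstab and the autofs approach put the account password in a credentials file and the mount options in a world-readable file, so the things to verify are the same in both cases: no password inline in the options, and a credentials file that only root can read. The following is an added example in Python (not part of this guide, cifs-utils or autofs) that audits an fstab line or an autofs map entry for exactly that, and additionally flags file_mode/dir_mode values that grant write to others. The entries, paths and credentials content it uses are all constructed; the pass= and cred= aliases it recognises are mount.cifs's short forms of password= and credentials=.

```python
"""Audit CIFS mount entries from /etc/fstab or an autofs map for credential handling.

Added example for this guide, not code from Samba, cifs-utils or autofs.
Both kinds of entry live in world-readable files, so a password placed in the
mount options leaks; the audit flags that, checks that the credentials= file
is unreadable by group and others, and flags file_mode/dir_mode values that
grant write to others. All entries and paths below are constructed.
"""
import os
import stat
import tempfile


def cifs_options(entry):
    """Return the option string of a CIFS entry, or None if it is not one.

    fstab:  //server/share  /mountpoint  cifs  opt1,opt2=v  0 0
    autofs: key  -fstype=cifs,opt1,opt2=v  ://server/share
    """
    fields = entry.split()
    if len(fields) >= 4 and fields[2] == "cifs":
        return fields[3]
    for field in fields:
        if field.startswith("-") and "fstype=cifs" in field:
            return field.lstrip("-")
    return None


def parse_options(option_string):
    """Turn 'a=1,b,c=3' into {'a': '1', 'b': None, 'c': '3'}."""
    opts = {}
    for item in option_string.split(","):
        key, sep, value = item.partition("=")
        opts[key] = value if sep else None
    return opts


def credentials_file_ok(path):
    """True if path is a regular file with no permission bits for group or others."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def audit_entry(entry):
    """Return a list of findings (strings) for one fstab or autofs entry."""
    findings = []
    option_string = cifs_options(entry)
    if option_string is None:
        return findings                      # not a CIFS mount, nothing to check
    opts = parse_options(option_string)
    # mount.cifs accepts pass= and cred= as short forms of password= and credentials=
    if "password" in opts or "pass" in opts:
        findings.append("password given inline in the mount options")
    cred = opts.get("credentials") or opts.get("cred")
    if cred is None:
        if not any(k in opts for k in ("password", "pass", "guest")):
            findings.append("no credentials= file; mount.cifs will prompt for a password")
    elif not credentials_file_ok(cred):
        findings.append("credentials file %s is missing or readable by group/others" % cred)
    for mode_opt in ("file_mode", "dir_mode"):
        value = opts.get(mode_opt)
        if value and int(value, 8) & 0o002:
            findings.append("%s=%s grants write to others" % (mode_opt, value))
    return findings


def demo():
    """Audit constructed fstab and autofs entries against a constructed credentials file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cred = os.path.join(tmp, "cifscredentials")
        with open(cred, "w") as f:                   # constructed credentials, not real ones
            f.write("username=constructed-user\npassword=constructed-secret\ndomain=EXAMPLE\n")
        fstab = ("//servername/sharename  /mountpoint  cifs "
                 "credentials=%s,uid=unixuser,gid=unixgroup,file_mode=0774,noauto 0 0" % cred)
        autofs = ("www  -fstype=cifs,credentials=%s,uid=webmaster,gid=webmaster,file_mode=0774"
                  "  ://webserver/webdocs\\$" % cred)
        os.chmod(cred, 0o644)                         # the mistake: readable by everyone
        results["fstab_world_readable"] = audit_entry(fstab)
        os.chmod(cred, 0o600)                         # the guide's requirement: root only
        results["fstab_root_only"] = audit_entry(fstab)
        results["autofs_root_only"] = audit_entry(autofs)
        results["inline_password"] = audit_entry(
            "//server/share  /mnt  cifs  username=u,password=constructed,dir_mode=0777 0 0")
        results["not_cifs"] = audit_entry("/dev/sda1  /boot  ext4  defaults  1 2")
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "ok")
```

In practice you would feed it the lines of /etc/fstab and of each autofs map file (`for line in open("/etc/auto.sharename")`); the ownership check is deliberately limited to mode bits because the credentials file is meant to be root's, and a 0600 file owned by someone else would be caught by a simple `ls -l` anyway.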

Example of a file upload:
    smbclient //server/share -U userid
    put /path/to/file
    exit