Monday, 12 August 2013

CentOS 6/RHEL: install and configure Samba file sharing

A common way to share files across different computer systems is to install and configure Samba as a standalone file server.

Standalone servers are configured to provide local authentication and access control to all the resources they maintain.
 
They are independent of all domain controllers. Where a standalone server is expected to function like a workgroup server, a simple configuration is all that is required to make all data served readily accessible to the entire user base.

Samba is a very popular open source distribution and we look at how to deliver an instant approach to file sharing that provides seamless integration for any number of users on any type of modern computer across your entire working environment.

This assumes that you are using a Static IP address.

If you are running a firewall, you will need to confirm that the firewall has been disabled, removed, or the appropriate ports are open. Similarly, if you are running SELinux, then you should confirm that it has been disabled or it is now running in permissive mode.

First download and install the necessary packages
   
$ sudo yum install samba samba-client samba-common

Now rename the original configuration file

$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

Create a new configuration file in your preferred text editor

See Vi and Vim commands

$ sudo vi /etc/samba/smb.conf

Build your new configuration by adding the following lines, substituting the values shown with your own

[global]
unix charset = UTF-8
dos charset = CP932
workgroup = <WORKGROUP_NAME>
server string = <MY_SERVERS_NAME>
netbios name = <MY_SERVERS_NAME>
dns proxy = no
wins support = no
interfaces = 127.0.0.0/8 XXX.XXX.XXX.XXX/24 ethX
bind interfaces only = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d

MY_SERVERS_NAME refers to the name of your server. In most
situations this could be in the form of FILESERVER or SERVER1
and so on.
ethX refers to the name of your primary Ethernet interface. In
most situations this could be eth0 although here I am on wlan0.
XXX.XXX.XXX.XXX/XX refers to the primary network address.
This will be something similar to 192.168.1.100/24.

Now configure Samba as a standalone server. Continue to
add the following lines to your main configuration file

security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = no

We do not want to configure Samba as a domain
master or master browser so we add the following

domain master = no
local master = no
preferred master = no
os level = 8

Now add support for home directory sharing by enabling valid users to access their home directories. This feature will support the appropriate read/write permissions and all folders will remain private from other users. Add the following.

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mask = 0755
directory mask = 0755

Save and close the file then enable Samba on boot.

$ sudo chkconfig smb on && sudo chkconfig nmb on

Start the Samba server by typing as root

# service smb start && service nmb start

You can test the configuration changes by typing the following

$ testparm
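
testparm validates syntax, not exposure. As an added example (not part of the original post), this shell function reads an smb.conf and flags three things relevant to the configuration built above: an interfaces list that is not enforced because bind interfaces only is not yes, masks that leave permission bits for "other" on files created through a share, and guest-enabled shares combined with map to guest. The finding labels and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Finding labels (LISTEN_ALL, WORLD_BITS, GUEST_SHARE) are invented here.
audit_smb_conf() {
  awk '
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ { next }                 # comment lines
    /^[ \t]*$/    { next }                 # blank lines
    /^[ \t]*\[/ {                          # section header such as [homes]
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
      sec = tolower(sec); next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      key = norm(substr($0, 1, eq - 1))    # Samba ignores case and spaces in names
      val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      lval = tolower(val)
      if (sec == "global") { g[key] = lval; next }
      if ((key == "guestok" || key == "public") && lval ~ /^(yes|true|1)$/)
        guest[sec] = 1
      # last octal digit non-zero: the mask lets "other" keep permission bits
      if ((key == "createmask" || key == "directorymask") && val ~ /^[0-7]*[1-7]$/)
        print "WORLD_BITS [" sec "] " key "=" val
    }
    END {
      # without "bind interfaces only = yes" smbd listens on every interface
      if (("interfaces" in g) && g["bindinterfacesonly"] !~ /^(yes|true|1)$/)
        print "LISTEN_ALL interfaces is set but bind interfaces only is not yes"
      # failed logins can become guest; that matters once a share allows guests
      if (g["maptoguest"] ~ /^bad (user|password)$/)
        for (s in guest) print "GUEST_SHARE [" s "] accepts unknown users as guest"
    }
  ' "$1"
}

# Constructed sample: the relevant lines of the configuration built above.
sample_conf() {
  cat <<'EOF'
[global]
interfaces = 127.0.0.0/8 192.168.1.100/24 eth0
bind interfaces only = no
map to guest = bad user
[homes]
valid users = %S
create mask = 0755
directory mask = 0755
EOF
}

conf=$(mktemp) && sample_conf > "$conf" && audit_smb_conf "$conf"; rm -f "$conf"
```

Run it as audit_smb_conf /etc/samba/smb.conf on the server; an empty result means none of the three conditions was found.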

Disable Printing

Samba provides support for printing by default and it will try to connect to a printer regardless of whether a printer is connected to your server or not. So, unless you are intending to install CUPS, you should consider disabling printer sharing in order to avoid any unnecessary error messages being recorded in the Samba log files.

Log in as root and open the main Samba configuration file

# vi /etc/samba/smb.conf

Scroll down to the end of the global section and turn off printer support with the following settings

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
show add printer wizard = no

If using the default Samba configuration, comment out the following

;load printers = yes
;printing = cups
;printcap name = cups

Then remove or comment out the [printers] section, like so:

;[printers]
;comment = All Printers
;path = /var/spool/samba
;browseable = no
;public = yes
;guest ok = no
;writable = no
;printable = yes
;printer admin = root

Save and close the file then restart the server

# service smb restart && service nmb restart

Relaxing the rules for SELinux

SELinux will prevent users from accessing their home directory. There is the option to disable SELinux, but if you do intend to keep this service running you will be required to relax the conditions that SELinux employs on your server.

So log in as root and check the mode by typing

# getenforce

If it is set to Enforcing, then reset it to Permissive by typing the following

# setenforce 0

Now type the following command to enable the home directories

# setsebool -P samba_enable_home_dirs on

In addition to this, if you are trying to enable Samba as a domain controller, use

# setsebool -P samba_domain_controller on

Remember, if SELinux is enabled and you do not execute the preceding commands, your users will continue to experience errors when trying to access the server.

Opening the firewall

If you are running IPTables, you will need to configure your firewall in order to allow access to your Samba server. To do this, log in as root and type the following commands to open ports 137, 138, 139, and 445

# iptables -A INPUT -s XXX.XXX.XXX.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
# iptables -A INPUT -s XXX.XXX.XXX.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
# iptables -A INPUT -s XXX.XXX.XXX.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -s XXX.XXX.XXX.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Now save your new rules by typing

# service iptables save

Restart IPTables

# service iptables restart
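
If the INPUT chain already ends in a catch-all REJECT, as the stock CentOS 6 ruleset does, rules appended with -A land after it and never match. As an added example (not part of the original post), this function reads iptables -S INPUT output on stdin and reports, for each Samba port, whether an ACCEPT rule comes before that catch-all; the sample ruleset and the OK/SHADOWED/MISSING labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether each Samba port is accepted before the first
# catch-all REJECT/DROP in the INPUT chain. Input: iptables -S INPUT text on stdin.
# Only the port and rule order are checked; the -s source match is not evaluated.
check_samba_rules() {
  awk '
    $1 != "-A" || $2 != "INPUT" { next }
    {
      n++; proto = port = target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-p")      proto  = $(i + 1)
        if ($i == "--dport") port   = $(i + 1)
        if ($i == "-j")      target = $(i + 1)
      }
      # catch-all: the jump is the first option, so every packet matches it
      if (!wall && $3 == "-j" && (target == "REJECT" || target == "DROP"))
        wall = n
      key = proto "/" port
      if (target == "ACCEPT" && port != "" && state[key] != "OK")
        state[key] = wall ? "SHADOWED" : "OK"
    }
    END {
      split("udp/137 udp/138 tcp/139 tcp/445", want, " ")
      for (k = 1; k <= 4; k++) {
        s = state[want[k]]
        print want[k], (s == "" ? "MISSING" : s)
      }
    }'
}

# Constructed sample: a chain that already ended in a catch-all REJECT when two
# of the rules above were appended with -A.
sample_rules() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
EOF
}

sample_rules | check_samba_rules
```

On the server, pipe the live chain into it with iptables -S INPUT | check_samba_rules; any line other than OK means the port is not reachable through the rules as ordered.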

Assigning the master browser

In a mixed operating system environment it is not always advisable to make Samba the master browser, but this small addition may serve to improve the overall performance of both CentOS and your network in general.

To do this, log in as root and open the main Samba configuration file in your favorite text editor as below.

# vi /etc/samba/smb.conf

Now scroll down to the global section and make the following changes

domain master = no
local master = yes
preferred master = yes
wins support = no
os level = 65

Save and close the file, then restart the server

# service smb restart && service nmb restart

If you have more than one Samba server running on your network, then only one server should be elected as the primary master browser and given the os level stated earlier.

Adding a user to smbpasswd

The password used to access Samba can be the same as, or different from, the password of your local account. In the image below you will see the -a option; this tells Samba to add the user's account, which in this case is centoslive, to smbpasswd.