Samba – Set up CIFS Server on RHEL/CentOS 7

If you have directories on your machine that you want to share out to other machines then you can do this by setting up your machine as an NFS server. However with NFS you can only share out folders to machine that are also in the same private network. If you want share folders to other machines over the public internet, then that’s where you need to use the Samba/CIFS protocol. You can follow along this article using this Samba vagrant project on Github.

We will walk through the following example:

+--------------------------+              +--------------------------+
|                          |              |                          |
|      samba-storage       |              |       samba-client       |
|     (IP: 10.0.4.10)      |              |                          |
|                          |              |                          |
|                          |              |                          |
|                          |              |                          |
|  +------------------+    |              |     +---------------+    |
|  | /samba/export_rw |<----------------------->| /mnt/backups  |    |
|  +------------------+    |              |     +---------------+    |
|                          |              |                          |
|                          |              |                          |
+--------------------------+              +--------------------------+

This article only covers setting up the samba server (which in this example is called samba-storage). We created a separate article on how to set up a samba client.

First you need to install:

$ yum install samba samba-client

For SELinux, we need to enable a few SEBoolean settings:

$ getsebool -a | grep samba | grep export
samba_export_all_ro --> off
samba_export_all_rw --> off
$ getsebool -a | grep samba | grep share | grep nfs
samba_share_nfs --> off

To (p)ersistantly enable these settings we do:

$ setsebool -P samba_export_all_ro on
$ setsebool -P samba_export_all_rw on
$ setsebool -P samba_share_nfs on

Next we create a folder that will get shared out (aka exported):

$ mkdir -p /samba/export_rw
$ ll -dZ /samba/export_rw
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /samba/export_rw

There’s a few things we need to fix for this folder:

1. need to change the owner and group owner
2. need to give full permissions to the group
3. SELinux type attribute needs to be set to samba_share_t

Let’s create a new user which will access this samba share:

$ useradd samba_user1

Next we give this owner of this folder:

chown samba_user1:samba_user1 /samba/export_rw

Next the SELinux type attribute needs to be set to samba_share_t, so in our case we do:

$ semanage fcontext -at samba_share_t "/samba/export_rw(/.*)?"

Then apply this new rule to our export:

$ restorecon -R /samba/export_rw
$ ll -dZ /samba/export_rw
drwxrwxr-x. samba_user1 samba_user1 unconfined_u:object_r:samba_share_t:s0 /samba/export_rw

Next we need allow samba traffic through firewalld:

$ firewall-cmd --permanent --add-service=samba
$ systemctl restart firewalld

Next we need to configure the main samba config file, /etc/samba/smb.conf. To help with understanding how to configure this file, you should take a look at:

$ cat /etc/samba/smb.conf.example   
# also see:
$ man smb.conf    # this is a really long man page!

Before we start editing this file, let’s first create a backup:

$ cp /etc/samba/smb.conf /etc/samba/smb.conf.orig

There’s two things we need to do in this file, first we edit the global section so it contains the following entries:

[global]
        workgroup = SAMBA
        security = user
        server string = Samba server %h
        hosts allow = 127. 10.0.4.
        interfaces = lo enp0s3 enp0s8
        passdb backend = smbpasswd:/etc/samba/smbpasswd.txt
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

At the very end of your /etc/samba/smb.conf, we need to add a section for our exported folder:

[bckp_storage]
  comment = Folder for storing backups
  read only = no
  available = yes
  path = /samba/export_rw
  public = yes
  valid users = samba_user1
  write list = samba_user1
  writable = yes
  browseable = yes

Descriptions for these settings are given in the man page for smb.conf. These are pretty much self explanatory, but you can find more info in the smb.conf man page. Note, in the man page all the parameters are labelled as either (G)lobal or (S)hares depending on which section they are allowed to be used in.

Next you can run the following to do a quick configtest:

$ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[bckp_storage]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Next we need to (a)dd our user to the samba user database and give it a samba specific password. We do this by running:

$ smbpasswd -a samba_user1
New SMB password:
Retype new SMB password:
startsmbfilepwent_internal: file /etc/samba/smbpasswd.txt did not exist. File successfully created.
Added user samba_user1.

Note, smbpasswd command only works for existing machine level user accounts. If the OS level user doesn’t exist then you get a ‘Failed to add entry for user xxxxxx’ error message. Also this machine level user only needs to exist on the Samba server itself, and not the Samba client.

To confirm this user now exists in the samba database, you can run the following command to (v)erbosely (L)ist all users:

$ pdbedit -Lv
---------------
Unix username:        samba_user1
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1438882573-2886693097-939080548-3004
Primary Group SID:    S-1-5-21-1438882573-2886693097-939080548-513
Full Name:
Home Directory:       \\samba-storage\samba_user1
HomeDir Drive:
Logon Script:
Profile Path:         \\samba-storage\samba_user1\profile
Domain:               SAMBA-STORAGE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Sat, 17 Mar 2018 12:20:58 UTC
Password can change:  Sat, 17 Mar 2018 12:20:58 UTC
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Now we can go ahead and start the samba daemon:

$ systemctl enable smb
ln -s '/usr/lib/systemd/system/smb.service' '/etc/systemd/system/multi-user.target.wants/smb.service'
$ systemctl start smb      

Now you can locally test whether your new export is now available:

[root@samba-storage samba]# smbclient -L //localhost -U samba_user1
Enter SAMBA\samba_user1's password:
Domain=[SAMBA-STORAGE] OS=[Windows 6.1] Server=[Samba 4.6.2]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	bckp_storage    Disk      Folder for storing backups
	IPC$            IPC       IPC Service (Samba server samba-storage)
	samba_user1     Disk      Home Directories
Domain=[SAMBA-STORAGE] OS=[Windows 6.1] Server=[Samba 4.6.2]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

This shows that the Samba share ‘bckp_storage’ is now ready to be shared out. The next thing to do is to set up a Samba Client to access this share.

Summary

There’s a lot of steps involved in setting up a samba server. So let’s summarise all these steps:

01. install rpms
02. enable 3 sebool settings.
03. create the Linux user that will access the samba share.
04. create folder to share
05. change folders ownership to samba user
06. change folder chmod perms
07. update selinux file context for the folder
08. update the main samba config file – global settings a
09. update the main samba config file – by adding new stanza
10. do config test of updated samba config file.
11. create samba password for the samba user.
12. check samba password database to confirm the samba user now exists.
13. update firewall
14. start and enable the samba daemon.
15. Check if samba share is now available.

[post-content post_name=rhsca-quiz]

In this quiz, we’ll assume the folder we want to share is /samba/export_rw.