@spy86
Created August 3, 2017 10:05
Install Samba
Check whether any Samba packages are already installed using the following commands.
rpm -qa | grep samba
yum list installed | grep samba
If Samba is installed, remove it using the command below (the pattern is quoted so the shell passes it to yum unexpanded):
yum remove 'samba*'
Now install Samba using the following command.
yum install 'samba*' -y
1. Configure a fully accessed anonymous share
Now, let us create a fully accessible anonymous share for the users. Anyone can read and write in this share.
Create a directory called ‘/samba/anonymous_share’ and set full permissions on it. You can name this share as you like.
mkdir -p /samba/anonymous_share
chmod -R 0777 /samba/anonymous_share
Edit the Samba configuration file:
vi /etc/samba/smb.conf
Find the following directives, and make the changes as shown below.
[...]
## Add the following lines under [global] section ##
unix charset = UTF-8
dos charset = CP932
## Change this to the Windows default workgroup ##
workgroup = WORKGROUP
## Uncomment and set the IP Range ##
hosts allow = 127. 192.168.1.
## Uncomment ##
max protocol = SMB2
## Uncomment, and change the value of 'Security' to 'user' ##
security = user
## Add the following line ##
map to guest = Bad User
## Add the following lines at the bottom ##
[Anonymous share]
path = /samba/anonymous_share
writable = yes
browsable = yes
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777
Start samba services, and enable them to start automatically on every reboot.
systemctl start smb
systemctl start nmb
systemctl enable smb
systemctl enable nmb
Test the Samba server configuration
We can check the Samba server configuration for syntax errors using the ‘testparm’ command.
testparm
Sample Output:
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Anonymous share]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
dos charset = CP932
netbios name = UNIXMEN SAMBA SERVER
server string = Samba Server Version %v
map to guest = Bad User
log file = /var/log/samba/log.%m
max log size = 50
server max protocol = SMB2
idmap config * : backend = tdb
hosts allow = 127., 192.168.1.
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
[Anonymous share]
path = /samba/anonymous_share
read only = No
create mask = 0777
directory mask = 0777
guest only = Yes
guest ok = Yes
If testparm reports no errors, you’re good to go.
Firewall configuration
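Allow the Samba server's default ports through the firewall. The NetBIOS name and datagram services (137, 138) use UDP; 139 and 445 use TCP. Port 901/tcp is used only by SWAT and can be skipped if SWAT is not installed.
firewall-cmd --permanent --add-port=137/udp
firewall-cmd --permanent --add-port=138/udp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=901/tcp
Reload the firewall to apply the changes.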
firewall-cmd --reload
SELinux Configuration
Turn the samba_enable_home_dirs Boolean on if you want to share home directories via Samba.
setsebool -P samba_enable_home_dirs on
If you create a new directory, such as a new top-level directory, label it with samba_share_t so that SELinux allows Samba to read and write to it. Do not label system directories, such as /etc/ and /home/, with samba_share_t, as such directories should already have an SELinux label.
In our case, we have already created the anonymous share directory, so let us label it as shown below.
chcon -t samba_share_t /samba/anonymous_share/
If you don’t want to deal with SELinux, you can disable it as shown below and continue.
To disable SELinux, edit the file /etc/sysconfig/selinux:
vi /etc/sysconfig/selinux
Set the SELINUX value to disabled. The change takes effect after a reboot.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2. Create security enabled share in samba server
So far we have created a fully accessible Samba share. Anyone can access that share folder and can create or delete files and folders in it.
Now, let us create a password-protected Samba share, so that users must enter a valid username and password to access the share folder.
Create a user called “unixmen” and a group called “smbgroup”.
useradd -s /sbin/nologin unixmen
groupadd smbgroup
Add the user unixmen to smbgroup, and set a Samba password for that user.
usermod -a -G smbgroup unixmen
smbpasswd -a unixmen
Create a new directory called “/samba/secure_share” for the share and set its permissions.
mkdir /samba/secure_share
chmod -R 0755 /samba/secure_share
chown -R unixmen:smbgroup /samba/secure_share
Edit the Samba config file:
vi /etc/samba/smb.conf
Add the below lines at the bottom of samba config file.
[secure_share]
path = /samba/secure_share
writable = yes
browsable = yes
guest ok = no
valid users = @smbgroup
Test the samba configuration for any errors.
testparm
Sample output:
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Anonymous share]"
Processing section "[secure_share]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
dos charset = CP932
netbios name = UNIXMEN SAMBA SERVER
server string = Samba Server Version %v
map to guest = Bad User
log file = /var/log/samba/log.%m
max log size = 50
server max protocol = SMB2
idmap config * : backend = tdb
hosts allow = 127., 192.168.1.
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
[Anonymous share]
path = /samba/anonymous_share
read only = No
create mask = 0777
directory mask = 0777
guest only = Yes
guest ok = Yes
[secure_share]
path = /samba/secure_share
valid users = @smbgroup
read only = No
Label the /samba/secure_share/ with samba_share_t so that SELinux allows Samba to read and write to it.
chcon -t samba_share_t /samba/secure_share/
Restart samba services.
systemctl restart smb
systemctl restart nmb
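As an added example (not part of the original gist), the shell function below lists the shares in an smb.conf that accept guest sessions and whether guests can write to them, which confirms that only the share from section 1 is open once section 2 is in place. The names audit_guest_shares and write_sample_conf and the embedded sample config are constructed for this illustration, and the parser assumes [global] comes before the share sections.

```shell
# Added example, not from the original gist: report which shares in an
# smb.conf accept guest sessions and whether guests can write to them.
audit_guest_shares() {   # $1 = path to smb.conf; prints "share<TAB>guest-rw|guest-ro"
    awk '
    function truthy(v) { v = tolower(v); return v=="yes" || v=="true" || v=="on" || v=="1" }
    function report() {
        if (tolower(sec) == "global") { gguest = guest; grw = rw }   # share defaults
        else if (sec != "" && guest) printf "%s\t%s\n", sec, (rw ? "guest-rw" : "guest-ro")
    }
    /^[ \t]*[#;]/ { next }                         # comment lines
    /^[ \t]*\[.*\][ \t]*$/ {                       # section header
        report()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
        guest = gguest; rw = grw; next
    }
    index($0, "=") {
        key = tolower(substr($0, 1, index($0, "=") - 1))
        val = substr($0, index($0, "=") + 1)
        gsub(/[ \t]/, "", key)                     # Samba ignores spaces in names
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "guestok" || key == "public") guest = truthy(val)
        if (key == "writable" || key == "writeable" || key == "writeok") rw = truthy(val)
        if (key == "readonly") rw = !truthy(val)
    }
    END { report() }
    ' "$1"
}

# Constructed sample: the two share definitions from this guide.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
map to guest = Bad User
[Anonymous share]
path = /samba/anonymous_share
writable = yes
guest ok = yes
[secure_share]
path = /samba/secure_share
writable = yes
guest ok = no
valid users = @smbgroup
EOF
}

conf=$(mktemp) && write_sample_conf "$conf" && audit_guest_shares "$conf"; rm -f "$conf"
```

On a live server, run audit_guest_shares /etc/samba/smb.conf; any share reported as guest-rw is writable without credentials from every address permitted by hosts allow.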