DokuWiki » Infrastructure » Operating System » CentOS 9

h1. Install Procedure for samba

h2. Requirements

To install samba you will need the following:

* a installed and supported operating system (e.g. CentOS 9.x)

* root-access

* a fast internet connection

h2. Preliminary Note

this is based on http://jehurst.wordpress.com/2011/01/17/rhel-6-for-the-clueless-samba-server/

and the samba for groups part is taken from https://www.techrepublic.com/article/how-to-set-up-samba-shares-for-groups/

I’ve found a couple of tutorials on Samba, but neither one had all the right information. After fighting with it a bit, this is what I did to get it working.

h2. Install 

Install Samba by logging into a Terminal as root:

<pre><code class="bash">

dnf install samba

</code></pre>

if you want to have access to samba-shares you also want to

<pre><code class="bash">

dnf install samba-client

</code></pre>

h2. Setup 

h3. Setup SeLinux

If SeLinux is active, then it might be necessary to set some samba-related variables depending on the share-location.

This and more information can be found at http://selinuxproject.org/page/SambaRecipes

<pre><code class="bash">

setsebool -P samba_domain_controller on

</code></pre>

The @samba_export_all@ Flag will allow to share any folder on the machine, use with care.

<pre><code class="bash">

setsebool -P samba_export_all_rw=1

</code></pre>

<pre><code class="bash">

setsebool -P samba_enable_home_dirs=1

</code></pre>

h3. Setup a shared directory

Create shared directory; I used /mnt/shared:

<pre><code class="bash">

mkdir /mnt/shared

chown -R nobody:nobody /mnt/shared

chmod a+w /home/shared

chcon -t samba_share_t /mnt/shared

</code></pre>

That last line insures the SELinux security system knows to allow outside systems to poke around in that folder. Now anyone using this computer can move files in and out of the folder, as well as the Samba users.

h3. Setup a samba user

Add a Samba user. This is a different task than simply adding a user account. There is a GUI tool for adding Linux user accounts to the machine for them to use the computer itself. However, Samba users must be handled differently, so that the system forces them to use the Samba server.

<pre><code class="bash">

useradd -c "Real Name" -d /home/samba-username -s /sbin/nologin samba-username

</code></pre>

That’s all one line. As usual, substitute the actual Real Name and samba-username in the command above. Then create the Samba password. Remember what we said about coming up with good passwords:

<pre><code class="bash">

smbpasswd -a samba-username

</code></pre>

It will prompt for the password, which you type in blindly:

<pre><code class="bash">

New SMB password:

Retype new SMB password:

Added user username.

</code></pre>

Edit smbusers:

<pre><code class="bash">

vim /etc/samba/smbusers

</code></pre>

This will open the default text editor. Scan down the file until you see something like this:

<pre><code class="bash">

root = administrator admin

nobody = guest pcguest smbguest

</code></pre>

Immediately below this, add a line with this format:

<pre><code class="bash">

username = samba-username

</code></pre>

so CentOS recognizes the person logging in from the Winbox by their samba-username.

h3. Setup a samba config

Then open: 

<pre><code class="bash">

vim /etc/samba/smb.conf

</code></pre>

Find the section headed '[global]'. Change the workgroup name to whatever your Windows computer will be seeking. Default is workgroup in lower case letters. You’ll need to remove the semicolon in front of the next line and provide a proper hostname for the netbios name, which would be the name you gave your RHEL computer during installation, again in lower case. Remove the semicolon from the next line and the IP address numbers from the sample; all we need are the two interfaces lo eth0. Below that is a line with hostsallow as a model. Below that, start a new line with the same indentation:

<pre><code class="bash">

hosts allow = 127. 192.168.1.

</code></pre>

The “127.” is the IP address for everything on your own machine. The other (192.168.1.) is the private LAN network I use for my home router; by leaving off the last section after the dot, it automatically includes every computer with that prefix, which is reserved for LANs.

If you want to bind to specific interfaces only you maybe want to consider

<pre><code class="bash">

interfaces = lo vboxnet0 192.168.56.1/24

bind interfaces only = yes

</code></pre>

Go all the way to the bottom of the file and add some lines. I named my shared directory “shared”. Thus, the section heading should be named the same:

<pre><code class="ini">

[shared]

path = /home/shared

writeable = yes

browseable = yes

read only = No

guest ok = Yes

public = Yes

valid users = username1 username2

create mask = 0666

directory mask = 0777

</code></pre>

if you want to have a trash-bin on the share, you might consider adding following section:

<pre><code class="bash">

vfs object = recycle

  recycle:repository = .deleted/%U

  recycle:keeptree = Yes

  recycle:touch = Yes

  recycle:versions = Yes

  recycle:maxsixe = 0

  recycle:exclude = *.tmp

  recycle:exclude_dir = /tmp

  recycle:noversions = *.bak

</code></pre>

h2. Firewall

Now change the firewall to allow Samba to get through. You can use the tool in System > Administration > Firewall. Simply scan down the list to Samba and checkmark the box. Optionally checkmark IPP printer sharing. Then hit “Apply”.

<pre><code class="bash">

firewall-config

</code></pre>

or in Textmode

<pre><code class="bash">

firewall-cmd

</code></pre>

<pre><code class="bash">

firewall-cmd --permanent --zone=public --add-service=samba

firewall-cmd --reload

</code></pre>

h2. Service

enable and start of the services with

<pre><code class="bash">

systemctl enable smb.service

systemctl enable nmb.service

systemctl restart smb.service

systemctl restart nmb.service

</code></pre>

h2. Test 

following commands might be helpful:

<pre><code class="bash">

findsmb

smbclient //host/share -U username

</code></pre>

h1. Samba working with groups

Create the necessary directory and group

Before we configure Samba, let's create the necessary directory and group. We'll then add users to the group.

I'll be creating a new share called editorial. Create a new directory with the command:

sudo mkdir -p /opt/editorial

Now let's create the group editorial with the command:

sudo groupadd editorial

Now we change the group ownership and permissions of the directory with the commands:

sudo chgrp editorial /opt/editorial

​sudo chmod -R 770 /opt/editorial

Now we add users to the new group with the command:

sudo usermod -a -G editorial USER

Where USER is the username to add to the group.

If you ever need to remove a user from a group, this can be done with the command:

sudo userdel USER GROUP

Where USER is the username and GROUP is the group name.

Finally, we must add the users to Samba. This is done with the smbpasswd command like so:

sudo smbpasswd -a USER

​sudo smbpasswd -e USER

Where USER is the username to be added. The first command adds the user and the second command enables the user. When issuing the first of the above commands, you will be prompted to create a new Samba password for the user.

Configure Samba

Now we come to the actual Samba configuration. The first thing we're going to do is make a backup copy of our Samba configuration file. Issue the command:

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.BAK

Now create a new configuration file with the following command:

sudo nano /etc/samba/smb.conf

In this new file, we'll add the following contents to share out our editorial directory to the group editorial (customize as needed):

[global}

​workgroup = WORKGROUP

​server string = Editorial Server

​netbios name = Ubuntu

​security = user

​map to guest = bad user

​dns proxy = no

#### SHARES ####

[editorial]

​path = /opt/editorial

​browsable = yes

​writable = yes

​guest ok = yes

​read only = no

​valid users = @editorial

Save and close that file. Restart Samba with the commands:

sudo systemctl restart smbd.service

​sudo systemctl restart nmbd.service

You can now point one of your machines to the newly configured Samba share. So long as the user is a member of the editorial group, they'll be able to log on with their username and samba password.

Even more flexibility

By working with groups in Samba, you can make your admin life slightly easier, while making Samba more flexible. With this way you can add and remove users to the group with ease (which, in turn, would revoke their access to the Samba share).

h1. Samba Migrate 

h2. Data

rsync with option -a will transfer the files with all necessary permissions

<pre><code class="shell">

rsync -a --verbose source target

</code></pre>

h2. User Accounts

I run a Samba file server on Ubuntu in my company. Moving from an old to a new server means I have to copy the share-data and the samba config file /etc/smb.conf.

Moving the user accounts is not hard if you know where to look. I'm not running a domain controller active directory, ldap or anything. That means, my user data is in these files:

    /etc/passwd (users)

    /etc/shadow (hashed passwords)

    /etc/skel (the template for /home/$newuser/)

    /etc/group (system groups)

    /var/lib/samba/passdb.tdb

Copy Users and Passwords

Don't just copy /etc/passwd and /etc/shadow. Instead copy paste the lines of the users to the corresponding files on your new server. In my case those where the users with in id of 1000 and higher. Don't copy paste the system users.

Copy Samba passwords

Samba can't use /etc/shadow because it uses a different hash algorithm. So each user has an entry in passdb.tdb. That file is binary but in my case it was okay to copy it completely.

The location has changed. On my old server passdb.tdb was in /var/lib/samba/ and the new server has it in /var/lib/samba/private/. If you want to find the right location this command might help

$ smbd -b |grep -e 'PRIVATE_DIR'

PRIVATE_DIR: /var/lib/samba/private

After copying the passdb.tdb file, I restarted samba

$ service smbd restart

I did not copy the /etc/group file (yet). So far, the transition went smoothly, the users did not have to reset their password.

Changing passwords by hand

In case you want to change a user password, it is a good idea to use

$ smbpasswd -U username

that will also update the regular password of that user on this linux machine if /etc/samba/smb.conf has the setting

unix password sync = yes