RHEL7: Provide SMB network shares to specific clients.


Note: This is an RHCE 7 exam objective.

Configuration Procedure

Install the Samba packages:

# yum groupinstall -y "file-server"
# yum install -y samba-client samba-winbind

Create a new /etc/samba/smb.conf file and add the following lines (for a workgroup named MYGROUP, a server called MYSERVER, a local network with IP addresses in 192.168.1.0/24, a user named user01 and a share called shared):

workgroup = MYGROUP
server string = Samba Server Version %v
netbios name = MYSERVER
interfaces = lo eth0 192.168.1.0/24
hosts allow = 127. 192.168.1.
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = tdbsam
[shared]
comment = Shared directory
browseable = yes
path = /shared
valid users = user01
writable = yes

Note: with "passdb backend = tdbsam", passwords are stored in the /var/lib/samba/private/passdb.tdb file.

Check the syntax of the configuration file:

# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[shared]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    workgroup = MYGROUP
    netbios name = MYSERVER
    server string = Samba Server Version %v
    interfaces = lo, eth0, 192.168.1.0/24
    log file = /var/log/samba/log.%m
    max log size = 50
    idmap config * : backend = tdb
    hosts allow = 127., 192.168.1.

[shared]
    comment = Shared directory
    path = /shared
    valid users = user01
    read only = No

Create the shared directory:

# mkdir /shared

Give full access rights to the new directory:

# chmod 777 /shared

Create a file inside called test:

# echo "This is a test." > /shared/test

Set up the correct SELinux context:

# yum install -y setroubleshoot-server
# semanage fcontext -a -t samba_share_t "/shared(/.*)?"
# restorecon -R /shared

Add the new service to the firewall:

# firewall-cmd --permanent --add-service=samba

Reload the firewall configuration:

# firewall-cmd --reload

Activate the Samba services at boot:

# systemctl enable smb
# systemctl enable nmb
# systemctl enable winbind

Start the Samba services:

# systemctl start smb
# systemctl start nmb
# systemctl start winbind

Create the samba user user01 with the password pass:

# useradd -s /sbin/nologin user01
# smbpasswd -a user01
New SMB password: pass
Retype new SMB password: pass
Added user user01.

Check the configuration:

# smbclient //localhost/shared -U user01%pass
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
  .                                   D        0  Sun Aug  3 00:19:00 2014
  ..                                  D        0  Sat Aug  2 23:16:27 2014
  test                                N        0  Sun Aug  3 00:15:20 2014

        47356 blocks of size 65536. 26414 blocks available
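Two settings in the configuration above do all the restricting: "hosts allow" (which network a client may connect from) and "valid users" (which Samba account may open the share). The following Python script is an added example, not part of the original page or of Samba itself: it parses an smb.conf in the same form as the one above (parameters before the first section count as [global], as smbd treats them), applies Samba's hosts allow / hosts deny precedence to a list of client addresses, and prints what restricts the share. The sample smb.conf is a constructed copy of the one in this procedure. The address forms handled (dotted prefix ending in a dot, CIDR, address/netmask, exact address, ALL) are an assumption covering what appears on this page; host-name patterns are refused rather than guessed, and the EXCEPT keyword is not modelled. The loopback rule (127.0.0.1 admitted unless it matches hosts deny) reflects Samba's access check as I read its source.

```python
import ipaddress
import re

# Constructed sample input: the smb.conf from the procedure above. Parameters
# written before the first [section] belong to [global], as smbd treats them.
SAMPLE_SMB_CONF = """\
workgroup = MYGROUP
server string = Samba Server Version %v
netbios name = MYSERVER
interfaces = lo eth0 192.168.1.0/24
hosts allow = 127. 192.168.1.
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = tdbsam
[shared]
comment = Shared directory
browseable = yes
path = /shared
valid users = user01
writable = yes
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased."""
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip().lower()] = value.strip()
    return sections


def split_list(value):
    """Samba accepts space- and comma-separated lists (testparm prints commas)."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def host_matches(pattern, client_ip):
    """Match one hosts allow / hosts deny entry against a client IPv4 address.

    Assumed subset of Samba's syntax: ALL, a dotted prefix ending in '.',
    a.b.c.d/prefixlen, a.b.c.d/m.m.m.m, and an exact address. Host-name
    patterns need reverse DNS ('hostname lookups') and are refused here.
    """
    ip = ipaddress.IPv4Address(client_ip)
    if pattern.upper() == "ALL":
        return True
    if not re.fullmatch(r"[0-9./]+", pattern):
        raise ValueError(f"host-name pattern {pattern!r} needs reverse DNS; not modelled")
    if pattern.endswith("."):
        return str(ip).startswith(pattern)   # '192.168.1.' covers 192.168.1.0-255
    if "/" in pattern:
        return ip in ipaddress.IPv4Network(pattern, strict=False)
    return ip == ipaddress.IPv4Address(pattern)


def client_allowed(sections, share, client_ip):
    """Admission the way smbd decides it: share-level lists override [global];
    loopback is admitted unless it matches hosts deny (my reading of Samba's
    access check); only hosts allow set -> non-matching clients refused; only
    hosts deny set -> matching clients refused; both set -> an allow match wins,
    then a deny match refuses, and a client on neither list is admitted."""
    params = dict(sections["global"])
    params.update(sections.get(share.lower(), {}))
    allow = split_list(params.get("hosts allow", ""))
    deny = split_list(params.get("hosts deny", ""))
    in_allow = any(host_matches(p, client_ip) for p in allow)
    in_deny = any(host_matches(p, client_ip) for p in deny)
    if client_ip == "127.0.0.1":
        return not in_deny
    if not allow and not deny:
        return True
    if not deny:
        return in_allow
    if not allow:
        return not in_deny
    return in_allow or not in_deny


def share_report(text, share, client_ips):
    """What restricts one share, plus a per-client admission verdict.
    A missing [section] is the tree connect failure (NT_STATUS_BAD_NETWORK_NAME)
    seen in the comments when the share name and the stanza do not match."""
    sections = parse_smb_conf(text)
    if share.lower() not in sections:
        raise KeyError(f"no [{share}] section: clients get NT_STATUS_BAD_NETWORK_NAME")
    params = sections[share.lower()]
    return {
        "path": params.get("path"),
        "valid users": split_list(params.get("valid users", "")),
        "guest ok": params.get("guest ok", "no").lower() in ("yes", "true", "1"),
        "admitted": {ip: client_allowed(sections, share, ip) for ip in client_ips},
    }


if __name__ == "__main__":
    import json
    verdict = share_report(SAMPLE_SMB_CONF, "shared",
                           ["127.0.0.1", "192.168.1.42", "192.168.10.42", "10.0.0.7"])
    print(json.dumps(verdict, indent=2))
```

Run it against the real /etc/samba/smb.conf by reading the file into the text argument. Because /shared is created with mode 777, the filesystem itself grants nothing to anyone in particular; the whole restriction rests on "hosts allow" and "valid users", which is why the report prints both together with "guest ok", which must stay at its default of no for the "valid users" list to mean anything.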

Additional Resources

Useful information about SELinux and Samba is available in the RHEL 7 SELinux User’s and Administrator’s Guide.
The Fedora documentation has a chapter about Configuring Samba.
You can also read the Samba Howto.
The learnitguide website provides a tutorial about Configuring a Samba server on RHEL 7.
The Lisenet website offers a tutorial about Setting up a Samba Server with SELinux on RHEL 7.

Beyond the exam objectives, at Linux.conf.au 2017, Andrew Bartlett gave a presentation about the status of Samba (34min/2017).
The Howtoforge website provides a tutorial about Installing a Samba 4 Domain Controller on CentOS 7.

49 comments on "RHEL7: Provide SMB network shares to specific clients."
  1. redhat0329 says:

    workgroup = MYGROUP
    server string = Samba Server Version %v
    netbios name = MYSERVER
    interfaces = lo eth0 192.168.1.0/24
    hosts allow = 127. 192.168.1.
    log file = /var/log/samba/log.%m
    max log size = 50
    security = user
    passdb backend = tdbsam
    [shared]
    comment = Shared directory
    browseable = yes
    path = /shared
    valid users = user01
    writable = yes

    Hi CertDepot,

    On hosts allow, ip 127. 192.168.1. shouldn’t have any space (correct value is 127.192.168.1). Well, I have just copied/pasted it into the /etc/samba/smb.conf file as instructed and changed only interfaces based on my test server. I’ve got an error message while running # smbclient //localhost/shared -U user01%pass.

    hmmmm not a big deal anyways but just in case there are other visitors on this site having error running the same command. You may consider this one a solution. 🙂 Thanks.

    • CertDepot says:

      hosts allow = 127. 192.168.1. means allow clients in the 192.168.1.0/24 network to connect to the Samba server and local connection (127.).
      I don’t think there is any error at all on this line. There is perhaps another problem somewhere in the configuration.

  2. Gjorgi says:

    All went well till the very last step where I need to test configuration. I never get to the smb prompt. At smbclient //localhost/shares -U user01%pass, I get response:
    Domain=[SAMBAGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10]
    tree connect failed: NT_STATUS_BAD_NETWORK_NAME

    Years ago, I got to deal with a Samba setup and there were a few pretty miserable failures despite following the official docs of the day; I didn’t have high expectations while following this guide and my suspicions were correct: Samba is still miserable.

    • CertDepot says:

      Samba is the result of some reverse-engineering work. Given the quality of the initial protocols, from my understanding, the people who produced this work did their best and nobody can complain about it.

  3. Gjorgi says:

    Resolved. It was a stanza in the smb.conf. Instead of substituting [shared] with my own custom samba share I created, I went on and copied [shared]. When I put [my_custom_share] as a stanza, I got to the smb prompt.

  4. beginner says:

    Hi Guys, this is a great tutorial. Thanks for putting it together. I have a question about the client side. Is there a _netdev option that is needed if I were to add samba to the fstab? I’ve been looking for examples online with little luck. I was assuming that if you used the cifs mount type it would know about the network dependency.

    • CertDepot says:

      In the Samba or NFS cases, I don’t think you normally need to specify the _netdev option.

      • Lisenet says:

        If a filesystem resides on a device that requires network access, the _netdev options should be used to prevent the system from attempting to mount the filesystems until the network has been enabled on the system.

        So if your clients mount filesystems over the network (iSCSI, NFS, Samba etc), you should use the _netdev option.

        • CertDepot says:

          I totally agree with you for iSCSI remote blocks or files. I’m not so sure concerning NFS and Samba remote file systems (the previous question was about Samba).
          When setting up a NFS client, I don’t remember that the _netdev option was needed. For Samba, as I don’t do it regularly, I could be wrong. 😉

          • Lisenet says:

            It seems that under NFSv3 (type nfs), the _netdev option tells the system to wait to mount until the network is available. Actually, the _netdev option doesn’t tell the system to mount the filesystem when network comes up, it simply says don’t attempt to mount it at all if the network isn’t up.

            With a type of nfs4 this option is ignored. Moreover, under systemd, remote mounts are pulled by remote-fs.target.

          • CertDepot says:

            Interesting. Thanks.

  5. mohit.3616 says:

    How can I connect linux to Windows?

  6. kkroopani says:

    I am getting permission denied when I login from client, does anyone know why?

    mount -v -t cifs //192.168.2.27/home /mnt/smbshr/ -o username=smbuser
    Password for smbuser@//192.168.2.27/home: ********

    group = MYGROUP
    server string = Samba Server AKA Linux-server %v
    interfaces = lo eth0 192.168.2.0/24
    idmap config * : backend = tdb
    hosts allow = 127. 192.168.2.

    [home]
    comment = homedir
    path = /home
    valid users = MYDOMAIN\%S
    read only = No

  7. Tarlan says:

    Hi guys,

    Are Kerberized Samba shares part of the RHCE exam?

  8. alexritm says:

    Should local users or LDAP users be granted access to the share? So, is it necessary to tune the “passdb backend” option?

  9. bsteiner36 says:

    Anyone have issues where the user IDs on the server and the client are mismatched and it causes issues with mounting or having correct permissions?
    server1 passwd tom:1001:1001
    server2 passwd tom:1002:1002

    • Lisenet says:

      What issues does it cause?

      • bsteiner36 says:

        For example
        Server1 passwd tom:1001:1001 , larry1002:1002
        Server2 passwd larry:1001:1001 , tom:1002:1002

        When I log into server2 with the mounted share as tom it shows larry has privileges and vice versa.

    • hunter86_bg says:

      This is a completely natural behaviour.
      With Samba you have 2 control mechanisms:
      1) Linux File System ACLs -> useless if the UID/GID of users do not match on different machines, but a great way to control in an LDAP environment. You need the “inherit acls = yes” option.
      2) SAMBA control mechanism via “read list =”, “write list =”, “valid users =”, etc. If you rely on samba – you should set file system permissions to 777, as any user/group who has wrong UID/GID will be treated as “others”.

      I’d recommend you to use the second one – as any UID/GID mismatch will not be a problem with a proper smb.conf. The first method is way easier, but you can rely on it only in a situation where centralised user management is used.

      Note: When you use “hosts allow= somedomain.com” and “hosts deny= somedomain.com” stanzas – you need “hostname lookups = yes” or you will need to use only IPs!

  10. samuel.sappa says:

    hi CertDepot,
    In my lab I found that the share name must be the same as the name of the dir we share. Is this normal behavior in Samba (I’m using VirtualBox for my lab)?

    Thanks for your info

    • hunter86_bg says:

      I had exported shares with different name (for example folder “/data” with exportname “//sambaserver/guestzone”) without a problem.

    • Sam says:

      I agree with hunter86_bg. I only got that issue when I had typos. Otherwise, check the version of the current operating system and try an update!

      • hunter86_bg says:

        I’ve done Samba with dir name different from share even in RHEL 7.0 during my prep for RHCE. It’s most probably a typo or SELinux.

        • samuel.sappa says:

          Thank you for the explanation, guys. Yep, it’s working now with the shared dir and the share name being different. Maybe a typo, a space, SELinux or something like that.
          I’m now preparing to retake the RHCE exam next month.
          God help me pass this one, tough exam indeed.

          • samuel.sappa says:

            It’s weird, now it won’t work again.
            Here’s my smb.conf:
            1. ---- share name different from path ----
            [model]
            path = /sharedsmb
            valid users = susan
            writable = yes
            browseable = yes

            using this configuration when I mount from client I got

            mount.cifs kernel mount options: ip=192.168.14.4,unc=\server1sharedsmb,user=susan,pass=********
            Retrying with upper case share name
            mount.cifs kernel mount options: ip=192.168.14.4,unc=\SERVER1SHAREDSMB,user=susan,pass=********
            mount error(6): No such device or address

            but when I’m using this
            ---- share name and path using the same name ----
            [sharedsmb]
            path = /sharedsmb
            valid users = susan
            writable = yes
            browseable = yes

            it’s working. But I’m in doubt with this configuration. When I’m going to use multiple dir (path = /sharedsmb/client) it won’t be working since I cannot name it using multiple dir [sharedsmb/client] for shared name

            Sure, the SELinux, firewall, and the connection are ok (because when using the second configuration I can write files within the mount dir and the files also exist on the server).

            Is there any configuration I missed or something else?

            Thank you for your help

          • samuel.sappa says:

            Now I’ve found out what’s wrong: from the client side, when we want to mount from the server, we must mount using the share name, not the dir name (we shared).

            in my case when I want to mount configuration I must use
            mount -o username=susan //server1/model

            All this time when mounting from the server I was using the dir name; that’s why, if I make the share name and the dir the same, it works, and when not it won’t, because I was mounting using the shared dir, not the name of the share.

            maybe Certdepot already wrote it but I did not pay attention (my bad habit)

            hope useful for rest of us

          • Sam says:

            There is a method to scan the target server for shared directories.
            I am a little rusty on this one, you will need to check out the man pages

            smbclient -L localhost
            smbtree

            hope this helps

  11. sasaman344 says:

    Hi Everyone,

    If you have encountered the “NT_STATUS_LOGON_FAILURE” error when you try to connect to your share, that basically means that the samba service is trying to contact a domain controller, which in my case – did not exist.

    Hence, You need to remove the following lines from your “smb.conf” file:
    security = user
    workgroup = WORKGROUP

    And it would work perfectly!

    BTW, Certdepot your site is awesome and very helpful!
    Taking the exam on the 25th this month.

  12. asifshabir says:

    While configuring a Samba server, how do I achieve this task: "The data share must be available to example.com domain clients only."?

    • Lisenet says:

      By using the “hosts allow” directive. Hosts can be specified by a host name or by a source IP address. Host names are checked by reverse-resolving the IP address of the incoming connection attempt.

      • asifshabir says:

        Thanks for your reply

        This hostname to ip resolution will work using DNS or a simple entry in /etc/hosts will do the trick ?
        I have tried using /etc/hosts, but it seems not to work.
        Thanks for clarification

        • Lisenet says:

          Both methods are supported. Try adding the following to the [global] section:

          hostname lookups = yes
          name resolve order = hosts

          Restart the daemons and give it a go, it should work.

  13. aliaj00 says:

    hey guys, I am trying to do a share with extended attributes “acls” like the following:
    ——————-
    [group-share]
    path = /var/group-share
    comment = timi samba share test
    read only = no
    browseable = yes
    map acl inherit = yes
    ——————
    The folder has:

    [root@system1 var]# ls -lartshZ | grep grou
    drwxrwx---+ root root unconfined_u:object_r:default_t:s0 group-share
    [root@system1 var]# getfacl group-share/
    # file: group-share/
    # owner: root
    # group: root
    user::rwx
    user:timi:rwx
    group::r-x
    mask::rwx
    other::---
    default:user::rwx
    default:user:timi:rwx
    default:group::r-x
    default:mask::rwx
    default:other::---

    [root@system1 var]#
    ————————–
    The user timi has the smbpasswd of password and I can mount it:

    [root@system2 /]# mount -t cifs -o username=timi,password=password //system1/group-share /mnt
    —————————
    But I cannot access the content.
    [root@system2 /]# cd /mnt/
    [root@system2 mnt]# ls
    ls: reading directory .: Permission denied
    [root@system2 mnt]# touch test
    touch: cannot touch ‘test’: Permission denied
    [root@system2 mnt]# mkdir test
    mkdir: cannot create directory ‘test’: Permission denied
    [root@system2 mnt]#

    Can someone help me out? In Sander van Vugt’s videos he mentions a scenario like this but I am unable to do it.

    Tim

  14. student says:

    On exam do we need to know about kerberized samba config?

    • CertDepot says:

      No, I don’t think so. At the beginning (S2 2014), it was part of the objectives but there was a bug in the RHEL distribution that made it almost impossible to configure. Then, they removed it from the objectives (I hope they also fixed the bug 😉 ).
