Note: This is an RHCE 7 exam objective.
Configuration Procedure
Install the Samba packages:
# yum groupinstall -y "file-server"
# yum install -y samba-client samba-winbind
Create a new /etc/samba/smb.conf file and add the following lines (for a workgroup named MYGROUP, a server called MYSERVER, a local network with IP addresses in 192.168.1.0/24, a user named user01 and a share called shared):
[global]
workgroup = MYGROUP
server string = Samba Server Version %v
netbios name = MYSERVER
interfaces = lo eth0 192.168.1.0/24
hosts allow = 127. 192.168.1.
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = tdbsam

[shared]
comment = Shared directory
browseable = yes
path = /shared
valid users = user01
writable = yes

Note: with "passdb backend = tdbsam", passwords are stored in the /var/lib/samba/private/passdb.tdb file.
Check the syntax of the configuration file:
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[shared]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
	workgroup = MYGROUP
	netbios name = MYSERVER
	server string = Samba Server Version %v
	interfaces = lo, eth0, 192.168.1.0/24
	log file = /var/log/samba/log.%m
	max log size = 50
	idmap config * : backend = tdb
	hosts allow = 127., 192.168.1.

[shared]
	comment = Shared directory
	path = /shared
	valid users = user01
	read only = No
Create the shared directory:
# mkdir /shared
Give full access rights to the new directory:
# chmod 777 /shared
Create a file inside called test:
# echo "This is a test." > /shared/test
Set up the correct SELinux context:
# yum install -y setroubleshoot-server
# semanage fcontext -a -t samba_share_t "/shared(/.*)?"
# restorecon -R /shared
Add the new service to the firewall:
# firewall-cmd --permanent --add-service=samba
Reload the firewall configuration:
# firewall-cmd --reload
Activate the Samba services at boot:
# systemctl enable smb
# systemctl enable nmb
# systemctl enable winbind
Start the Samba services:
# systemctl start smb
# systemctl start nmb
# systemctl start winbind
Create the samba user user01 with the password pass:
# useradd -s /sbin/nologin user01
# smbpasswd -a user01
New SMB password: pass
Retype new SMB password: pass
Added user user01.
Check the configuration:
# smbclient //localhost/shared -U user01%pass
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
  .       D    0  Sun Aug  3 00:19:00 2014
  ..      D    0  Sat Aug  2 23:16:27 2014
  test    N    0  Sun Aug  3 00:15:20 2014

		47356 blocks of size 65536. 26414 blocks available
Additional Resources
Useful information about SELinux and Samba is available in the RHEL 7 SELinux User’s and Administrator’s Guide.
The Fedora documentation has a chapter about Configuring Samba.
You can also read the Samba Howto.
The learnitguide website provides a tutorial about Configuring a Samba server on RHEL 7.
The Lisenet website offers a tutorial about Setting up a Samba Server with SELinux on RHEL 7.
Beyond the exam objectives, at Linux.conf.au 2017, Andrew Bartlett gave a presentation about the status of Samba (34min/2017).
The Howtoforge website provides a tutorial about Installing a Samba 4 Domain Controller on CentOS 7.
Hi CertDepot,
On hosts allow, ip 127. 192.168.1. shouldn’t have any space (correct value is 127.192.168.1). Well, I have just copied/pasted it on /etc/samba/smb.conf file as instructed and changed only interfaces based on my test server. I’ve got an error message while running # smbclient //localhost/shared -U user01%pass.
hmmmm not a big deal anyways but just in case there are other visitors on this site having error running the same command. You may consider this one a solution. 🙂 Thanks.
hosts allow = 127. 192.168.1. means allow clients in the 192.168.1.0/24 network to connect to the Samba server and local connection (127.).
I don’t think there is any error at all on this line. There is perhaps another problem somewhere in the configuration.
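The list semantics described in the reply above, as an added example that is not part of the original page: a simplified shell model of how a hosts allow list is split into entries and matched. It covers only trailing-dot prefixes, exact addresses and network/prefix-length entries; the function names and sample client addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: simplified model of "hosts allow" list matching.
# Handles three entry forms only: trailing-dot prefix (192.168.1.),
# exact address, and network/prefix-length (192.168.1.0/24).
# smbd supports more forms, and it always admits loopback (127.0.0.1)
# unless a "hosts deny" entry names it; that is not modelled here.

ip_to_int() (                       # dotted quad -> 32-bit integer
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# hosts_allow_match CLIENT_IP "LIST": exit status 0 if any entry matches.
hosts_allow_match() {
    client=$1
    # Entries are separated by spaces, tabs or commas.
    for entry in $(printf '%s' "$2" | tr ',\t' '  '); do
        case $entry in
            */*)    # network/prefix-length: compare the masked addresses
                len=${entry#*/}
                mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
                net=$(( $(ip_to_int "${entry%/*}") & mask ))
                [ $(( $(ip_to_int "$client") & mask )) -eq "$net" ] && return 0 ;;
            *.)     # trailing dot: the entry is a textual prefix of the address
                case $client in "$entry"*) return 0 ;; esac ;;
            *)      # anything else: exact address
                [ "$client" = "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# Constructed sample clients checked against the tutorial's value and
# against the single-token spelling without the space.
for list in "127. 192.168.1." "127.192.168.1"; do
    for ip in 192.168.1.42 192.168.2.42; do
        if hosts_allow_match "$ip" "$list"; then verdict=match; else verdict="no match"; fi
        echo "hosts allow = $list | client $ip: $verdict"
    done
done
```

With the space, the value is two prefix entries and a LAN client in 192.168.1.0/24 matches; written as one token it is a single literal address that no LAN client matches.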
All went well till the very last step where I need to test configuration. I never get to the smb prompt. At smbclient //localhost/shares -U user01%pass, I get response:
Domain=[SAMBAGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Years ago, I got to deal with a Samba setup and there were few pretty miserable failures despite following official docs of the day, I didn’t have high expectations while following this guide and my suspicions were correct: Samba is still miserable.
Samba is the result of some reverse-engineering work. Given the quality of the initial protocols, from my understanding, the people who produced this work did their best and nobody can complain about it.
Resolved. It was a stanza in the smb.conf. Instead of substituting [shared] with my own custom samba share I created, I went on and copied [shared]. When I put [my_custom_share] as a stanza, I got to the smb prompt.
Great!
Hi Guys, this is a great tutorial. Thanks for putting it together. I have a question about the client side. Is there a _netdev option that is needed if I were to add samba in to the fstab? I’ve been looking for examples online with little luck. I was assuming that if you used the cifs mount type it would know about the network dependency.
In the Samba or NFS cases, I don’t think you normally need to specify the _netdev option.
If a filesystem resides on a device that requires network access, the _netdev options should be used to prevent the system from attempting to mount the filesystems until the network has been enabled on the system.
So if your clients mount filesystems over the network (iSCSI, NFS, Samba etc), you should use the _netdev option.
I totally agree with you for iSCSI remote blocks or files. I’m not so sure concerning NFS and Samba remote file systems (the previous question was about Samba).
When setting up a NFS client, I don’t remember that the _netdev option was needed. For Samba, as I don’t do it regularly, I could be wrong. 😉
It seems that under NFSv3 (type nfs), the _netdev option tells the system to wait to mount until the network is available. Actually, the _netdev option doesn’t tell the system to mount the filesystem when network comes up, it simply says don’t attempt to mount it at all if the network isn’t up.
With a type of nfs4 this option is ignored. Moreover, under systemd, remote mounts are pulled by remote-fs.target.
Interesting. Thanks.
How can I connect linux to Windows?
What would you like to do exactly?
Last week me and my friends appeared for the EX300 Red Hat Certified Engineer Exam, but none of us were able to get full marks for the “SAMBA network share question” on successfully completing all configurations and setups.
Can I follow the above method for my reexamination?
I wouldn’t only rely on my tutorial on this topic but would also use Tomas’s: https://www.lisenet.com/2016/samba-server-on-rhel-7/
I haven’t updated my tutorial for a long time and it could be improved.
Did you get a breakdown by topic areas in your RHCE score report?
I am getting permission denied when I login from client, does anyone know why?
mount -v -t cifs //192.168.2.27/home /mnt/smbshr/ -o username=smbuser
Password for smbuser@//192.168.2.27/home: ********
group = MYGROUP
server string = Samba Server AKA Linux-server %v
interfaces = lo eth0 192.168.2.0/24
idmap config * : backend = tdb
hosts allow = 127. 192.168.2.
[home]
comment = homedir
path = /home
valid users = MYDOMAIN\%S
read only = No
I’m able to mount the share by using your configuration above ensuring the home directory of my Samba user is created.
What’s the home directory for the user smbuser that you use? It must exist on the Samba server.
/home/smbuser
SELinux is preventing you from accessing the share. Inform SELinux of the custom changes. Use the following command.
# semanage fcontext -a -t samba_share_t "/home/smbuser(/.*)?"
# restorecon -R -v /home/smbuser
Hi guys,
Is Kerberized Samba Shares providing RHCE exam ?
Is Kerberized Samba part of the RHCE objectives?
It was at the beginning of the RHCE v7 exam but this objective was removed a few months later.
local users or LDAP users should be granted access to the share? so, is it necessary to tune “passdb backend” option?
Anyone have issues where the user id’s on the server and the client are mismatched and it causes issues with mounting or having correct permissions?
server1 passwd tom:1001:1001
server2 passwd tom:1002:1002
What issues does it cause?
For example
Server1 passwd tom:1001:1001 , larry:1002:1002
Server2 passwd larry:1001:1001 , tom:1002:1002
When I log into server2 with the mounted share as tom it shows larry has privileges and vice versa.
This is a completely natural behaviour.
With Samba you have 2 control mechanisms:
1) Linux File System ACLs -> useless if the UID/GID of users do not match on different machines, but a great way to control in a LDAP environment. You need the “inherit acls = yes” option.
2) SAMBA control mechanism via “read list =”, “write list =”, “valid users =”, etc. If you rely on samba – you should set file system permissions to 777, as any user/group who has wrong UID/GID will be treated as “others”.
I’d recommend you to use the second one – as any UID/GID mismatch will not be a problem with proper smb.conf. The first method is way easier, but you can rely on it only in a situation where centralised user management is used.
Note: When you use “hosts allow= somedomain.com” and “hosts deny= somedomain.com” stanzas – you need “hostname lookups = yes” or you will need to use only IPs!
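A way to spot the UID mismatch discussed in this thread before it shows up as wrong ownership on a mounted share, as an added example that is not part of the original page. The passwd-format sample files are constructed from the tom/larry case above, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: compare passwd-format files from a Samba server and a
# client to find accounts whose numeric UID differs. Sample data is
# constructed from the tom/larry case in the thread.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/server1.passwd" <<'EOF'
tom:x:1001:1001::/home/tom:/bin/bash
larry:x:1002:1002::/home/larry:/bin/bash
EOF
cat > "$SAMPLE_DIR/server2.passwd" <<'EOF'
larry:x:1001:1001::/home/larry:/bin/bash
tom:x:1002:1002::/home/tom:/bin/bash
EOF

# uid_mismatches SERVER_PASSWD CLIENT_PASSWD
# Prints "name server_uid client_uid" for accounts present in both files
# with different UIDs.
uid_mismatches() {
    awk -F: '
        NR == FNR { uid[$1] = $3; next }            # first file: name -> UID
        ($1 in uid) && uid[$1] != $3 { print $1, uid[$1], $3 }
    ' "$1" "$2" | sort
}

# client_view SERVER_PASSWD CLIENT_PASSWD
# Prints "server_name -> client_name" for every server UID that the client
# resolves to a different account name (or to none).
client_view() {
    awk -F: '
        NR == FNR { name[$3] = $1; next }           # client file: UID -> name
        {
            shown = ($3 in name) ? name[$3] : "(no account)"
            if (shown != $1) print $1 " -> " shown
        }
    ' "$2" "$1" | sort
}

uid_mismatches "$SAMPLE_DIR/server1.passwd" "$SAMPLE_DIR/server2.passwd"
client_view    "$SAMPLE_DIR/server1.passwd" "$SAMPLE_DIR/server2.passwd"
```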
You beat me to it. Exactly the point I wanted to make.
Makes perfect sense. I guess I wasn’t aware that the write list and read list were separate from the file system permissions. I tested this and it works great. Thank you for the explanation.
The SElinux configuration could be an issue as well. Double check these settings.
hi CertDepot,
In my lab I found that share name must be same with the dir name we shared. Is normal behavior in samba (I’m using VirtualBox for my lab)?
Thanks for your info
I had exported shares with different name (for example folder “/data” with exportname “//sambaserver/guestzone”) without a problem.
I agree with hunter86_bg. I only got that issue when I got typos. Else check the version of the current Operating System, try update!
I’ve done Samba with dir name different from share even in RHEL 7.0 during my prep for RHCE. It’s most probably a typo or SELinux.
Thank you for explanation guys, yep it’s working recently using different both the shared dir and shared name. Maybe typo,space,SELinux or something like that
I’m now preparing to retake the RHCE exam next month.
God help me pass this one, though exam indeed
It’s weird now it won’t work again
here’s my smb.conf:
1.—-share name different with path—
[model]
path = /sharedsmb
valid users = susan
writable = yes
browseable = yes
using this configuration when I mount from client I got
mount.cifs kernel mount options: ip=192.168.14.4,unc=\server1sharedsmb,user=susan,pass=********
Retrying with upper case share name
mount.cifs kernel mount options: ip=192.168.14.4,unc=\SERVER1SHAREDSMB,user=susan,pass=********
mount error(6): No such device or address
but when I’m using this
—-share name and path using same name—
[sharedsmb]
path = /sharedsmb
valid users = susan
writable = yes
browseable = yes
it’s working. But I’m in doubt with this configuration. When I’m going to use multiple dir (path = /sharedsmb/client) it won’t be working since I cannot name it using multiple dir [sharedsmb/client] for shared name
sure the SELinux, firewall, and the connection is ok (because when using second configuration I can write files within mount dir and file also exists in server
is there any configuration I missed or somethings else
Thank you for your help
Now I’m find out what’s wrong, from the client side when we want to mount to server we must mount using the share name not the dir name (we shared)
in my case when I want to mount configuration I must use
mount -o username=susan //server1/model
all this time when mounting to server I was using the dir name, that’s why if I make the share name and dir the same it work when not it won’t, because I’m mounting using the shared dir not the name of share
maybe Certdepot already wrote it but I did not pay attention (my bad habit)
hope useful for rest of us
There is a method to scan the target server for shared directories.
I am a little rusty on this one, you will need to check out the man pages
smbclient -L localhost
smbtree
hope this helps
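The share-name versus directory confusion resolved above, and the share listing suggested in the last reply, as an added example that is not part of the original page: a small parser that maps each share name in an smb.conf to the directory it exports and prints the UNC a client has to mount. The sample config is constructed from the thread; the share name clientdata and the function names are hypothetical, and line continuations and include directives are not handled.

```sh
#!/bin/sh
# Added example: list the share names an smb.conf defines and the directory
# each one exports. Clients connect to //server/<share name>; the path is
# never part of the UNC. The config below is constructed from the thread;
# the share name "clientdata" is hypothetical.

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = MYGROUP
; comment lines start with ; or #
[model]
    path = /sharedsmb
    valid users = susan
    writable = yes
[clientdata]
    Path = /sharedsmb/client
    valid users = susan
EOF

# list_shares CONF: prints "share<TAB>path" for every non-global section.
list_shares() {
    awk '
        /^[ \t]*[#;]/ { next }                          # skip comments
        /^[ \t]*\[.*\][ \t]*$/ {                        # section header
            gsub(/^[ \t]*\[|\][ \t]*$/, ""); section = $0; next
        }
        section != "" && tolower(section) != "global" {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "path") print section "\t" val
        }
    ' "$1"
}

# unc_for_path SERVER DIR CONF: the UNC a client must use for directory DIR.
unc_for_path() {
    list_shares "$3" | awk -F'\t' -v srv="$1" -v dir="$2" \
        '$2 == dir { print "//" srv "/" $1 }'
}

unc_for_path server1 /sharedsmb "$SAMPLE_CONF"          # //server1/model
unc_for_path server1 /sharedsmb/client "$SAMPLE_CONF"   # //server1/clientdata
```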
Hi Everyone,
If you have encountered the “NT_STATUS_LOGON_FAILURE” error when you try to connect to your share, that basically means that the samba service is trying to contact a domain controller, which in my case – did not exist.
Hence, You need to remove the following lines from your “smb.conf” file:
security = user
workgroup = WORKGROUP
And it would work perfectly!
BTW, Certdepot your site is awesome and very helpful!
Taking the exam on the 25th this month.
While configuring Samba server , How to achieve this task ————— The data share must be available to example.com
domain clients only. ————-
By using the “hosts allow” directive. Hosts can be specified by a host name or by a source IP address. Host names are checked by reverse-resolving the IP address of the incoming connection attempt.
Thanks for your reply
This hostname to ip resolution will work using DNS or a simple entry in /etc/hosts will do the trick ?
I have tried using /etc/hosts, but it seem not to work.
Thanks for clarification
Both methods are supported. Try adding the following to the [global] section:
hostname lookups = yes
name resolve order = hosts
Restart the daemons and give it a go, it should work.
Thanks,
Works Perfect !!!!
I think it better if you add this on your tutorial as well.
hey guys, I am trying to do a share with extended attributes “acls” like the following:
——————-
[group-share]
path = /var/group-share
comment = timi samba share test
read only = no
browseable = yes
map acl inherit = yes
——————
The folder has:
[root@system1 var]# ls -lartshZ | grep grou
drwxrwx---+ root root unconfined_u:object_r:default_t:s0 group-share
[root@system1 var]# getfacl group-share/
# file: group-share/
# owner: root
# group: root
user::rwx
user:timi:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:timi:rwx
default:group::r-x
default:mask::rwx
default:other::---
[root@system1 var]#
————————–
The user timi has the smbpasswd of password and I can mount it:
[root@system2 /]# mount -t cifs -o username=timi,password=password //system1/group-share /mnt
—————————
But I cannot access the content.
[root@system2 /]# cd /mnt/
[root@system2 mnt]# ls
ls: reading directory .: Permission denied
[root@system2 mnt]# touch test
touch: cannot touch ‘test’: Permission denied
[root@system2 mnt]# mkdir test
mkdir: cannot create directory ‘test’: Permission denied
[root@system2 mnt]#
Can someone help me out. On sander van vugt’s videos he mentions a scenario like this but I am unable to do it.
Tim
At a quick glance you are missing valid user tag for groups.
ie valid users = @sharegrp
I know it’s for RHEL 6 but it is a good reference
https://www.certdepot.net/smb-provide-network-shares-suitable-group-collaboration/
On exam do we need to know about kerberized samba config?
No, I don’t think so. At the beginning (S2 2014), it was part of the objectives but there was a bug in the RHEL distribution that made it almost impossible to configure. Then, they removed it from the objectives (I hope they also fixed the bug 😉 ).