Samba Introduction

SAMBA - Cross Platform File Sharing with Linux

What is Samba?


Samba is an Open Source free software suite that provides file sharing and the sharing of printer resources to SMB/CIFS clients. Samba allows Linux/Unix servers to share files/directories with Windows-based clients. Samba is available for many platforms including Linux, Unix, z/OS, Mac OS, OS/2 and OpenVMS. Samba is frequently used for sharing data/files from Linux/Unix platforms in large organisations and data centres; however, many smaller media devices now utilise Samba to allow files to be shared around homes.

The sharing of these files/data is carried out using the protocols CIFS (Common Internet File System) and SMB (Server Message Block). It is these protocols that allow the seamless sharing of data across platforms. Samba can be configured to handle all Authentication/Authorisation and permissions of access to these files and print services. The latest version of Samba currently provides Active Directory Domain Controller compatibility. It can handle Group Policies and can be used for SSO (Single Sign-On).

Configuration of Samba is generally carried out via a file called smb.conf. This can be done either manually by editing the file or through a graphical user interface. One of the most popular GUIs is SWAT (Samba Web Administration Tool).



How to install


In the following example we will use the RHEL (Red Hat Enterprise Linux) Operating System. Samba can easily be installed by issuing the following commands. First, let's check that we have Samba available in our repositories. (In this example, I am using Samba from the rpm packages that came with the installation media. If you have access to the RHN, then you will probably download your packages from there.)



[root@rhel02 ~]# yum search samba
Loaded plugins: product-id, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
myrepo                                                   | 1.3 kB     00:00 ... 
============================== N/S Matched: samba ==============================
samba-client.i686 : Samba client programs
samba-common.i686 : Files used by both Samba servers and clients
samba-winbind.i686 : Samba winbind
samba-winbind-clients.i686 : Samba winbind clients
sblim-cmpi-samba.i686 : SBLIM WBEM-SMT Samba
ctdb.i686 : A Clustered Database based on Samba's Trivial Database (TDB)
samba.i686 : Server and Client software to interoperate with Windows machines

Here we can see that Samba is available in my custom repository called "myrepo".

Next we issue the command "yum install samba*":



[root@rhel02 ~]# yum install samba*
Loaded plugins: product-id, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package samba.i686 0:3.5.10-125.el6 will be installed
--> Processing Dependency: libtdb.so.1 for package: samba-3.5.10-125.el6.i686
--> Processing Dependency: libtalloc.so.2 for package: samba-3.5.10-125.el6.i686
--> Processing Dependency: libcups.so.2 for package: samba-3.5.10-125.el6.i686
--> Processing Dependency: /usr/bin/perl for package: samba-3.5.10-125.el6.i686
---> Package samba-client.i686 0:3.5.10-125.el6 will be installed
---> Package samba-common.i686 0:3.5.10-125.el6 will be installed
--> Processing Dependency: /usr/bin/pkg-config for package: samba-common-3.5.10-125.el6.i686
---> Package samba-winbind.i686 0:3.5.10-125.el6 will be installed
---> Package samba-winbind-clients.i686 0:3.5.10-125.el6 will be installed
--> Running transaction check
---> Package cups-libs.i686 1:1.4.2-48.el6 will be installed
--> Processing Dependency: libtiff.so.3 for package: 1:cups-libs-1.4.2-48.el6.i686
--> Processing Dependency: libpng12.so.0(PNG12_0) for package: 1:cups-libs-1.4.2-48.el6.i686
--> Processing Dependency: libpng12.so.0 for package: 1:cups-libs-1.4.2-48.el6.i686
--> Processing Dependency: libjpeg.so.62 for package: 1:cups-libs-1.4.2-48.el6.i686
--> Processing Dependency: libgnutls.so.26(GNUTLS_1_4) for package: 1:cups-libs-1.4.2-48.el6.i686
--> Processing Dependency: libgnutls.so.26 for package: 1:cups-libs-1.4.2-48.el6.i686
--> Processing Dependency: libavahi-common.so.3 for package: 1:cups-libs-1.4.2-48.el6.i686
--> Processing Dependency: libavahi-client.so.3 for package: 1:cups-libs-1.4.2-48.el6.i686
---> Package libtalloc.i686 0:2.0.1-1.1.el6 will be installed
---> Package libtdb.i686 0:1.2.1-3.el6 will be installed
---> Package perl.i686 4:5.10.1-127.el6 will be installed
--> Processing Dependency: perl-libs = 4:5.10.1-127.el6 for package: 4:perl-5.10.1-127.el6.i686
--> Processing Dependency: perl-libs for package: 4:perl-5.10.1-127.el6.i686
--> Processing Dependency: perl(version) for package: 4:perl-5.10.1-127.el6.i686
--> Processing Dependency: perl(Pod::Simple) for package: 4:perl-5.10.1-127.el6.i686
--> Processing Dependency: perl(Module::Pluggable) for package: 4:perl-5.10.1-127.el6.i686
--> Processing Dependency: libperl.so for package: 4:perl-5.10.1-127.el6.i686
---> Package pkgconfig.i686 1:0.23-9.1.el6 will be installed
--> Running transaction check
---> Package avahi-libs.i686 0:0.6.25-11.el6 will be installed
---> Package gnutls.i686 0:2.8.5-4.el6_2.2 will be installed
--> Processing Dependency: libtasn1.so.3(LIBTASN1_0_3) for package: gnutls-2.8.5-4.el6_2.2.i686
--> Processing Dependency: libtasn1.so.3 for package: gnutls-2.8.5-4.el6_2.2.i686
---> Package libjpeg.i686 0:6b-46.el6 will be installed
---> Package libpng.i686 2:1.2.49-1.el6_2 will be installed
---> Package libtiff.i686 0:3.9.4-5.el6_2 will be installed
---> Package perl-Module-Pluggable.i686 1:3.90-127.el6 will be installed
---> Package perl-Pod-Simple.i686 1:3.13-127.el6 will be installed
--> Processing Dependency: perl(Pod::Escapes) >= 1.04 for package: 1:perl-Pod-Simple-3.13-127.el6.i686
---> Package perl-libs.i686 4:5.10.1-127.el6 will be installed
---> Package perl-version.i686 3:0.77-127.el6 will be installed
--> Running transaction check
---> Package libtasn1.i686 0:2.3-3.el6_2.1 will be installed
---> Package perl-Pod-Escapes.i686 1:1.04-127.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                    Arch      Version                 Repository   Size
================================================================================
Installing:
 samba                      i686      3.5.10-125.el6          myrepo      4.9 M
 samba-client               i686      3.5.10-125.el6          myrepo       11 M
 samba-common               i686      3.5.10-125.el6          myrepo       13 M
 samba-winbind              i686      3.5.10-125.el6          myrepo      3.5 M
 samba-winbind-clients      i686      3.5.10-125.el6          myrepo      1.1 M
Installing for dependencies:
 avahi-libs                 i686      0.6.25-11.el6           myrepo       54 k
 cups-libs                  i686      1:1.4.2-48.el6          myrepo      325 k
 gnutls                     i686      2.8.5-4.el6_2.2         myrepo      336 k
 libjpeg                    i686      6b-46.el6               myrepo      132 k
 libpng                     i686      2:1.2.49-1.el6_2        myrepo      184 k
 libtalloc                  i686      2.0.1-1.1.el6           myrepo       18 k
 libtasn1                   i686      2.3-3.el6_2.1           myrepo      239 k
 libtdb                     i686      1.2.1-3.el6             myrepo       29 k
 libtiff                    i686      3.9.4-5.el6_2           myrepo      337 k
 perl                       i686      4:5.10.1-127.el6        myrepo      9.7 M
 perl-Module-Pluggable      i686      1:3.90-127.el6          myrepo       38 k
 perl-Pod-Escapes           i686      1:1.04-127.el6          myrepo       30 k
 perl-Pod-Simple            i686      1:3.13-127.el6          myrepo      210 k
 perl-libs                  i686      4:5.10.1-127.el6        myrepo      591 k
 perl-version               i686      3:0.77-127.el6          myrepo       49 k
 pkgconfig                  i686      1:0.23-9.1.el6          myrepo       67 k

Transaction Summary
================================================================================
Install      21 Package(s)

Total download size: 46 M
Installed size: 155 M
Is this ok [y/N]: y
Downloading Packages:
--------------------------------------------------------------------------------
Total                                            43 MB/s |  46 MB     00:01     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : libtalloc-2.0.1-1.1.el6.i686                                1/21 
  Installing : libtdb-1.2.1-3.el6.i686                                     2/21 
  Installing : samba-winbind-clients-3.5.10-125.el6.i686                   3/21 
  Installing : libjpeg-6b-46.el6.i686                                      4/21 
  Installing : 1:perl-Pod-Escapes-1.04-127.el6.i686                        5/21 
  Installing : 3:perl-version-0.77-127.el6.i686                            6/21 
  Installing : 4:perl-libs-5.10.1-127.el6.i686                             7/21 
  Installing : 1:perl-Pod-Simple-3.13-127.el6.i686                         8/21 
  Installing : 1:perl-Module-Pluggable-3.90-127.el6.i686                   9/21 
  Installing : 4:perl-5.10.1-127.el6.i686                                 10/21 
  Installing : libtiff-3.9.4-5.el6_2.i686                                 11/21 
  Installing : libtasn1-2.3-3.el6_2.1.i686                                12/21 
  Installing : gnutls-2.8.5-4.el6_2.2.i686                                13/21 
  Installing : 2:libpng-1.2.49-1.el6_2.i686                               14/21 
  Installing : 1:pkgconfig-0.23-9.1.el6.i686                              15/21 
  Installing : samba-common-3.5.10-125.el6.i686                           16/21 
  Installing : avahi-libs-0.6.25-11.el6.i686                              17/21 
  Installing : 1:cups-libs-1.4.2-48.el6.i686                              18/21 
  Installing : samba-3.5.10-125.el6.i686                                  19/21 
  Installing : samba-client-3.5.10-125.el6.i686                           20/21 
  Installing : samba-winbind-3.5.10-125.el6.i686                          21/21 
Installed products updated.
  Verifying  : samba-common-3.5.10-125.el6.i686                            1/21 
  Verifying  : samba-winbind-clients-3.5.10-125.el6.i686                   2/21 
  Verifying  : samba-client-3.5.10-125.el6.i686                            3/21 
  Verifying  : samba-winbind-3.5.10-125.el6.i686                           4/21 
  Verifying  : libjpeg-6b-46.el6.i686                                      5/21 
  Verifying  : 1:cups-libs-1.4.2-48.el6.i686                               6/21 
  Verifying  : avahi-libs-0.6.25-11.el6.i686                               7/21 
  Verifying  : 1:perl-Module-Pluggable-3.90-127.el6.i686                   8/21 
  Verifying  : samba-3.5.10-125.el6.i686                                   9/21 
  Verifying  : 1:pkgconfig-0.23-9.1.el6.i686                              10/21 
  Verifying  : gnutls-2.8.5-4.el6_2.2.i686                                11/21 
  Verifying  : 3:perl-version-0.77-127.el6.i686                           12/21 
  Verifying  : 4:perl-libs-5.10.1-127.el6.i686                            13/21 
  Verifying  : libtdb-1.2.1-3.el6.i686                                    14/21 
  Verifying  : libtiff-3.9.4-5.el6_2.i686                                 15/21 
  Verifying  : 4:perl-5.10.1-127.el6.i686                                 16/21 
  Verifying  : 2:libpng-1.2.49-1.el6_2.i686                               17/21 
  Verifying  : libtasn1-2.3-3.el6_2.1.i686                                18/21 
  Verifying  : libtalloc-2.0.1-1.1.el6.i686                               19/21 
  Verifying  : 1:perl-Pod-Escapes-1.04-127.el6.i686                       20/21 
  Verifying  : 1:perl-Pod-Simple-3.13-127.el6.i686                        21/21 

Installed:
  samba.i686 0:3.5.10-125.el6                                                   
  samba-client.i686 0:3.5.10-125.el6                                            
  samba-common.i686 0:3.5.10-125.el6                                            
  samba-winbind.i686 0:3.5.10-125.el6                                           
  samba-winbind-clients.i686 0:3.5.10-125.el6                                   

Dependency Installed:
  avahi-libs.i686 0:0.6.25-11.el6                                               
  cups-libs.i686 1:1.4.2-48.el6                                                 
  gnutls.i686 0:2.8.5-4.el6_2.2                                                 
  libjpeg.i686 0:6b-46.el6                                                      
  libpng.i686 2:1.2.49-1.el6_2                                                  
  libtalloc.i686 0:2.0.1-1.1.el6                                                
  libtasn1.i686 0:2.3-3.el6_2.1                                                 
  libtdb.i686 0:1.2.1-3.el6                                                     
  libtiff.i686 0:3.9.4-5.el6_2                                                  
  perl.i686 4:5.10.1-127.el6                                                    
  perl-Module-Pluggable.i686 1:3.90-127.el6                                     
  perl-Pod-Escapes.i686 1:1.04-127.el6                                          
  perl-Pod-Simple.i686 1:3.13-127.el6                                           
  perl-libs.i686 4:5.10.1-127.el6                                               
  perl-version.i686 3:0.77-127.el6                                              
  pkgconfig.i686 1:0.23-9.1.el6     

Samba, together with the necessary packages and any dependencies, should now have been successfully installed.


Basic Example of a Samba Share that is available to all users


In this example we are going to share a directory with anyone who has access to the same network.

First let's create a directory called "/home/lol/share" using the command mkdir -p /home/lol/share



[root@rhel02 ~]# mkdir -p /home/lol/share
[root@rhel02 ~]# ls -ld !$
ls -ld /home/lol/share
drwxr-xr-x. 2 root root 4096 Mar 20 10:21 /home/lol/share

Changing the Permissions of a directory


At this point the directory is read only for everyone except its owner. If you need to write to the share directory, you would need to issue the relevant chmod command: chmod 777 /home/lol/share. In a production environment you would instead use user authentication, and you may define groups and grant privileges to them. Remember that Samba cannot override the permissions set on directories. For more information relating to file permissions, visit our page on Linux File Permissions.

After issuing the relevant chmod command, our permissions on the "share" directory now look like:



[root@rhel02 home]# ls -ld /home/lol/share
drwxrwxrwx. 2 lol lol 4096 Mar 21 10:00 /home/lol/share

Next we need to create a file that we are going to share with everyone.



[root@rhel02 /]# cd ~lol/share
[root@rhel02 share]# ls -l /etc > listing.txt
[root@rhel02 share]# ls -l
total 8
-rw-r--r--. 1 root root 7984 Mar 20 10:25 listing.txt

Configuration Time


Now let's make a backup of the default configuration file. We do this because the original file contains some very useful information if you are new to Samba. This way we can always refer back to it:



[root@rhel02 ~]# cd /etc/samba
[root@rhel02 samba]# ls -l
total 20
-rw-r--r--. 1 root root   20 Apr 25  2012 lmhosts
-rw-r--r--. 1 root root 9778 Apr 25  2012 smb.conf
-rw-r--r--. 1 root root   97 Apr 25  2012 smbusers
[root@rhel02 samba]# cp smb.conf old.smb.conf

smb.conf - Samba Configuration File


The file we are going to configure is called "smb.conf". This file can be located at /etc/samba/smb.conf

In the following example we are simply going to create a samba share for the directory we created in the earlier steps. This directory will then be accessible to any users who are on the same network.



[global]

hosts allow = 127.0.0.1 192.168.0.0/24
security = SHARE
workgroup = WORKGROUP

# --------------------------- Logging Options -----------------------------
#
# Max Log Size lets you specify the max size log files should reach

# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50


[samba]

path = /home/lol/share
writable = yes
guest ok = yes
guest only = yes
public = yes
create mode = 0777
directory mode = 0777
share modes = yes

global - settings


In the above example, we can see that our smb.conf configuration file is split into two distinct sections. Firstly we have the global settings and then our shares follow. The square brackets around a name are used to identify unique sections. In our example we can see the "[global]" and "[samba]" sections.

The global section normally appears in every Samba configuration file. Generally the "global" section is used for server-wide settings. Any settings here would also be applied to all Samba shares unless the specific Samba share specifies a different setting. Although the global section is generally used, it is not compulsory to have it defined. However, this section is often included for reasons of clarity.

In the example above the option "hosts allow" is used. This global setting indicates that only the local host (127.0.0.1) and hosts on the network 192.168.0.0/24 can connect to this share.

The security = share setting indicates that no password information is required to access our share.


Logging Options


Logging options can also be specified. It is always a good idea to use logging options as this will help you to debug/identify any connection issues. The location of the log file is specified as "log file = /var/log/samba/log.%m". The %m parameter appends the name of the connecting computer to the log file name:



[root@rhel02 samba]# pwd
/var/log/samba
[root@rhel02 samba]# ls -l
total 16
drwx------. 4 root root 4096 Mar 20 11:03 cores
-rw-r--r--. 1 root root    0 Mar 24 09:16 log.__ffff_192.168.0.4
-rw-r--r--. 1 root root    0 Mar 24 09:16 log.mandie-tosh
-rw-r--r--. 1 root root  358 Mar 24 09:33 log.nmbd
-rw-r--r--. 1 root root  824 Mar 24 09:33 log.smbd
drwx------. 2 root root 4096 Mar 24 09:16 old

[root@rhel02 samba]# cd old
[root@rhel02 old]# ls -l
total 56
-rw-r--r--. 1 root root 17889 Mar 24 09:16 log.__ffff_192.168.0.4-20140324
-rw-r--r--. 1 root root   598 Mar 24 09:16 log.mandie-tosh-20140324
-rw-r--r--. 1 root root  5632 Mar 24 09:16 log.nmbd-20140324
-rw-r--r--. 1 root root 21028 Mar 24 09:16 log.smbd-20140324

From the above we can see that individual connections are recorded (log.mandie-tosh), and that there are also individual files for log.smbd and log.nmbd. Older copies of these log files are stored in the directory "old". All of these files are very useful if you are having connection issues or you need to verify that a connection has been made.


Samba Share - [samba]


The Samba share in the above example is called "samba". The name of the share is indicated by the presence of the square brackets around the name.

The "path = /home/lol/share" parameter specifies the location of the directory that is to be used as a share. This is the full path - directory structure on the Linux server that you are sharing out.

The "guest" options are used to specify that anyone can access this share.
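
The inheritance rule described under "global - settings" and the guest options on the share can be checked mechanically. The script below is an added example, not part of the original guide or of Samba: it parses smb.conf, resolves each share's effective settings (share first, then [global], then the Samba defaults) and reports shares that a guest can write to. The function names, the second sample configuration and the group name smbshare are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: list smb.conf shares that a guest can write to.
# Reads smb.conf on stdin, prints one finding per line, exits 1 if any.
audit_smb_conf() {
    awk '
    function trim(t) { sub(/^[ \t]+/, "", t); sub(/[ \t]+$/, "", t); return t }
    function isyes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    # Effective value: the share setting, else [global], else the Samba default.
    function eff(sct, k, dflt) {
        if ((sct, k) in conf) return conf[sct, k]
        if (("global", k) in conf) return conf["global", k]
        return dflt
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comments and blank lines
    /^[ \t]*\[.*\]/ {                            # section header such as [samba]
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(trim(sec))
        if (sec != "global" && !(sec in seen)) { seen[sec] = 1; order[++n] = sec }
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0 || sec == "") next
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = trim(substr($0, eq + 1))
        # Fold synonyms onto one canonical parameter name.
        if (key == "public") key = "guest ok"
        else if (key == "create mode") key = "create mask"
        else if (key == "writable" || key == "writeable" || key == "write ok") {
            key = "read only"; val = isyes(val) ? "no" : "yes"   # inverted synonym
        }
        conf[sec, key] = val
    }
    END {
        if (tolower(eff("global", "security", "user")) == "share") {
            print "[global] security = share: no per-user authentication"; bad++
        }
        for (i = 1; i <= n; i++) {
            sh = order[i]
            if (isyes(eff(sh, "guest ok", "no")) && !isyes(eff(sh, "read only", "yes"))) {
                printf "[%s] guest-writable: guest ok = yes, read only = no, create mask = %s\n", sh, eff(sh, "create mask", "0744")
                bad++
            }
        }
        exit (bad > 0)
    }'
}

# The smb.conf from the page, comments dropped.
page_smb_conf() {
    cat <<'EOF'
[global]
hosts allow = 127.0.0.1  192.168.0.0/24
security = SHARE
workgroup = WORKGROUP
log file = /var/log/samba/log.%m
max log size = 50

[samba]
path = /home/lol/share
writable = yes
guest ok = yes
guest only = yes
public = yes
create mode = 0777
directory mode = 0777
share modes = yes
EOF
}

# Constructed sample: [drop] inherits guest access from [global],
# [team] overrides it (the group name smbshare is hypothetical).
inherit_smb_conf() {
    cat <<'EOF'
[global]
security = user
guest ok = yes
writable = yes

[drop]
path = /srv/drop

[team]
path = /srv/team
guest ok = no
valid users = @smbshare
create mask = 0660
EOF
}

# Demo run over both samples; a clean file prints nothing.
page_smb_conf | audit_smb_conf || true
inherit_smb_conf | audit_smb_conf || true
```

On a server the same function can be run as audit_smb_conf < /etc/samba/smb.conf. It looks at what the settings permit, whereas testparm checks that the file parses.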


Test Samba Configuration


Whenever you make any changes to the /etc/samba/smb.conf file, you should always run the command "testparm". This special command will check the syntax of your smb.conf file.



[root@rhel02 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[samba]"
WARNING: The "share modes" option is deprecated
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
	security = SHARE
	log file = /var/log/samba/log.%m
	max log size = 50
	hosts allow = 127.0.0.1, 192.168.0.0/24

[samba]
	path = /home/lol/samba
	read only = No
	create mask = 0777
	directory mask = 0777
	guest only = Yes
	guest ok = Yes

Starting Samba Services



[root@rhel02 samba]# service smb start
Starting SMB services:                                     [  OK  ]
[root@rhel02 samba]# service nmb start
Starting NMB services:                                     [  OK  ]

Set Samba to Start Automatically at System Boot


To enable Samba to start automatically at system boot we must issue the following "chkconfig" commands. First we use the "chkconfig --list" command to show the current runlevels associated with Samba. Initially we can see that the service smb and nmb will not automatically start. To rectify this we use the "chkconfig --level 2345 smb on" and "chkconfig --level 2345 nmb on" commands to start our services at the requested runlevels.


 
[root@centos-65 ~]# chkconfig --list smb
smb            	0:off	1:off	2:off	3:off	4:off	5:off	6:off
[root@centos-65 ~]# chkconfig --list nmb
nmb            	0:off	1:off	2:off	3:off	4:off	5:off	6:off
[root@centos-65 ~]# chkconfig --level 2345 smb on
[root@centos-65 ~]# chkconfig --level 2345 nmb on
[root@centos-65 ~]# chkconfig --list smb
smb            	0:off	1:off	2:on	3:on	4:on	5:on	6:off
[root@centos-65 ~]# chkconfig --list nmb
nmb            	0:off	1:off	2:on	3:on	4:on	5:on	6:off

If you don't add the services "smb" and "nmb" to start automatically, your Samba shares will not be available after a system re-boot.



Firewall Settings for Samba


Before you can start using Samba, you may need to consider your firewall settings. Various ports will need to be opened to allow Samba to work. Below is a quick list of ports that are generally needed.


Service Name    Port Number and Protocol    Description
netbios-ns      137/tcp                     NETBIOS Name Service
netbios-dgm     138/tcp                     NETBIOS Datagram Service
netbios-ssn     139/tcp                     NETBIOS session service
microsoft-ds    445/tcp                     Needed by Active Directory

You can list the ports required by looking for the NETBIOS entries within the /etc/services file:



[root@rhel02 samba]# grep -i NETBIOS /etc/services 
netbios-ns      137/tcp                         # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp                         # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp                         # NETBIOS session service
netbios-ssn     139/udp

Firewall Rules


Most systems today use a firewall as a layer of protection to their systems. Most Linux distributions utilise "iptables" as a way of configuring firewall rules. In the example below we will look at modifying the default RHEL rules that came with the minimum server installation.

Before making any changes to firewall rules, it is always a good idea to make a backup copy of the current firewall rules. This can easily be done with the following commands:



[root@rhel02 samba]# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.20032014.old
[root@rhel02 samba]# ls /etc/sysconfig/iptables*
/etc/sysconfig/iptables               /etc/sysconfig/iptables-config
/etc/sysconfig/iptables.20032014.old  /etc/sysconfig/iptables.old

By using the "cp" command, we have made a copy of the current iptables file and added today's date. (Amend accordingly)


Current Firewall Configuration Settings


Below are the contents of the default firewall rules that came with the minimal server installation. For more details relating to "iptables" and its configuration, see our iptables guide: Guide to using iptables



# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

To open the ports we identified earlier, we need to add the following lines to our iptables file.

Place the following lines after the entry which allows ssh communication (the line with --dport 22):



# nmbd (NetBIOS name and datagram services) listens on UDP
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
# smbd (NetBIOS session service and SMB) listens on TCP
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Your firewall rules should now look like the output below:



# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Once the necessary changes have been made and saved, you will need to restart the firewall to pick up the new settings.
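
Rule order matters here because iptables stops at the first matching rule, which is why the Samba lines go above the final REJECT. The script below is an added example, not part of the original guide: it reads a rules file in the format shown above and reports, for the Samba ports, which ACCEPT rules are reachable and from which source. The rules file is a constructed sample, the function names are assumptions, and only single --dport rules in the INPUT chain are handled.

```shell
#!/bin/sh
# Added example: which Samba ports does an iptables rules file really admit?
# Reads the /etc/sysconfig/iptables format on stdin. Rule numbers count
# INPUT rules only, as "iptables -L INPUT --line-numbers" does.
samba_fw_report() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        rule++
        proto = "any"; port = ""; src = "any"; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-s") src = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        # A REJECT/DROP with no port, protocol or source ends the chain:
        # nothing placed after it can ever match.
        if ((target == "REJECT" || target == "DROP") && port == "" && proto == "any" && src == "any") {
            if (!closed) closed = rule
            next
        }
        if (target != "ACCEPT" || port !~ /^(137|138|139|445)$/) next
        if (closed)
            printf "%s/%s unreachable: rule %d follows catch-all at rule %d\n", port, proto, rule, closed
        else if (src == "any")
            printf "%s/%s open to any source (rule %d)\n", port, proto, rule
        else
            printf "%s/%s open to %s (rule %d)\n", port, proto, src, rule
    }'
}

# Constructed sample: one Samba rule is correct, one lacks the -s restriction,
# and one was appended below the final REJECT.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 445 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
COMMIT
EOF
}

# Demo run over the constructed sample.
sample_rules | samba_fw_report
```

Against a real server, run samba_fw_report < /etc/sysconfig/iptables before restarting the firewall.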


Restarting your Firewall


To restart your firewall and pick up the new rules, we need to issue the following command as root: "service iptables restart".



[root@rhel02 sysconfig]# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

Next we need to identify whether SELinux is being used. (see SELinux notes below)


SELinux


What is SELinux? SELinux is a Linux kernel security module that provides a means of supporting access control security policies. SELinux is often used to tighten security on critical systems. A Linux kernel with SELinux enabled enforces mandatory access control policies.

If you are running SELinux, you may need to make the following changes to your SELinux configuration.


Checking for SELinux


To display your current SELinux status, you can issue the command "sestatus":



[root@rhel02 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

In the example above we can see that we have SELinux "enabled" and the current mode is "enforcing".

There are several modes that SELinux may be running under. These are as follows:

Enforcing - The Security Policy is always Enforced.

Permissive - Permissive simulates the Enforcing Policy by displaying only warning messages. This mode does not enforce any policies.

Disabled - Completely disables SELinux (Not recommended)

To quickly enable or disable SELinux enforcement, you can issue the "setenforce" command along with the relevant argument (see below):

usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

You can also enable or disable enforcement in the following way (1 = enforcement enabled, 0 = enforcement disabled):



# cat /selinux/enforce
1

# echo 0 > /selinux/enforce

# cat /selinux/enforce
0

The "cat" command is used to display the current setting. The echo command is used to assign a value of either "0" or "1".


Display Samba specific SELinux settings


To view any specific SELinux settings for Samba/smb you can issue the "getsebool -a" command. This command when used in conjunction with "grep" will list only settings relevant to Samba.



[root@rhel02 lol]# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off

[root@rhel02 lol]# getsebool -a | grep smb
allow_smbd_anon_write --> off

Enabling SELinux settings for Samba


To modify any of the above parameters, we can issue the command "setsebool -P parameter on|off".

The following command will enable access to the home directory area:



[root@rhel02 lol]# setsebool -P samba_enable_home_dirs on

Now if we run the command again to display our settings we can see that this parameter has now been enabled (switched on).



[root@rhel02 lol]# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off

Display selinux settings for a directory


The "Z" option when added to the normal "ls" command will display SELinux settings: ls -ldZ /path



[root@rhel02 lol]# ls -ldZ /home/lol/share
drwxr-xr-x. lol lol unconfined_u:object_r:user_home_t:s0 /home/lol/share

Sharing other Directories with Samba - SELinux


If you are sharing a directory other than a home area, you will need to issue the following command:

# chcon -t samba_share_t /path

This command will grant permission to write into this area. Warning, do not use this command against system binaries!

Again, you can check that this command was successful by issuing the ls -ldZ /path command. (Amend /path accordingly)

** For more information regarding SELinux persistent settings, please refer to our SELinux Introduction


Accessing the share from Windows


Now to test our share, we need to use a computer attached to the same network. In the following example, I have used a laptop running Windows 7. To access the share, I simply typed \\192.168.0.17\ into the search box from the start menu. The IP address used is that of the RHEL Linux server running Samba. The names of any shares should now be displayed. In this example we can see our share "samba".

Below is a screen shot of the Samba share under Windows 7:


Samba Share

Documentation - Further reading


As you can see from the example above, Samba can be a very useful tool to use. However, it would be impossible to cover every different set-up scenario. Thankfully there is some excellent documentation that can be found at the Samba Official Website.


Official Samba Documentation


Configuring Samba using SWAT - Samba Web Administration Tool


If you would rather use a graphical tool (GUI) to configure your Samba shares, then a popular choice is SWAT (Samba Web Administration Tool). For details on how to install and use it, visit our SWAT user guide: SWAT Installation and Users Guide