Fedora 19 Samba Standalone Server With tdbsam Backend

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Tue, 2013-08-06 18:51. :: Fedora | Samba | Storage

Fedora 19 Samba Standalone Server With tdbsam Backend

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Follow me on Twitter
Last edited 07/26/2013

This tutorial explains the installation of a Samba fileserver on Fedora 19 and how to configure it to share files over the SMB protocol as well as how to add users. Samba is configured as a standalone server, not as a domain controller. In the resulting setup, every user has his own home directory accessible via the SMB protocol and all users have a shared directory with read-/write access.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I'm using a Fedora 19 system here with the hostname server1.example.com and the IP address 192.168.0.100.

Please make sure that SELinux is disabled:

Edit /etc/selinux/config and set SELINUX=disabled:

vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

2 Installing Samba

Connect to your server on the shell and install the Samba packages:

yum install cups-libs samba samba-common samba-client

Edit the smb.conf file:

vi /etc/samba/smb.conf

Make sure you see the following lines in the [global] section:

[...]
# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#

        security = user
        passdb backend = tdbsam


[...]

This enables Linux system users to log in to the Samba server.

Then create the system startup links for Samba and start it:

systemctl enable smb.service
systemctl start smb.service

 

3 Adding Samba Shares

Now I will add a share that is accessible by all users.

Create the directory for sharing the files and change the group to the users group:

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

At the end of the file /etc/samba/smb.conf add the following lines:

vi /etc/samba/smb.conf

[...]
[allusers]
  comment = All Users
  path = /home/shares/allusers
  valid users = @users
  force group = users
  create mask = 0660
  directory mask = 0771
  writable = yes

If you want all users to be able to read and write to their home directories via Samba, add the following lines to /etc/samba/smb.conf (make sure you comment out or remove the other [homes] section in the smb.conf file!):

[...]
[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   writable = yes
   create mask = 0700
   directory mask = 0700

Now we restart Samba:

systemctl restart smb.service

 

4 Adding And Managing Users

In this example, I will add a user named tom. You can add as many users as you need in the same way, just replace the username tom with the desired username in the commands.

useradd tom -m -G users

Set a password for tom in the Linux system user database. If the user tom should not be able to log into the Linux system, skip this step.

passwd tom

-> Enter the password for the new user.

Now add the user to the Samba user database:

smbpasswd -a tom

-> Enter the password for the new user.

Now you should be able to log in from your Windows workstation with the file explorer (address is \\192.168.0.100 or \\192.168.0.100\tom for tom's home directory) using the username tom and the chosen password and store files on the Linux server either in tom's home directory or in the public shared directory.

 

5 Links


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Wed, 2013-09-11 07:55.
given that selinux is the MAJOR security component of the system overall... how do you propose the safety of sharing files over the network being worth opening the machine without selinux on it if that machine is connected to the internet?
Doesn't that leave the entire network vulnerable to compromise through the share? Sounds like one heck of a trade off... is there really no way to allow selinux to run and use this package to share files locally over the LAN?
Submitted by Anonymous (not registered) on Sat, 2013-10-05 12:52.

selinux is treating symptoms and if you're running samba exposed to the world, then you have other worries entirely.

 Shouldn't be too hard to train selinux to handle samba though, but why would you bother?

Submitted by Bjorn Roesbeke (not registered) on Tue, 2014-06-24 02:04.

There are options for SELinux to give Samba certain permissions.

[root@myserver /]# getsebool -a | grep "samba"
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_sandbox_use_samba --> off
virt_use_samba --> off

For example, this is how SELinux can be configured to allow Samba access to users' home directories.

[root@myserver /]# setsebool samba_enable_home_dirs 1

If it doesn't work, check the logs!

[root@myserver /]# tail /var/log/messages 
[root@myserver /]# grep "denied" /var/log/audit/audit.log

Heck, /etc/samba/smb.conf even tells you how to do it!

# Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
# and groupadd family of binaries. Run the following command as the root user to
# turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.

That's all.

Stop disabling SELinux.

Submitted by goudeuk (not registered) on Mon, 2013-09-09 17:23.

Hi

 

Thank you for the nice How-To.

Just to add that the samba and samba-client should also be allowed through the firewall for the user to be able to map the samba share from a windows machine.

 Many thanks

Submitted by Raymond (not registered) on Wed, 2014-01-08 01:46.

thank you for this tutorial. worked like a charm on FC 20