Fedora 32: Simple Local File-Sharing with Samba CIFS Linux
Article Number: 713 | Rating: Unrated | Last Updated: Sun, Dec 6, 2020 7:55 PM
What is ‘Samba’?
Note about this guide: The convention '~]$' for a local user command prompt, and '~]#' for a super user prompt will be used.
Public Sharing Folder
Please Note: This guide assumes the public sharing folder is on a modern Linux filesystem; other filesystems such as NTFS or FAT32 will not work. Samba uses POSIX Access Control Lists (ACLs). For those who wish to learn more about Access Control Lists, please consider reading the documentation: "Red Hat Enterprise Linux 7: System Administrator's Guide: Chapter 5. Access Control Lists", as it likewise applies to Fedora 32. In general, this is only an issue for anyone who wishes to share a drive or filesystem that was created outside of the normal Fedora installation process (such as an external hard drive). It is possible for Samba to share filesystem paths that do not support POSIX ACLs; however, this is out of the scope of this guide.
RED HAT ENTERPRISE LINUX 7, STORAGE ADMINISTRATION GUIDE: CHAPTER 2. FILE SYSTEM STRUCTURE AND MAINTENANCE: 18.104.22.168. THE /SRV/ DIRECTORY
Make the Folder (will provide an error if the folder already exists):
~]# mkdir --verbose /srv/public
Verify folder exists:
~]$ ls --directory /srv/public
Expected Output:
/srv/public
Set Filesystem Security Context
RED HAT ENTERPRISE LINUX 7, SELINUX USER’S AND ADMINISTRATOR’S GUIDE: CHAPTER 16. FILE TRANSFER PROTOCOL: 16.1. TYPES: PUBLIC_CONTENT_RW_T
Add the new filesystem security context:
~]# semanage fcontext --add --type public_content_rw_t "/srv/public(/.*)?"
Verify the new filesystem security context:
~]# semanage fcontext --locallist --list
Expected Output (should include):
/srv/public(/.*)? all files system_u:object_r:public_content_rw_t:s0
Restore security context to the /srv/public folder:
~]# restorecon -Rv /srv/public
Verify security context was correctly applied:
~]$ ls --directory --context /srv/public/
Expected Output:
unconfined_u:object_r:public_content_rw_t:s0 /srv/public/
Creating the Sharing Groups
Create the public_readonly and public_readwrite groups:
~]# groupadd public_readonly
~]# groupadd public_readwrite
Verify successful creation of groups:
~]$ getent group public_readonly public_readwrite
Expected Output (Note: the x:1...: number will probably differ on your system):
public_readonly:x:1009:
public_readwrite:x:1010:
Set User and Group Permissions for Folder:
~]# chmod --verbose 2700 /srv/public
~]# setfacl -m group:public_readonly:r-x /srv/public
~]# setfacl -m default:group:public_readonly:r-x /srv/public
~]# setfacl -m group:public_readwrite:rwx /srv/public
~]# setfacl -m default:group:public_readwrite:rwx /srv/public
Verify user permissions have been correctly applied:
~]$ getfacl --absolute-names /srv/public
Expected Output:
file: /srv/public
owner: root
group: root
flags: -s-
user::rwx
group::---
group:public_readonly:r-x
group:public_readwrite:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:public_readonly:r-x
default:group:public_readwrite:rwx
default:mask::rwx
default:other::---
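The expected ACL above can also be checked mechanically, for instance after later permission changes on the share. The script below is an added example, not part of the original guide; the function name audit_share_acl, the finding labels and the drifted sample (including the user 'guest') are assumptions made for illustration.

```shell
# audit_share_acl: read getfacl output on stdin, print one finding per line,
# return 0 if it matches the ACL set in this guide, 1 otherwise.
audit_share_acl() {
    awk '
    BEGIN {
        want["group:"] = want["default:group:"] = "---"
        want["other:"] = want["default:other:"] = "---"
        want["group:public_readonly"]  = want["default:group:public_readonly"]  = "r-x"
        want["group:public_readwrite"] = want["default:group:public_readwrite"] = "rwx"
    }
    { sub(/^# /, "") }                                 # accept "# file:" style headers
    NF == 0 || /^(file|owner|group|flags): / { next }  # skip headers and blank lines
    {
        n = split($1, f, ":"); perm = f[n]             # $1 drops "#effective:" notes
        key = $1; sub(/:[^:]*$/, "", key)              # entry without its permission
        if (key in want) {
            seen[key] = 1
            if (perm != want[key]) { bad++; print "MISMATCH " key " is " perm ", expected " want[key] }
        } else if (key ~ /^(default:)?(user|group):./) {
            bad++; print "UNEXPECTED " key ":" perm    # extra named user or group
        }
    }
    END {
        for (k in want) if (!(k in seen)) { bad++; print "MISSING " k ":" want[k] }
        exit (bad > 0)
    }'
}
# Constructed sample: the expected output shown in this guide.
GUIDE_ACL='file: /srv/public
owner: root
group: root
flags: -s-
user::rwx
group::---
group:public_readonly:r-x
group:public_readwrite:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:public_readonly:r-x
default:group:public_readwrite:rwx
default:mask::rwx
default:other::---'
# Constructed drift: world-readable, an extra user grant, a lost default entry.
DRIFTED_ACL=$(printf '%s\nuser:guest:rwx\n' "$GUIDE_ACL" |
    sed -e 's/^other::---/other::r-x/' -e '/^default:group:public_readonly:/d')
printf '%s\n' "$DRIFTED_ACL" | audit_share_acl || echo "ACL differs from the guide"
```

On a live system, feed it the real ACL with: getfacl --absolute-names /srv/public | audit_share_acl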
~]# dnf install samba
View Your Current Hostname:
~]$ hostnamectl status
Modify your system's hostname (example):
~]# hostnamectl set-hostname "simple-samba-server"
For a more complete overview of the hostnamectl command, please read the previous Fedora Magazine Article: "How to set the hostname on Fedora".
For those who are interested in learning more about configuring firewalls; please consider reading the documentation: "Red Hat Enterprise Linux 8: Securing networks: Chapter 5. Using and configuring firewall", as it generally applies to Fedora 32 as well.
Allow Samba access through the firewall:
~]# firewall-cmd --add-service=samba --permanent
~]# firewall-cmd --reload
Verify Samba is included in your active firewall:
~]$ firewall-cmd --list-services
Output (should include):
samba
Remove Default Configuration
Create a backup copy of the existing Samba Configuration:
~]# cp --verbose --no-clobber /etc/samba/smb.conf /etc/samba/smb.conf.fedora0
Empty the configuration file:
~]# > /etc/samba/smb.conf
Please Note: This configuration file does not contain any global definitions; the defaults provided by Samba are good for purposes of this guide.
Edit the Samba Configuration File with Vim:
~]# vim /etc/samba/smb.conf

# smb.conf - Samba Configuration File

# The name of the share is in square brackets,
# this will be shared as //hostname/sharename

# There are three exceptions:
# the [global] section;
# the [homes] section, that is dynamically set to the username;
# the [printers] section, same as [homes], but for printers.

# path: the physical filesystem path (or device)
# comment: a label on the share, seen on the network.
# read only: disable writing, defaults to true.

# For a full list of configuration options,
# please read the manual: "man smb.conf".

[global]

[public]
    path = /srv/public
    comment = Public Folder
    read only = No
There are many more SELinux booleans available for Samba. For those who are interested, please read the documentation: "Red Hat Enterprise Linux 7: SELinux User's and Administrator's Guide: 15.3. Samba Booleans"; it also applies to Fedora 32 without any adaptation.
Set SELinux Boolean allowing Samba to write to filesystem paths set with the security context public_content_rw_t:
~]# setsebool -P smbd_anon_write=1
Verify bool has been correctly set:
~]$ getsebool smbd_anon_write
Expected Output:
smbd_anon_write --> on
Samba ‘smb’ Service
Enable and Start Services
For those who are interested in learning more about configuring, enabling, disabling, and managing services, please consider studying the documentation: "Red Hat Enterprise Linux 7: System Administrator's Guide: 10.2. Managing System Services".
Enable and start smb and nmb services:
~]# systemctl enable smb.service
~]# systemctl start smb.service
Verify smb service:
~]# systemctl status smb.service
Test Public Sharing (localhost)
Create 'samba_test_user', and lock the account:
~]# useradd samba_test_user
~]# passwd --lock samba_test_user
Set a Samba Password for this Test User (such as 'test'):
~]# smbpasswd -a samba_test_user
Test Read Only access to the Public Share:
Add samba_test_user to the public_readonly group:
~]# gpasswd --add samba_test_user public_readonly
Login to the local Samba Service (public folder):
~]$ smbclient --user=samba_test_user //localhost/public
First, the ls command should succeed; second, the mkdir command should not work; and finally, exit:
smb: \> ls
smb: \> mkdir error
smb: \> exit
Remove samba_test_user from the public_readonly group:
~]# gpasswd --delete samba_test_user public_readonly
Test Read and Write access to the Public Share:
Add samba_test_user to the public_readwrite group:
~]# gpasswd --add samba_test_user public_readwrite
Login to the local Samba Service (public folder):
~]$ smbclient --user=samba_test_user //localhost/public
First, the ls command should succeed; second, the mkdir command should work; third, the rmdir command should work; and finally, exit:
smb: \> ls
smb: \> mkdir success
smb: \> rmdir success
smb: \> exit
Remove samba_test_user from the public_readwrite group:
~]# gpasswd --delete samba_test_user public_readwrite
Disable samba_test_user login via Samba:
~]# smbpasswd -d samba_test_user
Home Folder Sharing
This is a very convenient way of accessing your own local files; however, it naturally carries a security risk.
Setup Home Folder Sharing
Give Samba Permission for Home Folder Sharing
Set SELinux Boolean allowing Samba to read and write to home folders:
~]# setsebool -P samba_enable_home_dirs=1
Verify bool has been correctly set:
~]$ getsebool samba_enable_home_dirs
Expected Output:
samba_enable_home_dirs --> on
Add Home Sharing to the Samba Configuration
# The home folder dynamically links to the user home.
# If 'bob' user uses Samba:
# The homes section is used as the template for a new virtual share:
# [homes]
# ... (various options)
# A virtual section for 'bob' is made:
# Share is modified: [homes] -> [bob]
# Path is added: path = /home/bob
# Any option within the [homes] section is appended.
# [bob]
# path = /home/bob
# ... (copy of various options)

# here is our share,
# same as is included in the Fedora default configuration.
[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
Reload Samba Configuration
Tell Samba to reload its configuration:
~]# smbcontrol all reload-config
Test Home Directory Sharing
Switch to samba_test_user and create a folder in its home directory:
~]# su samba_test_user
samba_test_user:~]$ cd ~
samba_test_user:~]$ mkdir --verbose test_folder
samba_test_user:~]$ exit
Enable samba_test_user to login via Samba:
~]# smbpasswd -e samba_test_user
Login to the local Samba Service (samba_test_user home folder):
~]$ smbclient --user=samba_test_user //localhost/samba_test_user
Test (all commands should complete without error):
smb: \> ls
smb: \> ls test_folder
smb: \> rmdir test_folder
smb: \> mkdir home_success
smb: \> rmdir home_success
smb: \> exit
Disable samba_test_user from logging in via Samba:
~]# smbpasswd -d samba_test_user