06-13-2020, 02:44 AM
Fedora 32: Simple Local File-Sharing with Samba
<div><p>Sharing files with Fedora 32 using Samba is cross-platform, convenient, reliable, and performant.</p>
<h2>What is ‘Samba’?</h2>
<p><a href="https://www.samba.org/samba/">Samba</a> is a high-quality implementation of the <a href="https://en.wikipedia.org/wiki/Server_Message_Block">Server Message Block protocol (SMB)</a>. Originally developed by Microsoft for connecting Windows computers together over local-area networks, it is now extensively used for internal network communications.</p>
<p>Apple used to maintain its own independent file sharing protocol called “<a href="https://en.wikipedia.org/wiki/Apple_Filing_Protocol">Apple Filing Protocol (<strong>AFP</strong>)</a>”; however, in <a href="https://appleinsider.com/articles/13/06/11/apple-shifts-from-afp-file-sharing-to-smb2-in-os-x-109-mavericks">recent times</a> it has also switched to SMB.</p>
<p><strong>In this guide we provide the minimal instructions to enable:</strong></p>
<ul>
<li>Public Folder Sharing (Both Read Only and Read Write)</li>
<li>User Home Folder Access</li>
</ul>
<pre class="wp-block-verse">Note about this guide: The convention '<strong>~]$</strong>' for a local user command prompt, and '<strong>~]#</strong>' for a super user prompt will be used.</pre>
<h2>Public Sharing Folder</h2>
<p>Having a shared public place where authenticated users on an internal network can access files, or even modify and change files if they are given permission, can be very convenient. This part of the guide walks through the process of setting up a shared folder, ready for sharing with Samba.</p>
<pre class="wp-block-verse has-text-align-left">Please Note: This guide assumes the public sharing folder is on a modern Linux filesystem; other filesystems such as NTFS or FAT32 will not work. Samba uses POSIX Access Control Lists (ACLs). For those who wish to learn more about Access Control Lists, please consider reading the documentation: "<a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-access_control_lists">Red Hat Enterprise Linux 7: System Administrator's Guide: Chapter 5. Access Control Lists</a>", as it likewise applies to Fedora 32. In general, this is only an issue for anyone who wishes to share a drive or filesystem that was created outside of the normal Fedora installation process (such as an external hard drive). <em>It is possible for Samba to share filesystem paths that do not support POSIX ACLs, however this is out of the scope of this guide.</em></pre>
<h3>Create Folder</h3>
<p>For this guide the <strong><em>/srv/public/</em></strong> folder will be used for sharing.</p>
<blockquote class="wp-block-quote">
<p>The <em>/srv/</em> directory contains site-specific data served by a Red Hat Enterprise Linux system. This directory gives users the location of data files for a particular service, such as FTP, WWW, or CVS. Data that only pertains to a specific user should go in the <em>/home/</em> directory.</p>
<p><cite><a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/ch-filesystem#s3-filesystem-srv">Red Hat Enterprise Linux 7, Storage Administration Guide: Chapter 2. File System Structure and Maintenance: 2.1.1.8. The /srv/ Directory</a></cite></p></blockquote>
<pre class="wp-block-preformatted"><strong>Make the Folder (will provide an error if the folder already exists).</strong>
~]# mkdir --verbose /srv/public
<strong>Verify folder exists:</strong>
~]$ ls --directory /srv/public
<strong>Expected Output:</strong>
<em>/srv/public</em></pre>
<h3>Set Filesystem Security Context</h3>
<p>To have <em>read and write</em> access to the public folder the <em>public_content_rw_t </em>security context will be used for this guide. Those wanting <em>read only</em> may use: <em>public_content_t</em>.</p>
<blockquote class="wp-block-quote">
<p>Label files and directories that have been created with the <em>public_content_rw_t</em> type to share them with read and write permissions through vsftpd. Other services, such as Apache HTTP Server, Samba, and NFS, also have access to files labeled with this type. Remember that booleans for each service must be enabled before they can write to files labeled with this type.</p>
<p><cite><a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-managing_confined_services-file_transfer_protocol#sect-Managing_Confined_Services-File_Transfer_Protocol-Types">Red Hat Enterprise Linux 7, SELinux User’s and Administrator’s Guide: Chapter 16. File Transfer Protocol: 16.1. Types: public_content_rw_t</a></cite></p></blockquote>
<p>Add <em>/srv/public</em> as <em>“public_content_rw_t”</em> in the system’s local filesystem security context customization registry:</p>
<pre class="wp-block-preformatted"><strong>Add new filesystem security context:</strong>
~]# semanage fcontext --add --type public_content_rw_t "/srv/public(/.*)?"
<strong>Verify new filesystem security context:</strong>
~]# semanage fcontext --locallist --list
<strong>Expected Output: (should include)</strong>
<em>/srv/public(/.*)? all files system_u:object_r:public_content_rw_t:s0</em></pre>
<p>Now that the folder has been added to the local system’s filesystem security context registry, the <strong>restorecon</strong> command can be used to ‘restore’ the context to the folder:</p>
<pre class="wp-block-preformatted"><strong>Restore security context to the /srv/public folder:</strong>
~]# restorecon -Rv /srv/public
<strong>Verify security context was correctly applied:</strong>
~]$ ls --directory --context /srv/public/
<strong>Expected Output:</strong>
<em>unconfined_u:object_r:<strong>public_content_rw_t</strong>:s0 /srv/public/</em></pre>
<h3>User Permissions</h3>
<h4>Creating the Sharing Groups</h4>
<p>To allow a user to have either <em>read only</em> or <em>read and write</em> access to the public share folder, create two new groups that govern these privileges: <em>public_readonly</em> and <em>public_readwrite</em>.</p>
<p>User accounts can be granted <em>read only</em> or <em>read and write</em> access by adding their account to the respective group (and allowing login via Samba by creating an SMB password). This process is demonstrated in the section: “Test Public Sharing (localhost)”.</p>
<pre class="wp-block-preformatted"><strong>Create the public_readonly and public_readwrite groups:</strong>
~]# groupadd public_readonly
~]# groupadd public_readwrite
<strong>Verify successful creation of groups:</strong>
~]$ getent group public_readonly public_readwrite
<strong>Expected Output: (Note: the <em>x:1...:</em> number will probably differ on your system)</strong>
<em>public_readonly:x:1009:
public_readwrite:x:1010:</em></pre>
<h4>Set Permissions</h4>
<p>Now set the appropriate user permissions to the public shared folder:</p>
<pre class="wp-block-preformatted"><strong>Set User and Group Permissions for Folder:</strong>
~]# chmod --verbose 2700 /srv/public
~]# setfacl -m group:public_readonly:r-x /srv/public
~]# setfacl -m default:group:public_readonly:r-x /srv/public
~]# setfacl -m group:public_readwrite:rwx /srv/public
~]# setfacl -m default:group:public_readwrite:rwx /srv/public
<strong>Verify user permissions have been correctly applied:</strong>
~]$ getfacl --absolute-names /srv/public
<strong>Expected Output:</strong>
<em>file: /srv/public
owner: root
group: root
flags: -s-
user::rwx
group::---
group:public_readonly:r-x
group:public_readwrite:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:public_readonly:r-x
default:group:public_readwrite:rwx
default:mask::rwx
default:other::---</em></pre>
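<p>The ACL above is what decides whether a Samba user in one of the two groups can read or write in <em>/srv/public</em>, and the role of the <em>mask</em> entry is easy to misread. The following Python script is an added example, not part of the original article: it parses the expected <strong>getfacl</strong> output (embedded as a constructed sample) and evaluates effective permissions in the POSIX ACL order (owner, named users, the union of matching group entries capped by the mask, then other), and shows how a narrowed mask silently caps <em>public_readwrite</em> without touching its entry.</p>

```python
"""Evaluate access to /srv/public from its POSIX ACL (added example, not from
the article). Models the POSIX.1e check order only; it does not model root's
CAP_DAC_OVERRIDE, which bypasses the ACL entirely."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample: the "Expected Output" of getfacl from this guide.
GETFACL_OUTPUT = """\
# file: /srv/public
# owner: root
# group: root
# flags: -s-
user::rwx
group::---
group:public_readonly:r-x
group:public_readwrite:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:public_readonly:r-x
default:group:public_readwrite:rwx
default:mask::rwx
default:other::---
"""


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: str = "---"                   # user::   (file owner)
    group_obj: str = "---"                  # group::  (owning group)
    named_users: Dict[str, str] = field(default_factory=dict)
    named_groups: Dict[str, str] = field(default_factory=dict)
    mask: Optional[str] = None              # upper bound for the group class
    other: str = "---"


def parse_getfacl(text: str) -> Acl:
    """Parse the access ACL from getfacl output. 'default:' entries only
    shape newly created children, so they are skipped here."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl.owner = value.strip()
            elif key.strip() == "group":
                acl.group = value.strip()
            continue
        line = line.split("#effective")[0].strip()   # drop getfacl's hint
        if line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        if tag == "user" and qualifier:
            acl.named_users[qualifier] = perms
        elif tag == "user":
            acl.user_obj = perms
        elif tag == "group" and qualifier:
            acl.named_groups[qualifier] = perms
        elif tag == "group":
            acl.group_obj = perms
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
    return acl


def perm_and(a: str, b: str) -> str:
    """Intersect two rwx strings (used to apply the mask)."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def perm_or(a: str, b: str) -> str:
    """Union of two rwx strings (used across matching group entries)."""
    return "".join(x if x != "-" else y for x, y in zip(a, b))


def effective_perms(acl: Acl, user: str, groups: Set[str]) -> str:
    """POSIX.1e order: owner, named user, group class, other. Once the
    process matches any group-class entry, 'other' is never consulted."""
    if user == acl.owner:
        return acl.user_obj
    mask = acl.mask or "rwx"
    if user in acl.named_users:
        return perm_and(acl.named_users[user], mask)
    matched = [p for g, p in acl.named_groups.items() if g in groups]
    if acl.group in groups:
        matched.append(acl.group_obj)
    if matched:
        union = "---"
        for p in matched:
            union = perm_or(union, p)
        return perm_and(union, mask)
    return acl.other


def public_share_access(mask: Optional[str] = None) -> Dict[str, str]:
    """Access each role from this guide gets in /srv/public. Pass a mask to
    see what 'chmod g-w /srv/public' (which rewrites the mask entry) does."""
    acl = parse_getfacl(GETFACL_OUTPUT)
    if mask is not None:
        acl.mask = mask
    roles = {
        "root": ("root", {"root"}),
        "readonly": ("samba_test_user", {"samba_test_user", "public_readonly"}),
        "readwrite": ("samba_test_user", {"samba_test_user", "public_readwrite"}),
        "no_group": ("samba_test_user", {"samba_test_user"}),
    }
    return {role: effective_perms(acl, u, gs) for role, (u, gs) in roles.items()}


if __name__ == "__main__":
    for m in (None, "r-x"):
        print(f"mask={m or 'rwx'}: {public_share_access(m)}")
```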
<h2>Samba</h2>
<h3>Installation</h3>
<pre class="wp-block-preformatted">~]# dnf install samba</pre>
<h3>Hostname (systemwide)</h3>
<p>Samba will use the name of the computer when sharing files; it is good to set a hostname so that the computer can be found easily on the local network.</p>
<pre class="wp-block-preformatted"><strong>View Your Current Hostname:</strong>
~]$ hostnamectl status</pre>
<p>If you wish to change your hostname to something more descriptive, use the command:</p>
<pre class="wp-block-preformatted"><strong>Modify your system's hostname (example):</strong>
~]# hostnamectl set-hostname "simple-samba-server"</pre>
<pre class="wp-block-verse has-text-align-left">For a more complete overview of the <strong>hostnamectl</strong> command, please read the previous Fedora Magazine Article: "<a href="https://fedoramagazine.org/set-hostname-fedora/">How to set the hostname on Fedora</a>".</pre>
<h3>Firewall</h3>
<p>Configuring your firewall is a complex and involved task. This guide will just have the most minimal manipulation of the firewall to enable Samba to pass through.</p>
<pre class="wp-block-verse">For those who are interested in learning more about configuring firewalls, please consider reading the documentation: "<a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/using-and-configuring-firewalls_securing-networks">Red Hat Enterprise Linux 8: Securing networks: Chapter 5. Using and configuring firewall</a>", as it generally applies to Fedora 32 as well.</pre>
<pre class="wp-block-preformatted"><strong>Allow Samba access through the firewall:</strong>
~]# firewall-cmd --add-service=samba --permanent
~]# firewall-cmd --reload
<strong>Verify Samba is included in your active firewall:</strong>
~]$ firewall-cmd --list-services
<strong>Output (should include):</strong>
<em>samba</em></pre>
<h3>Configuration</h3>
<h4>Remove Default Configuration</h4>
<p>The stock configuration that is included with Fedora 32 is not required for this simple guide. In particular it includes support for sharing printers with Samba.</p>
<p>For this guide make a backup of the default configuration and create a new configuration file from scratch.</p>
<pre class="wp-block-preformatted"><strong>Create a backup copy of the existing Samba Configuration:</strong>
~]# cp --verbose --no-clobber /etc/samba/smb.conf /etc/samba/smb.conf.fedora0
<strong>Empty the configuration file:</strong>
~]# > /etc/samba/smb.conf</pre>
<h4>Samba Configuration</h4>
<pre class="wp-block-verse">Please Note: This configuration file does not contain any global definitions; the defaults provided by Samba are good for purposes of this guide.</pre>
<pre class="wp-block-preformatted"><strong>Edit the Samba Configuration File with Vim:</strong>
~]# vim /etc/samba/smb.conf</pre>
<p>Add the following to the <em>/etc/samba/smb.conf</em> file:</p>
<pre class="wp-block-preformatted"># smb.conf - Samba Configuration File

# The name of the share is in square brackets [],
# this will be shared as //hostname/sharename

# There are three exceptions:
# the [global] section;
# the [homes] section, that is dynamically set to the username;
# the [printers] section, same as [homes], but for printers.

# path: the physical filesystem path (or device)
# comment: a label on the share, seen on the network.
# read only: disable writing, defaults to true.

# For a full list of configuration options,
# please read the manual: "man smb.conf".

[global]

[public]
path = /srv/public
comment = Public Folder
read only = No</pre>
<h3>Write Permission</h3>
<p>By default Samba is not granted permission to modify any file on the system. Modify the system’s security configuration to allow Samba to modify any filesystem path that has the security context <em>public_content_rw_t</em>.</p>
<p>For convenience, Fedora has a built-in SELinux Boolean for this purpose called <em>smbd_anon_write</em>; setting this to <em>true</em> will enable Samba to write in any filesystem path that has been set to the security context <em>public_content_rw_t</em>.</p>
<p>Those who wish Samba to have only read-only access to their public sharing folder may skip this step and leave this boolean unset.</p>
<pre class="wp-block-verse">There are many more SELinux booleans available for Samba. For those who are interested, please read the documentation: "<a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-samba-booleans">Red Hat Enterprise Linux 7: SELinux User's and Administrator's Guide: 15.3. Samba Booleans</a>"; they also apply to Fedora 32 without any adaptation.</pre>
<pre class="wp-block-preformatted"><strong>Set SELinux Boolean allowing Samba to write to filesystem paths set with the security context <em>public_content_rw_t</em>:</strong>
~]# setsebool -P smbd_anon_write=1
<strong>Verify bool has been correctly set:</strong>
~]$ getsebool smbd_anon_write
<strong>Expected Output:</strong>
<em>smbd_anon_write --> on</em></pre>
<h2>Samba Services</h2>
<p>The Samba service is divided into two parts that we need to start.</p>
<h3>Samba ‘smb’ Service</h3>
<p>The Samba “Server Message Block” (SMB) service is for sharing files and printers over the local network.</p>
<p>Manual: “<a href="https://www.samba.org/samba/docs/current/man-html/smbd.8.html">smbd – server to provide SMB/CIFS services to clients</a>”</p>
<h3>Enable and Start Services</h3>
<pre class="wp-block-verse">For those who are interested in learning more about configuring, enabling, disabling, and managing services, please consider studying the documentation: "<a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-managing_services_with_systemd-services">Red Hat Enterprise Linux 7: System Administrator's Guide: 10.2. Managing System Services</a>".</pre>
<pre class="wp-block-preformatted"><strong>Enable and start the smb service:</strong>
~]# systemctl enable smb.service
~]# systemctl start smb.service
<strong>Verify smb service:</strong>
~]# systemctl status smb.service</pre>
<h3>Test Public Sharing (localhost)</h3>
<p>To demonstrate allowing and removing access to the public shared folder, create a new user called <em>samba_test_user</em>; this user will be granted permission first to read the public folder, and then to read and write the public folder.</p>
<p>The same process demonstrated here can be used to grant access to your public shared folder to other users of your computer.</p>
<p>The <em>samba_test_user</em> will be created as a locked user account, disallowing normal login to the computer.</p>
<pre class="wp-block-preformatted"><strong>Create 'samba_test_user', and lock the account:</strong>
~]# useradd samba_test_user
~]# passwd --lock samba_test_user
<strong>Set a Samba Password for this Test User (such as 'test'):</strong>
~]# smbpasswd -a samba_test_user</pre>
<h4>Test Read Only access to the Public Share:</h4>
<pre class="wp-block-preformatted"><strong>Add samba_test_user to the public_readonly group:</strong>
~]# gpasswd --add samba_test_user public_readonly
<strong>Log in to the local Samba Service (public folder):</strong>
~]$ smbclient --user=samba_test_user //localhost/public
<strong>First, the <em>ls</em> command should succeed,
second, the <em>mkdir</em> command should not work,
and finally, <em>exit</em>:</strong>
smb: \> ls
smb: \> mkdir error
smb: \> exit
<strong>Remove samba_test_user from the public_readonly group:</strong>
~]# gpasswd --delete samba_test_user public_readonly</pre>
<h4>Test Read and Write access to the Public Share:</h4>
<pre class="wp-block-preformatted"><strong>Add samba_test_user to the public_readwrite group:</strong>
~]# gpasswd --add samba_test_user public_readwrite
<strong>Log in to the local Samba Service (public folder):</strong>
~]$ smbclient --user=samba_test_user //localhost/public
<strong>First, the <em>ls</em> command should succeed,
second, the <em>mkdir</em> command should work,
third, the <em>rmdir</em> command should work,
and finally, <em>exit</em>:</strong>
smb: \> ls
smb: \> mkdir success
smb: \> rmdir success
smb: \> exit
<strong>Remove samba_test_user from the public_readwrite group:</strong>
~]# gpasswd --delete samba_test_user public_readwrite</pre>
<p>After testing is completed, for security, disable <strong>samba_test_user</strong>’s ability to log in via Samba.</p>
<pre class="wp-block-preformatted"><strong>Disable samba_test_user login via samba:</strong>
~]# smbpasswd -d samba_test_user</pre>
<h2>Home Folder Sharing</h2>
<p>In this last section of the guide, Samba will be configured to share a user home folder.</p>
<p>For example: If the user bob has been registered with <em>smbpasswd</em>, bob’s home directory <em>/home/bob</em>, would become the share <em>//server-name/bob</em>.</p>
<p>This share will only be available for bob, and no other users.</p>
<pre class="wp-block-verse">This is a very convenient way of accessing your own local files; however, naturally it carries a security risk.</pre>
<h3>Setup Home Folder Sharing</h3>
<h4>Give Samba Permission for Home Folder Sharing</h4>
<pre class="wp-block-preformatted"><strong>Set SELinux Boolean allowing Samba to read and write to home folders:</strong>
~]# setsebool -P samba_enable_home_dirs=1
<strong>Verify bool has been correctly set:</strong>
~]$ getsebool samba_enable_home_dirs
<strong>Expected Output:</strong>
<em>samba_enable_home_dirs --> on</em></pre>
<h4>Add Home Sharing to the Samba Configuration</h4>
<p><strong>Append the following to the system’s smb.conf file:</strong></p>
<pre class="wp-block-preformatted"># The home folder dynamically links to the user home.

# If the 'bob' user uses Samba:
# The homes section is used as the template for a new virtual share:

# [homes]
# ... (various options)

# A virtual section for 'bob' is made:
# Share is modified: [homes] -> [bob]
# Path is added: path = /home/bob
# Any option within the [homes] section is appended.

# [bob]
# path = /home/bob
# ... (copy of various options)

# Here is our share,
# the same as is included in the Fedora default configuration.

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes</pre>
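<p>The two share definitions in this guide, <em>[public]</em> above and <em>[homes]</em> here, are short enough to check by eye, but the settings that matter for exposure (<em>guest ok</em>, <em>map to guest</em>, the <em>valid users</em> line on <em>[homes]</em>, <em>browseable</em>) are easy to lose in later edits. The following Python script is an added example, not part of the original article or of Samba itself: it parses an smb.conf of this shape and reports such findings, using the guide's configuration as a constructed good sample and a constructed weakened variant beside it. The checks are this example's own policy, not a Samba feature.</p>

```python
"""Audit an smb.conf of the shape built in this guide (added example, not
from the article). Policy: shares must name a path and not admit guests,
[global] must not map failed logins to guest, and [homes] must keep its
'valid users' restriction and stay unbrowseable."""
import re
from typing import Dict, List

Config = Dict[str, Dict[str, str]]

# Constructed sample: the [public] and [homes] shares from this guide.
GUIDE_CONF = """\
# smb.conf - Samba Configuration File
[global]

[public]
path = /srv/public
comment = Public Folder
read only = No

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
"""

# Constructed weak variant: failed logins mapped to guest, a guest-writable
# public share, and a [homes] section whose valid users line was dropped.
WEAK_CONF = """\
[global]
map to guest = Bad User

[public]
path = /srv/public
read only = No
guest ok = Yes

[homes]
browseable = Yes
read only = No
"""


def parse_smb_conf(text: str) -> Config:
    """Minimal parser: [section] headers, 'key = value' lines, '#'/';'
    comments. Samba treats parameter names case-insensitively and ignores
    spacing, so keys are normalised to lower case with single spaces."""
    conf: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def smb_bool(value: str, default: bool) -> bool:
    """Samba accepts yes/no, true/false and 1/0 for boolean parameters."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return default


def is_writable(share: Dict[str, str]) -> bool:
    """'read only' (default yes) wins; 'writable'/'writeable' are its inverse."""
    if "read only" in share:
        return not smb_bool(share["read only"], True)
    for alias in ("writable", "writeable", "write ok"):
        if alias in share:
            return smb_bool(share[alias], False)
    return False


def audit(conf: Config) -> List[str]:
    """Return a list of findings; an empty list means the policy holds."""
    findings: List[str] = []
    glob = conf.get("global", {})
    if glob.get("map to guest", "never").lower() != "never":
        findings.append("[global] map to guest lets failed logins in as guest")
    for name, share in conf.items():
        if name in ("global", "printers"):
            continue
        if name != "homes" and "path" not in share:
            findings.append(f"[{name}] has no path")
        if smb_bool(share.get("guest ok", "no"), False):
            kind = "writable" if is_writable(share) else "read-only"
            findings.append(f"[{name}] is a {kind} share with guest ok")
    homes = conf.get("homes")
    if homes is not None:
        if "valid users" not in homes:
            findings.append("[homes] lacks valid users: other SMB users can "
                            "connect to a user's home share")
        browse = homes.get("browseable", homes.get("browsable", "yes"))
        if smb_bool(browse, True):
            findings.append("[homes] is browseable")
    return findings


if __name__ == "__main__":
    for label, text in (("guide", GUIDE_CONF), ("weak", WEAK_CONF)):
        print(label, audit(parse_smb_conf(text)) or "no findings")
```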
<h4>Reload Samba Configuration</h4>
<pre class="wp-block-preformatted"><strong>Tell Samba to reload its configuration:</strong>
~]# smbcontrol all reload-config</pre>
<h3>Test Home Directory Sharing</h3>
<pre class="wp-block-preformatted"><strong>Switch to samba_test_user and create a folder in its home directory:</strong>
~]# su samba_test_user
samba_test_user:~]$ cd ~
samba_test_user:~]$ mkdir --verbose test_folder
samba_test_user:~]$ exit
<strong>Enable samba_test_user to log in via Samba:</strong>
~]# smbpasswd -e samba_test_user
<strong>Log in to the local Samba Service (samba_test_user home folder):</strong>
~]$ smbclient --user=samba_test_user //localhost/samba_test_user
<strong>Test (all commands should complete without error):</strong>
smb: \> ls
smb: \> ls test_folder
smb: \> rmdir test_folder
smb: \> mkdir home_success
smb: \> rmdir home_success
smb: \> exit
<strong>Disable samba_test_user from logging in via Samba:</strong>
~]# smbpasswd -d samba_test_user</pre>
</div>
https://www.sickgaming.net/blog/2020/06/...ith-samba/
<div><p>Sharing files with Fedora 32 using Samba is cross-platform, convenient, reliable, and performant.</p>
<h2>What is ‘Samba’?</h2>
<p><a href="https://www.samba.org/samba/">Samba</a> is a high-quality implementation of <a href="https://en.wikipedia.org/wiki/Server_Message_Block">Server Message Block protocol (SMB)</a>. Originally developed by Microsoft for connecting windows computers together via local-area-networks, it is now extensively used for internal network communications.</p>
<p>Apple used to maintain it’s own independent file sharing called “<a href="https://en.wikipedia.org/wiki/Apple_Filing_Protocol">Apple Filing Protocol (<strong>AFP</strong>)</a>“, however in <a href="https://appleinsider.com/articles/13/06/11/apple-shifts-from-afp-file-sharing-to-smb2-in-os-x-109-mavericks">recent times</a>, it also has also switched to SMB.</p>
<p><strong>In this guide we provide the minimal instructions to enable:</strong></p>
<ul>
<li>Public Folder Sharing (Both Read Only and Read Write)</li>
<li>User Home Folder Access</li>
</ul>
<pre class="wp-block-verse">Note about this guide: The convention '<strong>~]$</strong>' for a local user command prompt, and '<strong>~]#</strong>' for a super user prompt will be used.</pre>
<p> <span id="more-31015"></span> </p>
<h2>Public Sharing Folder</h2>
<p>Having a shared public place where authenticated users on an internal network can access files, or even modify and change files if they are given permission, can be very convenient. This part of the guide walks through the process of setting up a shared folder, ready for sharing with Samba.</p>
<pre class="wp-block-verse has-text-align-left">Please Note: This guide assumes the public sharing folder is on a Modern Linux Filesystem; other filesystems such as NTFS or FAT32 will not work. Samba uses POSIX Access Control Lists (ACLs). For those who wish to learn more about Access Control Lists, please consider reading the documentation: "<a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-access_control_lists">Red Hat Enterprise Linux 7: System Administrator's Guide: Chapter 5. Access Control Lists</a>", as it likewise applies to Fedora 32. In General, this is only an issue for anyone who wishes to share a drive or filesystem that was created outside of the normal Fedora Installation process. (such as a external hard drive). <em>It is possible for Samba to share filesystem paths that do not support POSIX ACLs, however this is out of the scope of this guide.</em></pre>
<h3>Create Folder</h3>
<p>For this guide the<strong><em> /srv/public/ </em></strong>folder for sharing will be used.</p>
<blockquote class="wp-block-quote">
<p>The <em>/srv/</em> directory contains site-specific data served by a Red Hat Enterprise Linux system. This directory gives users the location of data files for a particular service, such as FTP, WWW, or CVS. Data that only pertains to a specific user should go in the <em>/home/</em> directory.</p>
<p><cite><a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/ch-filesystem#s3-filesystem-srv">Red Hat Enterprise Linux 7, Storage Administration Guide: Chapter 2. File System Structure and Maintenance: 2.1.1.8. The /srv/ Directory</a></cite></p></blockquote>
<pre class="wp-block-preformatted"><strong>Make the Folder (will provide an error if the folder already exists).</strong>
~]# mkdir --verbose /srv/public <strong>Verify folder exists:</strong>
~]$ ls --directory /srv/public <strong>Expected Output:</strong>
<em>/srv/public</em></pre>
<h3>Set Filesystem Security Context</h3>
<p>To have <em>read and write</em> access to the public folder the <em>public_content_rw_t </em>security context will be used for this guide. Those wanting <em>read only</em> may use: <em>public_content_t</em>.</p>
<blockquote class="wp-block-quote">
<p>Label files and directories that have been created with the <em>public_content_rw_t</em> type to share them with read and write permissions through vsftpd. Other services, such as Apache HTTP Server, Samba, and NFS, also have access to files labeled with this type. Remember that booleans for each service must be enabled before they can write to files labeled with this type.</p>
<p><cite><a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-managing_confined_services-file_transfer_protocol#sect-Managing_Confined_Services-File_Transfer_Protocol-Types">Red Hat Enterprise Linux 7, SELinux User’s and Administrator’s Guide: Chapter 16. File Transfer Protocol: 16.1. Types: public_content_rw_t</a></cite></p></blockquote>
<p>Add <em>/srv/public</em> as <em>“public_content_rw_t”</em> in the system’s local filesystem security context customization registry:</p>
<pre class="wp-block-preformatted"><strong>Add new security filesystem security context:</strong>
~]# semanage fcontext --add --type public_content_rw_t "/srv/public(/.*)?" <strong></strong><strong>Verifiy new security filesystem security context:</strong>
~]# semanage fcontext --locallist --list <strong>Expected Output: (should include)</strong>
<em>/srv/public(/.*)? all files system_u:object_r:public_content_rw_t:s0</em></pre>
<p>Now that the folder has been added to the local system’s filesystem security context registry; The <strong>restorecon</strong> command can be used to ‘restore’ the context to the folder:</p>
<pre class="wp-block-preformatted"><strong>Restore security context to the /srv/public folder:</strong>
$~]# restorecon -Rv /srv/public <strong>Verify security context was correctly applied:</strong>
~]$ ls --directory --context /srv/public/ <strong>Expected Output:</strong>
<em>unconfined_u:object_r:<strong>public_content_rw_t</strong>:s0 /srv/public/</em></pre>
<h3>User Permissions</h3>
<h4>Creating the Sharing Groups</h4>
<p>To allow a user to either have <em>read only</em>, or <em>read and write</em> accesses to the public share folder create two new groups that govern these privileges: <em>public_readonly</em> and <em>public_readwrite</em>.</p>
<p>User accounts can be granted access to <em>read only</em>, or <em>read and write</em> by adding their account to the respective group (and allow login via Samba creating a smb password). This process is demonstrated in the section: “Test Public Sharing (localhost)”.</p>
<pre class="wp-block-preformatted"><strong>Create the public_readonly and public_readwrite groups:</strong>
~]# groupadd public_readonly
~]# groupadd public_readwrite <strong>Verify successful creation of groups:</strong>
~]$ getent group public_readonly public_readwrite <strong>Expected Output: (Note: <em>x:1...:</em> number will probability differ on your System)</strong>
<em>public_readonly:x:1009:
public_readwrite:x:1010:</em></pre>
<h4>Set Permissions</h4>
<p>Now set the appropriate user permissions to the public shared folder:</p>
<pre class="wp-block-preformatted"><strong>Set User and Group Permissions for Folder:</strong>
~]# chmod --verbose 2700 /srv/public
~]# setfacl -m group:public_readonly:r-x /srv/public
~]# setfacl -m default:group:public_readonly:r-x /srv/public
~]# setfacl -m group:public_readwrite:rwx /srv/public
~]# setfacl -m default:group:public_readwrite:rwx /srv/public <strong>Verify user permissions have been correctly applied:</strong>
~]$ getfacl --absolute-names /srv/public <strong>Expected Output:</strong>
<em>file: /srv/public
owner: root
group: root
flags: -s-
user::rwx
group::---
group:public_readonly:r-x
group:public_readwrite:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:public_readonly:r-x
default:group:public_readwrite:rwx
default:mask::rwx
default:other::---</em></pre>
<h2>Samba </h2>
<h3>Installation</h3>
<pre class="wp-block-preformatted">~]# dnf install samba</pre>
<h3>Hostname (systemwide)</h3>
<p>Samba will use the name of the computer when sharing files; it is good to set a hostname so that the computer can be found easily on the local network.</p>
<pre class="wp-block-preformatted"><strong>View Your Current Hostname:</strong>
~]$ hostnamectl status</pre>
<p>If you wish to change your hostname to something more descriptive, use the command:</p>
<pre class="wp-block-preformatted"><strong>Modify your system's hostname (example):</strong>
~]# hostnamectl set-hostname "simple-samba-server"</pre>
<pre class="wp-block-verse has-text-align-left">For a more complete overview of the <strong>hostnamectl</strong> command, please read the previous Fedora Magazine Article: "<a href="https://fedoramagazine.org/set-hostname-fedora/">How to set the hostname on Fedora</a>".</pre>
<h3>Firewall</h3>
<p>Configuring your firewall is a complex and involved task. This guide will just have the most minimal manipulation of the firewall to enable Samba to pass through.</p>
<pre class="wp-block-verse">For those who are interested in learning more about configuring firewalls; please consider reading the documentation: "<a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/using-and-configuring-firewalls_securing-networks">Red Hat Enterprise Linux 8: Securing networks: Chapter 5. Using and configuring firewall</a>", as it generally applies to Fedora 32 as well.</pre>
<pre class="wp-block-preformatted"><strong>Allow Samba access through the firewall:</strong>
~]# firewall-cmd --add-service=samba --permanent
~]# firewall-cmd --reload <strong>Verify Samba is included in your active firewall:</strong>
~]$ firewall-cmd --list-services <strong>Output (should include):</strong>
<em>samba</em></pre>
<h3>Configuration</h3>
<h4>Remove Default Configuration</h4>
<p>The stock configuration that is included with Fedora 32 is not required for this simple guide. In particular it includes support for sharing printers with Samba.</p>
<p>For this guide make a backup of the default configuration and create a new configuration file from scratch.</p>
<pre class="wp-block-preformatted"><strong>Create a backup copy of the existing Samba Configuration:</strong>
~]# cp --verbose --no-clobber /etc/samba/smb.conf /etc/samba/smb.conf.fedora0 <strong>Empty the configuration file:</strong>
~]# > /etc/samba/smb.conf</pre>
<h4>Samba Configuration</h4>
<pre class="wp-block-verse">Please Note: This configuration file does not contain any global definitions; the defaults provided by Samba are good for purposes of this guide.</pre>
<pre class="wp-block-preformatted"><strong>Edit the Samba Configuration File with Vim:</strong>
~]# vim /etc/samba/smb.conf</pre>
<p>Add the following to<em> /etc/samba/smb.conf</em> file:</p>
<pre class="wp-block-preformatted"># smb.conf - Samba Configuration File # The name of the share is in square brackets [],
# this will be shared as //hostname/sharename # There are a three exceptions:
# the [global] section;
# the [homes] section, that is dynamically set to the username;
# the [printers] section, same as [homes], but for printers. # path: the physical filesystem path (or device)
# comment: a label on the share, seen on the network.
# read only: disable writing, defaults to true. # For a full list of configuration options,
# please read the manual: "man smb.conf". [global] [public]
path = /srv/public
comment = Public Folder
read only = No</pre>
<h3>Write Permission</h3>
<p>By default Samba is not granted permission to modify any file of the system. Modify system’s security configuration to allow Samba to modify any filesystem path that has the security context of <em>public_content_rw_t</em>.</p>
<p>For convenience, Fedora has a built-in SELinux Boolean for this purpose called: <em>smbd_anon_write</em>, setting this to <em>true</em> will enable Samba to write in any filesystem path that has been set to the security context of <em>public_content_rw_t</em>.</p>
<p>For those who are wishing Samba only have a read-only access to their public sharing folder, they may choose skip this step and not set this boolean.</p>
<pre class="wp-block-verse">There are many more SELinux boolean that are available for Samba. For those who are interested, please read the documentation: "<a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-samba-booleans">Red Hat Enterprise Linux 7: SELinux User's and Administrator's Guide: 15.3. Samba Booleans</a>", it also apply to Fedora 32 without any adaptation.</pre>
<pre class="wp-block-preformatted"><strong>Set SELinux Boolean allowing Samba to write to filesystem paths set with the security context <em>public_content_rw_t</em>:</strong>
~]# setsebool -P smbd_anon_write=1

<strong>Verify bool has been correctly set:</strong>
~]$ getsebool smbd_anon_write

<strong>Expected Output:</strong>
<em>smbd_anon_write --> on</em></pre>
<h2>Samba Services</h2>
<p>The Samba service is divided into two parts that we need to start.</p>
<h3>Samba ‘smb’ Service</h3>
<p>The Samba “Server Message Block” (SMB) service is for sharing files and printers over the local network.</p>
<p>Manual: “<a href="https://www.samba.org/samba/docs/current/man-html/smbd.8.html">smbd – server to provide SMB/CIFS services to clients</a>“</p>
<h3>Enable and Start Services</h3>
<pre class="wp-block-verse">For those who are interested in learning more about configuring, enabling, disabling, and managing services, please consider studying the documentation: "<a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-managing_services_with_systemd-services">Red Hat Enterprise Linux 7: System Administrator's Guide: 10.2. Managing System Services</a>".</pre>
<pre class="wp-block-preformatted"><strong>Enable and start smb and nmb services:</strong>
~]# systemctl enable smb.service
~]# systemctl start smb.service

<strong>Verify smb service:</strong>
~]# systemctl status smb.service</pre>
<h3>Test Public Sharing (localhost)</h3>
<p>To demonstrate allowing and removing access to the public shared folder, create a new user called <em>samba_test_user</em>. This user will first be granted permission to read the public folder, and then permission to read and write it.</p>
<p>The same process demonstrated here can be used to grant access to your public shared folder to other users of your computer.</p>
<p>The <em>samba_test_user</em> will be created as a locked user account, disallowing normal login to the computer.</p>
<pre class="wp-block-preformatted"><strong>Create 'samba_test_user', and lock the account:</strong>
~]# useradd samba_test_user
~]# passwd --lock samba_test_user

<strong>Set a Samba Password for this Test User (such as 'test'):</strong>
~]# smbpasswd -a samba_test_user</pre>
<h4>Test Read Only access to the Public Share:</h4>
<pre class="wp-block-preformatted"><strong>Add samba_test_user to the public_readonly group:</strong>
~]# gpasswd --add samba_test_user public_readonly

<strong>Login to the local Samba Service (public folder):</strong>
~]$ smbclient --user=samba_test_user //localhost/public

<strong>First, the <em>ls</em> command should succeed,
Second, the <em>mkdir</em> command should not work,
and finally, <em>exit</em>:</strong>
smb: \> ls
smb: \> mkdir error
smb: \> exit

<strong>Remove samba_test_user from the public_readonly group:</strong>
~]# gpasswd --delete samba_test_user public_readonly</pre>
<h4>Test Read and Write access to the Public Share:</h4>
<pre class="wp-block-preformatted"><strong>Add samba_test_user to the public_readwrite group:</strong>
~]# gpasswd --add samba_test_user public_readwrite

<strong>Login to the local Samba Service (public folder):</strong>
~]$ smbclient --user=samba_test_user //localhost/public

<strong>First, the <em>ls</em> command should succeed,
Second, the <em>mkdir</em> command should work,
Third, the <em>rmdir</em> command should work,
and finally, <em>exit</em>:</strong>
smb: \> ls
smb: \> mkdir success
smb: \> rmdir success
smb: \> exit

<strong>Remove samba_test_user from the public_readwrite group:</strong>
~]# gpasswd --delete samba_test_user public_readwrite</pre>
<p>After testing is completed, for security, disable <strong>samba_test_user</strong>’s ability to log in via Samba.</p>
<pre class="wp-block-preformatted"><strong>Disable samba_test_user login via samba:</strong>
~]# smbpasswd -d samba_test_user</pre>
<h2>Home Folder Sharing</h2>
<p>In this last section of the guide, Samba will be configured to share a user home folder.</p>
<p>For example: if the user bob has been registered with <em>smbpasswd</em>, bob’s home directory <em>/home/bob</em> would become the share <em>//server-name/bob</em>.</p>
<p>This share will be available only to bob, and to no other users.</p>
<pre class="wp-block-verse">This is a very convenient way of accessing your own local files; however, it naturally carries a security risk.</pre>
<h3>Setup Home Folder Sharing</h3>
<h4>Give Samba Permission for Home Folder Sharing</h4>
<pre class="wp-block-preformatted"><strong>Set SELinux Boolean allowing Samba to read and write to home folders:</strong>
~]# setsebool -P samba_enable_home_dirs=1

<strong>Verify bool has been correctly set:</strong>
~]$ getsebool samba_enable_home_dirs

<strong>Expected Output:</strong>
<em>samba_enable_home_dirs --> on</em></pre>
<h4>Add Home Sharing to the Samba Configuration</h4>
<p><strong>Append the following to the system’s smb.conf file:</strong></p>
<pre class="wp-block-preformatted"># The home folder dynamically links to the user home.

# If 'bob' user uses Samba:
# The homes section is used as the template for a new virtual share:

# [homes]
# ... (various options)

# A virtual section for 'bob' is made:
# Share is modified: [homes] -> [bob]
# Path is added: path = /home/bob
# Any option within the [homes] section is appended.

# [bob]
# path = /home/bob
# ... (copy of various options)

# here is our share,
# same as is included in the Fedora default configuration.

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes</pre>
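<p>To see how the <em>[public]</em> share above and the <em>[homes]</em> template combine into what a user can actually reach, here is an added example (not part of this guide or of Samba): a small Python auditor that parses share sections, normalises the <em>read only</em> / <em>writable</em> / <em>writeable</em> synonyms, and expands <em>[homes]</em> into the per-user virtual share the way the comments above describe. The configuration text is constructed from this guide; the <em>WORKGROUP</em> domain, the winbind separator and the <em>/home/&lt;user&gt;</em> path are placeholders, since real Samba takes the home directory from the account database.</p>

```python
# Added example (not from the guide): parse smb.conf shares, normalise the 'read
# only'/'writable' synonyms, expand [homes] per user. SAMPLE_CONF is constructed.
SAMPLE_CONF = """
[public]
path = /srv/public
read only = No
[homes]
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
"""

def parse_smb_conf(text):
    # [section] / key = value lines; '#' and ';' open comments; names are lowered
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def is_writable(share):
    # 'writable'/'writeable' are the inverse of 'read only', whose default is yes
    for key in ("writable", "writeable"):
        if key in share:
            return share[key].lower() in ("yes", "true", "1")
    return share.get("read only", "yes").lower() not in ("yes", "true", "1")

def expand_homes(homes, user, domain="WORKGROUP", sep="\\"):
    # Virtual [user] share: path defaults to /home/<user>; %S/%D/%w expanded (placeholders)
    share = {"path": f"/home/{user}", **homes}
    return {k: v.replace("%S", user).replace("%D", domain).replace("%w", sep)
            for k, v in share.items()}

def audit(conf, user):
    # Shares `user` could reach: (path, writable?, who may connect)
    out = {}
    for name, share in conf.items():
        if name == "homes":
            name, share = user, expand_homes(share, user)
        elif name in ("global", "printers"):
            continue
        users = [u.strip() for u in share.get("valid users", "").split(",") if u.strip()]
        out[name] = (share.get("path"), is_writable(share), users or ["any authenticated user"])
    return out
```

<p>Running <em>audit(parse_smb_conf(SAMPLE_CONF), "bob")</em> reports the writable <em>/srv/public</em> share open to any authenticated user, and a writable <em>bob</em> share at <em>/home/bob</em> restricted by <em>valid users</em> to <em>bob</em> and <em>WORKGROUP\bob</em>.</p>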
<h4>Reload Samba Configuration</h4>
<pre class="wp-block-preformatted"><strong>Tell Samba to reload its configuration:</strong>
~]# smbcontrol all reload-config</pre>
<h3>Test Home Directory Sharing</h3>
<pre class="wp-block-preformatted"><strong>Switch to samba_test_user and create a folder in its home directory:</strong>
~]# su samba_test_user
samba_test_user:~]$ cd ~
samba_test_user:~]$ mkdir --verbose test_folder
samba_test_user:~]$ exit

<strong>Enable samba_test_user to login via Samba:</strong>
~]# smbpasswd -e samba_test_user

<strong>Login to the local Samba Service (samba_test_user home folder):</strong>
~]$ smbclient --user=samba_test_user //localhost/samba_test_user

<strong>Test (all commands should complete without error):</strong>
smb: \> ls
smb: \> ls test_folder
smb: \> rmdir test_folder
smb: \> mkdir home_success
smb: \> rmdir home_success
smb: \> exit

<strong>Disable samba_test_user from logging in via Samba:</strong>
~]# smbpasswd -d samba_test_user</pre>
</div>
https://www.sickgaming.net/blog/2020/06/...ith-samba/