Configure Samba for the Red Hat Certified Engineer Exam
This page describes how to configure a samba server for the RHCE exam. There are two objectives under this topic and they are:
- Provide network shares to specific clients.
- Provide network shares suitable for group collaboration.
Configure a Samba Share
This section will show an example of how to configure a samba share for the objective of:
- Provide network shares to specific clients.
Install the Samba Software
1) Install samba software
The first thing you will need to do is to install the samba software and this can be done using the following command:
yum -y install samba
Edit the smb.conf Configuration File
2) The next step is to edit the configuration file. Open the configuration file with the editor of your preference, for example:
nano /etc/samba/smb.conf
The first thing to do is to edit the “hosts allow” parameter. This specifies which subnets will be allowed to access the samba share. Be sure to include the proper address here.
examples:
hosts allow = 127. 192.168.1.
3) Add a section for the directory you would like to share. For this example we will share the directory /test_share
The section is labeled:
#======================= Share Definitions ===============
[test_share]
comment = test share
path = /test_share/
browseable = yes
writeable = yes
public = yes
read only = no
valid users = john
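As a check on the share definition above, the following added example (not part of the original page) summarises each share in an smb.conf file by guest access, valid users and hosts allow, so a share that admits more than the intended clients stands out; public is a synonym for guest ok. The function names, the [docs] share and its path are constructed for illustration, and include files and line continuations are not handled.

```shell
# Constructed sample: the settings from this page plus a hypothetical [docs] share.
sample_conf() {
cat <<'EOF'
[global]
    hosts allow = 127. 192.168.1.
[test_share]
    path = /test_share/
    public = yes
    read only = no
    valid users = john
[docs]
    path = /srv/docs
    guest ok = no
EOF
}

# One line per share: name|guest=yes/no|users=...|hosts=...
# Reads the file given as $1, or standard input when no file is given.
audit_shares() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function emit(   h) {
        if (name == "" || name == "global") return
        h = (hosts != "") ? hosts : ((ghosts != "") ? ghosts : "-")
        printf "%s|guest=%s|users=%s|hosts=%s\n", name, guest, users, h
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comments and blank lines
    /^[ \t]*\[.*\]/ {                            # section header starts a new share
        emit()
        name = tolower($0); sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
        guest = "no"; users = "-"; hosts = ""
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)   # Samba ignores case and spaces in names
        val = trim(substr($0, eq + 1))
        if (key == "guestok" || key == "public") guest = (tolower(val) ~ /^(yes|true|1)$/) ? "yes" : "no"
        else if (key == "validusers") users = val
        else if (key == "hostsallow" || key == "allowhosts") { if (name == "global") ghosts = val; else hosts = val }
    }
    END { emit() }
    ' "${1:--}"
}

# Names of shares that admit guests or have no valid users list.
loose_shares() {
    audit_shares "$@" | awk -F'|' '$2 == "guest=yes" || $3 == "users=-" { print $1 }'
}

sample_conf | audit_shares
```

On the server, testparm -s prints the configuration as Samba itself parses it, which is the authoritative view to compare against.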
Add Samba Users
4) Next you will need to add the user(s) to the samba service.
smbpasswd -a john
Configuring SELinux
Once the configuration file is set you won’t be able to share the directory unless “SELinux” is configured properly. SELinux adds an extra layer of security to Linux to help protect your system. There are a few ways of doing this.
A)
The first possibility is to disable SELinux altogether or set it to permissive mode. This is not recommended as it will leave the system in a vulnerable state. SELinux can be disabled or set to permissive mode by editing the “/etc/selinux/config” file.
Note: If you are practicing for the RHCE exam SELinux must be enabled or else you will likely fail the exam. You have to be able to work with SELinux enabled for this objective and all of the others.
Set the following values in the “/etc/selinux/config” file to change the SELinux modes.
SELINUX=enforcing #SELinux security policy is enforced.
SELINUX=permissive #SELinux prints warnings instead of enforcing them.
SELINUX=disabled #SELinux is Disabled
If you decide to make any changes you will need to reboot for the changes to take effect.
Again, permissive and disabled modes will allow you to share all the directories on a system, but they leave the system vulnerable and are not recommended.
B)
Directories can also be shared with SELinux enabled by enabling SELinux “boolean” values. This is a better option than disabling SELinux entirely but can expose all of the directories to the Samba service. You can get a listing of the boolean values associated with samba with the command:
getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
The two that we are interested in for sharing the directory are:
samba_export_all_ro #Makes all directories available to samba with read-only permissions
samba_export_all_rw #Makes all directories available to samba with read-write permissions
These permissions will take precedence over the settings in the Samba smb.conf config file. For example, if the smb.conf file lists the directory as “writable” but the SELinux boolean for “samba_export_all_ro” (read only) is enabled, the directory will be read only for the Samba users.
You can turn on the boolean value with the following commands:
setsebool -P samba_export_all_ro on
or
setsebool -P samba_export_all_rw on
You can turn a boolean off with this command syntax:
setsebool -P <boolean_name> off
example
setsebool -P samba_export_all_rw off
C)
The last option I’ll go over is setting the SELinux context only for the directory you want to share. It will only allow the Samba service to access the directory that has the appropriate security contexts. For this, ensure that the boolean values discussed in the previous section are set to “off” and also that SELinux is in enforcing mode.
chcon -t samba_share_t /test_share
This command will change the SELinux contexts on the “/test_share” directory so that its contents can be accessed with the Samba service. Again this is the best option for security as it only shares the directories that you specify. This may also be the best option to use with the RHCE exam.
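A label set with chcon survives a reboot but is reverted by a filesystem relabel or a restorecon run, because the policy's file-context rules still describe the old type. The shell functions below are an added example, not part of the original page: they record the samba_share_t rule with semanage fcontext and apply it with restorecon. The function names and the RUN dry-run variable are made up for illustration.

```shell
# Added example, not from the original page. Assumes semanage is installed
# (on RHEL 6 it ships in the policycoreutils-python package).
# Set RUN=echo to print the commands instead of running them.
RUN=${RUN:-}

# File-context pattern covering the directory and everything beneath it.
share_fcontext_regex() {
    dir=${1%/}                  # /test_share/ and /test_share give the same rule
    printf '%s(/.*)?' "$dir"
}

# Type field of an SELinux context string (user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True when the directory currently carries the samba_share_t type.
share_is_labelled() {
    [ "$(context_type "$(stat -c %C "$1")")" = samba_share_t ]
}

# Store the rule in the local policy, then apply it to the files on disk.
label_samba_share() {
    dir=${1%/}
    $RUN semanage fcontext -a -t samba_share_t "$(share_fcontext_regex "$dir")" &&
    $RUN restorecon -Rv "$dir"
}

# Usage on the server, as root:
#   label_samba_share /test_share && share_is_labelled /test_share && echo labelled
```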
Configure the Iptables Service
5) The next step is to open the ports used by samba in the firewall. You can do this by adding the following lines to the /etc/sysconfig/iptables file:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
Save the file and exit your text editor.
Note: You could also disable the firewall to avoid doing this step but it will cause you to fail the RHCE exam as the firewall must be enabled.
Restart the Services
Once all of the configuration files are configured it’s time to restart the various services. These steps are often overlooked but are the most important. On the RHCE Exam your configuration must survive a reboot and you can do so with the steps below:
A) First set the service so that it starts at boot
chkconfig smb on
B) Start the smb service to activate it. If you have already activated it you should restart it to load the new settings.
service smb start
or
service smb restart
C) Restart the Iptables service to load the new firewall settings
service iptables restart
Thanks for this material, only one thing that you can fix here:
* Configure the Iptables Service
UDP ports must be opened in ports 137 and 138 instead of TCP ports
You are right and I’ve updated this section.
Thanks for your input