Configure Samba for the Red Hat Certified Engineer Exam
This page describes how to configure a samba server for the RHCE exam. There are two objectives under this topic and they are:
- Provide network shares to specific clients.
- Provide network shares suitable for group collaboration.
Configure a Samba Share
This section will show an example of how to configure a samba share for the objective of:
- Provide network shares to specific clients.
Install the Samba Software
1) Install samba software
The first thing you will need to do is to install the samba software and this can be done using the following command:
yum -y install samba
Edit the smb.conf Configuration File
2) The next step is to edit the configuration file. Open the configuration with the editor of your preference for example:
The first thing to do is to edit the “hosts allow” section. This specifies which subnets will be allowed to access the samba share. Be sure to include the proper address here.
hosts allow = 127. 192.168.1.
3) Add a section for the directory you would like to share. For this example we will share the directory /test_share
The section is labeled:
#======================= Share Definitions ===============
comment = test share
path = /test_share/
browseable = yes
writeable = yes
public = yes
read only = no
valid users = john
Add Samba Users
4) Next you will need to add the user(s) to the samba service.
smbpasswd -a john
Once the configuration file is set you won’t be able to share the directory unless “SELinux” is configured properly. SELinux adds an extra later of security to Linux to help protect your system. There are a few ways of doing this.
The first possibility is to disable SELinux all together or set it to permissive mode. This is not recommended as it will leave the system in a vulnerable state. SElinux can be disabled or set to permissive mode by editing the “/etc/selinux/config”
Note: If you are practicing for the RHCE exam SELinux must be enabled or else you will likely fail the exam. You have to be able to work with SELinux enabled for this objective and all of the others.
Set the following values in the “/etc/selinux/config” file to change the SELinux modes.
SELINUX=enforcing #SELinux security policy is enforced.
SELINUX=permissive #SELinux prints warnings instead of enforcing them.
SELINUX=disabled #SELinux is Disabled
If you decided to make any changes you will need to reboot for the changes to take effect.
Again permissive and disabled mode will allow you to share all the directories on a system but leave the system vulnerable and is not recommended.
Directories can also be shared with SELinux enabled and enabling SELinux “boolean” values. This is a better option than disabling SELinux entirely but can expose all of the directories to the Samba service. You can get a listing of the boolean values associated with samba with the command:
getsebool -a | grep samba
samba_create_home_dirs –> off
samba_domain_controller –> off
samba_enable_home_dirs –> off
samba_export_all_ro –> off
samba_export_all_rw –> off
samba_run_unconfined –> off
samba_share_fusefs –> off
samba_share_nfs –> off
use_samba_home_dirs –> off
virt_use_samba –> off
The two that are interested in for sharing the directory are:
samba_export_all_ro #Makes all directories available to samba with read-only permissions
samba_export_all_rw #Makes all directories available to samba with read-write permissions
These permissions will take precedent of the settings in the Samba smb.conf config file. For example if the smb.conf file lists the directory as “writable” but the SElinux boolean for “samba_export_all_ro” (read only) is enabled, the directory will be read only for the Samba users.
You can turn on the boolean value with the following commands:
setsebool -P samba_export_all_ro on
setsebool -P samba_export_all_rw on
You can turn an boolean off with this command syntax:
setsebool -P <boolean_name> on
setsebool -P samba_export_all_rw off
The last option I’ll go over is setting the SELinux context simply for the directory you want to share. It will only allow the Samba service to access the directory that has the appropriate security contexts. For this ensure that the booleans values discussed in the previous section are set to “off” and also that SELinux is in enforcing mode.
chcon -t samba_share_t /test_share
This command will change the SELinux contexts on the “/test_share” directory so that its contents can be accessed with the Samba service. Again this is the best option for security as it only shares the directories that you specify. This may also be the best option to use with the RHCE exam.
Configure the Iptables Service
4) The next step is to open the ports used by samba in the firewall. You can do thies by adding the following lines to the /etc/sysconfig/iptables file:
-A INPUT -m state –state NEW -m tcp -p tcp –dport 137 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 138 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 139 -j ACCEPT
-A INPUT -m state –state NEW-m tcp -p tcp –dport 445 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 137 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 138 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 139 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 445 -j ACCEPT
Save the file and exit your text editor.
Note: You could also disable the firewall to avoid doing this step but it will cause you to fail the RHCE exam as the firewall must be enabled.
Restart the Services
Once all of the configuration files are configured its time to reset the various services. These steps are often overlooked but are the most important. On the RHCE Exam your configuration must survive a reboot and you can do so with the steps below:
A) First set the service so that it starts at boot
chkconfig smb on
B) Start the smb service to activate it. If you have already activated it you should restart it to load the new settings.
service smb start
service smb restart
C) Restart the Iptables service to load the new firewall settings
service iptables restart