Difference between revisions of "Samba"
(→Example setup) |
|||
(6 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
Samba is a free software re-implementation of SMB/CIFS networking protocol, released under the GNU General Public License. | Samba is a free software re-implementation of SMB/CIFS networking protocol, released under the GNU General Public License. | ||
− | ==Samba and iptables== | + | ==Samba (smb/cifs) and iptables== |
− | + | As an example Samba-share setup, assume the Windows machine ("Samba server") has an IP address of <code>128.35.125.23</code>, your Linux machine ("Samba client") has an IP address of <code>10.0.32.145</code>, and the Linux machine is behind a dedicated firewall (which does NAT). | |
− | -A FORWARD -s | + | |
− | + | The only [[iptables]] rules you will need to implement are <code>FORWARD</code> all "source" requests (Linux box) via TCP on ports 139 and 445 with a jump target of "<code>ACCEPT</code>". | |
− | -A FORWARD -s | + | |
− | + | The following two rules will allow the above traffic: | |
− | + | -A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 139 -m mark --mark 0x1/0x1 -j ACCEPT | |
− | + | -A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 445 -m mark --mark 0x1/0x1 -j ACCEPT | |
− | + | where <code>-s</code> is your "source" IP address and <code>-d</code> is your "destination". | |
− | - | + | |
+ | Note that, | ||
+ | *<code>TCP/UDP 137</code> (NETBIOS Name Service aka <code>netbios-ns</code>) | ||
+ | *<code>TCP/UDP 138</code> (NETBIOS Datagram Service aka <code>netbios-dgm</code>) | ||
+ | *<code>TCP/UDP 139</code> (NETBIOS session service aka <code>netbios-ssn</code>) | ||
+ | *<code>TCP/UDP 445</code> (Microsoft Naked CIFS aka <code>microsoft-ds</code>; Win2k/XP) | ||
+ | |||
+ | ==Test-mount your Samba share== | ||
+ | As root, | ||
+ | mount -t cifs //128.35.125.23/path /mnt/samba -o username=username | ||
==Automount a Samba share== | ==Automount a Samba share== | ||
If you would like to automount your Samba shares, you can place the line below in your <code>/etc/fstab</code>: | If you would like to automount your Samba shares, you can place the line below in your <code>/etc/fstab</code>: | ||
− | // | + | //128.35.125.23/path /mnt/samba cifs username=username,password=password 0 0 |
where <code>cifs</code> might need to be <code>smbfs</code>, depending on your filesystem setup. | where <code>cifs</code> might need to be <code>smbfs</code>, depending on your filesystem setup. | ||
Line 24: | Line 33: | ||
Now, edit your <code>/etc/fstab</code> and replace the line with: | Now, edit your <code>/etc/fstab</code> and replace the line with: | ||
− | // | + | //128.35.125.23/path /mnt/samba cifs credentials=/etc/samba/smbpasswd 0 0 |
+ | |||
+ | ==Permissions== | ||
+ | It is possible to set the mount uid, gid, and umasks for file/directory create/deletion/overwrite with the following set of options: | ||
+ | gid=100,file_mode=0644,dir_mode=0755 | ||
+ | |||
+ | ==Example setup== | ||
+ | In this example, I will have two machines: | ||
+ | * A server at: 192.168.0.1 | ||
+ | * A desktop at: 192.168.0.2 | ||
+ | |||
+ | I will configure the server to function as a CIFS server with the following: | ||
+ | * Workgroup: CIFSERVER | ||
+ | * Linux group: sambagroup | ||
+ | * CIFS Share Name: uni | ||
+ | * Directory: /cifs/uni | ||
+ | * No printers shared | ||
+ | * User "stine" has read/write access | ||
+ | * User "hans" has read-only access | ||
+ | |||
+ | On the server, run the following commands: | ||
+ | |||
+ | $ service iptables start | ||
+ | $ iptables-save | ||
+ | $ vi /etc/sysconfig/iptables | ||
+ | -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT | ||
+ | -A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT | ||
+ | -A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT | ||
+ | -A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT | ||
+ | $ service iptables restart | ||
+ | $ iptables-save # double-check the rules | ||
+ | $ yum install -y samba | ||
+ | $ vi /etc/samba/smb.conf | ||
+ | workgroup = CIFSERVER | ||
+ | interfaces = lo eth0 | ||
+ | hosts allow = 127. 192.168.0. | ||
+ | [uni] | ||
+ | comment = University shares | ||
+ | path = /cifs/uni | ||
+ | ; valid users = @sambagroup # only users of this group can access the share | ||
+ | public = yes | ||
+ | writable = yes | ||
+ | printable = no | ||
+ | write list = +sambagroup # allow others read-only access | ||
+ | $ mkdir -p /cifs/uni | ||
+ | $ groupadd -r sambagroup | ||
+ | $ chgrp sambagroup /cifs/uni | ||
+ | $ chmod 2775 /cifs/uni | ||
+ | $ chcon -t samba_share_t /cifs/uni # Or, to make persistent (the following 3 commands): | ||
+ | $ semanage fcontext -a -t public_content_t '/cifs(/.*)?' | ||
+ | $ semanage fcontext -a -t samba_share_t '/cifs/uni(/.*)?' | ||
+ | $ restorecon -FRvv /cifs | ||
+ | $ ls -laZ /cifs | ||
+ | $ ls -laZ /cifs/uni | ||
+ | $ chkconfig smb on | ||
+ | $ service smb start | ||
+ | $ useradd -G sambagroup stine | ||
+ | $ useradd hans | ||
+ | $ smbpasswd -a stine | ||
+ | $ smbclient -L s3 -U stine | ||
+ | Enter stine's password: | ||
+ | Domain=[BUTLER] OS=[Unix] Server=[Samba 3.5.10-125.el6] | ||
+ | |||
+ | Sharename Type Comment | ||
+ | --------- ---- ------- | ||
+ | uni Disk University shares | ||
+ | IPC$ IPC IPC Service (Samba Server Version 3.5.10-125.el6) | ||
+ | stine Disk Home Directories | ||
+ | Domain=[CIFSERVER] OS=[Unix] Server=[Samba 3.5.10-125.el6] | ||
+ | |||
+ | Server Comment | ||
+ | --------- ------- | ||
+ | |||
+ | Workgroup Master | ||
+ | --------- ------- | ||
+ | |||
+ | Now, on the desktop, run: | ||
+ | $ mount -t cifs -o user=stine //192.168.0.1/uni /mnt | ||
==External links== | ==External links== | ||
Line 35: | Line 121: | ||
*[[wikipedia:Samba]] | *[[wikipedia:Samba]] | ||
*[[wikibooks:Samba]] | *[[wikibooks:Samba]] | ||
+ | ===Firewall=== | ||
+ | *[http://www.auditmypc.com/port/udp-port-2399.asp UDP 2399] (port) | ||
[[Category:Linux Command Line Tools]] | [[Category:Linux Command Line Tools]] |
Latest revision as of 17:57, 8 May 2014
Samba is a free software re-implementation of SMB/CIFS networking protocol, released under the GNU General Public License.
Contents
Samba (smb/cifs) and iptables
As an example Samba-share setup, assume the Windows machine ("Samba server") has an IP address of 128.35.125.23
, your Linux machine ("Samba client") has an IP address of 10.0.32.145
, and the Linux machine is behind a dedicated firewall (which does NAT).
The only iptables rules you will need to implement are FORWARD
all "source" requests (Linux box) via TCP on ports 139 and 445 with a jump target of "ACCEPT
".
The following two rules will allow the above traffic:
-A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 139 -m mark --mark 0x1/0x1 -j ACCEPT -A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 445 -m mark --mark 0x1/0x1 -j ACCEPT
where -s
is your "source" IP address and -d
is your "destination".
Note that,
TCP/UDP 137
(NETBIOS Name Service akanetbios-ns
)TCP/UDP 138
(NETBIOS Datagram Service akanetbios-dgm
)TCP/UDP 139
(NETBIOS session service akanetbios-ssn
)TCP/UDP 445
(Microsoft Naked CIFS akamicrosoft-ds
; Win2k/XP)
As root,
mount -t cifs //128.35.125.23/path /mnt/samba -o username=username
If you would like to automount your Samba shares, you can place the line below in your /etc/fstab
:
//128.35.125.23/path /mnt/samba cifs username=username,password=password 0 0
where cifs
might need to be smbfs
, depending on your filesystem setup.
However, if you do not want your username and password in a text file that anyone can read, you can create a file in, for an example, /etc/samba/smbpasswd
with the following two lines:
username=username password=password
Then,
chmod 600 /etc/samba/smbpasswd
Now, edit your /etc/fstab
and replace the line with:
//128.35.125.23/path /mnt/samba cifs credentials=/etc/samba/smbpasswd 0 0
Permissions
It is possible to set the mount uid, gid, and umasks for file/directory create/deletion/overwrite with the following set of options:
gid=100,file_mode=0644,dir_mode=0755
Example setup
In this example, I will have two machines:
- A server at: 192.168.0.1
- A desktop at: 192.168.0.2
I will configure the server to function as a CIFS server with the following:
- Workgroup: CIFSERVER
- Linux group: sambagroup
- CIFS Share Name: uni
- Directory: /cifs/uni
- No printers shared
- User "stine" has read/write access
- User "hans" has read-only access
On the server, run the following commands:
$ service iptables start $ iptables-save $ vi /etc/sysconfig/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT -A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT -A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT $ service iptables restart $ iptables-save # double-check the rules $ yum install -y samba $ vi /etc/samba/smb.conf workgroup = CIFSERVER interfaces = lo eth0 hosts allow = 127. 192.168.0. [uni] comment = University shares path = /cifs/uni ; valid users = @sambagroup # only users of this group can access the share public = yes writable = yes printable = no write list = +sambagroup # allow others read-only access $ mkdir -p /cifs/uni $ groupadd -r sambagroup $ chgrp sambagroup /cifs/uni $ chmod 2775 /cifs/uni $ chcon -t samba_share_t /cifs/uni # Or, to make persistent (the following 3 commands): $ semanage fcontext -a -t public_content_t '/cifs(/.*)?' $ semanage fcontext -a -t samba_share_t '/cifs/uni(/.*)?' $ restorecon -FRvv /cifs $ ls -laZ /cifs $ ls -laZ /cifs/uni $ chkconfig smb on $ service smb start $ useradd -G sambagroup stine $ useradd hans $ smbpasswd -a stine $ smbclient -L s3 -U stine Enter stine's password: Domain=[BUTLER] OS=[Unix] Server=[Samba 3.5.10-125.el6] Sharename Type Comment --------- ---- ------- uni Disk University shares IPC$ IPC IPC Service (Samba Server Version 3.5.10-125.el6) stine Disk Home Directories Domain=[CIFSERVER] OS=[Unix] Server=[Samba 3.5.10-125.el6] Server Comment --------- ------- Workgroup Master --------- -------
Now, on the desktop, run:
$ mount -t cifs -o user=stine //192.168.0.1/uni /mnt
External links
- Official Samba Web Site
- Using Samba 2nd ed. licensed under GFDL
- Setting up Samba
- File and Printer sharing using Samba on Suse Linux
- Configuring Windows Vista to map drives to Samba Shares
- "Samba beats Windows", a study comparing the two
- wikipedia:Samba
- wikibooks:Samba
Firewall
- UDP 2399 (port)