Samba

From Christoph's Personal Wiki
Latest revision as of 17:57, 8 May 2014

Samba is a free-software re-implementation of the SMB/CIFS networking protocol, released under the GNU General Public License.

Samba (smb/cifs) and iptables

As an example Samba-share setup, assume the SMB server (a Windows machine, called the "Samba server" below) has an IP address of 128.35.125.23, your Linux machine (the "Samba client") has an IP address of 10.0.32.145, and the Linux machine sits behind a dedicated firewall that does NAT.

The only iptables rules you need on that firewall are in the FORWARD chain: accept TCP from the client ("source") to the server on ports 139 and 445 with a jump target of ACCEPT. Port 445 alone is enough for SMB directly over TCP; port 139 is only needed if the server still speaks NetBIOS-over-TCP. The firewall must also have the usual rule accepting ESTABLISHED,RELATED traffic, otherwise the server's replies are never forwarded back to the client.

The following two rules will allow the above traffic:

-A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 139 -m mark --mark 0x1/0x1 -j ACCEPT
-A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 445 -m mark --mark 0x1/0x1 -j ACCEPT

where -s is your "source" (client) address and -d is your "destination" (server). Two things to check before copying these rules: the source 10.0.32.0/24 admits every host on the client's subnet, so if only the one client described above should reach the server use 10.0.32.145/32 instead; and the -m mark --mark 0x1/0x1 match only matches packets that were marked earlier (for example in the mangle table), so if you do not set such a mark, remove that match or the rules will never accept anything.

Note that the SMB-related ports are:

  • 137 (NetBIOS Name Service, netbios-ns; UDP in practice)
  • 138 (NetBIOS Datagram Service, netbios-dgm; UDP in practice)
  • 139 (NetBIOS Session Service, netbios-ssn; TCP)
  • 445 (SMB directly over TCP without NetBIOS framing, microsoft-ds; Windows 2000 and later)

Ports 137 and 138 only carry NetBIOS name resolution and browsing; a client that connects to the server by IP address, as in the mount commands below, does not need them opened.
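The check a practitioner wants after writing rules like the two above is whether the ruleset really limits SMB to the intended client. The following Python script is an added example for this page (not a script from the wiki): it reads iptables-save output, picks out ACCEPT rules for the SMB ports, and reports rules that accept from any source or from a wider range than the one intended client, rules that depend on a packet mark, and a ruleset with no ESTABLISHED,RELATED return rule. The two rulesets embedded in it are constructed around the page's addresses; the severity labels are the example's own.

```python
"""Audit iptables-save text for SMB/CIFS ACCEPT rules that are wider than intended.

Added example for this page, not the wiki's own script. Sample rulesets are
constructed; addresses are the page's client (10.0.32.145) and server.
"""
import ipaddress
import shlex

SMB_PORTS = {137, 138, 139, 445}


def _ports(spec):
    """Expand '445' or '137:139' into a set of port numbers."""
    lo, _, hi = spec.partition(":")
    return set(range(int(lo), int(hi or lo) + 1))


def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to the fields the audit needs, else None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "src": None, "proto": None, "dports": set(),
            "target": None, "mark": False, "state": ""}
    i = 2
    while i + 1 < len(toks):
        opt, val = toks[i], toks[i + 1]
        if opt == "-s":
            rule["src"] = val
        elif opt == "-p":
            rule["proto"] = val
        elif opt in ("--dport", "--dports"):          # -m tcp/udp or -m multiport
            rule["dports"] = set().union(*(_ports(p) for p in val.split(",")))
        elif opt == "-j":
            rule["target"] = val
        elif opt == "--mark":                          # -m mark --mark 0x1/0x1
            rule["mark"] = True
        elif opt in ("--state", "--ctstate"):          # -m state / -m conntrack
            rule["state"] = val
        i += 1
    return rule


def audit_smb_rules(save_text, intended_client):
    """Return (severity, message) findings; an empty list means nothing to report."""
    client = ipaddress.ip_network(intended_client)
    findings, has_return_rule = [], False
    for line in save_text.splitlines():
        rule = parse_rule(line.strip())
        if rule is None or rule["target"] != "ACCEPT":
            continue
        if "ESTABLISHED" in rule["state"]:
            has_return_rule = True
            continue
        hit = sorted(rule["dports"] & SMB_PORTS)
        if not hit:
            continue
        where = f"{rule['chain']} {rule['proto']}/{','.join(map(str, hit))}"
        if rule["src"] is None:
            findings.append(("HIGH", f"{where}: accepted from any source"))
        else:
            src = ipaddress.ip_network(rule["src"], strict=False)
            if client.subnet_of(src) and src.num_addresses > 1:
                findings.append(("MEDIUM", f"{where}: source {src} is wider than the intended client {client}"))
            elif not client.subnet_of(src):
                findings.append(("LOW", f"{where}: source {src} does not cover the intended client {client}"))
        if rule["mark"]:
            findings.append(("INFO", f"{where}: only matches packets marked elsewhere (mangle table); drop -m mark if you set no mark"))
        if rule["proto"] == "udp" and 445 in hit:
            findings.append(("LOW", f"{where}: SMB does not use 445/udp; this rule is dead weight"))
    if not has_return_rule:
        findings.append(("MEDIUM", "no ACCEPT rule for ESTABLISHED,RELATED traffic: server replies will be dropped"))
    return findings


# Constructed: the page's two rules plus a careless extra one, no return rule.
PAGE_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 139 -m mark --mark 0x1/0x1 -j ACCEPT
-A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 445 -m mark --mark 0x1/0x1 -j ACCEPT
-A FORWARD -d 128.35.125.23 -p udp -m udp --dport 445 -j ACCEPT
COMMIT
"""

# Constructed: the same intent, limited to one client on 445/tcp with a return rule.
TIGHT_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.0.32.145/32 -d 128.35.125.23/32 -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for severity, message in audit_smb_rules(PAGE_RULES, "10.0.32.145"):
        print(severity, message)
```

Run it against a live box with `iptables-save | python3 audit.py` after replacing PAGE_RULES with `sys.stdin.read()`; the TIGHT_RULES set produces no findings.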

Test-mount your Samba share

As root,

mount -t cifs //128.35.125.23/path /mnt/samba -o username=username

Automount a Samba share

If you would like to automount your Samba shares, you can place the line below in your /etc/fstab:

//128.35.125.23/path /mnt/samba cifs username=username,password=password 0 0

where cifs might need to be smbfs only on very old systems; the smbfs kernel module was removed in Linux 2.6.37, so on anything current use cifs (its mount helper, mount.cifs, comes from the cifs-utils package).

However, if you do not want your username and password in a text file that anyone can read (/etc/fstab is world-readable), you can create a credentials file, for example /etc/samba/smbpasswd, with the following two lines (a third line, domain=..., can be added for a domain account). On a machine that is also a Samba server, check first that this path is not already the legacy smbpasswd account database on your distribution; any other root-owned path works the same way:

username=username
password=password

Then, as root (the file should be owned by root so that nobody else can read it):

chmod 600 /etc/samba/smbpasswd

Now, edit your /etc/fstab and replace the line with:

//128.35.125.23/path /mnt/samba cifs credentials=/etc/samba/smbpasswd 0 0
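The checks that go with the credentials file above, as an added Python example (not from the wiki): it scans fstab text for cifs entries that still carry a password inline, and verifies that every credentials= file named exists, is root-owned, has no group/other permission bits and contains the username= and password= lines. The fstab lines and temporary files it uses are constructed for the demonstration; the smbcred file name and the require_root switch (turned off so the demo runs unprivileged) are assumptions of the example.

```python
"""Check fstab CIFS entries for inline passwords and validate credentials files.

Added example for this page, not part of the wiki or of cifs-utils. Paths
and fstab lines below are constructed for the demonstration.
"""
import os
import stat
import tempfile


def cifs_entries(fstab_text):
    """Yield (device, mountpoint, [options]) for each cifs line in fstab text."""
    for raw in fstab_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip fstab comments
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "cifs":
            yield fields[0], fields[1], fields[3].split(",")


def write_credentials(path, username, password, domain=None):
    """Create a mount.cifs credentials file that is mode 0600 from the first instant.

    O_CREAT|O_EXCL with mode 0600 avoids the window a plain open() followed by
    chmod would leave, and refuses to clobber an existing file.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"username={username}\npassword={password}\n")
        if domain:
            fh.write(f"domain={domain}\n")
    return path


def check_credentials_file(path, require_root=True):
    """Return a list of problems with a credentials file (empty list = fine)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is readable by group/other; use chmod 600")
    if require_root and st.st_uid != 0:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected root")
    with open(path) as fh:
        keys = {line.split("=", 1)[0].strip() for line in fh if "=" in line}
    for needed in ("username", "password"):
        if needed not in keys:
            problems.append(f"{path}: missing {needed}= line")
    return problems


def audit_fstab(fstab_text, require_root=True):
    """Flag inline passwords and weak credentials files across all cifs entries."""
    problems = []
    for device, mountpoint, opts in cifs_entries(fstab_text):
        for opt in opts:
            key, _, value = opt.partition("=")
            if key in ("password", "pass"):            # mount.cifs accepts both spellings
                problems.append(f"{mountpoint}: password for {device} is inline in world-readable fstab")
            elif key in ("credentials", "cred"):
                problems.extend(check_credentials_file(value, require_root))
    return problems


def demo():
    """Constructed demonstration; returns (problems_before, problems_after_loosening)."""
    tmpdir = tempfile.mkdtemp()
    cred = write_credentials(os.path.join(tmpdir, "smbcred"), "username", "password")
    fstab = (
        "//128.35.125.23/path /mnt/samba cifs username=username,password=password 0 0\n"
        f"//128.35.125.23/path /mnt/samba2 cifs credentials={cred} 0 0\n"
    )
    before = audit_fstab(fstab, require_root=False)   # unprivileged demo: skip the owner check
    os.chmod(cred, 0o644)                             # simulate a careless chmod
    after = audit_fstab(fstab, require_root=False)
    return before, after


if __name__ == "__main__":
    for stage, problems in zip(("before", "after"), demo()):
        print(stage, problems)
```

On a real system run `audit_fstab(open("/etc/fstab").read())` as root with the owner check left on.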

Permissions

It is possible to set the ownership (uid, gid) and the permission bits that files and directories appear with on the client (file_mode, dir_mode) with mount options such as:

gid=100,file_mode=0644,dir_mode=0755

These are client-side defaults: they apply when the server does not supply ownership and mode information (a Windows server, or a Samba server whose Unix extensions are disabled, which the client can force with the nounix option). Against a Samba server with Unix extensions enabled, the server's real ownership and modes are shown instead and these options are ignored.

Example setup

In this example, I will have two machines:

  • A server at: 192.168.0.1
  • A desktop at: 192.168.0.2

I will configure the server to function as a CIFS server with the following:

  • Workgroup: CIFSERVER
  • Linux group: sambagroup
  • CIFS Share Name: uni
  • Directory: /cifs/uni
  • No printers shared
  • User "stine" has read/write access
  • User "hans" has read-only access

On the server, run the following commands:

$ service iptables start
$ iptables-save
$ vi /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
$ service iptables restart
$ iptables-save  # double-check the rules
$ yum install -y samba
$ vi /etc/samba/smb.conf
       workgroup = CIFSERVER
       interfaces = lo eth0
       hosts allow = 127. 192.168.0.
       [uni]
       comment = University shares
       path = /cifs/uni
  ;     only users of this group can access the share (hans is not in it, so leave this disabled)
  ;     valid users = @sambagroup
       public = yes
       writable = no
       printable = no
  ;     read-only for everyone (including guests), read/write for members of sambagroup
       write list = +sambagroup
$ mkdir -p /cifs/uni
$ groupadd -r sambagroup
$ chgrp sambagroup /cifs/uni
$ chmod 2775 /cifs/uni
$ chcon -t samba_share_t /cifs/uni  # Or, to make persistent (the following 3 commands):
$ semanage fcontext -a -t public_content_t '/cifs(/.*)?'
$ semanage fcontext -a -t samba_share_t '/cifs/uni(/.*)?'
$ restorecon -FRvv /cifs
$ ls -laZ /cifs
$ ls -laZ /cifs/uni
$ chkconfig smb on
$ service smb start
$ useradd -G sambagroup stine
$ useradd hans
$ smbpasswd -a stine
$ smbclient -L s3 -U stine
Enter stine's password:
Domain=[BUTLER] OS=[Unix] Server=[Samba 3.5.10-125.el6]

    Sharename       Type      Comment
    ---------       ----      -------
    uni             Disk      University shares
    IPC$            IPC       IPC Service (Samba Server Version 3.5.10-125.el6)
    stine           Disk      Home Directories
Domain=[CIFSERVER] OS=[Unix] Server=[Samba 3.5.10-125.el6]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

Now, on the desktop, run:

$ mount -t cifs -o user=stine //192.168.0.1/uni /mnt
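A linter for the share configuration above, as an added Python example (not part of Samba or of the wiki). It parses smb.conf text into sections and checks the share sections for three things that bite configurations like this one: comment text appended to a value line (Samba only treats lines that start with "#" or ";" as comments, so trailing text becomes part of the value), a write list on a share that is already writable for everyone (the list then changes nothing), and guest access (public / guest ok) on a share that is writable. The two configurations embedded in it are constructed copies of the [uni] share with writable = yes and inline comments, and the corrected form with writable = no; the finding texts are the example's own.

```python
"""Lint smb.conf share sections for settings that do not do what their comments claim.

Added example for this page, not part of Samba or the wiki. The two
configurations below are constructed from the page's [uni] share.
"""
import re

TRUE_VALUES = {"yes", "true", "1"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_smb_conf(text):
    """Return {section: {param: value}}; '#' and ';' are comments only at line start."""
    conf, section = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[section][re.sub(r"\s+", " ", key.lower())] = value
    return conf


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def share_is_writable(params):
    """'writable', 'writeable' and 'write ok' are Samba synonyms for the inverse of 'read only'."""
    for key in ("writable", "writeable", "write ok"):
        if key in params:
            return is_true(params[key])
    if "read only" in params:
        return not is_true(params["read only"])
    return False                                   # Samba's default is read only = yes


def guest_allowed(params):
    """'public' is a synonym for 'guest ok'."""
    for key in ("guest ok", "public"):
        if key in params:
            return is_true(params[key])
    return False


def lint_smb_conf(text):
    """Return (section, message) findings; empty list means no issue found."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        for key, value in params.items():
            if re.search(r"(^|\s)[#;]", value):
                findings.append((section, f"'{key} = {value}': text after '#'/';' is part of the value; put the comment on its own line"))
        if section == "global":
            continue
        writable = share_is_writable(params)
        if writable and "write list" in params:
            findings.append((section, "write list has no effect because the share is writable for everyone; set 'writable = no' (read only = yes) so only the write list can write"))
        if writable and guest_allowed(params):
            findings.append((section, "guest ok/public on a writable share lets unauthenticated users write"))
    return findings


# Constructed: the share as first written (inline comments, writable = yes).
PAGE_CONF = """\
        workgroup = CIFSERVER
        interfaces = lo eth0
        hosts allow = 127. 192.168.0.
        [uni]
        comment = University shares
        path = /cifs/uni
   ;    valid users = @sambagroup # only users of this group can access the share
        public = yes
        writable = yes
        printable = no
        write list = +sambagroup # allow others read-only access
"""

# Constructed: the corrected share (comments on their own lines, writable = no).
FIXED_CONF = """\
        workgroup = CIFSERVER
        interfaces = lo eth0
        hosts allow = 127. 192.168.0.
        [uni]
        comment = University shares
        path = /cifs/uni
   ;    only users of this group can access the share
   ;    valid users = @sambagroup
        public = yes
        writable = no
        printable = no
   ;    read-only for everyone, read/write for sambagroup members
        write list = +sambagroup
"""

if __name__ == "__main__":
    for section, message in lint_smb_conf(PAGE_CONF):
        print(f"[{section}] {message}")
```

Run it on a real file with `lint_smb_conf(open("/etc/samba/smb.conf").read())`; `testparm -s` is the authoritative view of how Samba itself parsed the values.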

External links

Firewall