The goal is to create a network share on a Linux server using Samba and map a drive to that share from a Windows workstation. There are many, many articles with a procedure, but most are dated and incomplete. The procedure below, assembled from bits and pieces of several articles, worked for this test using CentOS 5.7 and Microsoft Windows 7.
Check to see if Samba is installed.
ps ax | grep smbd
If installed, the result should resemble this.
20324 ? Ss 0:00 smbd -D
20331 ? S 0:00 smbd -D
20367 ? S 0:01 smbd -D
21346 pts/1 S+ 0:00 grep smbd
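If not installed, install Samba, start the service, enable it at boot, create the share directory, back up the default smb.conf and open a new one for editing.
yum -y install samba
/sbin/service smb start
/sbin/chkconfig smb on
# the directory must match path = /home/share in the [share] section below
mkdir /home/share
chmod 766 /home/share
mv /etc/samba/smb.conf /etc/samba/smb.conf.backup
vi /etc/samba/smb.conf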
Copy the following into the smb.conf file where the section begins [global]
[global]
workgroup = workgroup
netbios name = linuxshare
security = share
load printers = no
default service = global
path = /home
available = no
encrypt passwords = yes
At the bottom of the smb.conf file, copy and paste the following.
[share]
writeable = yes
admin users = windowsuser
path = /home/share
force user = root
valid users = windowsuser
public = yes
available = yes
Create the user windowsuser, as used in this example.
/usr/sbin/useradd windowsuser
passwd windowsuser
# use the same password for both
smbpasswd -a windowsuser
/sbin/service smb restart
To delete the user, windowsuser.
/usr/sbin/userdel windowsuser
smbpasswd -x windowsuser
To use an existing user instead, list the users on the Linux machine.
cat /etc/passwd |grep "/home"
Select the user then create a Samba password for that user as demonstrated in the step above with the smbpasswd command.
Restart smb
service smb restart
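The [global] and [share] sections above rely on security = share, force user = root, admin users and public = yes, so it is worth knowing exactly which sections of a configuration carry them. The check below is an added example, not part of the original procedure; sample_conf and audit_smb_conf are hypothetical helper names and the sample input is constructed from the sections shown above.

```sh
#!/bin/sh
# Added example: flag smb.conf settings that widen access to a share.
# sample_conf and audit_smb_conf are hypothetical helper names.

sample_conf() {   # constructed sample, reduced from the sections shown above
cat <<'EOF'
[global]
workgroup = workgroup
security = share
encrypt passwords = yes

[share]
writeable = yes
admin users = windowsuser
path = /home/share
force user = root
valid users = windowsuser
public = yes
EOF
}

# Reads smb.conf from the named file (or stdin) and prints one
# "section|parameter|value|reason" line per finding.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                 # comment line
    /^[ \t]*\[/   {                        # section header such as [share]
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
    }
    index($0, "=") {
        eq  = index($0, "=")
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        yes = (val == "yes" || val == "true" || val == "1")
        why = ""
        if (key == "security" && val == "share") why = "share-level mode, removed in Samba 4"
        if (key == "force user" && val == "root") why = "all file access on the share runs as root"
        if (key == "admin users")                 why = "listed users act as root on the share"
        if ((key == "public" || key == "guest ok") && yes) why = "guest access enabled for the share"
        if (why != "") print sec "|" key "|" val "|" why
    }' "$@"
}

sample_conf | audit_smb_conf
```

To audit the live configuration, call audit_smb_conf /etc/samba/smb.conf.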
Firewall Exceptions
Samba requires four ports to be accessible: UDP 137 and 138, and TCP 139 and 445. If the firewall rules do not already allow them, these commands will add them. Each command checks /etc/sysconfig/iptables for an existing exception for its port. If none exists, an ACCEPT rule is inserted ahead of the final REJECT rule; otherwise nothing is added.
grep -q "dport 137" /etc/sysconfig/iptables 2> /dev/null || sed -i -e "/-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited/i\ -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT" /etc/sysconfig/iptables
grep -q "dport 138" /etc/sysconfig/iptables 2> /dev/null || sed -i -e "/-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited/i\ -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT" /etc/sysconfig/iptables
grep -q "dport 139" /etc/sysconfig/iptables 2> /dev/null || sed -i -e "/-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited/i\ -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT" /etc/sysconfig/iptables
grep -q "dport 445" /etc/sysconfig/iptables 2> /dev/null || sed -i -e "/-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited/i\ -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT" /etc/sysconfig/iptables
Restart the firewall
service iptables restart
SELinux
Security-Enhanced Linux (“SELinux”) secures the Samba server via flexible mandatory access control. SELinux Samba policy defaults to least privilege access. Several Booleans and file contexts are available to customize the way Samba SELinux works.
The following command switches SELinux to permissive mode, which lasts until the next reboot.
setenforce 0
Since the share is in the /home folder, the following command is applicable.
setsebool -P samba_enable_home_dirs on
To see the other available Samba Booleans and their values, use this command.
getsebool -a | grep samba
If sharing files or directories other than home directories or the several predefined ones, the file context samba_share_t should be used. For example:
chcon -t samba_share_t /your/path/example
Testing
To check that the share is listed on localhost, use the following command and, when prompted, enter the root password.
smbclient -L localhost
To check that the share can be mounted on localhost, create a folder in /mnt like this.
mkdir /mnt/share
Then mount it.
mount.cifs //localhost/share /mnt/share
From Windows
Open Windows Explorer and type in the IP address of the Linux server; there should be a fully accessible share called share. If not, the following command worked within a Command Prompt box.
net use \\linuxserver\share /USER:windowsuser
When prompted, type in the windowsuser account password. Then go to Windows Explorer and try again. Tested. Worked.
If Windows cannot connect to the Samba share, it may be because the workgroup parameter in smb.conf does not match the workgroup setting on the Windows machine. To check this setting, use the following command.
testparm -s | grep workgroup
The result will look something like this.
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE
workgroup = MYWORKGROUP
Source(s)
http://www.jonathanmanning.com/2011/04/16/how-to-install-samba-on-centos-with-batch-script-to-map-drive-on-windows/
http://www.unix.com/shell-programming-scripting/84255-adding-new-iptables.html
http://nixcraft.com/networking-firewalls-security/13433-explain-selinux-setsebool-getsebool-commands.html
http://wiki.linuxquestions.org/wiki/Setting_up_a_Samba_Server#Installing_the_Samba_Server
http://fedoraproject.org/wiki/SELinux/samba
http://danwalsh.livejournal.com/14195.html
https://www.centos.org/modules/newbb/viewtopic.php?topic_id=33994
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#READONLY
http://ubuntuforums.org/showthread.php?t=1685824
http://lists.samba.org/archive/samba/2000-August/020253.html
http://www.comptechdoc.org/os/linux/manual4/sambausers.html
http://www.linuxquestions.org/linux/answers/Networking/How_to_list_all_your_USERs
http://wiki.samba.org/index.php/Samba_&_Active_Directory
http://www-01.ibm.com/support/docview.wss?uid=swg21298167