Sharing Files between RHEL 8 and Windows Systems with Samba

From Techotopia
Revision as of 16:16, 17 June 2019 by Neil (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
PreviousTable of ContentsNext
Using NFS to Share RHEL 8 Files with Remote SystemsAn Overview of Virtualization Techniques


You are reading a sample chapter from the Red Hat Enterprise Linux 8 (RHEL 8) Essentials book.

Purchase a full copy of Red Hat Enterprise Linux 8 (RHEL 8) Essentials in eBook ($9.99) or Print ($36.99) format

Red Hat Enterprise Linux 8 Essentials Print and eBook (ePub/PDF/Kindle) editions contain 31 chapters and over 250 pages

Buy Print Preview Book


Although Linux has made some inroads into the desktop market, its origins and future are very much server-based. It is not surprising therefore that RHEL 8 has the ability to act as a file server. It is also extremely common for RHEL and Windows systems to be used side by side in networked environments. It is a common requirement, therefore, that files on a RHEL 8 system be accessible to Linux, UNIX and Windows-based systems over network connections. Similarly, shared folders and printers residing on Windows systems may also need to be accessible from RHEL 8 based systems.

Windows systems share resources such as file systems and printers using a protocol known as SMB). In order for a RHEL 8 system to serve such resources over a network to a Windows system and vice versa it must, therefore, support SMB. This is achieved using technology called Samba. In addition to providing integration between Linux and Windows systems, Samba may also be used to provide folder sharing between Linux systems (as an alternative to NFS which was covered in the previous chapter).

In this chapter we will look at the steps necessary to share file system resources and printers on a RHEL 8 system with remote Windows and Linux systems, and to access Windows resources from RHEL 8.


Contents


Samba and Samba Client

Samba allows both RHEL 8 resources to be shared with Windows systems and Windows resources to be shared with RHEL 8 systems. RHEL accesses Windows resources using the Samba client. RHEL resources, on the other hand, are shared with Windows systems by installing and configuring the Samba service.

Installing Samba on a RHEL 8 System

The default settings used during the RHEL 8 installation process do not typically install the necessary Samba packages. Unless you specifically requested that Samba be installed it is unlikely that you have Samba installed on your system. To check whether Samba is installed, open a terminal window and run the following rpm command:

# rpm -q samba samba-common samba-client

If any of the Samba packages are not installed, rpm will return with “package is not installed”. That being the case, these can be installed using the dnf command-line tool:

# dnf install samba samba-common samba-client 

Configuring the RHEL 8 Firewall to Enable Samba

Next, the firewall currently protecting the RHEL 8 system needs to be configured to allow Samba traffic. To achieve this, run the firewall-cmd command as follows:

# firewall-cmd --permanent --add-port={139/tcp,445/tcp}
# firewall-cmd --reload

Before starting the Samba service a number of configuration steps are necessary to define how the RHEL system will appear to Windows systems, and the resources which are to be shared with remote clients. The majority of these configuration tasks take place within the /etc/samba/smb.conf file.

Configuring the smb.conf File

smbpasswd command-line tool. While the loss of system-config-samba may be mourned by those who relied on it, the tool’s simplicity actually masked many of the more advanced features of Samba. In practice, much more can be achieved by taking the time to understand the intricacies of the smb.conf file.

Samba is a highly flexible and configurable system that provides many different options for controlling how resources are shared on Windows networks. This flexibility can lead to the sense that Samba is overly complex to work with. In reality, however, many of the configuration options are not needed by the typical installation, and the learning curve to set up a basic configuration is actually quite short.

For the purposes of this chapter we will look at joining a RHEL 8 system to a Windows workgroup and setting up a directory as a shared resource that can be accessed by a specific user. This is a configuration known as a standalone Samba server. More advanced configurations such as integrating Samba within an Active Directory environment are also available, though these are outside the scope of this book.

The first step in configuring Samba is to edit the /etc/samba/smb.conf file.

Configuring the [global] Section

The smb.conf file is divided into sections. The first section is the [global] section where settings can be specified that apply to the entire Samba configuration. While these settings are global, each option may be overridden within other sections of the configuration file.

The first task is to define the name of the Windows workgroup on which the RHEL 8 resources are to be shared. This is controlled via the workgroup = directive of the [global] section which by default is configured as follows:

workgroup = SAMBA

Begin by changing this to the actual name of the workgroup. For example, if the workgroup is named WORKGROUP (the default for most Windows networks):

[global]
        workgroup = WORKGROUP
        security = user
 
        passdb backend = tdbsam
.
.

In addition to the workgroup setting, the other settings indicate that this is a standalone server on which the shared resources will be protected by user passwords. Before moving on to configuring the resources to be shared, a number of other parameters also need to be added to the [global] section as follows:

[global]
        workgroup = WORKGROUP
        security = user
        netbios name = LinuxServer
        passdb backend = tdbsam
        
        log file = /var/log/samba/%m.log
        log level = 1
.
.

The “netbios name” property specifies the name by which the server will be visible to other systems on the network, while the log settings simply specify a file location into which log output is to be recorded.

Configuring a Shared Resource

The next step is to configure the shared resources (in other words the resources that will be accessible from other systems on the Windows network). In order to achieve this, the section is given a name by which it will be referred to when shared. For example, if we plan to share the /sampleshare directory of our RHEL 8 system, we might entitle the section [sampleshare]. In this section a variety of configuration options are possible. For the purposes of this example, however, we will simply define the directory that is to be shared, indicate that the directory is both browsable and writable and declare the resource public so that guest users are able to gain access:

[sampleshare]
        comment = Example Samba share
        path = /sampleshare
        browseable = Yes
        public = yes
        writable = yes

To restrict access to specific users, the “valid users” property may be used, for example:

valid users = demo, bobyoung, marcewing

Removing Unnecessary Shares

The smb.conf file is pre-configured with sections for sharing printers and the home folders of the users on the system. If these resources do not need to be shared, the corresponding sections can be commented out so that they are ignored by Samba. In the following example, the [homes] section has been commented out:

.
.
#[homes]
#       comment = Home Directories
#       valid users = %S, %D%w%S
#       browseable = No
#       read only = No
#       inherit acls = Yes
.
.

You are reading a sample chapter from the Red Hat Enterprise Linux 8 (RHEL 8) Essentials book.

Purchase a full copy of Red Hat Enterprise Linux 8 (RHEL 8) Essentials in eBook ($9.99) or Print ($36.99) format

Red Hat Enterprise Linux 8 Essentials Print and eBook (ePub/PDF/Kindle) editions contain 31 chapters and over 250 pages

Buy Print Preview Book

Configuring SELinux for Samba

SELinux is a system integrated by default into the Linux kernel on all RHEL 8 systems and which provides an extra layer of security and protection to the operating system and user files.

Traditionally, Linux security has been based on the concept of allowing users to decide who has access to their files and other resources for which they have ownership. Consider, for example, a file located in the home directory of, and owned by, a particular user. That user is able to control the access permissions of that file in terms of whether other users on the system are able to read and write to or, in the case of a script or binary, execute the file. This type of security is referred to as discretionary access control since access to resources is left to the discretion of the user.

With SELinux, however, access is controlled by the system administrator and cannot be overridden by the user. This is referred to as mandatory access control and is defined by the administrator using SELinux policy. To continue the previous example, the owner of a file is only able to perform tasks on that file if SELinux policy defined either by default by the system, or by the administrator, permits it.

The current status of SELinux on a RHEL 8 system may be identified using the sestatus tool as follows:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:            enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

SELinux can be run in either enforcing or permissive mode. When enabled, enforcing mode denies all actions that are not permitted by SELinux policy. Permissive mode, on the other hand, allows actions that would normally have been denied to proceed but records the violation in a log file.

SELinux security is based on the concept of context labels. All resources on a system (including processes and files) are assigned SELinux context labels consisting of user, role, type and optional security level. The SELinux context of files or folders, for example, may be viewed as follows:

$ ls -Z /home/demo
 unconfined_u:object_r:user_home_t:s0 Desktop
 unconfined_u:object_r:user_home_t:s0 Documents

Similarly, the ps command may be used to identify the context of a running process, in this case the ls command:

$ ps -eZ | grep ls
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 14311 tty1 00:00:18 ls

When a process (such as the above ls command) attempts to access a file or folder, the SELinux system will check the policy to identify whether or not access is permitted. Now consider the context of the Samba service:

$ ps -eZ | grep smb
system_u:system_r:smbd_t:s0     14129 ?        00:00:00 smbd
system_u:system_r:smbd_t:s0     14132 ?        00:00:00 smbd-notifyd

SELinux implements security in a number of ways, the most common of which is referred to as type enforcement. In basic terms, when a process attempts to perform a task on an object (for example writing to a file), SELinux checks the context types of both the process and the object and verifies that the security policy allows the action to be taken. If a process of type A, for example, attempts to write to a file of type B, it will only be permitted to do so if SELinux policy specifically states that a process of type A may perform a write operation to a file of type B. In SELinux enforcement, all actions are denied by default unless a rule exists specifically allowing the action to be performed.

The issue with SELinux and Samba is that SELinux policy is not configured to allow processes of type smb_t to perform actions on files of any type other than samba_share_t. The /home/demo directory listed above, for example, will be inaccessible to the Samba service because it has a type of user_home_t. To make files or folders on the system accessible to the Samba service, the enforcement type of those specific resources must be changed to samba_share_t.

For the purposes of this example, we will create the /sampleshare directory referenced previously in the smb.conf file and change the enforcement type so that it is accessible to the Samba service. Begin by creating the directory as follows:

# mkdir /sampleshare

Next, check the current SELinux context on the directory:

$ ls -aZ /sampleshare/
unconfined_u:object_r:default_t:s0 .

In this instance, the context label of the folder has been assigned a type of default_t. To make the folder sharable by Samba, the enforcement type needs to be set to samba_share_t using the semanage tool as follows:

# semanage fcontext -a -t samba_share_t "/sampleshare(/.*)?"

Note the use of a wildcard in the restorecon command, making use of the -R flag to apply the change recursively through any sub-directories:

# restorecon -R -v /sampleshare
Relabeled /sampleshare from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:samba_share_t:s0

Once these changes have been made, the folder is configured to comply with SELinux policy for the smb process and is ready to be shared by Samba.

Creating a Samba User

Any user that requires access to a Samba shared resource must be configured as a Samba User and assigned a password. This task is achieved using the smbpasswd command-line tool. Consider, for example, that a user named demo is required to be able to access the /sampleshare directory of our RHEL 8 system from a Windows system. In order to fulfill this requirement we must add demo as a Samba user as follows:

# smbpasswd -a demo
New SMB password:
Retype new SMB password:
Added user demo.

Now that we have completed the configuration of a very basic Samba server, it is time to test our configuration file and then start the Samba services.

Testing the smb.conf File

The settings in the smb.conf file may be checked for errors using the testparm command-line tool as follows:

# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[sampleshare]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_STANDALONE
 
Press enter to see a dump of your service definitions
 
# Global parameters
[global]
	log file = /var/log/samba/%m.log
	netbios name = LINUXSERVER
	printcap name = cups
	security = USER
	wins support = Yes
	idmap config * : backend = tdb
	cups options = raw
 
[sampleshare]
	comment = Example Samba share
	guest ok = Yes
	path = /sampleshare
	read only = No
 
[homes]
	browseable = No
	comment = Home Directories
	inherit acls = Yes
	read only = No
	valid users = %S %D%w%S
 
[printers]
	browseable = No
	comment = All Printers
	create mask = 0600
	path = /var/tmp
	printable = Yes
 
[print$]
	comment = Printer Drivers
	create mask = 0664
	directory mask = 0775
	force group = @printadmin
	path = /var/lib/samba/drivers
	write list = @printadmin root

Starting the Samba and NetBIOS Name Services

In order for a RHEL 8 server to operate within a Windows network both the Samba (SMB) and NetBOIS nameservice (NMB) services must be started. Optionally, also enable the services so that they start each time the system boots:

# systemctl enable smb
# systemctl start smb
# systemctl enable nmb
# systemctl start nmb

Before attempting to connect from a Windows system, use the smbclient utility to verify that the share is configured:

You are reading a sample chapter from the Red Hat Enterprise Linux 8 (RHEL 8) Essentials book.

Purchase a full copy of Red Hat Enterprise Linux 8 (RHEL 8) Essentials in eBook ($9.99) or Print ($36.99) format

Red Hat Enterprise Linux 8 Essentials Print and eBook (ePub/PDF/Kindle) editions contain 31 chapters and over 250 pages

Buy Print Preview Book

# smbclient -U demo -L localhost 
Enter WORKGROUP\demo’s password: 
 
	Sharename       Type      Comment
	---------       ----      -------
	sampleshare     Disk      Example Samba share
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Samba 4.9.1)
	demo            Disk      Home Directories
Reconnecting with SMB1 for workgroup listing.
 
	Server               Comment
	---------            -------
 
	Workgroup            Master
	---------            -------
	WORKGROUP            LINUXSERVER

Accessing Samba Shares

Now that the Samba resources are configured and the services are running, it is time to access the shared resource from a Windows system. On a suitable Windows system on the same workgroup as the RHEL 8 system, open Windows Explorer and navigate to the Network panel. At this point, explorer should search the network and list any systems using the SMB protocol that it finds. The following figure illustrates a RHEL 8 system named LINUXSERVER located using Windows Explorer on a Windows 10 system:


Rhel 8 samba share on windows.png


Figure 18-1

Double clicking on the LINUXSERVER host will prompt for the name and password of a user with access privileges. In this case it is the demo account that we configured using the smbpasswd tool:


Rhel 8 samba windows login.png


Figure 18-2

Entering the username and password will result in the shared resources configured for that user appearing in the explorer window, including the previously configured /sampleshare resource:


Rhel 8 samba folder on windows.png


Figure 18-3

Double clicking on the /sampleshare shared resource will display a listing of the files and directories contained therein.

Accessing Windows Shares from RHEL 8

As previously mentioned, Samba is a two way street, allowing not only Windows systems to access files and printers hosted on a RHEL 8 system, but also allowing the RHEL 8 system to access shared resources on Windows systems. This is achieved using the samba-client package which was installed at the start of this chapter. If it is not currently installed, install it from a terminal window as follows:

# dnf install samba-client

Shared resources on a Windows system can be accessed either from the RHEL desktop using the Files application, or from the command-line prompt using the smbclient and mount tools. The steps in this section assume that appropriate network sharing settings have been enabled on the Windows system.

To access any shared resources on a Windows system using the desktop, begin by launching the Files application and selecting the Other Locations option. This will display the screen shown in Figure 18-4 below including an icon for the Windows Network (if one is detected):


Rhel 8 connect to windows share.png


Figure 18-4

Selecting the Windows Network option will display the Windows systems detected on the network and allow access to any shared resources.


Rhel 8 files windows 10 share.png


Figure 18-5

Alternatively, the Connect to Server option may be used to connect to a specific system. Note that the name or IP address of the remote system must be prefixed by smb:// and may be followed by the path to a specific shared resource, for example:

smb://WinServer10/Documents

In the absence of a desktop environment, a remote Windows share may be mounted from the command-line using the mount command and specifying the cifs filesystem type. The following command, for example, mounts a share named Documents located on a Windows system named WindowsServer at a local mount point named /winfiles:

# mount -t cifs //WinServer/Documents /winfiles -o user=demo

Summary

In this chapter we have looked at the steps necessary to configure a RHEL 8 system to act as both a Samba client and server allowing the sharing of resources with Windows based systems. Topics covered included the installation of Samba client and server packages and configuration of Samba as a standalone server. In addition, the basic concepts of SELinux were introduced together with the steps to provide Samba with access to a shared resource.


You are reading a sample chapter from the Red Hat Enterprise Linux 8 (RHEL 8) Essentials book.

Purchase a full copy of Red Hat Enterprise Linux 8 (RHEL 8) Essentials in eBook ($9.99) or Print ($36.99) format

Red Hat Enterprise Linux 8 Essentials Print and eBook (ePub/PDF/Kindle) editions contain 31 chapters and over 250 pages

Buy Print Preview Book



PreviousTable of ContentsNext
Using NFS to Share RHEL 8 Files with Remote SystemsAn Overview of Virtualization Techniques