From Fedora Project Wiki
No edit summary
 
(21 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== How to create a SAMBA share ==
== How to create a Samba share ==


=== Prerequisites ===
=== Install and enable Samba ===
The following commands install Samba and set it to run via systemctl. This also sets the firewall to allow access to Samba from other computers.


<pre>
<pre>
sudo dnf install samba
$ sudo dnf install samba


sudo systemctl enable smb --now
$ sudo systemctl enable smb --now


firewall-cmd --get-active-zones
$ firewall-cmd --get-active-zones
sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-service=samba
$ sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-service=samba
sudo firewall-cmd --reload
$ sudo firewall-cmd --reload
 
sudo systemctl enable smb --now


$ sudo systemctl enable smb --now
</pre>
</pre>
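Review bot: `sudo systemctl enable smb --now` appears twice in the new command block, once after `dnf install samba` and again after `firewall-cmd --reload`; drop the second copy. The `--add-service=samba` line also hard-codes `--zone=FedoraWorkstation` directly after `firewall-cmd --get-active-zones`, so the text should say that the zone to use is the one that command reports.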


Line 20: Line 20:
In this example you will share a directory under your home and accessible only by your user.
In this example you will share a directory under your home and accessible only by your user.


Note: using the standard samba configuration (no backends, no modules), samba doesn't use the operating system users for authentication. So you have to create the samba user ''replicating'' the system one. However, the same system username must exists in order to handle filesystem permissions.
Samba does not use the operating system users for authentication, so your user account must be duplicated in Samba. So if your account is "jane" on the host, the user "jane" must also be added to Samba. The usernames must be the same, however the passwords do not.  


If your user name is "jane", you have to add the same username to samba. Please note: the samba password could be different from the system password.
Create a user called "jane" in Samba:
<pre>
$ sudo smbpasswd -a jane
</pre>


sudo smbpasswd -a jane
Create a directory to be the share for Jane, and set the correct SELinux context:
<pre>
$ mkdir /home/jane/share


$ sudo semanage fcontext --add --type "samba_share_t" ~/share
$ sudo restorecon -R ~/share
</pre>
</pre>


Add the share definition to the /etc/samba/smb.conf configuration file
Samba configuration lives in the /etc/samba/smb.conf file. Adding the following section at the end of the file will instruct Samba to set up a share for Jane called "share" at the /home/jane/share directory just created.
 
<pre>
<pre>
[share]
[share]
         comment = My Share
         comment = My Share
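Review bot: The added commands create `/home/jane/share` by absolute path but label `~/share`, which resolves to a different directory when the commands are not typed in jane's own shell; use `/home/jane/share` in the `semanage fcontext` and `restorecon -R` lines as well. The fcontext rule as written matches only the directory itself, so consider the pattern `"/home/jane/share(/.*)?"` so that `restorecon -R` also gives existing contents the `samba_share_t` type.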
Line 41: Line 46:
         directory mask = 0755
         directory mask = 0755
         write list = user
         write list = user
mkdir /home/jane/share
sudo semanage fcontext --add --type "samba_share_t" ~/share
sudo restorecon -R ~/share
sudo systemctl restart smb
</pre>
</pre>
 
Restart Samba for the changes to take effect:
<pre>
$ sudo systemctl restart smb
</pre>


=== Sharing a directory for many users ===
=== Sharing a directory for many users ===


In this example you will share a directory (outside your home) and you will create a group of users with the right to read/write to the share.
In this example, you will share a directory (outside your home directory) and create a group of users with the right to read/write to the share.


Create a system group
Remember that a Samba user must also be a system user, in order to respect filesystem permissions. This example creates a system group "myfamily" for two new users "jack" and "maria".


sudo groupadd  myfamily
<pre>
$ sudo groupadd myfamily
$ sudo useradd  -G myfamily jack
$ sudo useradd -G myfamily maria
</pre>
'''Tip:''' You can create these users without a system password in order to prevent access to the system via SSH or local login.


Remember: the samba user has to be also a system user, in order to respect filesystem permissions.
Adding jack and maria to Samba:
 
<pre>
sudo useradd  myfamily jack
$ sudo smbpasswd -a jack
sudo useradd  myfamily maria
$ sudo smbpasswd -a maria
 
</pre>
You can avoid to set a system password for such users, in order to prevent access the system via SSH or local login.


Setting up the shared folder:
<pre>
<pre>
sudo smbpasswd -a jack
$ sudo mkdir /home/share
sudo smbpasswd -a maria
$ sudo chgrp myfamily /home/share
 
$ sudo chmod 770 /home/share
sudo mkdir /home/share
$ sudo semanage fcontext --add --type "samba_share_t" /home/share
sudo chgrp myfamily /home/share
$ sudo restorecon -R /home/share
sudo chmod 770 /home/share
sudo semanage fcontext --add --type "samba_share_t" /home/share
sudo restorecon -R /home/share
</pre>
</pre>


Add this stanza to the /etc/samba/smb.conf, each share has its own section in the configuration file:
Each share is described by its own section in the /etc/samba/smb.conf file. Add this section to the bottom of the file:


<pre>
<pre>
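Review bot: `write list = user`, carried over unchanged at the top of this hunk, names an account called `user`, not the `jane` account the section sets up; change it to `write list = jane` or drop the line. Next to the new `useradd -G myfamily` lines, the Tip about leaving jack and maria without a system password could also suggest a non-login shell, since these accounts exist only to back Samba users.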
Line 92: Line 95:
</pre>
</pre>


Explanation:
Explanation of the above:
 
* valid users: only users of the group family have access rights. The @ denotes a group name.
valid users <-- only users of the group family have access rights (the @ sign denote a group name)
* force group = +myfamily: files and directories are created with this group, instead of the user group.
force group = myfamily <--- force the creation of files and directories with this group, instead of with the user group
* create mask = 0660: files in the share are created with permissions to allow all group users to read and write files created by other users.
create mask = 0660 <--- files on the filesystem are created with these permissions, so all the group users can read and write the files created by other users
* directory mask = 0770: as before, but for directories.
directory mask = 0770 <--- as before but for directories


Restart Samba for the changes to take effect:


<pre>
$ sudo systemctl restart smb
</pre>


=== Change a samba user password ===
=== Change a samba user password ===


Remember: system and samba password could be different. The system user is mandatory in order to handle filesystem permissions.
Remember: the system user and Samba user passwords can be different. The system user is mandatory in order to handle filesystem permissions.
 
<pre>
sudo smbpasswd maria
$ sudo smbpasswd maria
</pre>


=== Remove a samba user ===
=== Remove a samba user ===
 
<pre>
sudo smbpasswd -x maria
$ sudo smbpasswd -x maria
 
</pre>
If you don't need the system user, remove it as well:
If you don't need the system user, remove it as well:
 
<pre>
sudo userdel -r maria
$ sudo userdel -r maria
</pre>


=== Troubleshooting and logs  ===
=== Troubleshooting and logs  ===


Samba log files are located in `/var/log/samba/`
Samba log files are located in `/var/log/samba/`
<pre>
$ tail -f /var/log/samba/log.smbd
</pre>
You can increase the verbosity by adding this to the [global] section of `/etc/samba/smb.conf`:
<pre>
[global]
        loglevel = 5
</pre>
To validate the syntax of the configuration file `/etc/samba/smb.conf` use the command `testparm`.
Example output:
<pre>
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
</pre>
To display current samba connections, use the `smbstatus` command.
Example output:
<pre>
Samba version 4.12.3
PID    Username    Group        Machine                                  Protocol Version  Encryption          Signing             
----------------------------------------------------------------------------------------------------------------------------------------
7259    jack        jack        192.168.122.1 (ipv4:192.168.122.1:40148)  SMB3_11          -                    partial(AES-128-CMAC)


tail -f /var/log/samba/log.smbd
Service      pid    Machine      Connected at                    Encryption  Signing   
---------------------------------------------------------------------------------------------
family      7259    192.168.122.1 Fri May 29 14:03:26 2020 AEST    -            -         


You can increase the verbosity adding this directive to /etc/samba/smb.conf in the [global] stanza:
No locked files
</pre>


[global]
==== Trouble with accessing the share ====
        loglevel = 5


To validate configuration file syntax: testparm
Some things to check if you cannot access the share.


To display current samba connections, use the smbstatus command.
1. Be sure that the user exists as a system user as well as a Samba user


Find `maria` in the Samba database:
<pre>
$ sudo pdbedit -L | grep maria


==== Trouble with accessing the share ====
maria:1002:
</pre>
Confirm that `maria` also exists as a system user.
<pre>
$ cat /etc/passwd | grep maria


- Be sure that the user exists as system user as well as samba user
maria:x:1002:1002::/home/maria:/bin/bash
- Check if the shared directory has the right SELinux context
</pre>


2. Check if the shared directory has the right SELinux context.
<pre>
$ ls -dZ /home/share
$ ls -dZ /home/share
unconfined_u:object_r:samba_share_t:s0 /home/share
unconfined_u:object_r:samba_share_t:s0 /home/share
</pre>
3. Check if the system user has access rights to the shared directory.
<pre>
$ ls -ld /home/share


- Check if the system user has access rights to the shared directory
drwxrwx---. 2 root myfamily 4096 May 29 14:03 /home/share
ls -ld /home/share
</pre>
drwxrwx---. 5 root myfamily 4096 9 gen 15.45 /home/share
In this case, the user should be in the `myfamily` group.
 
In this case the user should be in the myfamily group


- check in the configuration file if the user has access rights granted or he is in the appropriated group
4. Check in the configuration file `/etc/samba/smb.conf` that the user and group have access rights.
<pre>
[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily
</pre>
In this case, the user should be in the `myfamily` group.


==== Trouble with writing in the share ====
==== Trouble with writing in the share ====


- Check in the samba configuration file if the user/group has write permissions
1. Check in the samba configuration file if the user/group has write permissions.
- Check user group membership
<pre>
- Check the share directory permissions
...
[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily
</pre>
In this example, the user should be in the `myfamily` group.


2. Check the share directory permissions.
<pre>
$ ls -ld /home/share


https://selinuxproject.org/page/SambaRecipes
drwxrwx---. 2 root myfamily 4096 May 29 14:03 /home/share
</pre>
This example assumes the user is part of the `myfamily` group which has read, write, and execute permissions for the folder.
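Review bot: The `[family]` block added to both troubleshooting lists keeps `public = yes` next to `valid users = @myfamily`; `public` is a synonym for `guest ok`, so the two settings contradict each other and the example should drop `public = yes`. The rewritten explanation bullet still says "the group family" where the group is `myfamily`, and the old `https://selinuxproject.org/page/SambaRecipes` reference is removed without a replacement pointer for SELinux problems.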

Latest revision as of 09:01, 5 June 2020

How to create a Samba share

Install and enable Samba

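The following commands install Samba, set it to run via systemctl, and configure the firewall to allow access to Samba from other computers. If firewall-cmd --get-active-zones reports a zone other than FedoraWorkstation, use that zone in the --zone option.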

$ sudo dnf install samba

$ sudo systemctl enable smb --now

$ firewall-cmd --get-active-zones
$ sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-service=samba
$ sudo firewall-cmd --reload

$ sudo systemctl enable smb --now

Sharing a directory under your home

In this example you will share a directory under your home directory that is accessible only by your user.

Samba does not use the operating system users for authentication, so your user account must be duplicated in Samba: if your account is "jane" on the host, the user "jane" must also be added to Samba. The usernames must be the same, but the passwords need not be.

Create a user called "jane" in Samba:

$ sudo smbpasswd -a jane

Create a directory to be the share for Jane, and set the correct SELinux context:

$ mkdir /home/jane/share

$ sudo semanage fcontext --add --type "samba_share_t" /home/jane/share
$ sudo restorecon -R /home/jane/share

Samba configuration lives in the /etc/samba/smb.conf file. Adding the following section at the end of the file will instruct Samba to set up a share for Jane called "share" at the /home/jane/share directory just created.

[share]
        comment = My Share
        path = /home/jane/share
        writeable = yes
        browseable = yes
        public = no
        create mask = 0644
        directory mask = 0755
        write list = jane

Restart Samba for the changes to take effect:

$ sudo systemctl restart smb

Sharing a directory for many users

In this example, you will share a directory (outside your home directory) and create a group of users with the right to read/write to the share.

Remember that a Samba user must also be a system user, in order to respect filesystem permissions. This example creates a system group "myfamily" for two new users "jack" and "maria".

$ sudo groupadd myfamily
$ sudo useradd  -G myfamily jack
$ sudo useradd  -G myfamily maria

Tip: You can create these users without a system password in order to prevent access to the system via SSH or local login.

Adding jack and maria to Samba:

$ sudo smbpasswd -a jack
$ sudo smbpasswd -a maria

Setting up the shared folder:

$ sudo mkdir /home/share
$ sudo chgrp myfamily /home/share
$ sudo chmod 770 /home/share
$ sudo semanage fcontext --add --type "samba_share_t" /home/share
$ sudo restorecon -R /home/share

Each share is described by its own section in the /etc/samba/smb.conf file. Add this section to the bottom of the file:

[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily

Explanation of the above:

  • valid users: only users of the group myfamily have access rights. The @ denotes a group name.
  • force group = +myfamily: files and directories are created with this group, instead of the user group.
  • create mask = 0660: files in the share are created with permissions to allow all group users to read and write files created by other users.
  • directory mask = 0770: as before, but for directories.
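
A check to run before restarting, added here as an example and not part of the wiki page: the function reads share sections in smb.conf format and reports, per share, whether guest access is enabled (public is a synonym for guest ok) and whether valid users restricts it. The function names and the sample configuration, including the [private] share, are constructed for the example.

```bash
# Added example: report guest exposure per share in smb.conf format.
# Samba ignores case and whitespace in parameter names, and "public" is a
# synonym for "guest ok", so names are normalised before comparison.
audit_shares() {
    awk '
    function report() {
        if (share == "" || share == "global") return
        if (guest && !restricted)
            print share ": guest access allowed, no valid users"
        else if (guest)
            print share ": guest ok set alongside valid users"
        else if (!restricted)
            print share ": any authenticated Samba user may connect"
        else
            print share ": restricted by valid users"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }    # comments and blank lines
    /^[ \t]*\[/ {                           # a section header starts a share
        report()
        share = $0
        sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
        share = tolower(share); guest = 0; restricted = 0
        next
    }
    {
        eq = index($0, "=")                 # only the first "=" is significant
        if (eq == 0) next
        name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
        value = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", value)
        if (name == "public" || name == "guestok")
            guest = (value == "yes" || value == "true" || value == "1")
        if (name == "validusers")
            restricted = (value != "")
    }
    END { report() }
    ' "$@"
}

# Constructed sample; "Guest OK" exercises the name normalisation.
sample_conf() {
    cat <<'EOF'
[share]
        path = /home/jane/share
        public = yes
[family]
        path = /home/share
        Guest OK = yes
        valid users = @myfamily
[private]
        path = /srv/private
        valid users = jane
EOF
}
sample_conf | audit_shares
```

On a live host the function can read the parsed configuration instead of the sample: testparm -s 2>/dev/null | audit_shares.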

Restart Samba for the changes to take effect:

$ sudo systemctl restart smb

Change a samba user password

Remember: the system user and Samba user passwords can be different. The system user is mandatory in order to handle filesystem permissions.

$ sudo smbpasswd maria

Remove a samba user

$ sudo smbpasswd -x maria

If you don't need the system user, remove it as well:

$ sudo userdel -r maria

Troubleshooting and logs

Samba log files are located in /var/log/samba/

$ tail -f /var/log/samba/log.smbd

You can increase the verbosity by adding this to the [global] section of /etc/samba/smb.conf:

[global]
        loglevel = 5

To validate the syntax of the configuration file /etc/samba/smb.conf use the command testparm. Example output:

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

To display current Samba connections, use the smbstatus command. Example output:

Samba version 4.12.3
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
7259    jack         jack         192.168.122.1 (ipv4:192.168.122.1:40148)  SMB3_11           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing     
---------------------------------------------------------------------------------------------
family       7259    192.168.122.1 Fri May 29 14:03:26 2020 AEST    -            -           

No locked files

Trouble with accessing the share

Some things to check if you cannot access the share.

1. Be sure that the user exists as a system user as well as a Samba user

Find maria in the Samba database:

$ sudo pdbedit -L | grep maria

maria:1002:

Confirm that maria also exists as a system user.

$ cat /etc/passwd | grep maria

maria:x:1002:1002::/home/maria:/bin/bash

2. Check if the shared directory has the right SELinux context.

$ ls -dZ /home/share

unconfined_u:object_r:samba_share_t:s0 /home/share

3. Check if the system user has access rights to the shared directory.

$ ls -ld /home/share 

drwxrwx---. 2 root myfamily 4096 May 29 14:03 /home/share

In this case, the user should be in the myfamily group.

4. Check in the configuration file /etc/samba/smb.conf that the user and group have access rights.

[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily

In this case, the user should be in the myfamily group.
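
The account checks from steps 1, 3 and 4 above, combined into one function (an added example, not part of the wiki page; the SELinux check in step 2 is not covered). The function names, the file arguments and the sample records are assumptions made for the example.

```bash
# Added example: the account checks from the list above as one function.
# It reads text files so it can be tried offline: $1 user, $2 group,
# $3 saved output of "sudo pdbedit -L", $4 passwd file, $5 group file.

# Print the first colon-separated record whose first field equals $1.
lookup() {
    awk -F: -v k="$1" '$1 == k { print; found = 1; exit }
                       END { exit !found }' "$2"
}

diagnose_access() {
    user=$1; group=$2
    # Step 1: the name must exist in Samba and as a system user.
    lookup "$user" "$3" >/dev/null || { echo "$user: not a Samba user"; return 1; }
    pw=$(lookup "$user" "$4") || { echo "$user: not a system user"; return 1; }
    gr=$(lookup "$group" "$5") || { echo "$group: no such group"; return 1; }
    # Membership is the primary GID (passwd field 4) or an entry in the
    # member list (group field 4); "valid users = @group" needs one of them.
    primary_gid=$(echo "$pw" | cut -d: -f4)
    gid=$(echo "$gr" | cut -d: -f3)
    members=$(echo "$gr" | cut -d: -f4)
    if [ "$primary_gid" = "$gid" ]; then
        echo "$user: member of $group (primary group)"; return 0
    fi
    case ",$members," in
        *",$user,"*) echo "$user: member of $group"; return 0 ;;
    esac
    echo "$user: not in group $group"
    return 1
}

# Constructed sample: paul was never added with smbpasswd -a, and maria
# was created without -G myfamily.
make_sample() {
    printf '%s\n' 'jack:1001:' 'maria:1002:' > "$1/samba_users"
    printf '%s\n' 'jack:x:1001:1001::/home/jack:/bin/bash' \
                  'maria:x:1002:1002::/home/maria:/bin/bash' \
                  'paul:x:1003:1003::/home/paul:/bin/bash' > "$1/passwd"
    printf '%s\n' 'jack:x:1001:' 'maria:x:1002:' 'myfamily:x:1004:jack' > "$1/group"
}

dir=$(mktemp -d)
make_sample "$dir"
for u in jack maria paul; do
    diagnose_access "$u" myfamily "$dir/samba_users" "$dir/passwd" "$dir/group" || true
done
rm -rf "$dir"
```

On a live host, save the Samba list with sudo pdbedit -L > samba_users and pass /etc/passwd and /etc/group as the last two arguments.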

Trouble with writing in the share

1. Check in the Samba configuration file if the user/group has write permissions.

...
[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily

In this example, the user should be in the myfamily group.

2. Check the share directory permissions.

$ ls -ld /home/share 

drwxrwx---. 2 root myfamily 4096 May 29 14:03 /home/share

This example assumes the user is part of the myfamily group which has read, write, and execute permissions for the folder.