Intro to Samba

Samba is a project[27] providing software capable of utilizing the SMB (Server Message Block) and CIFS (Common Internet File System) protocols to interoperate with systems using MS-Windows-style file and printer sharing. Linux systems can use Samba to perform the following tasks.

Samba was originally called SMB Server. The name had to be changed because "SMB Server" was an actual product, the predecessor to CIFS. The later version of Samba implements the CIFS network protocol, which is what allows Samba to communicate with (newer) MS Windows systems. Legacy Samba needs ports 137, 138, and 139. Newer versions of CIFS need only port 445.[28]

Installing Samba

The following packages need to be installed for a comprehensive set of Samba services.[29]

  1. samba
  2. samba-common
  3. samba-winbind

Samba Configuration

The main Samba configuration file is located at '/etc/samba/smb.conf'. The high points of its global settings are listed in the table below.

Table 10.4. Samba Global Configuration

| Configuration | Description |
|---|---|
| workgroup | Specifies a shared Windows Workgroup or Domain name. |
| server string | Provides a description of the server. |
| netbios name | Specifies a name for the server for implementations where NetBIOS is still used. |
| interfaces | Used to bind the service only to particular network adapters or IP addresses. |
| hosts allow | Used for host-based access control. |

The Samba server can be configured for one of five security models. They are listed in the following table.

Table 10.5. Samba Server Security Models

| Model | Description |
|---|---|
| user | Indicates that user credentials are held on the local server. |
| share | Indicates that credentials are not kept globally on an individual basis. All who report membership in the same workgroup are permitted access to the server, and user authentication is configured in the share settings. |
| domain | Used when the Samba Server has been added to a Windows NT Domain. User access is authenticated through a primary or secondary domain controller. |
| server | User access is authenticated through a peer server that is not a domain controller. |
| ads | User access is authenticated through an Active Directory controller. Kerberos must be installed and configured to authenticate this machine's membership in the Domain. |

Samba users must be manually configured when the security model is set to user. Therefore, local Samba users and passwords must be created. Typically, these accounts use the same user names as those configured on the local system. The command used is `smbpasswd -a <user>`[30]. See the section called "Create a Public Share with Samba" for an example of configuring a public Samba share.

The syntax of the '/etc/samba/smb.conf' file can be tested before restarting the service with the command `testparm`.
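
`testparm` checks syntax, not whether the access-control settings from Tables 10.4 and 10.5 are actually present. As an added example (not part of the original guide or of the Samba project), this shell script audits the global section for `hosts allow`, `interfaces` and `security = share`; the function names and the sample config are constructed for illustration, and the `bind interfaces only` check goes beyond the page's table.

```shell
#!/bin/sh
# Added example: audit [global] in an smb.conf for settings this page covers.

# Print one [global] parameter's value (the last occurrence is reported).
smb_global_get() {  # $1 = smb.conf path, $2 = parameter name in lower case
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header
            sect = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", sect); sub(/[ \t]*\].*$/, "", sect)
            next
        }
        sect == "global" && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }' "$1"
}

# Print one WARN line per finding; return 1 if there were any, else 0.
audit_smb_global() {  # $1 = smb.conf path
    rc=0
    warn() { echo "WARN: $*"; rc=1; }
    sec=$(smb_global_get "$1" "security" | tr 'A-Z' 'a-z')
    bindonly=$(smb_global_get "$1" "bind interfaces only" | tr 'A-Z' 'a-z')
    [ -n "$(smb_global_get "$1" "hosts allow")" ] ||
        warn "no 'hosts allow': no host-based access control"
    if [ -z "$(smb_global_get "$1" "interfaces")" ]; then
        warn "no 'interfaces': service not limited to chosen adapters"
    else
        # Not in the page's table: 'interfaces' restricts listening only
        # when the 'bind interfaces only' parameter is enabled.
        case "$bindonly" in yes|true|1) ;; *)
            warn "'interfaces' set without 'bind interfaces only = yes'" ;;
        esac
    fi
    [ "$sec" != "share" ] || warn "security = share: no per-user credentials"
    return "$rc"
}

# Constructed sample config (not from the page); 192.0.2.0/24 is a documentation range.
sample=$(mktemp)
printf '%s\n' '[global]' 'workgroup = EXAMPLE' 'security = share' \
    'interfaces = lo 192.0.2.10/24' '; hosts allow = 127. 192.0.2.' > "$sample"
audit_smb_global "$sample" || echo "findings present in sample config"
rm -f "$sample"
```

Run it against a copy of '/etc/samba/smb.conf' after `testparm` passes; a non-zero return from `audit_smb_global` means at least one WARN line was printed.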

Samba as a Service

Samba is controlled by two services, smbd and nmbd. Typically, both services are tied together with the startup scripts, and can be started with the typical command `service smb start`. Remember to configure the service to start at boot with the command `chkconfig smb on`.

Commands to Manipulate Samba

To mount a CIFS file system use the command `mount -t cifs -o [options] //<server>/<share> /<path>/<to>/<mountpoint>`.

`testparm`

`smbclient -L {localhost|<server>} -U <username>`

Securing Samba

Samba, in its latest version, uses TCP port 445. For backwards compatibility or in a mixed environment, UDP ports 137 and 138 and TCP port 139 may also need to be opened.

Copious SELinux notes are at the top of the config file at '/etc/samba/smb.conf'. Run the command `man samba_selinux` for more information. To find SELinux port settings, booleans, and file contexts that apply to Samba, see the commands in the listing below.

    semanage port -l  | grep smb
    semanage boolean -l  | grep "smb\|samba"
    semanage fcontext -l  | grep "smb\|samba"

Additional Notes & Considerations for Samba

Samba is one of the entities in the Linux realm that is way cool. It is capable of many interactions with the world of Windows that would otherwise be extremely difficult or impossible. See The Samba Project for more details.

Reference Material for this Chapter

For this chapter's supporting material, please reference Chapters 15 & 16 in the RHCSA/RHCE Linux Certification Study Guide text book.



[27] See The Samba Project for details.

[28] See Implementing CIFS and/or Using Samba for more information.

[29] There is also a samba-domainjoin-gui package available from external repositories if one needs that functionality.

[30] Note that in this paradigm, the user being configured in Samba must exist on the local Linux system.