RH358 - Provide file-based networked storage: SMB file sharing

Posted by Coinnoch on Tue, 18 Jan 2022 23:08:35 +0100


This chapter describes how to provide Samba shares, but in my opinion Samba has become a service of marginal value: a pity to drop, but not worth much either. Because of ransomware, many government and enterprise networks block ports 135, 137, 138, 139 and 445 at the network level, and the SMB protocol relies on exactly these high-risk ports. So I have real doubts about whether to use Samba at all. My view: don't.

1. Describe SMB

Server Message Block (SMB) is the standard file sharing protocol for Microsoft Windows servers and clients. SMB file servers can be configured in several ways.

  • One of the easiest ways is to configure a stand-alone server, where the server and its clients are members of a common Windows workgroup. The server manages user accounts and passwords locally.

  • More complex configurations may use Microsoft Active Directory (AD) to coordinate user authentication through a domain controller.

  • Red Hat Enterprise Linux can access and provide SMB file shares both as a client and as a server. The cifs-utils package must be installed on a client that mounts an SMB file share. On the server, the samba package allows directories to be shared using the SMB protocol.

2. Use SMB to share directories

Samba can share Linux directories as SMB network file shares. This course covers the configuration of samba as a stand-alone server. In this configuration, the server manages user accounts in its Samba database and provides file sharing to members of the local Windows workgroup.

The basic steps to share a directory over SMB are as follows:

  • Install the samba package.

  • Prepare the shared directory.

  • Configure the /etc/samba/smb.conf configuration file.

  • Set up and configure the appropriate Linux user in the Samba database.

  • Start Samba and open the local firewall.

  • Mount the SMB share from the client system to verify your configuration.

3. Install Samba and prepare the shared directory

Install the samba package on the samba server.

[root@host ~]# yum install samba

If the directory you want to share does not exist, create it.

[root@host ~]# mkdir /srv/smbshare

Set Linux access

Samba maps its user accounts to Linux users. In this basic configuration, Linux file permissions are used to control access to directories. For example, to provide write access to members of the developers group and read access to others, you can use the following command:

[root@host ~]# chgrp developers /srv/smbshare
[root@host ~]# chmod 2775 /srv/smbshare
[root@host ~]# ll /srv/smbshare
drwxrwsr-x. 2 root developers 6 May 26 08:56 /srv/smbshare
# The SGID bit ensures that new content automatically belongs to the developers group.

Set SELinux context type

For Samba to work correctly with SELinux, set the directory context type to samba_share_t.

[root@host ~]# semanage fcontext -a -t samba_share_t '/srv/smbshare(/.*)?'

[root@host ~]# restorecon -Rv /srv/smbshare

Samba can also serve files labelled with the SELinux types public_content_t (read only) and public_content_rw_t (read/write). With the public_content_rw_t type, enable the SELinux smbd_anon_write Boolean to allow read-write access. These two SELinux types are useful when you want Apache HTTP Server or NGINX to be able to serve, or write to, the content of the shared directory as well.

**Warning:** Do not share with Samba a directory that is also exported over NFS, a mounted NFS file system, or an FTP share. Doing so may result in file corruption or other file access problems.

4. Configure Samba

The Samba configuration file is /etc/samba/smb.conf. The file is divided into several sections. Each section begins with the section name in square brackets, followed by a set of parameters.

The /etc/samba/smb.conf configuration file starts with the [global] section. This section provides general server configuration and default values that you can override in subsequent sections. The sections that follow define file or printer shares. Comment lines can start with either a semicolon (;) or a hash (#) character.

Configure global section

The **[global]** section defines the basic configuration of the Samba server. The following are the most commonly used parameters.

workgroup

The workgroup parameter is the Windows workgroup the server belongs to. When a client system browses the network, the server is listed under this name. The default value is WORKGROUP.

security

The security parameter controls how Samba authenticates clients. With security = user, clients log in with a user name and password managed by the local Samba server in its database. This value is the default.

server min protocol

The server min protocol parameter sets the minimum SMB version the server accepts. By default, the server supports all versions of the protocol and negotiates the version with the client. Because the first version of the protocol, SMB1 (also known as CIFS), has security problems, Red Hat recommends excluding it by setting server min protocol to SMB2. With this configuration, however, Microsoft Windows XP and earlier can no longer access the server, because they only support SMB1. The current version of the SMB protocol is version 3.

**Note:** On Red Hat Enterprise Linux 8.2 and later, Samba disables SMB1 support by default.

smb encrypt

The smb encrypt parameter controls traffic encryption. By default, the server and client negotiate whether to encrypt. To force encryption, set smb encrypt to required and set server min protocol to SMB3, because only SMB3 provides native support for encryption. Microsoft Windows 8 and Microsoft Windows Server 2012 and later support SMB3 encryption.
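The following shell script is an added example, not part of the RH358 material or of Samba's own tooling: it reads the [global] section of an smb.conf file and reports whether the two hardening settings just described (SMB1 excluded via server min protocol, encryption enforced via smb encrypt = required with an SMB3 minimum) are in place. The sample configuration files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the RH358 material): audit the [global] section of an smb.conf.
# check_smb_conf FILE prints one line per finding and returns 0 only when SMB1 is
# excluded and encryption is enforced; any WARN or FAIL makes it return 1.
check_smb_conf() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[;#]/ { next }                                   # ";" and "#" comment lines
        /^[ \t]*\[/ { insec = (tolower(trim($0)) == "[global]"); next }   # section headers
        insec && index($0, "=") {                                # key = value inside [global]
            eq = index($0, "=")
            key = tolower(trim(substr($0, 1, eq - 1)))
            val = tolower(trim(substr($0, eq + 1)))
            if (key == "server min protocol") minproto = val
            if (key == "smb encrypt") encrypt = val
        }
        END {
            rc = 0
            if (minproto == "") {
                print "WARN: server min protocol is unset; SMB1 acceptance depends on the build default"; rc = 1
            } else if (minproto ~ /^smb[23]/) {
                print "OK:   server min protocol = " minproto " (SMB1/CIFS excluded)"
            } else {
                print "FAIL: server min protocol = " minproto " still accepts SMB1 dialects"; rc = 1
            }
            if (encrypt != "required") {
                shown = (encrypt == "") ? "unset" : encrypt
                print "WARN: smb encrypt is " shown "; encryption is only negotiated, never enforced"; rc = 1
            } else if (minproto ~ /^smb3/) {
                print "OK:   smb encrypt = required with an SMB3 minimum"
            } else {
                print "FAIL: smb encrypt = required needs server min protocol = SMB3"; rc = 1
            }
            exit rc
        }
    ' "$1"
}

# Constructed sample configurations for the demo; they are not the page's lab files.
demo=$(mktemp -d)
cat > "$demo/weak.conf" <<'EOF'
[global]
        workgroup = MYCOMPANY
        server min protocol = NT1
[data]
        path = /smbshare
EOF
cat > "$demo/hardened.conf" <<'EOF'
; hardened settings matching the exercise on this page
[global]
        workgroup = MYCOMPANY
        smb encrypt = required
        server min protocol = SMB3
[data]
        path = /smbshare
        write list = @marketing
EOF
for f in weak hardened; do
    echo "== $f.conf"; check_smb_conf "$demo/$f.conf" || echo "   -> hardening incomplete"
done
rm -r "$demo"
```

Run it against a real file with `testparm -s > /tmp/smb.conf; sh check.sh /tmp/smb.conf` style usage by replacing the demo section; testparm only validates syntax, it does not judge these settings.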

Configure shared section

After the [global] section, define your shares in custom sections. The section name in square brackets is the name of the share as seen from the client. The most useful directives in these sections are as follows.

path

The path directive gives the full path of the directory to be shared on the server.

writeable

The writeable directive indicates whether authenticated users have read-write access to the share (when set to yes) or not (when set to no). The default is no.

write list

When the writeable directive is no (the default), you can use the write list directive to provide a comma-separated list of users with read-write access to the share. Users not in the list have read-only access.

In the list, you can specify a local Linux group by prefixing the group name with the @ character. The following example grants read/write access to the operator1 user and to members of the developers group.

write list = operator1, @developers

valid users

By default, all authenticated users can access the share. To restrict this, use the valid users directive, which accepts a comma-separated list of the users who should have access.

The following example declares the devcode SMB share, which gives access to the /srv/smbshare directory. All authenticated users have read access to the share, but only members of the developers group have read/write access.

[devcode]
path = /srv/smbshare
write list = @developers

The following example further restricts access to the share by allowing only members of the developers group and the operator1 user. operator1 is not in the write list and therefore has read-only access.

[devcode]
path = /srv/smbshare
valid users = operator1, @developers
write list = @developers

Validation profile

To check the /etc/samba/smb.conf file for errors, use the testparm command without parameters.

[root@host ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
Enter
...output omitted...

5. Prepare Samba users

Each Samba account must have an associated Linux account with the same user name. To create a Samba-only user account, lock its Linux password and set its login shell to /sbin/nologin. This configuration prevents the user from logging in to the Linux system over SSH or from the console.

The following example creates a locked Linux account for the operator1 user.

[root@host ~]# useradd -s /sbin/nologin operator1

After creating the Linux accounts, add them to the Samba database using the smbpasswd command, provided by the samba-common-tools package.

To add a user to the Samba database, use the smbpasswd command with the -a option and the user name as parameters. Enter the password at the prompt.

[root@host ~]# smbpasswd -a operator1
New SMB password: redhat
Retype new SMB password: redhat
Added user operator1.

To remove a user from the Samba database, use the -x option.

[root@host ~]# smbpasswd -x operator1
Deleted user operator1.

In addition to the smbpasswd command, a more powerful pdbedit command is provided. For example, use the pdbedit -L command to list users in the Samba database. For more information, see the pdbedit(8) man page.

Samba maintains its database in the /var/lib/samba/private/ directory. Do not modify the files in this directory directly.

6. Start Samba

Use the systemctl command to enable and start the smb service.

[root@host ~]# systemctl enable --now smb

To allow clients to reach the Samba server, open the samba firewalld service, which allows access to ports 139/TCP and 445/TCP.

[root@host ~]# firewall-cmd --permanent --add-service=samba

[root@host ~]# firewall-cmd --reload

**Important:** Samba regularly checks whether /etc/samba/smb.conf has changed. If the configuration file has changed, Samba reloads it automatically. This does not affect connections already established to the Samba service until the connection is closed or Samba is fully restarted.

Execute the systemctl reload smb command to immediately reload the configuration file, or execute the systemctl restart smb command to completely restart Samba.

7. Mount SMB file system

Both Microsoft Windows and Linux systems can access SMB shares from Samba servers. On Linux, you need to install the cifs-utils package to mount an SMB share on the local system.

On Linux, use the //servername/sharename notation to refer to a share. The standard Microsoft Windows Universal Naming Convention (UNC) uses \\servername\sharename to represent network resources; however, because \ is an escape character in the shell, Linux utilities typically use the / character instead.

To mount an SMB share, you must provide user credentials to authenticate using the Samba server. These credentials determine access to files on the share.

For a manual mount, you can use the username mount option. The command then prompts for the password.

[root@client ~]# mount -o username=operator1 //host.example.com/devcode /mnt
Password for operator1@//host.example.com/devcode: redhat

To mount the share automatically, for example from /etc/fstab, use the credentials option. The following example shows an /etc/fstab entry that mounts the devcode share using a credentials file.

//host.example.com/devcode /data cifs credentials=/etc/samba/credentials 0 0

The credential file provides a user name and password for authentication.

[root@client ~]# cat /etc/samba/credentials
username=operator1
password=redhat

Because the credential file contains a password, store the file in a secure directory and restrict its access:

[root@client ~]# chown root /etc/samba/credentials
[root@client ~]# chmod 600 /etc/samba/credentials

Request encryption

If you need to force SMB traffic encryption, use the seal option in the mount command. The following example shows the entry in / etc/fstab that mounts the devcode share and forces traffic encryption.

//host.example.com/devcode /data cifs credentials=/etc/samba/credentials,seal 0 0

Perform multi-user SMB mount

When you mount an SMB share using the credentials or username option, those credentials are used by all users on the local system: any user can access the share with that one identity.

Ideally, you want each user's own SMB credentials to determine their access to files on the mounted share. You can set this up with the multiuser mount option.

With multiuser, the root user mounts the SMB share with credentials that have minimal access to the share. When a user logs in, they use the cifscreds command to temporarily add their own SMB password to the secure kernel keyring. The client's Linux kernel then uses their SMB credentials, not the credentials root used to mount the share, to determine their access to the share.

The following steps describe the system configuration for the multi-user option.

  • Create a credential file to mount the SMB share. The user used in the credential file must have minimum access to the SMB share and read access to the shared directory, but no more access is required.

  • Add the multiuser option to the mount command. The following / etc/fstab entry uses credentials and multiuser options. The entry is in a single line without a line break.

//host.example.com/devcode /data cifs credentials=/etc/samba/creds,multiuser 0 0

  • Mount the SMB share using the mount command.

Before accessing the mount point, users should run the cifscreds command to provide their credentials.

[developer1@client ~]$ cifscreds add host.example.com
Password: redhat

The cifscreds command takes a subcommand as its first argument and the Samba server name as its second. The add subcommand loads SMB credentials into the kernel keyring. The clear subcommand removes the user's credentials for the given host from the kernel keyring. The update subcommand replaces the credentials in the kernel keyring with a new user name and password.

Note: by default, cifscreds assumes that the user name for the SMB credentials matches the current Linux user name. Use the -u username option after add or clear to specify a different user name for the SMB credentials.
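As an added example, not part of the RH358 material or of cifs-utils, this script audits the cifs entries of an fstab file against the points made in the last few sections: no password inline in /etc/fstab, a credentials file that is not readable by group or other, seal to force encryption, and multiuser so each user presents their own credentials. The fstab and credentials file it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the RH358 material): audit cifs entries in an fstab file.
# check_cifs_fstab FILE prints findings and returns 0 only when nothing is rated FAIL.
check_cifs_fstab() {
    fails=0
    entries=$(awk '!/^[ \t]*#/ && $3 == "cifs" { print $1, $2, $4 }' "$1")
    while read -r dev mnt opts; do
        [ -n "$dev" ] || continue
        echo "== $dev on $mnt"
        case ",$opts," in
            *,password=*|*,pass=*)
                echo "FAIL: password stored inline; /etc/fstab is world-readable"; fails=$((fails + 1)) ;;
        esac
        # credentials= (or its alias cred=) names a file holding username/password lines
        cred=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^cred\(entials\)\{0,1\}=//p')
        if [ -n "$cred" ]; then
            if [ ! -f "$cred" ]; then
                echo "FAIL: credentials file $cred does not exist"; fails=$((fails + 1))
            else
                perms=$(ls -ld "$cred" | cut -c5-10)        # group and other permission bits
                owner=$(ls -ld "$cred" | awk '{ print $3 }')
                [ "$perms" = "------" ] || { echo "FAIL: $cred is readable by group/other (chmod 600)"; fails=$((fails + 1)); }
                [ "$owner" = root ] || echo "WARN: $cred is owned by $owner, expected root"
            fi
        fi
        case ",$opts," in
            *,seal,*) echo "OK:   seal forces SMB3 traffic encryption" ;;
            *) echo "WARN: no seal option; encryption is only negotiated" ;;
        esac
        case ",$opts," in
            *,multiuser,*) echo "OK:   multiuser: users supply their own credentials with cifscreds" ;;
            *) echo "WARN: no multiuser option; every local user reaches the share as the mounting identity" ;;
        esac
    done <<EOF
$entries
EOF
    [ "$fails" -eq 0 ]
}

# Constructed sample fstab and credentials file (not the lab hosts' real files).
demo=$(mktemp -d)
printf 'username=sambamount\npassword=redhat\n' > "$demo/creds.txt"
chmod 600 "$demo/creds.txt"
cat > "$demo/fstab" <<EOF
# constructed fstab: the first entry embeds a password, the second follows the page's advice
//host.example.com/devcode /data cifs username=operator1,password=redhat 0 0
//serverd.lab.example.com/data /designs cifs credentials=$demo/creds.txt,multiuser,seal 0 0
EOF
check_cifs_fstab "$demo/fstab" || echo "-> at least one entry failed the audit"
rm -r "$demo"
```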

Reference documents: the samba(7), smb.conf(5), testparm(1), smbpasswd(8), pdbedit(8), mount.cifs(8) and cifscreds(1) man pages.

8. Textbook exercises

[student@workstation ~]$ lab filestorage-smb start

This command ensures that servera and serverd are available on the network and creates the developer1 and operator1 user accounts on servera.

In this exercise, you configure serverd as a stand-alone SMB file server that shares the /smbshare directory. You then configure servera to mount the SMB share on the /designs directory using the multiuser mount option.

1. Install samba package

[root@serverd ~]# yum -y install samba

2. Create and configure the marketing group and the /smbshare directory.

Configure the /smbshare directory as follows:

  • The directory is owned by the marketing group.

  • The SGID bit is set in the directory.

  • Everyone has read permission to the directory, but only the marketing group can write.

[root@serverd ~]# groupadd marketing
[root@serverd ~]# mkdir /smbshare
[root@serverd ~]# chgrp marketing /smbshare
[root@serverd ~]# chmod 2775 /smbshare
[root@serverd ~]# semanage fcontext -a -t samba_share_t '/smbshare(/.*)?'
[root@serverd ~]# restorecon -Rv /smbshare
Relabeled /smbshare from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:samba_share_t:s0
[root@serverd ~]# ls -ldZ /smbshare
drwxrwsr-x. 2 root marketing unconfined_u:object_r:samba_share_t:s0 6 Jul  2 09:40 /smbshare

3. Edit the /etc/samba/smb.conf configuration file.

  • Set the workgroup to MYCOMPANY.

  • Configure Samba to require encrypted traffic.

  • Force Samba to support only SMB version 3 and later.

  • Create a share named data.

  • Share the /smbshare directory.

  • Protect the share so that everyone can access it, but only members of the marketing group have write access.

[root@serverd ~]# vim /etc/samba/smb.conf
[global]
        workgroup = MYCOMPANY
        smb encrypt = required
        server min protocol = SMB3
............
[data]
        path = /smbshare
        write list = @marketing
[root@serverd ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
Enter
...output omitted...
# If the command reports any warnings or errors, correct them before continuing

4. Create users and groups as required and set permissions.

Create a Samba-only developer1 user account and add it to the marketing group. This account has write access to the share because it is a member of the marketing group.

Create a Samba-only operator1 user account. Do not add it to the marketing group, so it has read-only access to the share.

[root@serverd ~]# useradd -s /sbin/nologin -G marketing developer1
[root@serverd ~]# smbpasswd -a developer1
New SMB password: redhat
Retype new SMB password: redhat
Added user developer1.

[root@serverd ~]# useradd -s /sbin/nologin operator1
[root@serverd ~]# smbpasswd -a operator1
New SMB password: redhat
Retype new SMB password: redhat
Added user operator1.

5. Create an additional sambamount user account that has minimal access to the share.

This system account is used only by the client system to mount the share with the multiuser option.

Create the sambamount user account. Set its login shell to /sbin/nologin to prevent Linux logins. Use the --system option (or -r) to declare it a system account, so that no home directory is created.

[root@serverd ~]# useradd -r -s /sbin/nologin sambamount
[root@serverd ~]# smbpasswd -a sambamount
New SMB password: redhat
Retype new SMB password: redhat
Added user sambamount.

6. Enable and start the smb service, and then open the firewall port.

[root@serverd ~]# systemctl enable --now smb
[root@serverd ~]# systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-07-02 10:12:52 CST; 4s ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 2765 (smbd)
   Status: "smbd: ready to serve connections..."
    Tasks: 4 (limit: 11248)
   Memory: 8.3M
   CGroup: /system.slice/smb.service
           ├─2765 /usr/sbin/smbd --foreground --no-process-group
           ├─2767 /usr/sbin/smbd --foreground --no-process-group
           ├─2768 /usr/sbin/smbd --foreground --no-process-group
           └─2769 /usr/sbin/smbd --foreground --no-process-group
[root@serverd ~]# firewall-cmd --permanent --add-service=samba
success
[root@serverd ~]# firewall-cmd --reload
success

7. Persistently mount the SMB data share under the / designs mount point on servera.

# To do this, create the /etc/samba/creds.txt file containing the credentials of the sambamount user. Use the credentials, multiuser and seal mount options in /etc/fstab to activate multi-user mode and encrypt communication.
[root@servera ~]# yum -y install cifs-utils
[root@servera ~]# vim /etc/samba/creds.txt
username=sambamount
password=redhat
[root@servera ~]# chmod 600 /etc/samba/creds.txt
[root@servera ~]# mkdir /designs
[root@servera ~]# echo "//serverd.lab.example.com/data /designs cifs credentials=/etc/samba/creds.txt,multiuser,seal 0 0" >> /etc/fstab
[root@servera ~]# mount /designs
[root@servera ~]# df /designs
Filesystem 1K-blocks Used Available Use% Mounted on
//serverd.lab.example.com/data 10474476 2289868 8184608 22% /designs

8. Test.

[root@servera ~]# su - developer1
[developer1@servera ~]$ cifscreds add serverd.lab.example.com
Password: redhat
[developer1@servera ~]$ echo Hello World > /designs/test.txt
[developer1@servera ~]$ ls /designs
test.txt
[developer1@servera ~]$ cat /designs/test.txt
Hello World
[developer1@servera ~]$ exit
logout

[root@servera ~]# su - operator1
[operator1@servera ~]$ cifscreds add serverd.lab.example.com
Password: redhat
[operator1@servera ~]$ ls /designs
test.txt
[operator1@servera ~]$ cat /designs/test.txt
Hello World
[operator1@servera ~]$ echo Hello World > /designs/operator1.txt
-bash: /designs/operator1.txt: Permission denied

Complete the experiment

[student@workstation ~]$ lab filestorage-smb finish

Summary

  • Introduce SMB.
  • How to deploy and configure Samba.
  • Export Samba and mount it for use.
  • If you like this article, please give it a like. You can also follow me, as more hands-on content will follow.

Topics: Linux Operation & Maintenance server RHCA