Samba is somewhat tricky to set up on CentOS because both the firewall (iptables) and SELinux stand in its way by default. That is actually a good thing: security matters. But to let Samba talk to machines outside the server we have to do some work, and pick up some understanding along the way.
Samba uses ports 137, 138, 139 and 445. Why so many ports? A bit of history. Microsoft's original transport for client/server file sharing was NetBIOS over TCP/IP, which uses ports 137, 138 and 139. Those networks relied on a NetBIOS name server, WINS (Windows Internet Name Service), to hand machine names to the clients; in other words, WINS was the DNS of its day. It is easy to set up, but NetBIOS name registration has no authentication, so names are easy to spoof. If you have ever run "net view" or "net use" on a NetBIOS network, you have been using NetBIOS name resolution (WINS or broadcast) behind the scenes.
Times changed: out went WINS and in came Active Directory (AD), Microsoft's answer to Novell's directory service (NDS). The difference that matters here is that AD relies on DNS instead of NetBIOS for name resolution, and with it (from Windows 2000 onward) SMB gained a second transport: "direct-hosted" SMB on TCP port 445, with no NetBIOS layer at all. Port 445 is not the AD service itself; it carries the same file-sharing protocol as port 139, minus NetBIOS. Windows 2000 and later clients try both 445 and 139 and prefer 445 when it answers, but NetBIOS over TCP/IP stays enabled by default; you can switch it off on the WINS tab of the advanced TCP/IP settings of a network connection in the Windows Control Panel. Unless you have a Windows domain or have turned NetBIOS off on the clients, expect to see the old NetBIOS traffic as well. Those client-side settings are beyond the scope of this document.
Now back to the ports and to Samba. Here is a listing of the ports Samba needs. A quick note on the protocols first: TCP (Transmission Control Protocol) is the connection-oriented transport used by, for example, the web (port 80) and ssh (port 22). UDP (User Datagram Protocol) is its connectionless cousin: individual packets with no session. Port numbers are kept separately for each protocol, so "445/tcp" and "445/udp" are two different things and need two different firewall rules. Explaining the two in depth is not the focus of this article, and a web search will fill in the rest; for now, just know that the difference matters when you write firewall rules.
- Port 137/UDP – NetBIOS name service (what WINS and broadcast name lookups use)
- Port 138/UDP – NetBIOS datagram service (browse lists and announcements)
- Port 139/TCP – NetBIOS session service, the transport for Windows file and printer sharing on NetBIOS networks
- Port 445/TCP – Microsoft-DS: direct-hosted SMB file sharing, the transport AD-era Windows clients use
- Port 445/UDP – Microsoft-DS is registered on UDP as well, but SMB does not use it in practice; a rule for it is harmless but not required
Which of these is "the insecure one"? Ports 137 through 139 answer unauthenticated queries with machine and share names, and 139 and 445 both carry the full SMB protocol, so every one of them should be reachable only from your own LAN.
Why know all this? Because you have to know which ports to open, and which NOT to open, for Samba; otherwise you either won't get it working on CentOS or you will open more than you meant to.
1. Opening Up The Firewall
Open your firewall rules file, /etc/sysconfig/iptables, in your favorite text editor (vi, nano, joe, whatever works for you) and add the lines below that match your situation. Order matters: the default RH-Firewall-1-INPUT chain ends with a rule that rejects everything else, so your new lines must go above that final REJECT line or they will never be reached.
If your clients are Windows 2000 or later (the Active Directory generation) and you want to enable ONLY the direct-hosted SMB port for Samba, use:
-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
(Only the TCP rule is actually needed; SMB does not use UDP 445, so the second line can be left out.)
Don't be scared of the syntax. I'm not going to cover firewalls in depth, but understand the basics:
-s 192.168.10.0/24 [restricts the rule to source addresses on your own /24 network. Change it to match your network. This is what makes the setup far more secure than giving the entire world access to the port.]
-m state --state NEW [matches the first packet of a new connection; packets of connections that are already established are accepted by an earlier rule in the default chain.]
-p tcp / -p udp [the protocol, tcp or udp. The port list above tells you which one each port needs, so you don't have to figure it out.]
--dport 445 [the destination port. For direct-hosted SMB this is 445.]
-j ACCEPT [what to do with a matching packet: let it in.]
Now, if your clients still need the old NetBIOS ports:
-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
Watch out for case, and don't mix up tcp and udp; otherwise Samba won't function properly. This has to be right, as I've found out myself with a couple of typos!
Now restart the firewall. There are two ways of restarting a service on CentOS:
- service iptables restart
- /etc/init.d/iptables restart
Either one works; you can also reboot the server. Afterwards, confirm that your rules loaded and sit above the final REJECT line by listing the chain with iptables -L RH-Firewall-1-INPUT -n --line-numbers.
Note: you can use Red Hat's graphical firewall tool (system-config-securitylevel) instead, but it is not recommended. It won't add the -s parameter, so it opens all of the Samba ports, 137 through 139 and 445, to every source address, which is not a recommended scenario.
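As an added example (not part of the original article), here is a small shell script that builds the rule lines above for any subnet and mode, and audits an existing /etc/sysconfig/iptables for Samba ports that were opened without a -s restriction, which is exactly the mistake the graphical tool makes. The chain name and the 192.168.10.0/24 network are the article's; the function names, the ad/netbios/both modes and the sample rules file are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not from the original article.  Builds the per-subnet Samba
# rules for /etc/sysconfig/iptables and audits a rules file for Samba ports
# opened to the whole world.  The chain RH-Firewall-1-INPUT and the
# 192.168.10.0/24 network come from the article; everything else is assumed.

# samba_iptables_rules SUBNET [MODE] [CHAIN]
#   ad      -> 445/tcp only (direct-hosted SMB, what Windows 2000+ clients use)
#   netbios -> 137/udp, 138/udp, 139/tcp (NetBIOS name, datagram, session)
#   both    -> all four
samba_iptables_rules() {
    local subnet="$1" mode="${2:-ad}" chain="${3:-RH-Firewall-1-INPUT}" prefix
    # Insist on A.B.C.D/NN: a rule without -s exposes the port to everyone.
    if ! printf '%s\n' "$subnet" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
        echo "usage: samba_iptables_rules A.B.C.D/NN [ad|netbios|both] [CHAIN]" >&2
        return 1
    fi
    case "$mode" in
        ad|netbios|both) ;;
        *) echo "unknown mode '$mode' (want ad, netbios or both)" >&2; return 1 ;;
    esac
    prefix="-A $chain -s $subnet -m state --state NEW"
    if [ "$mode" != netbios ]; then
        printf '%s\n' "$prefix -m tcp -p tcp --dport 445 -j ACCEPT"
    fi
    if [ "$mode" != ad ]; then
        printf '%s\n' "$prefix -m udp -p udp --dport 137 -j ACCEPT"
        printf '%s\n' "$prefix -m udp -p udp --dport 138 -j ACCEPT"
        printf '%s\n' "$prefix -m tcp -p tcp --dport 139 -j ACCEPT"
    fi
}

# audit_samba_rules FILE
# Prints every rule that opens a Samba port (137-139 or 445) without a
# -s source restriction; returns 1 if any exist, 0 if the file is clean.
audit_samba_rules() {
    local file="$1" hits
    hits=$(grep -E -- '--dport (13[789]|445)( |$)' "$file" \
           | grep -vE -- '(^| )-s [0-9./]+( |$)' || true)
    if [ -n "$hits" ]; then
        printf 'unrestricted Samba rule(s) in %s:\n%s\n' "$file" "$hits" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: print the article's AD-only rule, then audit the live
# rules file if there is one.
samba_iptables_rules 192.168.10.0/24 ad
if [ -r /etc/sysconfig/iptables ]; then
    audit_samba_rules /etc/sysconfig/iptables
fi
```

Redirect the generator's output into the rules file above the final REJECT line (or paste it there by hand), restart iptables, and run the audit again on the live file; the audit is also a cheap check to keep in a cron job so that a later "helpful" edit with the graphical tool does not quietly open the share to the Internet.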
2. Making SELinux Happy
Still with us, we hope! Next we need to make SELinux happy. Out of the box, SELinux confines the Samba daemon (smbd) so that it can only serve files carrying a label it is allowed to read; a directory you simply point a share at comes up empty. The first solution for many is to turn SELinux off. Bad idea: it's really not hard to work with this excellent security feature.
The setsebool command turns individual SELinux policy switches (booleans) on and off; the -P flag makes the change persist across reboots. You can get the complete list with getsebool -a. It's worth looking at the list, because newer policy versions add more Samba-related booleans.
getsebool -a | grep samba
getsebool -a | grep smb
This should give you a pretty complete listing of the Samba switches; here we list the most important ones. Note the use of grep as a filter. If you haven't used grep before, you're missing out; it is an amazing tool to know on Linux.
If you want samba to be a domain controller:
setsebool -P samba_domain_controller on
If you want to share the default home directory, type this command:
setsebool -P samba_enable_home_dirs on
This is all you should need as of CentOS 5.3. Now we use the semanage command (from the policycoreutils package; policycoreutils-python on newer releases) to label the directory (or directories) you want to share with the network. That's right: without this, you'll start Samba, get a bunch of empty directories and panic thinking the server deleted all your data!
semanage fcontext -a -t samba_share_t '/<shared path>(/.*)?'
restorecon -R /<shared path>
The first command records the rule, the second applies it to the files that are already there. You can check the result with ls -dZ on the directory, which should now show samba_share_t.
A note about the home directory:
With home-directory sharing enabled, Samba's [homes] share gives each user a private share of his or her own home directory: only you, the user, can connect to it. A home directory can hold a roaming profile as well as user-created files, and with the useradd command you can place it wherever you like. Bear with me a second on that point.
Consider this situation. You want to blow away the operating system but preserve your data, home directories included. Is that possible? Yes, and here's how.
3. Setting Up The Data Partition
Create another partition on the hard disk, mount it, and share that instead. The reason is that it is separate from the system files: if you ever need to reinstall the operating system, the data volume is untouched by your actions. (We've all been there.) Also note that the CentOS operating system itself takes a small amount of space. For this example we gave 12 GB to the operating system (overkill) at the (/) mount point and 100 MB to /boot, and the rest of the drive became the data share, mounted at /mnt/data. With a large drive, that gives you a massive data directory for the clients.
Let's use an example. Say we created a third partition on /dev/hda (the first hard disk), /dev/hda3, for the data share. Here are the steps:
mkdir /mnt/data
mount /dev/hda3 /mnt/data
(You can of course call the directory anything you want. In my case it was the third partition, /dev/hda3; it may be different on your hard disk depending on how you set up the partitions. Run fdisk /dev/hda and then the p command, or simply fdisk -l /dev/hda, to list them. Please try this on an experimental drive first if you've never used fdisk before; fdisk is a bit... dangerous.) To make the mount survive a reboot, add a line for it to /etc/fstab as well; a mount done by hand is gone after the next restart, and the share would come up empty.
Now run the semanage command on that directory:
semanage fcontext -a -t samba_share_t '/mnt/data(/.*)?'
restorecon -R /mnt/data
This records the samba_share_t label for the entire tree, however deep it is, and restorecon applies it. Note that this changes the SELinux label, not the Unix permissions; those come next. The -R means recursive, and you will meet it on many other commands such as rm and cp.
At this point you will want to set the ownership and permissions on /mnt/data. That is entirely up to you; consult the man pages for chown and chmod, as the details are beyond the scope of this article. If you're in a hurry, a quick and dirty start is:
chown -R root:(name of primary group) /mnt/data
chmod -R 770 /mnt/data
This gives the owner (root) and the members of that group full rights to the whole tree, and everyone else nothing. You can take it from there to suit your own needs. The next section shows how to set up a user AND that user's home directory on the new partition.
4. Adding Users
Now that we have security taken care of, it's time to add users. For this example, I'm going to create a user named dave (which happens to be my name). Create the parent directory /mnt/data/home first, then:
useradd -m -d /mnt/data/home/dave dave
(Notice the -d option, which sets the home directory, and -m, which creates it.) This puts my home directory on the new data partition, AWAY from the operating system. Now you have the best of both worlds.
It is recommended that you check the ownership of each user's home directory:
chown (user):(user) /mnt/data/home/(user)
chown dave:dave /mnt/data/home/dave
useradd should already have done this, but check anyway to be sure. The permissions on the home directory are again up to you; a sensible choice is chmod 700 (owner only) or 750 (owner plus group). Remember that a directory needs the execute bit to be entered, so a file-style mode such as 640 would lock the owner out of his own home directory.
passwd dave
smbpasswd -a dave
Both commands prompt for a password. Samba keeps its own password database, separate from /etc/shadow, so the second command is needed even though the Unix password is already set. (The -a means add the user to Samba's database; don't use -a to change an existing user's password.) If this is the first user, the screen will fill with error messages about the missing database. No big deal: smbpasswd is creating it, and you won't see them again.
The smbpasswd command stores the password in Samba's password database. The file itself has changed over the years: the current default is passdb.tdb, but its original name was smbpasswd. You can see the confusion with a command having the same name as a file!
Finally, restart smb:
service smb restart (or /etc/init.d/smb restart)
This picks up the new changes. A quick sanity check from the server itself is smbclient -L localhost -U dave, which should prompt for dave's Samba password and list the shares. You can now set up Samba's share definitions for your installation. There are a ton of articles out there on the subject; adding one here was considered, but it's just too rich a subject for a small document. You should be on your way now!
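Sections 3 and 4 above are really one procedure: mount the data partition, label it for SELinux, set Unix ownership, then create users whose home directories live there. As an added example (not the article's own code), the script below runs that whole procedure with the input checks a practitioner would want, and by default only prints the privileged commands it would run (DRY_RUN=1) so you can review the plan before letting it loose as root. The device /dev/hda3, the mount point /mnt/data, the group name users, the ext3 fstab entry and the dry-run mechanism are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not from the original article: the data-share and user
# provisioning steps as one reviewable script.  /dev/hda3, /mnt/data, the
# group "users", the ext3 fstab entry and DRY_RUN are assumptions.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the privileged commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# provision_samba_share DEVICE SHARE_PATH GROUP
# Mount the partition, make the mount permanent, label the tree for smbd and
# give the share group (and nobody else) full access.
provision_samba_share() {
    local dev="$1" share="$2" group="$3"
    case "$share" in
        /*) ;;
        *) echo "share path must be absolute: $share" >&2; return 1 ;;
    esac
    run mkdir -p "$share"
    run mount "$dev" "$share"
    # A hand-made mount is gone after a reboot and the share would come up empty.
    if ! grep -qs " $share " /etc/fstab; then
        run sh -c "printf '%s\n' '$dev $share ext3 defaults 1 2' >> /etc/fstab"
    fi
    # SELinux: record the samba_share_t label for the whole tree, apply it,
    # and show the result (ls -dZ should print samba_share_t).
    run semanage fcontext -a -t samba_share_t "${share}(/.*)?"
    run restorecon -R "$share"
    run ls -dZ "$share"
    # Unix side: root owns it, the share group gets rwx, everyone else nothing.
    run chown -R "root:$group" "$share"
    run chmod -R 770 "$share"
    run mkdir -p "$share/home"   # parent for the per-user homes created below
}

# provision_samba_user USER SHARE_PATH GROUP
# Create a Unix account whose home lives on the data partition, then add it
# to Samba's own password database (passdb.tdb), separate from /etc/shadow.
provision_samba_user() {
    local user="$1" share="$2" group="$3" home
    # Accept only plain account names (lowercase letter, then [a-z0-9_-]);
    # anything else is refused rather than handed to useradd/smbpasswd.
    if ! printf '%s\n' "$user" | LC_ALL=C grep -qE '^[a-z][a-z0-9_-]*$'; then
        echo "bad user name: $user" >&2
        return 1
    fi
    home="$share/home/$user"
    # -m creates the directory, -d puts it on the data partition, -G adds the
    # share group while keeping the user's own private primary group.
    run useradd -m -d "$home" -G "$group" "$user"
    run chown "$user:$user" "$home"
    run chmod 700 "$home"         # owner only; use 750 if the group should read it
    run passwd "$user"            # Unix password (interactive)
    run smbpasswd -a "$user"      # Samba password (interactive, -a = add)
}

# Usage: DRY_RUN=0 ./samba-provision.sh /dev/hda3 /mnt/data users dave
# With no arguments, print the dry-run plan for the article's example.
if [ $# -eq 4 ]; then
    provision_samba_share "$1" "$2" "$3" && provision_samba_user "$4" "$2" "$3"
elif [ "$DRY_RUN" = 1 ]; then
    provision_samba_share /dev/hda3 /mnt/data users
    provision_samba_user dave /mnt/data users
    echo "(dry run; re-run with DRY_RUN=0 and arguments to apply)"
fi
```

Run it once without arguments to read the plan, then with DRY_RUN=0 and the four arguments as root to apply it; a second user is just another provision_samba_user call. The user-name check matters because the name ends up in useradd, chown and smbpasswd command lines, and refusing anything outside [a-z0-9_-] is simpler and safer than trying to quote around a hostile value.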