how to install and setup samba on centos:

tested with:

hostnamectl
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7

Kernel: Linux 3.10.0-693.21.1.el7.x86_64

yum info samba.x86_64
Version : 4.6.2
Release : 12.el7_4
Size : 1.8 M
Repo : installed
From repo : updates
Summary : Server and Client software to interoperate with Windows machines
URL : http://www.samba.org/
License : GPLv3+ and LGPLv3+
Description : Samba is the standard Windows interoperability suite of programs for Linux and
: Unix.

yum install samba samba-client samba-common; # install samba

# let samba through firewall
# NOTE(review): this opens the samba service to every source the "public" zone
# covers. `firewall-cmd --info-service=samba` lists the ports involved; if only
# one LAN should reach the server, restrict the source instead of opening the
# whole zone.
firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

# make service autostart
systemctl enable smb.service
systemctl enable nmb.service

# start service
systemctl start smb.service
systemctl start nmb.service

# add a general group, for group-based access
groupadd smbgrp

# add user
# add user to system
useradd -m user
# give user a systemwide password
# NOTE(review): Samba authenticates against its own database (filled by
# smbpasswd -a below); the system password is presumably only needed if the
# account should also log in locally or over SSH.
passwd user
usermod user -aG smbgrp; # add user to samba group
smbpasswd -a user; # set smb password

# add user's private share
# The directory ends up root:smbgrp with mode 0770, so on the filesystem every
# member of smbgrp can read and write it, not only "user".
mkdir -p /srv/samba/user;
chmod -R 0770 /srv/samba/user;
chown -R root:smbgrp /srv/samba/user;
# chcon without -R labels only the directory itself, and a label set with chcon
# is lost on a filesystem relabel. To record it in policy instead:
#   semanage fcontext -a -t samba_share_t "/srv/samba(/.*)?"
#   restorecon -R /srv/samba
chcon -t samba_share_t /srv/samba/user;

vim /etc/samba/smb.conf

[global]
# NOTE(review): nothing here limits which clients may connect or which SMB
# dialects are offered. `hosts allow = <your LAN>` and
# `server min protocol = SMB2` are the usual additions; Samba releases of this
# age still accept SMB1 by default as far as I know - confirm the effective
# value with `testparm -sv`.
workgroup = WORKGROUP
netbios name = centos
security = user

[user]
# valid users is the whole smbgrp group, so every account that is added to
# smbgrp can open this share, not only "user".
comment = Secure File Server Share
path =  /srv/samba/user
valid users = @smbgrp
guest ok = no
writable = yes
browsable = yes

:wq # save and quit vim

testparm; # test samba config

# restart service
systemctl restart smb.service;
systemctl restart nmb.service;

now you can fire up your windows workstation, which needs to be in the same WORKGROUP as specified under [global] in smb.conf

let’s make this easier by a script

download here.add_new_samba_user_and_share.sh.txt

vim /scripts/add_new_samba_user_and_share.sh

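#!/bin/bash
#
# add_new_samba_user_and_share.sh - create a system + Samba account and a
# share for it under /srv/samba/<username>.
#
# Usage: add_new_samba_user_and_share.sh <username>   (run as root)
#
# The username is used as a filesystem path component, as an argument to
# useradd/usermod/smbpasswd and as a [section] header appended to
# /etc/samba/smb.conf, so it is validated before anything is created.
# Every step is checked; a failure stops the script instead of carrying on
# with a half-created account or a broken smb.conf.

set -u

readonly SMB_CONF=/etc/samba/smb.conf
readonly SHARE_ROOT=/srv/samba

# Print a message on stderr and stop with a non-zero status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [ $# -eq 0 ]; then
  echo "please give a username. No arguments supplied." >&2
  exit 1
fi

user=$1

[[ $EUID -eq 0 ]] || die "this script must be run as root"

# Accept plain account names only. This keeps '/', '..', whitespace, newlines,
# '[' / ']' and a leading '-' out of the path, the command lines and the
# smb.conf section that are built from the name below.
name_re='^[a-z_][a-z0-9_-]{0,30}$'
if [[ ! $user =~ $name_re ]]; then
  die "invalid username: use lowercase letters, digits, '_' and '-' (max 31 chars)"
fi

# These names are special sections in smb.conf; a share called [global] would
# change server-wide settings instead of defining a share.
case "$user" in
  global | homes | printers)
    die "'$user' is a reserved smb.conf section name"
    ;;
esac

# Do not append a second section with the same name (section names are
# case-insensitive in smb.conf).
if grep -qix -e "[[:space:]]*\[${user}][[:space:]]*" -- "$SMB_CONF"; then
  die "a [$user] section already exists in $SMB_CONF"
fi

# Create the system account only when it is missing, and only then ask for a
# system password, so an existing account's password is not reset as a side
# effect of adding a share.
if ! id -u "$user" >/dev/null 2>&1; then
  useradd -m "$user" || die "useradd failed for $user"
  passwd "$user" || die "setting the system password for $user failed"
fi

usermod -aG smbgrp "$user" || die "could not add $user to group smbgrp"
smbpasswd -a "$user" || die "setting the smb password for $user failed"

# add user's private share
# NOTE(review): root:smbgrp with mode 0770 lets every member of smbgrp reach
# this directory on the filesystem; only "valid users" in the section below
# limits the share to $user. Tighten the ownership if the data must be private
# on the server itself as well.
share_dir="$SHARE_ROOT/$user"
mkdir -p -- "$share_dir" || die "could not create $share_dir"
chmod -R 0770 -- "$share_dir" || die "chmod failed on $share_dir"
chown -R root:smbgrp -- "$share_dir" || die "chown failed on $share_dir"
# -R so that files already present in the directory get the label too;
# smbd cannot open files that carry a different SELinux type.
chcon -R -t samba_share_t -- "$share_dir" || die "chcon failed on $share_dir"

# Keep a copy of the working config so a rejected change can be rolled back.
backup=$(mktemp "${SMB_CONF}.XXXXXX") || die "could not create a backup file"
cp -p -- "$SMB_CONF" "$backup" || die "could not back up $SMB_CONF"

cat >>"$SMB_CONF" <<EOF

[$user]
comment = Secure File Server Share of $user
path = $share_dir
valid users = $user
guest ok = no
writable = yes
browsable = yes
EOF

# test samba config; -s skips the "press enter" prompt so the exit status can
# be checked. Restore the previous file instead of restarting on a bad config.
if ! testparm -s "$SMB_CONF"; then
  cp -p -- "$backup" "$SMB_CONF"
  rm -f -- "$backup"
  die "testparm rejected the new config; $SMB_CONF was restored"
fi
rm -f -- "$backup"

# restart service
systemctl restart smb.service || die "restarting smb.service failed"
systemctl restart nmb.service || die "restarting nmb.service failed"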

:wq # save and quit vim

chmod +x /scripts/*.sh; # make it executable and give it a practice run

 

one share per project – project specific file server:

the idea is to have one shared folder per project in order to collect all data/info concerning the project in one place – while at the same time allowing only the users of the project group to see, edit and create files.

when you already have a one-share-per-user (usually user’s „home“ directory) file server – it makes sense to start a new fileserver – if you want the user to be able to connect to user’s home directory AND project-directories at the same time – because – windows clients (tested this up to win 7) can NOT connect to the same server/ip with different user names / privileges / groups.

it just does not work.

so better put home and projects on different file servers with different IPs.

# let's get started
# if not already
# create a user that is allowed to work on the project
useradd -m user
passwd user
smbpasswd -a user
# let's add a group that is called like the project
groupadd projectname
# let's add this user to the project group
usermod user -aG projectname
# let's create project folder
mkdir -p /srv/samba/projectname
# and give group read and write permissions
# (the absolute mode 0770 on the second line replaces whatever g+rw set, so
# the first chmod has no lasting effect)
chmod -R g+rw /srv/samba/projectname
chmod -R 0770 /srv/samba/projectname
# NOTE(review): the directory has no setgid bit, so files created by a member
# presumably get that member's primary group rather than "projectname";
# `chmod 2770` on the directory (or `force group` in the share) keeps new files
# in the project group - verify against your umask / create mask settings.
chown -R root:projectname /srv/samba/projectname
# chcon without -R labels only the directory itself; files moved in from
# elsewhere keep the label of where they came from.
chcon -t samba_share_t /srv/samba/projectname

# this is what smb.conf looks like
cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = WORKGROUP
        netbios name = projects
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[projectname]
comment = project folder
path = /srv/samba/projectname
valid users = @projectname
guest ok = no
writable = yes
browsable = yes

# change yours :wq save and quit
# test config
testparm
# and restart
systemctl restart smb.service;systemctl restart nmb.service; # restart samba 

… if all goes well you should be able to connect to the project-file-server as user user and be allowed to access the share „projectname“.

if not, run this on your server while you try to connect via client to see if it’s a permissions or technical problem…

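# Follow every non-compressed log file under /var/log, starting at its current
# end (-n0), so only lines written during the connection attempt are shown.
# "{} +" hands the found files to a single tail, which prefixes each chunk of
# output with the name of the file it came from.
find /var/log/ -type f ! -path '*.gz*' -exec tail -n0 -f {} +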

SELinux trouble: visible folders – invisible files

it happened to me with the above mentioned one-share-per-project-fileserver, that it would show folders but no files!? (i was able to see the files in terminal on server, but windows 7 client could not „see“ em)

# possible messy fix
# this is possibly not the most elegant solution...

# the problem:
# all folders are empty
# samba showing folders but not files
# temporarily disable SELinux
# NOTE(review): setenforce 0 puts the whole host into permissive mode, not only
# Samba. Denials are still logged, so keep the window short; to relax only the
# Samba daemon use `semanage permissive -a smbd_t` instead.
setenforce 0
# and restart samba
systemctl restart smb.service;systemctl restart nmb.service; # restart samba
# are files visible in smb client?
# then it's a SELinux problem
# `ausearch -m avc -ts recent` shows which file label smbd was denied on.

# switching SELinux back on
setenforce 1

# try this fix
# NOTE(review): this relabels everything under /srv/samba/ and replaces the
# samba_share_t label set earlier. public_content_rw_t is the type meant for
# content shared by several services, and writing to it needs an extra boolean
# (smbd_anon_write on this release, I believe - check `getsebool -a | grep smbd`).
# Since the earlier chcon was not recursive, a narrower fix is likely
# `chcon -R -t samba_share_t /srv/samba/projectname`.
chcon -R -t public_content_rw_t /srv/samba/

# and restart samba
systemctl restart smb.service;systemctl restart nmb.service; # restart samba
# are files visible in smb client?

# no? continue:

# either completely disable selinux
# NOTE(review): this removes mandatory access control for every service on the
# host, takes effect only after a reboot, and switching it back on later needs
# a full relabel. Treat it as a last resort; fixing the label on the share
# keeps smbd confined.
vim /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing -> disabled

# or
# NOTE(review): samba_export_all_rw lets smbd read and write files regardless
# of their SELinux label, so file permissions and smb.conf become the only
# barrier between a share misconfiguration and the rest of the filesystem.
# -P makes the setting persistent across reboots.
setsebool -P samba_export_all_rw 1

# and restart samba
systemctl restart smb.service;systemctl restart nmb.service; # restart samba
# are files visible in smb client?

additional stuff:

# delete a samba user
pdbedit -x -u username

# info about samba

yum info samba
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.fra10.de.leaseweb.net
 * epel: mirror.23media.de
 * extras: centos.copahost.com
 * updates: ftp.rz.uni-frankfurt.de
Installed Packages
Name        : samba
Arch        : x86_64
Version     : 4.6.2
Release     : 12.el7_4
Size        : 1.8 M
Repo        : installed
From repo   : updates
Summary     : Server and Client software to interoperate with Windows machines
URL         : http://www.samba.org/
License     : GPLv3+ and LGPLv3+
Description : Samba is the standard Windows interoperability suite of programs for Linux and
            : Unix.

[root@privat scripts]# smbstatus --version
Version 4.6.2
admin