RHEL6 – Quick and Easy Samba Configuration Guide – Part II

Cartoon-SnakeA few weeks ago i published a Quick and Easy Samba Configuration Guide, which can be found here. After messing around with samba on and off since then I have learned a few things that I wanted to document before I totally forgot them. So  lets down to business.

Samba Password Failures

So I have read a few things here and there that say that passwords can be a sticky issue in samba. Such was the case for me when I was trying to set a simple password of “myuser” for the user myuser.

As you can see below I got a bit of output from the command however in the end I was able to add the user, I quick check of google showed that the output below was supposed to be bogus anyway.

# smbpasswd -a myuser
New SMB password:
Retype new SMB password:
tdbsam_open: Converting version 0.0 database to version 4.0.
tdbsam_convert_backup: updated /var/lib/samba/private/passdb.tdb file.
for type 1 (min password length), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 2 (password history), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 3 (user must logon to change password), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 4 (maximum password age), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 5 (minimum password age), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 6 (lockout duration), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 7 (reset count minutes), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 8 (bad lockout attempt), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 9 (disconnect time), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 10 (refuse machine password change), returning 0

Added user myuser

But when I attempted to test with the samba client I got the following error

# smbclient -L localhost -U myuser
Enter myuser’s password:
session setup failed: NT_STATUS_LOGON_FAILURE

So at this point I decided to change the password to something more complex and tried again and this time no issues at all. Just to be cheeky, I then changed the password for myuser back to “myuser” and it worked again.

Lesson learned here if if you see this message try changing your password to something else.

Troubleshooting Samba Share Write Issues

Holy Cow, this one was driving me nuts and I probably spent a good hour trying to fix it. And the fix was super easy. Below I am just trying to put a file on the share using smbclient

# smbclient //localhost/samba -U myuser
Enter myuser’s password:
Domain=[WORKGROUP1] OS=[Unix] Server=[Samba 3.5.10-125.el6]
smb: \> put /var/tmp/test test
NT_STATUS_ACCESS_DENIED opening remote file \test

I tried selinux, various smb.conf changes, checking ip tables, and in the end the issue was as simple as permissions on the directory

chmod 2775 /shared/samba

Once I set this everything worked fine.

Additional Smb.conf Configuration Items

Just do get samba up and running on a basic level you don’t really have to know too many configuration directives, and most of those are documented in smb.conf anyway. However there are a few more options that I think are either useful or interesting. They are below.

admin users – a user configured as an admin user can perform actions as root.

invalid users – any user here is denied access, even if the group that the user is a member of has access.

RHEL6 – Quick and Easy Samba Configuration Guide

Space ghostAccording to Samba.org , "Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients." Bottom line, samba allows you to share files and directories via Linux and access them on a Windows machine.

Lets walk through a senario where are ultimate goal is to get samba configured quickly and easily. We are not shooting for best practices here.  That being said., lets say you are asked to create a CIFS share with the following information. The share that we create must be writable by members of the sambausers group. Other users can only have read access.

  • Workgroup: Workgroup1
  • Linux Group: sambausers
  • CIFS Share Name: /share/samba

Installing Samba

Ok Lets get started by installing samba and configuring it to start at boot, then lets start it up.

# yum install samba samba-doc samba-client

# chkconfig smb on && service smb start

Configuring Firewall

There are two ways to do this. You can either do this via the command line, or do this via the system-config-firewall gui. In this instance I am going to do this the quick and dirty way, as our goal here is to get samba up and running quickly. So i launch system-config-firewall gui and select the box next t0 samba to enable access, then save and reload.

Note that these are the lines that  are added to /etc/sysconfig/iptables.

-A INPUT -m state –state NEW -m udp -p udp –dport 137 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 138 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 139 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 445 -j ACCEPT

Create Users and Shares

Now its time to add the Linux group sambausers. Note that the -r option below adds sambausers as a system group.

# groupadd -r sambausers

Now lets create a user named "myuser" and stick him in the sambausers group.

# useradd -s /bin/nologin -G sambausers myuser

Once thats done lets create a samba password for "myuser". Lets use "mypassword" as the samba password

# smbpasswd -a myuser

Now lets create our share and change group ownership to sambausers.

# mkdir -p /share/samba

# chgrp sambausers /share/samba

Now set the setgid bit to ensure that all files created in /share/samba inherit the GID of sambausers.

# chmod 2775 /share/samba

Configure SELinux

Set SELinux context, public_content_t on /share. This will allow you to share files anonymously.

# semanage fcontext -a -t public_content_t '/share(/.*)?'

Set SELInux context, samba_share_t on /share/samba. This allows samba to share this directory. By default SELinux is only configured to allow home directories to be shared via samba right out of the box.

# semanage fcontext -a -t samba_share_t '/share/samba(/.*)?'

Now apply the two semanage commands with restorecon.

# restorecon -vvFR /shared

Editing the SMB.conf

Ok, now we need to actually configure samba. So modify or confirm the following in /etc/samba/smb.conf. Note that each and every one of the configuration items below is documented in the smb.conf

First set the workgroup as seen below

workgroup = workgroup1

Then create the directive to share our directory of /share/samba.

        path = /share/samba
        write list = @sambausers
        read only = yes
        guest ok = no

Testing our Configs

Holy Crap, we finally made it. Now lets test with the smbclient command

# smbclient -L localhost -U myuser

This shows us that our share, called samba, does in fact exist.

Sharename       Type      Comment
        ———       —-      ——-
        samba           Disk     

Now lets connect.

#smbclient //localhost/samba -U myuser

Once connected lets put and touch a few files

smb: \> mkdir testing

smb: \> put /etc/hosts hosts

Awesome, I can see the share, I can access it and I can create files. Mission accomplished.