From Fedora Project Wiki
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
== How to create a SAMBA share ==
== How to create a Samba share ==


=== Install and enable Samba ===
=== Install and enable Samba ===
Line 5: Line 5:


<pre>
<pre>
sudo dnf install samba
$ sudo dnf install samba


sudo systemctl enable smb --now
$ sudo systemctl enable smb --now


firewall-cmd --get-active-zones
$ firewall-cmd --get-active-zones
sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-service=samba
$ sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-service=samba
sudo firewall-cmd --reload
$ sudo firewall-cmd --reload


sudo systemctl enable smb --now
$ sudo systemctl enable smb --now
</pre>
</pre>


Line 24: Line 24:
Create a user called "jane" in Samba:
Create a user called "jane" in Samba:
<pre>
<pre>
sudo smbpasswd -a jane
$ sudo smbpasswd -a jane
</pre>
</pre>


Create a directory to be the share for Jane, and set the correct SELinux context:
Create a directory to be the share for Jane, and set the correct SELinux context:
<pre>
<pre>
mkdir /home/jane/share
$ mkdir /home/jane/share


sudo semanage fcontext --add --type "samba_share_t" ~/share
$ sudo semanage fcontext --add --type "samba_share_t" ~/share
sudo restorecon -R ~/share
$ sudo restorecon -R ~/share
</pre>
</pre>


Line 49: Line 49:
Restart Samba for the changes to take effect:
Restart Samba for the changes to take effect:
<pre>
<pre>
sudo systemctl restart smb
$ sudo systemctl restart smb
</pre>
</pre>


Line 59: Line 59:


<pre>
<pre>
sudo groupadd myfamily
$ sudo groupadd myfamily
sudo useradd  -G myfamily jack
$ sudo useradd  -G myfamily jack
sudo useradd  -G myfamily maria
$ sudo useradd  -G myfamily maria
</pre>
</pre>
'''Tip:''' You can create these users without a system password in order to prevent access to the system via SSH or local login.
'''Tip:''' You can create these users without a system password in order to prevent access to the system via SSH or local login.
Line 67: Line 67:
Adding jack and maria to Samba:
Adding jack and maria to Samba:
<pre>
<pre>
sudo smbpasswd -a jack
$ sudo smbpasswd -a jack
sudo smbpasswd -a maria
$ sudo smbpasswd -a maria
</pre>
</pre>


Setting up the shared folder:
Setting up the shared folder:
<pre>
<pre>
sudo mkdir /home/share
$ sudo mkdir /home/share
sudo chgrp myfamily /home/share
$ sudo chgrp myfamily /home/share
sudo chmod 770 /home/share
$ sudo chmod 770 /home/share
sudo semanage fcontext --add --type "samba_share_t" /home/share
$ sudo semanage fcontext --add --type "samba_share_t" /home/share
sudo restorecon -R /home/share
$ sudo restorecon -R /home/share
</pre>
</pre>


Line 104: Line 104:


<pre>
<pre>
sudo systemctl restart smb
$ sudo systemctl restart smb
</pre>
</pre>


=== Change a samba user password ===
=== Change a samba user password ===


Remember: system and samba password can be different. The system user is mandatory in order to handle filesystem permissions.
Remember: the system user and Samba user passwords can be different. The system user is mandatory in order to handle filesystem permissions.
<pre>
<pre>
sudo smbpasswd maria
$ sudo smbpasswd maria
</pre>
</pre>


=== Remove a samba user ===
=== Remove a samba user ===
<pre>
<pre>
sudo smbpasswd -x maria
$ sudo smbpasswd -x maria
</pre>
</pre>
If you don't need the system user, remove it as well:
If you don't need the system user, remove it as well:
<pre>
<pre>
sudo userdel -r maria
$ sudo userdel -r maria
</pre>
</pre>


Line 127: Line 127:
Samba log files are located in `/var/log/samba/`
Samba log files are located in `/var/log/samba/`
<pre>
<pre>
tail -f /var/log/samba/log.smbd
$ tail -f /var/log/samba/log.smbd
</pre>
</pre>
You can increase the verbosity by adding this to the [global] section of `/etc/samba/smb.conf`:
You can increase the verbosity by adding this to the [global] section of `/etc/samba/smb.conf`:
Line 159: Line 159:
==== Trouble with accessing the share ====
==== Trouble with accessing the share ====


- Be sure that the user exists as system user as well as samba user
Some things to check if you cannot access the share.
- Check if the shared directory has the right SELinux context


1. Be sure that the user exists as a system user as well as a Samba user
Find `maria` in the Samba database:
<pre>
$ sudo pdbedit -L | grep maria
maria:1002:
</pre>
Confirm that `maria` also exists as a system user.
<pre>
$ cat /etc/passwd | grep maria
maria:x:1002:1002::/home/maria:/bin/bash
</pre>
2. Check if the shared directory has the right SELinux context.
<pre>
$ ls -dZ /home/share
$ ls -dZ /home/share
unconfined_u:object_r:samba_share_t:s0 /home/share
unconfined_u:object_r:samba_share_t:s0 /home/share
</pre>
3. Check if the system user has access rights to the shared directory.
<pre>
$ ls -ld /home/share


- Check if the system user has access rights to the shared directory
drwxrwx---. 2 root myfamily 4096 May 29 14:03 /home/share
ls -ld /home/share
</pre>
drwxrwx---. 5 root myfamily 4096 9 gen 15.45 /home/share
In this case, the user should be in the `myfamily` group.
 
In this case the user should be in the myfamily group


- check in the configuration file if the user has access rights granted or he is in the appropriated group
4. Check in the configuration file `/etc/samba/smb.conf` that the user and group have access rights.
<pre>
[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily
</pre>
In this case, the user should be in the `myfamily` group.


==== Trouble with writing in the share ====
==== Trouble with writing in the share ====


- Check in the samba configuration file if the user/group has write permissions
1. Check in the samba configuration file if the user/group has write permissions.
- Check user group membership
<pre>
- Check the share directory permissions
...
[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily
</pre>
In this example, the user should be in the `myfamily` group.
 
2. Check the share directory permissions.
<pre>
$ ls -ld /home/share
 
drwxrwx---. 2 root myfamily 4096 May 29 14:03 /home/share
</pre>
This example assumes the user is part of the `myfamily` group which has read, write, and execute permissions for the folder.

Latest revision as of 09:01, 5 June 2020

How to create a Samba share

Install and enable Samba

The following commands install Samba and set it to run via systemctl. This also sets the firewall to allow access to Samba from other computers. 

$ sudo dnf install samba

$ sudo systemctl enable smb --now

$ firewall-cmd --get-active-zones
$ sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-service=samba
$ sudo firewall-cmd --reload

$ sudo systemctl enable smb --now

Sharing a directory under your home

In this example you will share a directory under your home and accessible only by your user.

Samba does not use the operating system users for authentication, so your user account must be duplicated in Samba. So if your account is "jane" on the host, the user "jane" must also be added to Samba. The usernames must be the same, however the passwords do not.

Create a user called "jane" in Samba: 

$ sudo smbpasswd -a jane

Create a directory to be the share for Jane, and set the correct SELinux context: 

$ mkdir /home/jane/share

$ sudo semanage fcontext --add --type "samba_share_t" ~/share
$ sudo restorecon -R ~/share

Samba configuration lives in the /etc/samba/smb.conf file. Adding the following section at the end of the file will instruct Samba to set up a share for Jane called "share" at the /home/jane/share directory just created. 

[share]
        comment = My Share
        path = /home/jane/share
        writeable = yes
        browseable = yes
        public = yes
        create mask = 0644
        directory mask = 0755
        write list = user

Restart Samba for the changes to take effect: 

$ sudo systemctl restart smb

Sharing a directory for many users

In this example, you will share a directory (outside your home directory) and create a group of users with the right to read/write to the share.

Remember that a Samba user must also be a system user, in order to respect filesystem permissions. This example creates a system group "myfamily" for two new users "jack" and "maria". 

$ sudo groupadd myfamily
$ sudo useradd  -G myfamily jack
$ sudo useradd  -G myfamily maria

Tip: You can create these users without a system password in order to prevent access to the system via SSH or local login.

Adding jack and maria to Samba: 

$ sudo smbpasswd -a jack
$ sudo smbpasswd -a maria

Setting up the shared folder: 

$ sudo mkdir /home/share
$ sudo chgrp myfamily /home/share
$ sudo chmod 770 /home/share
$ sudo semanage fcontext --add --type "samba_share_t" /home/share
$ sudo restorecon -R /home/share

Each share is described by its own section in the /etc/samba/smb.conf file. Add this section to the bottom of the file: 

[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily

Explanation of the above:

  • valid users: only users of the group family have access rights. The @ denotes a group name.
  • force group = +myfamily: files and directories are created with this group, instead of the user group.
  • create mask = 0660: files in the share are created with permissions to allow all group users to read and write files created by other users.
  • directory mask = 0770: as before, but for directories.

Restart Samba for the changes to take effect: 

$ sudo systemctl restart smb

Change a samba user password

Remember: the system user and Samba user passwords can be different. The system user is mandatory in order to handle filesystem permissions. 

$ sudo smbpasswd maria

Remove a samba user

$ sudo smbpasswd -x maria

If you don't need the system user, remove it as well: 

$ sudo userdel -r maria

Troubleshooting and logs

Samba log files are located in /var/log/samba/ 

$ tail -f /var/log/samba/log.smbd

You can increase the verbosity by adding this to the [global] section of /etc/samba/smb.conf: 

[global]
        loglevel = 5

To validate the syntax of the configuration file /etc/samba/smb.conf use the command testparm. Example output: 

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

To display current samba connections, use the smbstatus command. Example output: 

Samba version 4.12.3
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
7259    jack         jack         192.168.122.1 (ipv4:192.168.122.1:40148)  SMB3_11           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing     
---------------------------------------------------------------------------------------------
family       7259    192.168.122.1 Fri May 29 14:03:26 2020 AEST    -            -           

No locked files

Trouble with accessing the share

Some things to check if you cannot access the share.

1. Be sure that the user exists as a system user as well as a Samba user

Find maria in the Samba database: 

$ sudo pdbedit -L | grep maria

maria:1002:

Confirm that maria also exists as a system user. 

$ cat /etc/passwd | grep maria

maria:x:1002:1002::/home/maria:/bin/bash

2. Check if the shared directory has the right SELinux context. 

$ ls -dZ /home/share

unconfined_u:object_r:samba_share_t:s0 /home/share

3. Check if the system user has access rights to the shared directory. 

$ ls -ld /home/share 

drwxrwx---. 2 root myfamily 4096 May 29 14:03 /home/share

In this case, the user should be in the myfamily group.

4. Check in the configuration file /etc/samba/smb.conf that the user and group have access rights. 

[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily

In this case, the user should be in the myfamily group.

Trouble with writing in the share

1. Check in the samba configuration file if the user/group has write permissions. 

...
[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily

In this example, the user should be in the myfamily group.

2. Check the share directory permissions. 

$ ls -ld /home/share 

drwxrwx---. 2 root myfamily 4096 May 29 14:03 /home/share

This example assumes the user is part of the myfamily group which has read, write, and execute permissions for the folder.

Retrieved from "https://fedoraproject.org/w/index.php?title=User:Alciregi/samba-quick-doc&oldid=578715"