Install And Configure Samba Server In CentOS 7

As you may know, Samba is a free, open source software suite that provides file and print services to SMB/CIFS clients. It allows us to share files, folders, and printers between a Linux server and Windows clients. Using Samba, we can also set up a domain controller on a Unix/Linux server and integrate Windows clients with it.

This tutorial describes how to set up a basic Samba server on a CentOS 7 system. The same steps also work on RHEL 7 and Scientific Linux 7.

Scenario

In this tutorial, I will be using two systems as described below.

Samba server:

Operating system : CentOS 7 minimal server
Hostname : server.unixmen.local
IP Address : 192.168.1.101/24

Samba client:

Operating system : Windows 7 Professional
Hostname : client
IP Address : 192.168.1.102/24

Install Samba

Check for existing samba package if any using the following commands.

rpm -qa | grep samba
yum list installed | grep samba

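If Samba is already installed, remove it using the command below. The wildcard matches every package whose name starts with samba (samba-client, samba-common and so on), and yum also removes any packages that depend on them, so read the transaction summary before confirming.

yum remove 'samba*'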

Now, install samba using the following command.

yum install 'samba*' -y

1. Configure a fully accessed anonymous share

Now, let us create a fully accessible anonymous share for the users. Anyone can read and write in this share.

Create a directory called ‘/samba/anonymous_share’ and set full permission. You can name this share as per your liking.

mkdir -p /samba/anonymous_share
chmod -R 0777 /samba/anonymous_share

Edit the Samba configuration file:

vi /etc/samba/smb.conf

Find the following directives, and make the changes as shown below.

[...]

## Add the following lines under [global] section ##
unix charset = UTF-8
dos charset = CP932

## Change this to the Windows default workgroup ##
workgroup = WORKGROUP

## Uncomment and set the IP Range ##
hosts allow = 127. 192.168.1.

## Uncomment ##
max protocol = SMB2

## Uncomment, and change the value of 'Security' to 'user' ## 
security = user

## Add the following line ##
map to guest = Bad User

## Add the following lines at the bottom ##
[Anonymous share]
path = /samba/anonymous_share
writable = yes
browsable = yes
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777

Start samba services, and enable them to start automatically on every reboot.

systemctl start smb
systemctl start nmb
systemctl enable smb
systemctl enable nmb

Test the Samba server configuration

We can check the Samba server configuration for syntax errors using the ‘testparm’ command.

testparm

Sample Output:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Anonymous share]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    dos charset = CP932
    netbios name = UNIXMEN SAMBA SERVER
    server string = Samba Server Version %v
    map to guest = Bad User
    log file = /var/log/samba/log.%m
    max log size = 50
    server max protocol = SMB2
    idmap config * : backend = tdb
    hosts allow = 127., 192.168.1.
    cups options = raw

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    print ok = Yes
    browseable = No

[Anonymous share]
    path = /samba/anonymous_share
    read only = No
    create mask = 0777
    directory mask = 0777
    guest only = Yes
    guest ok = Yes

If all good, you’re good to go now.

Firewall configuration

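Allow the Samba server's default ports through the firewall. The NetBIOS name and datagram services (137, 138) use UDP, the NetBIOS session service (139) and SMB (445) use TCP, and 901/tcp is the SWAT web administration port.

firewall-cmd --permanent --add-port=137/udp
firewall-cmd --permanent --add-port=138/udp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=901/tcp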

Reload the firewall to apply the changes.

firewall-cmd --reload

SELinux Configuration

Turn the samba_enable_home_dirs Boolean on if you want to share home directories via Samba.

setsebool -P samba_enable_home_dirs on

If you create a new directory, such as a new top-level directory, label it with samba_share_t so that SELinux allows Samba to read and write to it. Do not label system directories, such as /etc/ and /home/, with samba_share_t, as such directories should already have an SELinux label.

In our case, we have already created an anonymous share directory, so let us label it as shown below.

chcon -t samba_share_t /samba/anonymous_share/

If you would rather not deal with SELinux, you can disable it as shown below and continue. Note that this turns off SELinux enforcement for the whole system, not only for Samba.

To disable SELinux, edit the file /etc/sysconfig/selinux:

vi /etc/sysconfig/selinux

Set SELinux value to disabled.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot the server for the changes to take effect.

Test Samba Shares

Now, go to any Windows client system. In this example, I am using a Windows 7 system.

Click Start -> Run and enter the Samba server IP.

Now, you’ll be able to access the fully accessed samba shares.

You can create, modify or delete the files/folders inside the shares. For example, let me create a sample folder called ‘unixmen’ inside the samba share folder.

Check that the newly created files or folders are present on the Samba server:

ls -l /samba/anonymous_share/

Sample Output:

total 0
drwxrwxrwx. 2 nobody nobody 6 Sep 26 17:55 unixmen

As you can see in the result, the folder has been created in the /samba/anonymous_share/ directory.

2. Create security enabled share in samba server

What we have seen so far is creating a fully accessed samba share. Anyone can access that share folder, and can create, delete files/folders in that share.

Now, let us create a password-protected Samba share, so that users must enter a valid username and password to access the share folder.

Create a user called “unixmen” and a group called “smbgroup”.

useradd -s /sbin/nologin unixmen
groupadd smbgroup

Assign the user unixmen to smbgroup, and set samba password to that user.

usermod -a -G smbgroup unixmen
smbpasswd -a unixmen

Create a new directory called “/samba/secure_share” for the share and set its permissions.

mkdir /samba/secure_share
chmod -R 0755 /samba/secure_share
chown -R unixmen:smbgroup /samba/secure_share

Edit the Samba config file:

vi /etc/samba/smb.conf

Add the below lines at the bottom of samba config file.

[secure_share]
path = /samba/secure_share
writable = yes
browsable = yes
guest ok = no
valid users = @smbgroup

Test the samba configuration for any errors.

testparm

Sample output:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Anonymous share]"
Processing section "[secure_share]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    dos charset = CP932
    netbios name = UNIXMEN SAMBA SERVER
    server string = Samba Server Version %v
    map to guest = Bad User
    log file = /var/log/samba/log.%m
    max log size = 50
    server max protocol = SMB2
    idmap config * : backend = tdb
    hosts allow = 127., 192.168.1.
    cups options = raw

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    print ok = Yes
    browseable = No

[Anonymous share]
    path = /samba/anonymous_share
    read only = No
    create mask = 0777
    directory mask = 0777
    guest only = Yes
    guest ok = Yes

[secure_share]
    path = /samba/secure_share
    valid users = @smbgroup
    read only = No
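
testparm validates syntax only; it does not say which settings widen access. The shell function below is an added example, not part of the original tutorial, that scans an smb.conf-style file for the access-widening settings used in this guide (guest write access, 0777 masks, guest mapping, a protocol cap below SMB3); the function names and the sample configuration are constructed for illustration.

```shell
# Added example: flag access-widening settings in an smb.conf-style file ($1 or stdin).
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function on(v)   { return v == "yes" || v == "true" || v == "1" }
    function report() {                  # findings for the section just finished
        if (sec == "" || glob) return
        if (guest && rw) print sec ": guests can write to this share"
        if (wide)        print sec ": mask 0777 creates world-writable entries"
    }
    /^[ \t]*([#;]|$)/ { next }           # comments and blank lines
    /^[ \t]*\[/ {                        # start of a new [section]
        report()
        sec = trim($0); gsub(/^\[|\]$/, "", sec)
        glob = (tolower(sec) == "global"); guest = rw = wide = 0; next
    }
    {
        eq = index($0, "="); if (!eq) next
        # Samba ignores case and whitespace in parameter names, so normalise both.
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = tolower(trim(substr($0, eq + 1)))
        if (key == "guestok" || key == "public")             guest = on(val)
        else if (key ~ /^(writable|writeable|writeok)$/)      rw = on(val)
        else if (key == "readonly")                          rw = !on(val)
        else if (key ~ /^(create|directory)(mask|mode)$/ && val ~ /^0*777$/) wide = 1
        else if (glob && key == "maptoguest" && val == "bad user")
            print "global: unknown user names fall back to the guest account"
        else if (glob && key ~ /^(server)?maxprotocol$/ && val ~ /^(nt1|smb2)/)
            print "global: max protocol " toupper(val) " rules out SMB3"
    }
    END { report() }
    ' "$@"
}

# Constructed sample mirroring the two shares configured in this tutorial.
sample_conf() {
    cat <<'EOF'
[global]
    map to guest = Bad User
    max protocol = SMB2
[Anonymous share]
    writable = yes
    guest ok = yes
    create mode = 0777
[secure_share]
    writable = yes
    guest ok = no
    valid users = @smbgroup
EOF
}
sample_conf | audit_smb_conf
```

Against a live server, the same function can be run as audit_smb_conf /etc/samba/smb.conf.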

Label the /samba/secure_share/ directory with samba_share_t so that SELinux allows Samba to read and write to it.

chcon -t samba_share_t /samba/secure_share/

Restart samba services.

systemctl restart smb
systemctl restart nmb

Test Samba shares

Now, go to the Windows client and check for the secured share folder.

Double click to open the secured share. You’ll be asked to enter the user name and password to access the share.

That’s it. Now, you can access the secured samba share folder.

That’s it. Samba server is ready to use.

Cheers!

  • Dragos Alexe

    A recommendation is to temporarily disable SELinux and firewalld to manage the situation. After initial configuration (useradd, groupadd, samba conf), enable SELinux and the firewall.
    You can simply say: firewall-cmd --permanent --add-service=samba.
    And use semanage instead of chcon:
    semanage fcontext -a -t samba_share_t "/directory_to_share(/.*)?"
    restorecon -Rv /directory_to_share
    setsebool -P smbd_anon_write 1

  • Тимур Тайжанов

    I used “chcon -h system_u:object_r:httpd_sys_content_t ….” instead of “chcon -t samba_share_t …”, because it causes problem like “chcon: can’t apply partial context to unlabeled file …”

  • Jamie Murray

    The yum remove samba* element needs to be removed from this guide and it has the capacity to damage things.

  • John McGill

    *did* damage things. 🙁