How to use Samba to build a shared file service on a Linux server

Recently, our small team needs to share a shared folder on the server for everyone to store public resource documents. You think this must be very simple. Under Windows, we only need to create a related Windows account, share a folder, and give read/write permissions to the account we created to complete the sharing. However, it is not so beautiful under Linux. Most of the resource materials on the Internet point to completing the sharing task through Samba, but some blogs only introduce how to do it, but not why to do it. The setup work is not smooth. I am not familiar with Linux and took a lot of detours, so I will deeply understand each step through this blog.

Introduction to Samba

Samba is a free software that implements the SMB protocol on Linux and UNIX systems, consisting of server and client programs. This is bullshit... let's see something interesting. The author Tridgwell applied to register the trademark of this software using SMBServer (short for Server Message Block), but there was no way to register it because SMB is a meaningless word. Then he looked up the dictionary and saw that SAMBA contains the letters SMB, which is also the name of the Latin dance we are all familiar with. Then the name Sanba came into being. (From Wikipedia)

To build a Samba shared directory, if you need to use a username/password to access the shared directory, we need to create a Linux user first, and then create a samba user through smbpasswd (the username needs to be the same), the original text is here:

To provide authentication on a standalone host, you have to create the accounts locally on the operating system and additionally in the Samba database. By default, Samba uses the tdbsam back end and stores the database in the /usr/local/samba/private/passdb.tdb file. Optionally set a different location in the smb.conf file using the passdb backend parameter. See the smb.conf 5 man page for details (from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server).

Build a shared directory that requires username authentication

1. Create a user for the shared directory. We use group to demonstrate here.

groupadd smbgrp
useradd fielshare -s /sbin/nologin -g smbgrp -p <password>
#Create an smb user with the same name. The password here is completely independent of the local user's password. The user we finally used was created by smbpasswd -a fielshare

2. Create a working directory that needs to be shared and set the folder permissions

mkdir -p /srv/samba/secure
chmod -R 0770 /srv/samba/secure
chown -R root:smbgrp /srv/samba/secure

To build a Samba shared directory, if you need to use a username/password to access the shared directory, we need to create a Linux user first, and then create a samba user through smbpasswd (the username needs to be the same), the original text is here:

3. Modify the security context

chcon -t samba_share_t /srv/samba/secure

This command is a SELinux (see Security-Enhanced Linux) command, which switches /srv/samba/securel to the samba context.

4. Modify the configuration file smb.conf

Before modifying the configuration file, we should back it up to prevent any accidents.

cp /etc/samba/smb.conf /etc/samba/smb.conf.orig

Here we have the following things to do:

1. Change the workgroup in the [global] section to WORKGROUP (the name of the workgroup you see in My Computer => Properties => Computer Name)

2. Set the netbios name under [global]. This can be anything, just like the computer name we see in My Neighborhood.
3. Make sure that security is set to user under [global]
4. Add shared directory configuration

#The folder name that can be seen when you click on it in My Neighborhood [share]
  comment = Secure File Server Share
  # Path to the directory to be shared = /srv/samba/secure
  # Accessible users, multiple users are separated by spaces, and the user group starts with @ valid users = @smbgrp
  # Disable anonymous access and set to no
  guest ok = no
  writable = yes
  browsable = yes

The entire smb.conf file is as follows:

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
  workgroup = WORKGROUP
  netbios name = centos
  security = user
  passdb backend = tdbsam
  printing = cups
  printcap name = cups
  load printers = no
  cups options = raw
[printers]
  comment = All Printers
  path = /var/tmp
  printable = Yes
  create mask = 0600
  browseable = No
[print$]
  comment = Printer Drivers
  path = /var/lib/samba/drivers
  write list = @printadmin root
  force group = @printadmin
  create mask = 0664
  directory mask = 0775
 [share]
  comment = secure file share
  path = /srv/samba/secure
  valid users = @smbgrp
  guest ok = no
  writable = yes
  browsable = yes
  browseable = yes

Note that smb.conf has a [home] node by default. If you do not want to have a folder with the same name as your username, please delete it.

Finish editing, save the configuration file,

After executing testparm, you will get a result similar to the following, which means that there is no problem with the configuration file

[root@localhost software]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
 load printers = No
 netbios name = CENTOS-SHARE
 printcap name = cups
 security = USER
 idmap config * : backend = tdb
 cups options = raw
[printers]
 browseable = No
 comment = All Printers
 create mask = 0600
 path = /var/tmp
 printable = Yes
[print$]
 comment = Printer Drivers
 create mask = 0664
 directory mask = 0775
 force group = @printadmin
 path = /var/lib/samba/drivers
 write list = @printadmin root
[share]
 comment = secure file share
 path = /home/share
 read only = No
 valid users = @smbgrp
[root@localhost software]#

5. Restart the samba service and open my computer for testing

systemctl restart smb.service
systemctl restart nmb.service

Since the test machine and the Linux host are not in the same network, I can't find the CENTOS-SHARE I configured in my Neighborhood. Here I directly access it through IP

6. Don't forget to add a firewall, otherwise you won't be able to see your neighbors

firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload 

Summarize

Here we only demonstrate how to share folders using the username authentication mode, which is mainly for Windows. Students who are not familiar with this can try anonymous sharing on their own. During the setup process, I came into contact with something I had never come across before, SELinux, and there are still many things in this area. There are many articles on the Internet introducing the use of SAMBA. The purpose of writing this blog is to tell you how to use it from multiple perspectives.