AlmaLinux OS - Samba File Server

Many of you requested more articles about self-hosting and home servers. One of the major use cases is making files available for others in the network. This might be useful to share projects, but also for backups or filling your media library.

Home Server - ©2024, Daniel Schier, CC BY-SA 4.0


Don't worry. Setting up a Samba file server is easy and done quickly, even without disabling the firewall or SELinux.

AlmaLinux OS

AlmaLinux OS is my preferred Enterprise Linux for personal use. It is based on CentOS Stream, yet provides a stabilized and versioned approach. It is meant to be ABI compatible with Red Hat Enterprise Linux.

For me, it became the best OS when it comes to small office/home office use cases, but also for development and non-critical environments in large enterprises. Therefore, I already published a couple of articles related to AlmaLinux OS.

Samba

Samba is one of the older open source software implementations. In general, it stands for "opening windows for the wider world". Therefore, I see it as the glue between Windows and Linux environments. This does not mean you need to use Windows to make use of Samba.

For the sake of this tutorial, I will focus on the Samba file server capabilities. Meaning, we will provide so-called CIFS (Common Internet File System) shares. Yet, Samba can also provide an LDAP server or act as a proxy for the same and much more.

Project

Let's make our small project somewhat realistic.

As the owner of my home network, I want to share documents between me and my family. All family members (Alice, Bob and Carol) should be allowed to upload and download data on a share, no matter if they use Linux or Windows on their workstation.

Pretty simple, right? And this can be solved with the Samba file server easily.

Setup

Finally, we came to the part where some work is done. Let's set this baby up.

💡 The following setup is based on AlmaLinux OS 9.4 using Samba 4.19.4.

Pre-Requisites

Before going forward, there are some things you should ensure.

  • update the system beforehand
  • ensure that the machine has a proper time/NTP setup
  • ensure that the machine has proper DNS settings (meaning it can resolve DNS records or has no DNS resolution configured at all)
  • ensure that enough space is available in /var/lib/samba/ or whichever other location you want to use for your shares

There are ways to work around all of the above, but for this tutorial, I assume you have solved them already.

Package installation

Yes, this guide does not start with disabling SELinux. Instead, let's just install some packages. The command should be pretty straightforward.

# Install Samba packages
$ sudo dnf install samba

Optionally, you can also install the samba-tools package for a more convenient and sophisticated administration command. For this guide, it is not needed.

Configuration

The configuration of Samba can be done in a single file. All Red Hat family distributions also deliver a default configuration and a fully commented example file.

# Show configuration files
$ ls -la /etc/samba/
total 32
drwxr-xr-x.  2 root root    61 May 19 06:34 .
drwxr-xr-x. 99 root root  8192 May 19 06:50 ..
-rw-r--r--.  1 root root    20 Apr  4 20:31 lmhosts
-rw-r--r--.  1 root root   853 Apr  4 20:31 smb.conf
-rw-r--r--.  1 root root 11319 Apr  4 20:31 smb.conf.example

We are interested in the smb.conf file for now. But it is strongly recommended to consult the smb.conf.example file, in case you want to tune the configuration later on. In my case, the smb.conf file will look like this:

[global]
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = No
        cups options = raw

[family]
        comment = Family Share
        path = /var/lib/samba/shares/family
        valid users = @family
        create mode = 0660
        directory mode = 0770
        browseable = Yes
        read only = No

/etc/samba/smb.conf

As you can see, I have disabled the printers, homes and all related sections, but also added a [family] section. The [homes], [global] and [printers] sections are special for Samba. Every other section can be configured as you like.

In the above, I configured a single share, which can be accessed by the members of the family group.

To test your configuration, you can use the testparm command. It will tell you if you have an option written or used in the wrong way or used a value that is not supported. Yet, it will not test if your configuration does what you want.

# Run testparm
$ testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions
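
Since testparm checks syntax but not intent, a small audit can cover the gap. The following is an added example, not part of the original article: it flags shares without a valid users restriction, shares with guest access, and create/directory modes that grant anything to "other". The function name audit_smb_conf and the [media] share are hypothetical, and the checks are a starting point rather than a complete policy.

```shell
#!/bin/sh
# audit_smb_conf [FILE]: read smb.conf text from FILE or stdin and print one
# finding per line as "share: message". No output means nothing was flagged.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Flag a mask whose last octal digit grants anything to "other".
    function mode(key, label) {
        if ((key in opt) && opt[key] !~ /0$/)
            print sec ": " label " " opt[key] " grants access to others"
    }
    function report(   g) {
        # [global], [homes] and [printers] are special sections, not shares.
        if (sec == "" || sec == "global" || sec == "homes" || sec == "printers")
            return
        if (!("validusers" in opt)) print sec ": no valid users restriction"
        g = tolower(("guestok" in opt) ? opt["guestok"] : opt["public"])
        if (g == "yes" || g == "true" || g == "1")
            print sec ": guest access enabled"
        mode("createmask", "create mode")
        mode("directorymask", "directory mode")
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments and blank lines
    /^[ \t]*\[/ {                             # section header: close the last one
        report(); split("", opt)
        sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); sec = tolower(trim($0)); next
    }
    (i = index($0, "=")) {
        key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
        # Samba ignores case and spaces in names and treats these as synonyms.
        if (key == "createmode") key = "createmask"
        if (key == "directorymode") key = "directorymask"
        opt[key] = trim(substr($0, i + 1))
    }
    END { report() }
    ' "$@"
}

# Constructed sample: the [family] share plus a hypothetical, weak [media] share.
audit_smb_conf <<'EOF'
[family]
        valid users = @family
        create mode = 0660
        directory mode = 0770
[media]
        guest ok = Yes
        create mode = 0664
EOF
```

On a real system, run it as audit_smb_conf /etc/samba/smb.conf after testparm reports the file as loadable.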

User creation

Now that we have a valid configuration that we intend to use, we also need to create the users and tell Samba to actually use them. This part is often the most confusing one. We need to have a local user, so we can manage groups and permissions on the filesystem. But we also need a password/user combination to allow these users to log in to the Samba file server.

This might sound complicated, but in reality it is not.

For a small home setup, I will stick with local users, which are easy to create. The following commands will create our desired local Linux users and groups. The users are created so that they have a home directory, but are not allowed to log in on the console or via SSH.

# Create the users
$ sudo useradd alice --create-home --shell /usr/sbin/nologin
$ sudo useradd bob --create-home --shell /usr/sbin/nologin
$ sudo useradd carol --create-home --shell /usr/sbin/nologin

# Set passwords for users (even though they cannot log in)
$ sudo passwd alice
$ sudo passwd bob
$ sudo passwd carol

# Create the family group
$ sudo groupadd family

# Add users to the group
$ sudo usermod -aG family alice
$ sudo usermod -aG family bob
$ sudo usermod -aG family carol

Next, we need to add the users to the Samba database.

# Create Samba users (writing to the Samba database requires root)
$ sudo smbpasswd -a alice
$ sudo smbpasswd -a bob
$ sudo smbpasswd -a carol

# Check if users exist in Samba
$ sudo pdbedit -L
alice:1001:
carol:1003:
bob:1002:

And, that's it. Let's head to the next section.

Directory creation

As per our configuration, we want to share the /var/lib/samba/shares/family directory. To do so, we have to create it.

# Create directory
$ sudo mkdir -p /var/lib/samba/shares/family

We also need to set permissions for our new group.

# Change group ownership to "family"
$ sudo chown root:family /var/lib/samba/shares/family

# Allow writing for root and group only
$ sudo chmod 0770 /var/lib/samba/shares/family

# Check permissions
$ sudo ls -ld /var/lib/samba/shares/family/
drwxrwx---. 3 root family 17 May 19 16:10 /var/lib/samba/shares/family/

This should do the trick, mostly.

SELinux considerations

But wait … or maybe … feel free to continue with the guide and come back to this section. In Red Hat family systems, you will find SELinux enabled. Therefore, the above directory is not working as designed. It might not even work at all. So, let's do a little exercise here. First, we want to check if SELinux is enabled.

$ getenforce 
Enforcing

Looking good. Next, we need to understand that SELinux works with context types on a file level. This means each file and directory carries a designated context type, and a program can access a file or directory only if it is meant to access that type.

We can check this for our directory.

$ ls -ldZ /var/lib/samba/shares/
drwxr-xr-x. 3 root root unconfined_u:object_r:samba_var_t:s0 20 May 19 12:53 /var/lib/samba/shares/

$ ls -ldZ /var/lib/samba/shares/family/
drwxrwxr-x. 2 root family unconfined_u:object_r:samba_var_t:s0 6 May 19 12:53 /var/lib/samba/shares/family/

The context currently in use is "samba_var_t". Yet, Samba requires us to use the context "samba_share_t". This is also mentioned in the discussed smb.conf.example file from above and the command man smb.conf. To permanently set the context, we require a command (what else?).

# Configure file context for the directory and everything below it
# (quoted, so the shell passes the regular expression to semanage unchanged)
$ sudo semanage fcontext --add --type samba_share_t "/var/lib/samba/shares(/.*)?"

This will make the change persistent, but the semanage command does not "enable" these changes on the fly. Instead, a second command is needed.

# Enable/Restore the configured contexts
$ sudo restorecon -R /var/lib/samba/shares

And that's it. Checking our files again, we can see the context.

# Check the shares
$ ls -ldZ /var/lib/samba/shares/family/
drwxrwxr-x. 2 root family unconfined_u:object_r:samba_share_t:s0 6 May 19 12:53 /var/lib/samba/shares/family/

And yes, you also need to do this if your desired location is /samba, /srv/shares or wherever else you want to have your shares.
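
Why the pattern handed to semanage fcontext matters, as an added example that is not part of the original article: file context patterns are regular expressions that must match the whole path, so a rule naming only a directory does not cover what is created inside it, and a later restorecon -R falls back to the policy default for those files. The function expected_type, the rule sets and the file report.odt are constructed for illustration, and the matching is a simplified model of what restorecon does.

```shell
#!/bin/sh
# expected_type RULES PATH: print the SELinux type the rules give to PATH.
# RULES holds one "regex type" pair per line, policy rules first and local
# (semanage fcontext) rules after them.
# Simplified model (assumption): a regex must match the whole path and the last
# matching rule wins; file-type flags and equivalence rules are ignored.
expected_type() {
    result="unmatched"
    while read -r regex label; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$2" | grep -Eqx -- "$regex"; then
            result=$label
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$result"
}

# Constructed rule sets. BASE mirrors the default labelling shown above.
BASE='/var/lib/samba(/.*)? samba_var_t'
# Rules that name only the directories themselves.
DIR_ONLY="$BASE
/var/lib/samba/shares samba_share_t
/var/lib/samba/shares/family samba_share_t"
# One rule covering the directory and everything below it.
RECURSIVE="$BASE
/var/lib/samba/shares(/.*)? samba_share_t"

for p in /var/lib/samba/shares/family \
         /var/lib/samba/shares/family/foo/report.odt; do
    printf '%s\n  dir-only:  %s\n  recursive: %s\n' "$p" \
        "$(expected_type "$DIR_ONLY" "$p")" "$(expected_type "$RECURSIVE" "$p")"
done
```

On the server itself, sudo semanage fcontext --list shows the rules actually in effect.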

Services

Finally, we can start the services. This will start Samba, read our configuration and basically make Samba available.

# Start & enable Samba and NetBIOS
$ sudo systemctl enable --now smb.service
$ sudo systemctl enable --now nmb.service

In case you don't have a firewall enabled on your machine (which may be a bad idea), you are done here. Everything should work as expected.

Firewall

In case you have the firewalld daemon enabled, you require one more step to complete the setup.

# Allow Samba traffic
$ sudo firewall-cmd --add-service samba
$ sudo firewall-cmd --add-service samba --permanent

And now we are done.

Testing

For testing purposes, you can use lots of tools. One of them is the smbclient command line utility. It is in the samba-client package.

# Check what is available for alice
$ smbclient -U SAMBA/alice -L //localhost
Password for [SAMBA\alice]:

	Sharename       Type      Comment
	---------       ----      -------
	family          Disk      Family Share
	IPC$            IPC       IPC Service (Samba 4.19.4)
SMB1 disabled -- no workgroup available

But, you can also use the Nautilus file manager to mount a Samba share. Just open it and add a new network share.

Screenshot - Nautilus using a samba share

And finally, you can create a file or directory.

Which should be reflected on our machine with the desired permissions.

# Check new directory
$ sudo ls -lZ /var/lib/samba/shares/family/
total 0
drwxrwx---. 2 alice alice system_u:object_r:samba_share_t:s0 6 May 19 16:10 foo

But wait, this directory is created for Alice only. What if we want each directory to be owned by our "family" group? Easy enough. Just change the smb.conf file to the below.

[global]
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = No
        cups options = raw

[family]
        comment = Family Share
        path = /var/lib/samba/shares/family
        valid users = @family
        create mode = 0660
        directory mode = 0770
        force group = family
        browseable = Yes
        read only = No

After disconnecting and reconnecting to your Samba share, everything should be as you like.

# Show effective permissions
$ sudo ls -lZ /var/lib/samba/shares/family/
total 0
drwxrwx---. 2 alice family system_u:object_r:samba_share_t:s0 6 May 19 16:20 bar
drwxrwx---. 2 alice alice  system_u:object_r:samba_share_t:s0 6 May 19 16:10 foo

Samba is a vast topic, and I may add at least 10 more articles digging into all the details. Yet, there are some awesome resources already out there. The same can be said about SELinux.

  • smb.conf
  • 4.7. SELinux Contexts – Labeling Files, Red Hat Enterprise Linux 7 (Red Hat Customer Portal)
  • How to share files with Samba
  • How To Force User/Group Ownership Of Files On A Samba Share (The Geek Diary)

Conclusion

With this rather long article, you should be all set up for your first file server. I will add another article, discussing NFS, for sure. And maybe I will find some more opportunities to talk about Samba.

That said, how do you share files at home? How do you sync between your TV, Windows and Linux devices? Do you use Samba? Something else? Let me know, I am eager to find out how you do things and what can be added to the blog.