The basics of building an in-house server for Linux (CentOS 8.1, openSUSE 15.1, Ubuntu 20.04)! File server with Samba
Due to the influence of the coronavirus, the world economy is collapsing, and telework is being introduced one after another at organizations of every scale. Here, though, I would like to start with the first step for a small organization: sharing files between the PCs on the LAN in the office (˶˙ᵕ˙˶)
Basically, with **Linux + Samba as a file server on the LAN**, let’s start by sharing files among multiple PCs in the organization! For simplicity, install Samba from the packages of each Linux distribution and build a Linux file server.
Assumptions and preparations
Environment
- File server program: Samba (the smbd that comes standard in the Linux packages)
- Client: Windows10 Pro
- Server architecture: x64 (operation confirmed with Hyper-V 2nd generation)
- Linux distribution: CentOS 8.1 / openSUSE 15.1 Leap / Ubuntu 20.04 (all 64bit)
Premise
- All installation work is done as root. In the screenshots, an administrator user admin is created and the same commands are run as root with sudo from there.
- For all distributions, the firewall is firewalld (distribution-specific firewall commands are not used).
- OS installation is omitted.
- The LAN network segment is 192.168.1.0/24.
- For CentOS, disable SELinux (a reboot is also required after editing /etc/selinux/config).
CentOS8.1
/etc/selinux/config
Change SELINUX=enforcing → SELINUX=disabled
CentOS8.1
Server conditions
I tried to build a file server with Samba under the following conditions ٩ (.´͈ ᵕ `͈. ♡) ۶
IP address
- Client: 192.168.1.11
- Linux server: 192.168.1.18 (use the same IP address for all distributions)
- Affiliation network segment: 192.168.1.0/24
File server conditions
- As an example, the section name created in the file server space is «kazumi75kitty».
- As an example, the directory on the Linux server used as the file server space is /mnt/miura/, and both reading and writing are OK.
Work procedure
OS update
This goes without saying! Update the OS in advance.
CentOS8.1
openSUSE15.1
Ubuntu20.04
**Reboot Linux** when the update is complete.
Introducing Samba
Samba installation
Install Samba from the packages of each Linux distribution.
CentOS8.1
openSUSE15.1
Ubuntu20.04
Creating a user to use Samba
Create a new Linux user to use the Samba file server. This time, as an example, let’s assume that the file server is used with the user name «shonan».

    # useradd -m shonan
    # sudo passwd shonan    # set a password for the user

Next, register the created Linux user with Samba. Use the *pdbedit* command.
Don’t get confused here: in addition to the password you registered when you created the Linux user, **you need to set a password for the Samba file server**. Remember that to actually log on to the file server from Windows, you use **the password you set with the pdbedit command, not the password for the Linux user** (I use the same password as the Linux password for simplicity .. (๑ ・ ∞ ・ ๑))
Samba settings
Set up Samba in «/etc/samba/smb.conf».
/etc/samba/smb.conf

    # Only the items to be added or changed are listed. Others remain at default settings
    [global]
        workgroup = [Windows workgroup name to which you belong]
        hosts allow = [IP address or network segment to allow connection]

    [Any section name]
        comment = [Any comment]
        path = [Directory used as a file server]
        read only = no
        browsable = yes
        writable = yes

In this file, each section name you define publishes one directory on the Linux server as a file space, so you can separate directories under arbitrary section names to suit different purposes.
Therefore, this time, as described in «File server conditions», I would like to make the Linux directory «/mnt/miura/» available as a file server under the section name «kazumi75kitty». Also, since the network is assumed to be 192.168.1.0/24, allow this network.
Then, /etc/samba/smb.conf will be set with the following settings.
/etc/samba/smb.conf (Example)

    # Only the items to be added or changed are listed. Others remain at default settings
    [global]
        workgroup = [Windows workgroup name to which you belong]
        hosts allow = 192.168.1. 127.0.0.1
    # To allow 192.168.1.0/24 and the server itself, write hosts allow as above.

    [kazumi75kitty]
        comment = File Server Test in Miura Peninsula
        path = /mnt/miura
        read only = no
        browsable = yes
        writable = yes

The name of the Windows workgroup to which I belong can be confirmed in the system properties of the control panel, so I did not mention it ^ ^
Easy to get hooked on directories
The directory specified by «path» in the section **must be owned by the same user as the one registered with pdbedit, otherwise you may not be able to access the files and directories on the file server**, so check the owner carefully. I changed it here.
If you use «/mnt/miura/» for the file server space as in this example and the user who will use it is shonan, **the owner of the directory /mnt/miura/ needs to be shonan** (not root).
Like the image above (the user name in the image is hidden because it is in operation)
Depending on the distribution, it may be complicated or simple depending on the presence or absence of the explanation of smb.conf, so refer to it in the image (˶ ・ ᴗ ・) ⚐⚑
- CentOS 8.1
- openSUSE 15.1
- Ubuntu 20.04
  - global section (only some because there are so many items)
  - Section prepared by yourself
Parameter check
If you see «Loaded services file OK.», the settings should be correct.
Starting the Samba service
CentOS8.1 ・ openSUSE15.1

    # systemctl start smb
    # systemctl enable smb
    # systemctl status smb

Ubuntu20.04

    # systemctl start smbd
    # systemctl enable smbd
    # systemctl status smbd

By using enable, you can use the file server automatically even after rebooting.
Check if «Active» and «Running» are displayed in the status and «Failed» is not displayed. If it says «Failed», you will have to go back to check again, such as a misspelled smb.conf setting.
Then check the log; if there are no errors, Samba has recognized the directory specified in smb.conf.

    # less -r /var/log/samba/log.smbd

If a path failure such as «canonicalize_connect_path failed for service samba, path /mnt/miura» is displayed, the directory may not be accessible: check whether the specified directory exists, and check its owner and permissions with the ls -l command.
Let’s access the file server
Now, let’s access the Linux file server from a Windows client. In Windows Explorer, enter \\[Linux file server IP address].
First, open the Samba service in firewalld (details are described later).

    # firewall-cmd --permanent --add-service=samba
    # firewall-cmd --reload

Here, since the IP address of the server is 192.168.1.18, access it with «\\192.168.1.18\». If the server is identified successfully, you should get a Windows Security authentication failure dialog.
What if I can’t connect?
If the message «Cannot connect» is displayed instead of the initial authentication failure screen, check with «firewall-cmd --list-all» whether «samba» is allowed under services in firewalld (described later), and check with «systemctl status smb(d)» whether the Samba service has started on Linux; you may see a startup failure such as «Failed».
Let’s log on
If the authentication failure dialog is displayed and you can connect to the file server, log on as the user registered with Samba using pdbedit. In the case of shonan in the example here, enter shonan as the user name and **the password set when registering with pdbedit** (**distinguish it from the Linux user password**), then log on. If the name defined as the file space, «kazumi75kitty» in this example, is displayed, the file space created by the section in smb.conf has been recognized normally.
Let’s put the file
Once the file space is recognized, try placing any file in various ways. Also, make sure that the placed file can be edited and saved on Windows.
If the file cannot be placed or becomes read-only
On the Linux server side, the directory used as the file server may have a different owner, or permissions that do not allow reading and writing, so check again with the ls -l command.
Basic security
Basic security in Samba settings
Basically, the main premise is not to allow access to outsiders. As a more advanced form of security, there is also a method using a domain or Active Directory, but it is omitted here. **Limit hosts allow in smb.conf so that access is allowed only from the network to which you belong, on the assumption that the server will not be accessed from outsiders’ networks.**
In this example, the file server is used at 192.168.1.0/24, but what happens if hosts allow in smb.conf is set so that 192.168.1. is not allowed?
For example, do not allow 192.168.1., but allow 192.168.2., as shown below.

~~hosts allow = 192.168.1. 127.0.0.1~~

hosts allow = 192.168.2. 127.0.0.1

Then, when you access «\\192.168.1.18\» in Explorer, you should get an error, and the log /var/log/samba/log.smbd shows that access from 192.168.1.11 is denied.
In this way, you can limit the networks that are allowed to use Samba.
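The two checks this article keeps coming back to, the owner of the share directory («Easy to get hooked on directories») and the hosts allow list above, can be run before a client ever connects. The script below is an added example, not the article's own code: the function names are hypothetical, and `client_allowed` is a simplified model that handles only the two entry forms used here (a trailing-dot prefix and an exact address), not Samba's own matching code.

```bash
#!/bin/sh
# Added example (not the article's code): pre-flight checks for an smb.conf share.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION] (last one wins).
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                    # comment lines
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); insec = (tolower($0) == tolower(sec)); next }
        insec {
            i = index($0, "="); if (!i) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# share_owner_ok FILE SHARE USER: succeed only if the share path is an existing
# directory, owned by USER, with the owner write bit set.
share_owner_ok() {
    share_path=$(conf_get "$1" "$2" path)
    [ -n "$share_path" ] && [ -d "$share_path" ] || { echo "no such directory: $share_path" >&2; return 1; }
    owner=$(stat -c %U "$share_path")
    [ "$owner" = "$3" ] || { echo "$share_path is owned by $owner, not $3" >&2; return 1; }
    [ -n "$(find "$share_path" -maxdepth 0 -perm -200)" ] || { echo "$share_path is not owner-writable" >&2; return 1; }
}

# client_allowed FILE IP: succeed if IP matches an entry of [global] "hosts allow".
client_allowed() {
    list=$(conf_get "$1" global "hosts allow")
    [ -n "$list" ] || return 0          # no list set: nothing is restricted by address
    for entry in $(printf '%s' "$list" | tr ',' ' '); do
        case "$entry" in
            *.) case "$2" in "$entry"*) return 0 ;; esac ;;   # "192.168.1." prefix form
            *)  if [ "$2" = "$entry" ]; then return 0; fi ;;  # exact address form
        esac
    done
    return 1
}

# Usage: sh check-share.sh /etc/samba/smb.conf kazumi75kitty shonan 192.168.1.11
if [ "$#" -eq 4 ]; then
    share_owner_ok "$1" "$2" "$3" && echo "owner OK"
    if client_allowed "$1" "$4"; then echo "client allowed"; else echo "client denied"; fi
fi
```

Because the prefix form is compared together with its trailing dot, «192.168.1.» does not match a client at 192.168.11.5.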
Basic security with firewalld
Earlier, the firewall was opened with «firewall-cmd» as follows.

    # firewall-cmd --permanent --add-service=samba
    # firewall-cmd --reload

This means that the Linux firewall called firewalld permanently accepts incoming connections for the service called Samba, and does not accept services other than those specified. To check which services are allowed, enter «firewall-cmd --list-all» and check that the allowed services are displayed under services:, like «services: dhcpv6-client ssh samba».
In addition, it is possible to use rich rules to allow the port used by Samba to a specific IP address or network, but this is omitted here.
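As an added example (not part of the original article), the rich-rule approach mentioned above can look like this: the service-wide samba entry is replaced by a rule that accepts Samba only from the LAN segment, so firewalld and hosts allow enforce the same boundary. The function names are hypothetical, and the zone name «public» is an assumption; use the zone your interface actually belongs to.

```bash
#!/bin/sh
# Added example (not the article's code): limit firewalld's samba service to one network.

# samba_rich_rule CIDR: print a rich rule accepting the samba service only from CIDR.
# Returns 1 unless CIDR is a plain IPv4 network such as 192.168.1.0/24.
samba_rich_rule() {
    case "$1" in *[!0-9./]*) return 1 ;; esac      # digits, dots and one slash only
    printf '%s\n' "$1" |
        grep -Eqx '([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])' || return 1
    old_ifs=$IFS; IFS=.
    for octet in ${1%/*}; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    printf 'rule family="ipv4" source address="%s" service name="samba" accept\n' "$1"
}

# restrict_samba CIDR [ZONE]: swap the allow-from-anywhere service entry for the
# rich rule. Needs root and a running firewalld; ZONE defaults to public (assumption).
restrict_samba() {
    rule=$(samba_rich_rule "$1") || { echo "not an IPv4 network: $1" >&2; return 1; }
    zone=${2:-public}
    firewall-cmd --permanent --zone="$zone" --remove-service=samba &&
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" &&
    firewall-cmd --reload &&
    firewall-cmd --zone="$zone" --list-all
}

# Usage (as root): sh restrict-samba.sh --apply 192.168.1.0/24
if [ "${1:-}" = "--apply" ]; then
    restrict_samba "${2:-}" "${3:-}"
fi
```

After the reload, «samba» no longer appears under services: in the --list-all output; the rule is listed under rich rules: instead.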
References
- Network server construction guide made with CentOS7 [Server construction study group] Shuwa System
- Information Processing Engineering-OS and Internet Mechanism- [by Hiroyo Kinoshita] Corona Publishing Co., Ltd.
- Reference 1 is for CentOS 7, but as far as Samba is concerned the only difference is that the package installation command has changed from yum to dnf, so it can be followed as is without particular difficulty.
- There is «Corona» in the publisher name of Reference 2, but as of June 2020, there are cases where people are prejudiced just by saying «Corona» due to the reputational damage of the coronavirus. The original meaning of corona is the very thin plasma atmosphere of the sun’s ultra-high temperature, which physically means the shape of the corona discharge, so let’s use the original meaning of corona correctly.