Introduction:

This guide provides a complete, step-by-step process for setting up a secure file share server on Rocky Linux using Samba, with SMB 3.1 compliance and no backward compatibility. Additionally, it explains how to install and configure Cockpit with the file-sharing module provided by 45Drives. This guide is tailored for beginner Linux sysadmins and includes all relevant commands and configurations for managing users, groups, shares, and permissions.

Step 1: Install Samba and Required Packages

Start by installing Samba and the necessary tools:

sudo dnf install samba samba-client samba-common -y
Bash

Step 2: Configure SELinux and Firewall

To ensure the proper functioning of Samba, configure SELinux policies and open the necessary firewall ports.

  1. Configure SELinux:

Allow Samba to read/write to user directories:

sudo setsebool -P samba_enable_home_dirs on
sudo setsebool -P samba_export_all_rw on
Bash
  1. Open Samba Ports in the Firewall:

Enable Samba services through the firewall:

sudo firewall-cmd --permanent --add-service=samba<br>sudo firewall-cmd --reload
Bash

Step 3: Install and Configure Cockpit with File-Sharing Module

Cockpit provides a web-based management interface, which can be enhanced with the file-sharing module from 45Drives.

  1. Install Cockpit and Required Modules:

Install Cockpit and the necessary modules for storage management:

sudo dnf install cockpit cockpit-storaged -y
Bash
  1. Install the 45Drives File-Sharing Module and File Navigator:

Clone the repository from 45Drives and install the file-sharing and Navigation module:

curl -sSL https://repo.45drives.com/setup | sudo bash
sudo dnf install cockpit-file-sharing cockpit-navigator
Bash
  1. Enable and Start Cockpit Service:

Enable and start the Cockpit service:

sudo systemctl enable --now cockpit.socket
Bash
  1. Open Cockpit Port in the Firewall:

Allow Cockpit access through the firewall:

sudo firewall-cmd --permanent --add-service=cockpit
sudo firewall-cmd --reload
Bash
  1. Access Cockpit Web Interface:

Open your web browser and navigate to:

https://<server-ip>:9090
Bash

Log in using your server credentials.

  1. Configure Samba Using Cockpit:
  • Navigate to the File Sharing module in the Cockpit interface.
  • Click on Add Share to create a new Samba share.
  • Specify the directory path (e.g., /srv/samba/share), and set permissions as needed.

Step 4: Create and Manage Users and Groups

Managing users and groups effectively is crucial for controlling access to shared directories.

  1. Create a Group for Samba Users:

Create a primary group (smbgroup) for users who will access the shared resources:

sudo groupadd smbgroup
Bash
  1. Create Users and Add Them to the Group:

Create users and assign them to the smbgroup:

sudo useradd -m -G smbgroup user1
sudo useradd -m -G smbgroup user2
Bash

Set passwords for the newly created users:

sudo passwd user1
sudo passwd user2
Bash
  1. Add Users to the Samba Database:

Add the users to the Samba user database:

sudo smbpasswd -a user1
sudo smbpasswd -e user1
sudo smbpasswd -a user2
sudo smbpasswd -e user2
Bash
  1. Remove Samba Users:

To remove a user from the Samba database:

sudo smbpasswd -x user1
Bash
  1. List Samba Users:

To display all Samba users:

sudo pdbedit -L
Bash

Step 5: Create and Manage Samba Shares

Setting up and managing Samba shares is a core aspect of building a file server.

  1. Create a Shared Directory:

Create a directory to be shared by Samba:

sudo mkdir -p /srv/samba/share
Bash

Set ownership and permissions to control access:

sudo chown -R root:smbgroup /srv/samba/share
sudo chmod 2770 /srv/samba/share
Bash
  1. Edit Samba Configuration to Define Shares:

Open the Samba configuration file:

sudo nano /etc/samba/smb.conf
Bash

Add the following global settings to ensure SMB 3.1 compliance and disable backward compatibility:

[global]
   workgroup = WORKGROUP
   server string = File Server
   security = user
   smb encrypt = required
   server min protocol = SMB3_11
   disable netbios = yes
   dns proxy = no
   log file = /var/log/samba/%m.log
   max log size = 50
   client min protocol = SMB3_11
Conf
  1. Define and Manage Shares:

To create a new share named [Shared], add the following configuration:

[Shared]
   path = /srv/samba/share
   valid users = @smbgroup
   guest ok = no
   writable = yes
   browsable = yes
   create mask = 0660
   directory mask = 2770
Conf
  1. Grant Access to Multiple Users:

To grant multiple users access to a share, modify the valid users parameter:

[Shared]
   path = /srv/samba/share
   valid users = user1 user2
   guest ok = no
   writable = yes
   browsable = yes
   create mask = 0660
   directory mask = 2770
Conf
  1. Modify Existing Shares:

To make an existing share read-only, change the writable parameter:

[Shared]
   path = /srv/samba/share
   valid users = @smbgroup
   guest ok = no
   writable = no
   browsable = yes
   create mask = 0440
   directory mask = 0550
Conf
  1. Remove a Share:

To remove a share, delete its section from /etc/samba/smb.conf and restart Samba.

  1. Restart Samba Services:

After modifying the Samba configuration file, restart the Samba services to apply changes:

sudo systemctl restart smb nmb
sudo systemctl enable smb nmb
Bash

Step 6: Apply and Verify Samba Configuration

To ensure that the Samba configuration is correct, use the following command:

testparm
Bash

Step 7: Manage Samba User Access and Permissions

Fine-tuning permissions allows for precise control over user access to shared resources.

  1. Control Access for Specific Groups and Users:

To specify read-only or read-write access for different users or groups, use the write list and read list parameters:

[Shared]
   path = /srv/samba/share
   valid users = @smbgroup
   write list = user1
   read list = user2
   guest ok = no
   writable = yes
   browsable = yes
   create mask = 0660
   directory mask = 2770
Conf
  1. Apply Permissions Recursively:

Apply the permissions recursively to all files and directories within the share:

sudo chmod -R 2770 /srv/samba/share
sudo chown -R root:smbgroup /srv/samba/share
Bash

Step 8: Connect from Windows Clients

  1. Access the Samba Share from Windows:
  • Press Win + R and type \\<server-ip>\Shared to access the shared folder.
  • Enter the Samba user credentials when prompted.
  1. Ensure SMB 3.1 Support:

Verify that SMB 3.1 is enabled on the Windows client (Windows 10 and above support SMB 3.1 by default).

Step 9: Troubleshoot and Monitor Samba and Cockpit

  1. Check Samba Logs:

Monitor Samba logs for any access or authentication issues:

tail -f /var/log/samba/log.smbd
Bash
  1. View Connected Clients:

To check the status of connected clients:

sudo smbstatus
Bash
  1. Monitor Cockpit Logs:

Cockpit logs can also be useful for debugging:

journalctl -u cockpit
Bash

Conclusion

By following this comprehensive guide, you have successfully set up a secure file share server on Rocky Linux 8 using Samba with SMB 3.1 compliance. Additionally, you have integrated Cockpit with the 45Drives file-sharing module for easier management of the file server. This guide provides all the necessary commands and configurations for managing users, groups, shares, and permissions, making it an excellent resource for beginner Linux sysadmins. You can further customize this setup to fit your specific needs while ensuring a high level of security.

Categorized in:

Linux Administration, System Administrator Guides,

Last Update: November 5, 2024

Tagged in:

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,