Introduction:
This guide provides a complete, step-by-step process for setting up a secure file share server on Rocky Linux using Samba, with SMB 3.1 compliance and no backward compatibility. Additionally, it explains how to install and configure Cockpit with the file-sharing module provided by 45Drives. This guide is tailored for beginner Linux sysadmins and includes all relevant commands and configurations for managing users, groups, shares, and permissions.
Step 1: Install Samba and Required Packages
Start by installing Samba and the necessary tools:
sudo dnf install samba samba-client samba-common -y
Step 2: Configure SELinux and Firewall
To ensure the proper functioning of Samba, configure SELinux policies and open the necessary firewall ports.
- Configure SELinux:
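Enable the SELinux booleans that let Samba share users' home directories (samba_enable_home_dirs) and read and write any exported path regardless of its SELinux label (samba_export_all_rw):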
sudo setsebool -P samba_enable_home_dirs on
sudo setsebool -P samba_export_all_rw on
- Open Samba Ports in the Firewall:
Enable Samba services through the firewall:
sudo firewall-cmd --permanent --add-service=samba
sudo firewall-cmd --reload
Step 3: Install and Configure Cockpit with File-Sharing Module
Cockpit provides a web-based management interface, which can be enhanced with the file-sharing module from 45Drives.
- Install Cockpit and Required Modules:
Install Cockpit and the necessary modules for storage management:
sudo dnf install cockpit cockpit-storaged -y
- Install the 45Drives File-Sharing Module and File Navigator:
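Add the 45Drives package repository with its setup script, then install the file-sharing and Navigator modules. The first command runs a downloaded script as root, so you may prefer to save it to a file and read it before executing it: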
curl -sSL https://repo.45drives.com/setup | sudo bash
sudo dnf install cockpit-file-sharing cockpit-navigator
- Enable and Start Cockpit Service:
Enable and start the Cockpit service:
sudo systemctl enable --now cockpit.socket
- Open Cockpit Port in the Firewall:
Allow Cockpit access through the firewall:
sudo firewall-cmd --permanent --add-service=cockpit
sudo firewall-cmd --reload
- Access Cockpit Web Interface:
Open your web browser and navigate to:
https://<server-ip>:9090
Log in using your server credentials.
- Configure Samba Using Cockpit:
- Navigate to the File Sharing module in the Cockpit interface.
- Click on Add Share to create a new Samba share.
- Specify the directory path (e.g., /srv/samba/share), and set permissions as needed.
Step 4: Create and Manage Users and Groups
Managing users and groups effectively is crucial for controlling access to shared directories.
- Create a Group for Samba Users:
Create a dedicated group (smbgroup) for users who will access the shared resources:
sudo groupadd smbgroup
- Create Users and Add Them to the Group:
Create users and assign them to the smbgroup group:
sudo useradd -m -G smbgroup user1
sudo useradd -m -G smbgroup user2
Set passwords for the newly created users:
sudo passwd user1
sudo passwd user2
- Add Users to the Samba Database:
Add the users to the Samba user database:
sudo smbpasswd -a user1
sudo smbpasswd -e user1
sudo smbpasswd -a user2
sudo smbpasswd -e user2
- Remove Samba Users:
To remove a user from the Samba database:
sudo smbpasswd -x user1
- List Samba Users:
To display all Samba users:
sudo pdbedit -L
Step 5: Create and Manage Samba Shares
Setting up and managing Samba shares is a core aspect of building a file server.
- Create a Shared Directory:
Create a directory to be shared by Samba:
sudo mkdir -p /srv/samba/share
Set ownership and permissions to control access:
sudo chown -R root:smbgroup /srv/samba/share
sudo chmod 2770 /srv/samba/share
- Edit Samba Configuration to Define Shares:
Open the Samba configuration file:
sudo nano /etc/samba/smb.conf
Add the following global settings to ensure SMB 3.1 compliance and disable backward compatibility:
[global]
workgroup = WORKGROUP
server string = File Server
security = user
smb encrypt = required
server min protocol = SMB3_11
disable netbios = yes
dns proxy = no
log file = /var/log/samba/%m.log
max log size = 50
client min protocol = SMB3_11
- Define and Manage Shares:
To create a new share named [Shared], add the following configuration:
[Shared]
path = /srv/samba/share
valid users = @smbgroup
guest ok = no
writable = yes
browsable = yes
create mask = 0660
directory mask = 2770
- Grant Access to Multiple Users:
To grant multiple users access to a share, modify the valid users parameter:
[Shared]
path = /srv/samba/share
valid users = user1 user2
guest ok = no
writable = yes
browsable = yes
create mask = 0660
directory mask = 2770
- Modify Existing Shares:
To make an existing share read-only, set the writable parameter to no and tighten the masks:
[Shared]
path = /srv/samba/share
valid users = @smbgroup
guest ok = no
writable = no
browsable = yes
create mask = 0440
directory mask = 0550
- Remove a Share:
To remove a share, delete its section from /etc/samba/smb.conf and restart Samba.
- Restart Samba Services:
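After modifying the Samba configuration file, restart the Samba services to apply the changes and enable them at boot. The nmb service provides NetBIOS name service, which disable netbios = yes turns off, so the shares themselves are served by smb: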
sudo systemctl restart smb nmb
sudo systemctl enable smb nmb
Step 6: Apply and Verify Samba Configuration
To check the Samba configuration file for syntax errors and unknown parameters, use the following command:
testparm
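testparm confirms that the file parses, but not that the hardening values from Step 5 are still in place after later edits. The script below is an added example, not part of the original guide: it audits smb.conf text for the protocol floor, mandatory encryption, and per-share guest and valid users settings. The function names and the two sample configurations are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit smb.conf text on stdin for this guide's hardening settings.
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_smb_conf() {
  local findings
  findings=$(awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function check_share() {            # called when a section ends
      if (sect == "" || sect == "global") return
      if (guest ~ /^(yes|true|1)$/) print "[" sect "] allows guest access"
      if (users == "") print "[" sect "] has no valid users restriction"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
    /^[ \t]*\[/ {                       # section header such as [Shared]
      check_share()
      sect = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", sect)
      guest = "no"; users = ""; next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
      val = tolower(trim(substr($0, eq + 1)))
      if (sect == "global") g[key] = val
      else if (key == "guest ok" || key == "public") guest = val
      else if (key == "valid users") users = val
    }
    END {
      check_share()
      if (g["server min protocol"] != "smb3_11")
        print "[global] server min protocol is not SMB3_11"
      if (g["smb encrypt"] != "required" && g["server smb encrypt"] != "required")
        print "[global] smb encrypt is not required"
    }')
  if [ -z "$findings" ]; then return 0; fi
  printf "%s\n" "$findings"
  return 1
}

# Constructed samples: the settings from Step 5, and a weakened copy.
hardened_conf() { printf '%s\n' '[global]' 'server min protocol = SMB3_11' \
  'smb encrypt = required' '[Shared]' 'path = /srv/samba/share' \
  'valid users = @smbgroup' 'guest ok = no'; }
weak_conf() { printf '%s\n' '[global]' 'server min protocol = SMB2' \
  '[Shared]' 'path = /srv/samba/share' 'guest ok = yes'; }

hardened_conf | audit_smb_conf && echo "hardened sample: no findings"
weak_conf | audit_smb_conf || echo "weak sample: findings listed above"
```

To audit the live file, feed it on stdin: audit_smb_conf < /etc/samba/smb.conf. Special sections such as [homes] are treated like any other share and will be flagged if they lack valid users.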
Step 7: Manage Samba User Access and Permissions
Fine-tuning permissions allows for precise control over user access to shared resources.
- Control Access for Specific Groups and Users:
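To specify read-only or read-write access for different users or groups, use the write list and read list parameters. In this example user1 can write, while user2 is limited to read-only access even though the share is writable: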
[Shared]
path = /srv/samba/share
valid users = @smbgroup
write list = user1
read list = user2
guest ok = no
writable = yes
browsable = yes
create mask = 0660
directory mask = 2770
- Apply Permissions Recursively:
Apply the permissions recursively to all files and directories within the share:
sudo chmod -R 2770 /srv/samba/share
sudo chown -R root:smbgroup /srv/samba/share
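Applying 2770 recursively also puts the setgid and execute bits on regular files, whereas create mask = 0660 means files created through Samba get 0660. The script below is an added example, not part of the original guide: it lists entries whose mode differs from the two masks and resets directories to 2770 and files to 0660. The function names and the temporary demo tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: keep a share tree consistent with "create mask = 0660" and
# "directory mask = 2770" instead of giving regular files the directory mode.

# Print every entry whose mode differs from the masks (no output = consistent).
list_mode_drift() {
  find "$1" \( \( -type d ! -perm 2770 \) -o \( -type f ! -perm 0660 \) \) -print
}

# Reset directories to 2770 (setgid keeps new files in the group) and files to 0660.
normalize_share_perms() {
  find "$1" -type d -exec chmod 2770 {} +
  find "$1" -type f -exec chmod 0660 {} +
}

# Constructed demo tree: reproduce the state left by "chmod -R 2770", then repair it.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/share/projects"
: > "$demo_dir/share/projects/report.txt"
chmod -R 2770 "$demo_dir/share"
echo "Entries with drift after chmod -R 2770:"
list_mode_drift "$demo_dir/share"
normalize_share_perms "$demo_dir/share"
echo "Entries with drift after normalizing: $(list_mode_drift "$demo_dir/share" | grep -c . || true)"
rm -rf "$demo_dir"
```

On the real share, run the functions with root privileges against /srv/samba/share; group ownership is still set by the chown command above.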
Step 8: Connect from Windows Clients
- Access the Samba Share from Windows:
- Press Win + R and type \\<server-ip>\Shared to access the shared folder.
- Enter the Samba user credentials when prompted.
- Ensure SMB 3.1 Support:
Verify that SMB 3.1 is enabled on the Windows client (Windows 10 and above support SMB 3.1 by default).
Step 9: Troubleshoot and Monitor Samba and Cockpit
- Check Samba Logs:
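Monitor Samba logs for any access or authentication issues. With log file = /var/log/samba/%m.log set in Step 5, Samba also writes a separate log for each connecting client machine under /var/log/samba/, so check those files as well as log.smbd: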
tail -f /var/log/samba/log.smbd
- View Connected Clients:
To check the status of connected clients:
sudo smbstatus
- Monitor Cockpit Logs:
Cockpit logs can also be useful for debugging:
journalctl -u cockpit
Conclusion
By following this comprehensive guide, you have successfully set up a secure file share server on Rocky Linux 8 using Samba with SMB 3.1 compliance. Additionally, you have integrated Cockpit with the 45Drives file-sharing module for easier management of the file server. This guide provides all the necessary commands and configurations for managing users, groups, shares, and permissions, making it an excellent resource for beginner Linux sysadmins. You can further customize this setup to fit your specific needs while ensuring a high level of security.