The basics of building an in-house server for Linux (CentOS 8.1, openSUSE 15.1, Ubuntu 20.04)! File server with Samba

Due to the coronavirus, the world economy is collapsing and telework is being introduced one after another in organizations of every size. For a small organization, I would like to start with sharing files between the PCs on the office LAN (˶˙ᵕ˙˶)

The basic approach is **Linux + Samba as a file server inside the LAN**: let's start by sharing files between multiple PCs in the organization! For simplicity, Samba is installed from each Linux distribution's own packages to build the Linux file server.

Assumptions and preparations

environment

- File server program: Samba (smbd from the standard Linux package)
- Client: Windows 10 Pro
- Server architecture: x64 (operation confirmed with Hyper-V 2nd generation)
- Linux distribution: CentOS 8.1 / openSUSE 15.1 Leap / Ubuntu 20.04 (all 64-bit)

Premise

- Installation is performed as the root user. In the screen captures, an administrator account "admin" is created and the same commands are executed as root with sudo from there.
- On all distributions, firewalld is used as the firewall (distribution-specific firewall commands are not used).
- OS installation is omitted.
- The LAN network segment is 192.168.1.0/24.
- On CentOS, disable SELinux (a reboot is also required after editing /etc/selinux/config).

CentOS8.1


# vi /etc/selinux/config

/etc/selinux/config


SELINUX=enforcing
→ Change to SELINUX=disabled

CentOS8.1


# reboot

Server conditions

I tried to build a file server with Samba under the following conditions ٩ (.´͈ ᵕ `͈. ♡) ۶

IP address

- Client: 192.168.1.11
- Linux server: 192.168.1.18 (the same IP address is used for all distributions)
- Network segment: 192.168.1.0/24

[Image: server diagram]

File server conditions

- As an example, the section name created for the file server space is "kazumi75kitty".
- As an example, the directory on the Linux server used as the file server space is /mnt/miura/, and both reading and writing are allowed.

Work procedure

OS update

This goes without saying! Update the OS in advance.

CentOS8.1


# dnf -y upgrade

openSUSE15.1


# zypper -n update

Ubuntu20.04


# apt-get -y update
# apt-get -y upgrade

**Reboot Linux** when the update is complete.

Introducing Samba

Samba installation

Install Samba from the packages of each Linux distribution.

CentOS8.1


# dnf -y install samba

openSUSE15.1


# zypper -n install samba

Ubuntu20.04


# apt-get -y install samba

Creating a user to use Samba

Create a new Linux user to use the Samba file server. In this example, the file server is used with the user name "shonan".

# useradd -m shonan
# sudo passwd shonan   ← Set a password for the user

Next, register the created Linux user with Samba, using the pdbedit command.

# pdbedit -a shonan

Don't get confused here: **in addition to the password you registered when you created the Linux user, you need to set a password for the Samba file server**. Remember that to actually log on to the file server from Windows, you use **the password you set with the pdbedit command, not the password for the Linux user** (I use the same password as the Linux password for simplicity... (๑・∞・๑))

Samba settings

Set up Samba in "/etc/samba/smb.conf".

# vi /etc/samba/smb.conf

/etc/samba/smb.conf


#Only the items to be added or changed are listed. Others remain at default settings
[global]
   workgroup = [Windows workgroup name to which you belong]
   hosts allow = [IP address or network segment to allow connection]
[<Arbitrary section name>]
   comment = [Any comment]
   path = [Directory used as a file server]
   read only = no
   browsable = yes
   writable = yes

In this file, each section name publishes one directory on the Linux server as a share, so separate directories can be published under separate section names for different purposes.

This time, as described in "File server conditions", the section name "kazumi75kitty" and the Linux directory "/mnt/miura/" are made available as a file server. Also, since the network is assumed to be 192.168.1.0/24, this network is allowed.

Then, /etc/samba/smb.conf will be set with the following settings.

/etc/samba/smb.conf(Example)


#Only the items to be added or changed are listed. Others remain at default settings
[global]
   workgroup = [Windows workgroup name to which you belong]
   hosts allow = 192.168.1. 127.0.0.1
   # hosts allow: to allow 192.168.1.0/24 and the server itself, write it as above.
[kazumi75kitty]
   comment = File Server Test in Miura Peninsula
   path = /mnt/miura
   read only = no
   browsable = yes
   writable = yes

The name of the Windows workgroup to which I belong can be confirmed in the system properties of the control panel, so I did not mention it ^ ^

A common pitfall: directory ownership

The owner of the directory specified by "path" in the section **must be the same user that was registered with pdbedit; otherwise you may not be able to access the files and directories on the file server**, so check the owner carefully. I am changing it here.

If "/mnt/miura/" is used as the file server space, as in this example, and the user is shonan, **the owner of the directory /mnt/miura/ needs to be shonan** (not root).

[Image: Ownerchange.png] As in the image above (the user name in the image is hidden because the server is in operation).

Depending on the distribution, the default smb.conf may be complicated or simple depending on whether it contains explanatory comments, so refer to the image (˶・ᴗ・)⚐⚑
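A preflight check for the ownership pitfall described above, as an added example that is not part of the original article. `check_share_dir` is a hypothetical helper name, and the script assumes GNU coreutils `stat`.

```shell
#!/bin/sh
# Added example: confirm that a Samba share directory is usable by its user.
# check_share_dir is a hypothetical helper, not a Samba tool.
# Return codes: 0 ok, 1 directory missing, 2 wrong owner, 3 owner lacks rwx.
check_share_dir() {
    share_dir=$1
    share_user=$2
    if [ ! -d "$share_dir" ]; then
        echo "missing: $share_dir does not exist or is not a directory"
        return 1
    fi
    owner=$(stat -c %U "$share_dir")   # owning user name (GNU stat)
    mode=$(stat -c %a "$share_dir")    # octal permissions, e.g. 755
    if [ "$owner" != "$share_user" ]; then
        echo "owner: $share_dir is owned by $owner, expected $share_user"
        echo "fix:   chown $share_user $share_dir"
        return 2
    fi
    # The owner digit is the third from the end (handles 755 and 2755 alike).
    owner_digit=$(echo "$mode" | sed 's/^.*\(.\)..$/\1/')
    if [ "$owner_digit" != "7" ]; then
        echo "mode:  owner permissions are $mode, $share_user needs rwx"
        echo "fix:   chmod u+rwx $share_dir"
        return 3
    fi
    echo "ok: $share_dir is owned by $share_user (mode $mode)"
    return 0
}

# Example call for this article's values: sh check.sh /mnt/miura shonan
if [ $# -eq 2 ]; then
    check_share_dir "$1" "$2"
fi
```

The check only reports problems and prints the suggested fix; it changes nothing on the server.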

Parameter check

# testparm /etc/samba/smb.conf

If you see "Loaded services file OK.", the settings should be correct.

Starting the Samba service

CentOS8.1 ・ openSUSE15.1


# systemctl start smb
# systemctl enable smb
# systemctl status smb

Ubuntu20.04


# systemctl start smbd
# systemctl enable smbd
# systemctl status smbd

By using enable, you can use the file server automatically even after rebooting.

Check that "Active" and "Running" are displayed in the status and that "Failed" is not. If it says "Failed", go back and check again for problems such as a misspelled smb.conf setting.

Then check the log; if there are no errors, Samba has recognized the directory specified in smb.conf.

# less -r /var/log/samba/log.smbd

If a path failure such as "canonicalize_connect_path failed for service samba, path /mnt/miura" is displayed, the directory may not be accessible: check that the specified directory exists, and check its owner and permissions with the ls -l command.

Let's access the file server

Now, let's access the Linux file server from a Windows client. In Windows Explorer, enter \\[Linux file server IP address].

First, open the firewall in firewalld (details are described later).

# firewall-cmd --permanent --add-service=samba
# firewall-cmd --reload

Here, since the IP address of the server is 192.168.1.18, access it with "\\192.168.1.18\". If the server is found successfully, you should get a Windows Security authentication failure dialog. [Image: Conn-OK.png]

What if I can't connect?

[Image: Conn-NG.png] If the message "Cannot connect" is displayed instead of the initial authentication failure screen, run "firewall-cmd --list-all" (described later) and check whether "samba" is missing from the services allowed by firewalld, or run "systemctl status smb(d)" and check whether the Samba service on Linux shows a startup failure such as "Failed".

Let's log on

If the authentication failure dialog is displayed, you can connect to the file server, so log on as the user registered with Samba via pdbedit. For shonan in this example, enter shonan as the user name and **the password set when registering with pdbedit** (**distinguish it from the Linux user password**), then log on. [Image: Conn-logged-on.png] If the name defined as the file space, "kazumi75kitty" in this example, is displayed, the file space defined by the section in smb.conf has been recognized correctly.

Let's put the file

Once the file space is recognized, try placing some files in it. [Image: FileSave-OK.png] Also make sure that a placed file can be edited and saved from Windows.

If the file cannot be placed or becomes read-only

On the Linux server side, the directory used as the file server may have a different owner, or permissions that prevent reading or writing, so check again with the ls -l command.

Basic security

Basic security in Samba settings

The basic premise is not to allow access by outsiders. As a more advanced measure there are also methods using a domain or Active Directory, but they are omitted here. **Assuming that nobody should access the server from outside networks, restrict hosts allow in smb.conf so that only the network you belong to is allowed.**

In this example the file server is used on 192.168.1.0/24, but what happens if hosts allow in smb.conf is set so that 192.168.1. is not allowed?

For example, do not allow 192.168.1., but allow 192.168.2., as shown below.

~~hosts allow = 192.168.1. 127.0.0.1~~
hosts allow = 192.168.2. 127.0.0.1

[Image: Smb-allowdomainchg-1.png]

Then, when you access "\\192.168.1.18\" in Explorer, you should get the following error: [Image: Smb-allowdomainchg-2.png] The log /var/log/samba/log.smbd also shows that access from 192.168.1.11 is denied, as shown below. [Image: Smb-allowdomainchg-3.png]

In this way, you can limit the networks that are allowed to use Samba.
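The comparison above can be reproduced offline with a simplified model of the hosts allow check. This is an added example, not code from the original article and not Samba's own implementation: it handles only the trailing-dot prefix and exact IPv4 forms used here, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified model of Samba's "hosts allow" matching. It covers
# only the two entry forms used in this article (trailing-dot prefix and exact
# IPv4 address); hostnames, netmasks and EXCEPT are not modelled.

# Print the value of the first "hosts allow" line in an smb.conf-style file.
get_hosts_allow() {
    sed -n 's/^[[:space:]]*hosts allow[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if CLIENT matches an entry of LIST, 1 otherwise.
hosts_allow_permits() {
    allow_list=$1
    client=$2
    # Entries may be separated by commas, spaces or tabs.
    for entry in $(printf '%s' "$allow_list" | tr ',\t' '  '); do
        case $entry in
            *.) # "192.168.1." matches every address that starts with it
                case $client in "$entry"*) return 0 ;; esac ;;
            *)  # a full address must match exactly
                if [ "$entry" = "$client" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Constructed sample files mirroring the two settings compared above.
demo() {
    tmpdir=$(mktemp -d)
    printf '[global]\n   hosts allow = 192.168.1. 127.0.0.1\n' > "$tmpdir/lan.conf"
    printf '[global]\n   hosts allow = 192.168.2. 127.0.0.1\n' > "$tmpdir/other.conf"
    for name in lan other; do
        value=$(get_hosts_allow "$tmpdir/$name.conf")
        if hosts_allow_permits "$value" 192.168.1.11; then
            verdict=allowed
        else
            verdict=denied
        fi
        echo "$name.conf: hosts allow = $value -> 192.168.1.11 $verdict"
    done
    rm -r "$tmpdir"
}
demo
```

The trailing dot matters: "192.168.1." does not match 192.168.11.5, whereas a prefix written without the dot would.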

Basic security with firewalld

Earlier, the firewall was opened with "firewall-cmd" as follows.

# firewall-cmd --permanent --add-service=samba
# firewall-cmd --reload

This means that firewalld, the Linux firewall, permanently allows incoming connections for the service named samba and does not allow services other than those specified. To check which services are allowed, enter the following command and confirm that the allowed services are listed under "services:", for example "services: dhcpv6-client ssh samba".

# firewall-cmd --list-all

In addition, it is possible to use rich rules to allow the ports used by Samba only for a specific IP address or network, but this is omitted here.
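One way to write such a rich rule for this article's 192.168.1.0/24 network, as an added example that is not part of the original article. `samba_rich_rule` and `apply_samba_restriction` are hypothetical helper names; the firewall is only changed when the script is run as root with the `apply` argument.

```shell
#!/bin/sh
# Added example: limit the firewalld "samba" service to one source network.
# samba_rich_rule and apply_samba_restriction are hypothetical helper names.

# Print a rich rule that accepts the samba service from one IPv4 CIDR only.
samba_rich_rule() {
    cidr=$1
    # Shape check only (a.b.c.d/len, digits, dots, one slash);
    # firewalld itself validates the address range.
    case $cidr in
        *[!0-9./]*|*/*/*|"") return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" service name="samba" accept\n' "$cidr"
}

# Replace the blanket "samba" allowance with the source-restricted rule.
apply_samba_restriction() {
    rule=$(samba_rich_rule "$1") || { echo "invalid network: $1" >&2; return 1; }
    firewall-cmd --permanent --remove-service=samba
    firewall-cmd --permanent --add-rich-rule="$rule"
    firewall-cmd --reload
    firewall-cmd --list-rich-rules   # confirm the rule is active
}

# Run as root:  sh restrict-samba.sh apply 192.168.1.0/24
if [ "${1:-}" = "apply" ]; then
    apply_samba_restriction "${2:-192.168.1.0/24}"
fi
```

After applying it, "firewall-cmd --list-all" should no longer show samba under "services:" and should show the rule under "rich rules:".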

