Network Services Overview SMB
General Information
This page covers the Network Services objectives, specifically for Samba (which uses the Server Message Block protocol, or SMB).
Network Services Objectives
- Install the packages needed to provide the service
- Configure SELinux to support the service
- Use SELinux port labeling to allow services to use non-standard ports
- Configure the service to start when the system is booted
- Configure the service for basic operation
- Configure host-based and user-based security for the service
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Perform all SMB client tests from here
- server2.example.com (192.168.1.151) → Install the Samba Server here
Install the packages needed to provide the service
Install the service (server)
yum install samba samba-client
- samba → samba server
- samba-client → samba client utilities
Install the service (client)
yum install samba-client cifs-utils
- samba-client → samba client utilities
- cifs-utils → includes the command needed to mount remote SMB shares
Configure SELinux to support the service
- Service agnostic → Ensure SELinux is running and enabled (RHCSA objective).
- IMPORTANT: View all label types
# Install package
yum install setools-console
# View all label types
seinfo -t
# Find Samba/SMB types
seinfo -t | grep samba
seinfo -t | grep smb
Use SELinux port labeling to allow services to use non-standard ports
Configure the Samba service to use a non-standard port, then allow access to that port with SELinux.
NOTE: “man semanage-port” has examples for allowing non-standard ports!
Configure the service to start when the system is booted
Check Current Service Status
systemctl status smb
- Also displays if the service is enabled or disabled
Enabling a service to start on boot
systemctl enable smb
Configure the service for basic operation
Enable and Start the service
systemctl enable smb
systemctl start smb
Configure host-based and user-based security for the service
Firewall
Allow access through the firewall
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
Host Based
Main samba config
vim /etc/samba/smb.conf
[global]
hosts allow = 192.168.1.
- Allows all hosts in the 192.168.1.x network
- The allow list overrides deny lists (if any exist and they conflict)
User Based
Main samba config
vim /etc/samba/smb.conf
[share]
valid users = dvader, yoda
write list = dvader
read list = yoda
- valid users → allowed to log in to the service
- write list → users that can write, even if the share is set to read only
- read list → users that can read
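The following added example (not part of the original page) audits a Samba configuration for the two controls above: it reports a missing hosts allow in [global] and any share section without valid users. The function names and the sample configuration, including the [public] share, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Constructed sample: [share] uses the settings shown above, [public] has no user restriction.
sample_conf() {
cat <<'EOF'
[global]
    hosts allow = 192.168.1.
[share]
    path = /srv/share
    valid users = dvader, yoda
    write list = dvader
    read list = yoda
[public]
    path = /srv/public
EOF
}

# audit_smb_conf [FILE]: read smb.conf text from FILE or stdin, print one finding per line.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                         # section header such as [share]
        sec = tolower(trim($0))
        sec = substr(sec, 2, length(sec) - 2)
        if (sec != "global") order[++n] = sec
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0 || sec == "") next
        key = tolower(trim(substr($0, 1, eq - 1)))
        gsub(/[ \t]+/, " ", key)                     # collapse runs of spaces in the name
        if (trim(substr($0, eq + 1)) != "") seen[sec "|" key] = 1
    }
    END {
        # Only the [global] host list is checked; per-share host lists are not evaluated.
        if (!(("global|hosts allow") in seen)) print "global:missing-hosts-allow"
        for (i = 1; i <= n; i++)
            if (!((order[i] "|valid users") in seen))
                print "share:" order[i] ":missing-valid-users"
    }' "$@"
}

# Demo on the constructed sample.
sample_conf | audit_smb_conf
```

On a server, the parsed configuration printed by testparm -s can be piped into audit_smb_conf instead of the sample.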