Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 16. File and Print Servers

This chapter guides you through the installation and configuration of Samba, an open source implementation of the Server Message Block (SMB) and common Internet file system (CIFS) protocol, and vsftpd, the primary FTP server shipped with Red Hat Enterprise Linux. Additionally, it explains how to use the Print Settings tool to configure printers.

16.1. Samba
Copiar enlace

Samba implements the Server Message Block (SMB) protocol in Red Hat Enterprise Linux. The SMB protocol is used to access resources on a server, such as file shares and shared printers. Additionally, Samba implements the Distributed Computing Environment Remote Procedure Call (DCE RPC) protocol used by Microsoft Windows.

You can run Samba as:

  • An Active Directory (AD) or NT4 domain member
  • A standalone server

  • An NT4 Primary Domain Controller (PDC) or Backup Domain Controller (BDC)

    Note

    Red Hat supports these modes only in existing installations with Windows versions which support NT4 domains. Red Hat recommends not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and Windows Server 2008 R2 do not support NT4 domains.

Independently of the installation mode, you can optionally share directories and printers. This enables Samba to act as a file and print server.

Note

Red Hat does not support running Samba as an AD domain controller (DC).

16.1.1. The Samba Services
Copiar enlace

Samba provides the following services:

smbd

This service provides file sharing and printing services using the SMB protocol. Additionally, the service is responsible for resource locking and for authenticating connecting users. The smb systemd service starts and stops the smbd daemon.

To use the smbd service, install the samba package.

nmbd

This service provides host name and IP resolution using the NetBIOS over IPv4 protocol. Additionally to the name resolution, the nmbd service enables browsing the SMB network to locate domains, work groups, hosts, file shares, and printers. For this, the service either reports this information directly to the broadcasting client or forwards it to a local or master browser. The nmb systemd service starts and stops the nmbd daemon.

Note that modern SMB networks use DNS to resolve clients and IP addresses.

To use the nmbd service, install the samba package.

winbindd

The winbindd service provides an interface for the Name Service Switch (NSS) to use AD or NT4 domain users and groups on the local system. This enables, for example, domain users to authenticate to services hosted on a Samba server or to other local services. The winbind systemd service starts and stops the winbindd daemon.

If you set up Samba as a domain member, winbindd must be started before the smbd service. Otherwise, domain users and groups are not available to the local system.

To use the winbindd service, install the samba-winbind package.

Important

Red Hat only supports running Samba as a server with the winbindd service to provide domain users and groups to the local system. Due to certain limitations, such as missing Windows access control list (ACL) support and NT LAN Manager (NTLM) fallback, use of the System Security Services Daemon (SSSD) with Samba is currently not supported for these use cases. For further details, see the Red Hat Knowledgebase article What is the support status for Samba file server running on IdM clients or directly enrolled AD clients where SSSD is used as the client daemon.

16.1.2. Verifying the smb.conf File by Using the testparm Utility
Copiar enlace

The testparm utility verifies that the Samba configuration in the /etc/samba/smb.conf file is correct. The utility detects invalid parameters and values, but also incorrect settings, such as for ID mapping. If testparm reports no problem, the Samba services will successfully load the /etc/samba/smb.conf file. Note that testparm cannot verify that the configured services will be available or work as expected.

Important

Red Hat recommends that you verify the /etc/samba/smb.conf file by using testparm after each modification of this file.

To verify the /etc/samba/smb.conf file, run the testparm utility as the root user. If testparm reports incorrect parameters, values, or other errors in the configuration, fix the problem and run the utility again.

Example 16.1. Using testparm

The following output reports a non-existent parameter and an incorrect ID mapping configuration: 

~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Unknown parameter encountered: "log levell"
Processing section "[example_share]"
Loaded services file OK.
ERROR: The idmap range for the domain * (tdb) overlaps with the range of DOMAIN (ad)!

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
	...

[example_share]
	...
Copy to Clipboard Toggle word wrap

16.1.3. Understanding the Samba Security Modes
Copiar enlace

The security parameter in the [global] section in the /etc/samba/smb.conf file manages how Samba authenticates users that are connecting to the service. Depending on the mode you install Samba in, the parameter must be set to different values:

For further details, see the description of the security parameter in the smb.conf(5) man page.

16.1.4. Setting up Samba as a Standalone Server
Copiar enlace

In certain situations, administrators want to set up a Samba server that is not a member of a domain. In this installation mode, Samba authenticates users to a local database instead of to a central DC. Additionally, you can enable guest access to allow users to connect to one or multiple services without authentication.

To set up Samba as a standalone server:

Setting up Samba as a Standalone Server

  1. Install the samba package: 

    ~]# yum install samba
    Copy to Clipboard Toggle word wrap

  2. Edit the /etc/samba/smb.conf file and set the following parameters: 

    [global]
	workgroup = Example-WG
	netbios name = Server
	security = user

	log file = /var/log/samba/%m.log
	log level = 1
    Copy to Clipboard Toggle word wrap

    This configuration defines a standalone server named Server within the Example-WG work group. Additionally, this configuration enables logging on a minimal level (1) and log files will be stored in the /var/log/samba/ directory. Samba will expand the %m macro in the log file parameter to the NetBIOS name of connecting clients. This enables individual log files for each client.

    For further details, see the parameter descriptions in the smb.conf(5) man page.

  3. Configure file or printer sharing. See:

  4. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  5. If you set up shares that require authentication, create the user accounts. For details, see Section 16.1.4.2, “Creating and Enabling Local User Accounts”.

  6. Open the required ports and reload the firewall configuration by using the firewall-cmd utility: 

    ~]# firewall-cmd --permanent --add-port={139/tcp,445/tcp}
~]# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  7. Start the smb service: 

    ~]# systemctl start smb
    Copy to Clipboard Toggle word wrap

  8. Optionally, enable the smb service to start automatically when the system boots: 

    ~]# systemctl enable smb
    Copy to Clipboard Toggle word wrap

16.1.4.2. Creating and Enabling Local User Accounts
Copiar enlace

To enable users to authenticate when they connect to a share, you must create the accounts on the Samba host both in the operating system and in the Samba database. Samba requires the operating system account to validate the Access Control Lists (ACL) on file system objects and the Samba account to authenticate connecting users.

If you use the passdb backend = tdbsam default setting, Samba stores user accounts in the /var/lib/samba/private/passdb.tdb database.

For example, to create the example Samba user:

Creating a Samba User

  1. Create the operating system account: 

    ~]# useradd -M -s /sbin/nologin example
    Copy to Clipboard Toggle word wrap

    The previous command adds the example account without creating a home directory. If the account is only used to authenticate to Samba, assign the /sbin/nologin command as shell to prevent the account from logging in locally.

  2. Set a password to the operating system account to enable it: 

    ~]# passwd example
Enter new UNIX password: password
Retype new UNIX password: password
passwd: password updated successfully
    Copy to Clipboard Toggle word wrap

    Samba does not use the password set on the operating system account to authenticate. However, you need to set a password to enable the account. If an account is disabled, Samba denies access if this user connects.

  3. Add the user to the Samba database and set a password to the account: 

    ~]# smbpasswd -a example
New SMB password: password
Retype new SMB password: password
Added user example.
    Copy to Clipboard Toggle word wrap

    Use this password to authenticate when using this account to connect to a Samba share.

  4. Enable the Samba account: 

    ~]# smbpasswd -e example
Enabled user example.
    Copy to Clipboard Toggle word wrap

16.1.5. Setting up Samba as a Domain Member
Copiar enlace

Administrators running an AD or NT4 domain often want to use Samba to join their Red Hat Enterprise Linux server as a member to the domain. This enables you to:

  • Access domain resources on other domain members
  • Authenticate domain users to local services, such as sshd
  • Share directories and printers hosted on the server to act as a file and print server

16.1.5.1. Joining a Domain
Copiar enlace

To join a Red Hat Enterprise Linux system to a domain:

Joining a Red Hat Enterprise Linux System to a Domain

  1. Install the following packages: 

    ~]# yum install realmd oddjob-mkhomedir oddjob samba-winbind-clients \
    samba-winbind samba-common-tools
    Copy to Clipboard Toggle word wrap

  2. To share directories or printers on the domain member, install the samba package: 

    ~]# yum install samba
    Copy to Clipboard Toggle word wrap

  3. If you join an AD, additionally install the samba-winbind-krb5-locator package: 

    ~]# yum install samba-winbind-krb5-locator
    Copy to Clipboard Toggle word wrap

    This plug-in enables Kerberos to locate the Key Distribution Center (KDC) based on AD sites using DNS service records.

  4. Optionally, rename the existing /etc/samba/smb.conf Samba configuration file: 

    ~]# mv /etc/samba/smb.conf /etc/samba/smb.conf.old
    Copy to Clipboard Toggle word wrap

  5. Join the domain. For example, to join a domain named ad.example.com 

    ~]# realm join --membership-software=samba --client-software=winbind ad.example.com
    Copy to Clipboard Toggle word wrap

    Using the previous command, the realm utility automatically:

    • Creates a /etc/samba/smb.conf file for a membership in the ad.example.com domain
    • Adds the winbind module for user and group lookups to the /etc/nsswitch.conf file
    • Updates the Pluggable Authentication Module (PAM) configuration files in the /etc/pam.d/ directory

    • Starts the winbind service and enables the service to start when the system boots

      For further details about the realm utility, see the realm(8) man page and the corresponding section in the Red Hat Windows Integration Guide.

  6. Optionally, set an alternative ID mapping back end or customized ID mapping settings in the /etc/samba/smb.conf file. For details, see Section 16.1.5.3, “Understanding ID Mapping”.
  7. Optionally, verify the configuration. See Section 16.1.5.2, “Verifying That Samba Was Correctly Joined As a Domain Member”.

  8. Verify that the winbindd is running: 

    ~]# systemctl status winbind
    Copy to Clipboard Toggle word wrap
    Important

    To enable Samba to query domain user and group information, the winbindd service must be running before you start smbd.

  9. If you installed the samba package to share directories and printers, start the smbd service: 

    ~]# systemctl start smb
    Copy to Clipboard Toggle word wrap

After you joined a Red Hat Enterprise Linux as a domain member, you can run different tests to verify that the join succeeded. See:

Verifying That the Operating System Can Retrieve Domain User Accounts and Groups

Use the getent utility to verify that the operating system can retrieve domain users and groups. For example:

  • To query the administrator account in the AD domain: 

    ~]# getent passwd AD\\administrator
AD\administrator:*:10000:10000::/home/administrator@AD:/bin/bash
    Copy to Clipboard Toggle word wrap

  • To query the members of the Domain Users group in the AD domain: 

    ~]# getent group "AD\\Domain Users"
AD\domain users:x:10000:user
    Copy to Clipboard Toggle word wrap

If the command works correctly, verify that you can use domain users and groups when you set permissions on files and directories. For example, to set the owner of the /srv/samba/example.txt file to AD\administrator and the group to AD\Domain Users: 

~]# chown "AD\administrator":"AD\Domain Users" /srv/samba/example.txt
Copy to Clipboard Toggle word wrap
Verifying If AD Domain Users Can Obtain a Kerberos Ticket

In an AD environment, users can obtain a Kerberos ticket from the DC. For example, to verify if the administrator user can obtain a Kerberos ticket:

Note

To use the kinit and klist utilities, install the krb5-workstation package on the Samba domain member.

Obtaining a Kerberos Ticket

  1. Obtain a ticket for the administrator@AD.EXAMPLE.COM principal: 

    ~]# kinit administrator@AD.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  2. Display the cached Kerberos ticket: 

    ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@AD.EXAMPLE.COM

Valid starting    Expires       Service principal
11.09.2017 14:46:21 12.09.2017 00:46:21 krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
	renew until 18.09.2017 14:46:19
    Copy to Clipboard Toggle word wrap
Listing the Available Domains

To list all domains available through the winbindd service, enter: 

~]# wbinfo --all-domains
Copy to Clipboard Toggle word wrap

If Samba was successfully joined as a domain member, the command displays the built-in and local host name, as well as the domain Samba is a member of including trusted domains.

Example 16.2. Displaying the Available Domains

~]# wbinfo --all-domains
BUILTIN
SAMBA-SERVER
AD
Copy to Clipboard Toggle word wrap

16.1.5.3. Understanding ID Mapping
Copiar enlace

Windows domains distinguish users and groups by unique Security Identifiers (SID). However, Linux requires unique UIDs and GIDs for each user and group. If you run Samba as a domain member, the winbindd service is responsible for providing information about domain users and groups to the operating system.

To enable the winbindd service to provide unique IDs for users and groups to Linux, you must configure ID mapping in the /etc/samba/smb.conf file for:

  • The local database (default domain)
  • The AD or NT4 domain the Samba server is a member of
  • Each trusted domain from which users must be able to access resources on this Samba server
16.1.5.3.1. Planning ID Ranges
Copiar enlace

Regardless of whether you store the Linux UIDs and GIDs in AD or if you configure Samba to generate them, each domain configuration requires a unique ID range that must not overlap with any of the other domains.

Warning

If you set overlapping ID ranges, Samba fails to work correctly.

Example 16.3. Unique ID Ranges

The following shows non-overlapping ID mapping ranges for the default (*), AD-DOM, and the TRUST-DOM domains. 

[global]
...
idmap config * : backend = tdb
idmap config * : range = 10000-999999

idmap config AD-DOM:backend = rid
idmap config AD-DOM:range = 2000000-2999999

idmap config TRUST-DOM:backend = rid
idmap config TRUST-DOM:range = 4000000-4999999
Copy to Clipboard Toggle word wrap
Important

You can only assign one range per domain. Therefore, leave enough space between the domains ranges. This enables you to extend the range later if your domain grows.

If you later assign a different range to a domain, the ownership of files and directories previously created by these users and groups will be lost.

16.1.5.3.2. The * Default Domain
Copiar enlace

In a domain environment, you add one ID mapping configuration for each of the following:

  • The domain the Samba server is a member of
  • Each trusted domain that should be able to access the Samba server

However, for all other objects, Samba assigns IDs from the default domain. This includes:

  • Local Samba users and groups
  • Samba built-in accounts and groups, such as BUILTIN\Administrators
Important

You must configure the default domain as described in this section to enable Samba to operate correctly.

The default domain back end must be writable to permanently store the assigned IDs.

For the default domain, you can use one of the following back ends:

tdb

When you configure the default domain to use the tdb back end, set an ID range that is big enough to include objects that will be created in the future and that are not part of a defined domain ID mapping configuration.

For example, set the following in the [global] section in the /etc/samba/smb.conf file: 

idmap config * : backend = tdb
idmap config * : range = 10000-999999
Copy to Clipboard Toggle word wrap

For further details, see Section 16.1.5.4.1, “Using the tdb ID Mapping Back End”.

autorid

When you configure the default domain to use the autorid back end, adding additional ID mapping configurations for domains is optional.

For example, set the following in the [global] section in the /etc/samba/smb.conf file: 

idmap config * : backend = autorid
idmap config * : range = 10000-999999
Copy to Clipboard Toggle word wrap

For further details, see Configuring the autorid Back End.

16.1.5.4. The Different ID Mapping Back Ends
Copiar enlace

Samba provides different ID mapping back ends for specific configurations. The most frequently used back ends are:

Expand
Table 16.1. Frequently Used ID Mapping Back Ends
Back EndUse Case

tdb

The * default domain only

ad

AD domains only

rid

AD and NT4 domains

autorid

AD, NT4, and the * default domain

The following sections describe the benefits, recommended scenarios where to use the back end, and how to configure it.

16.1.5.4.1. Using the tdb ID Mapping Back End
Copiar enlace

The winbindd service uses the writable tdb ID mapping back end by default to store Security Identifier (SID), UID, and GID mapping tables. This includes local users, groups, and built-in principals.

Use this back end only for the * default domain. For example: 

idmap config * : backend = tdb
idmap config * : range = 10000-999999
Copy to Clipboard Toggle word wrap

For further details about the * default domain, see Section 16.1.5.3.2, “The * Default Domain”.

16.1.5.4.2. Using the ad ID Mapping Back End
Copiar enlace

The ad ID mapping back end implements a read-only API to read account and group information from AD. This provides the following benefits:

  • All user and group settings are stored centrally in AD.
  • User and group IDs are consistent on all Samba servers that use this back end.
  • The IDs are not stored in a local database which can corrupt, and therefore file ownerships cannot be lost.

The ad back end reads the following attributes from AD:

Expand
Table 16.2. Attributes the ad Back End Reads from User and Group Objects
AD Attribute NameObject TypeMapped to

sAMAccountName

User and group

User or group name, depending on the object

uidNumber

User

User ID (UID)

gidNumber

Group

Group ID (GID)

loginShell [a]

User

Path to the shell of the user

unixHomeDirectory

User

Path to the home directory of the user

primaryGroupID [b]

User

Primary group ID

[a] Samba only reads this attribute if you set idmap config DOMAIN:unix_nss_info = yes.
[b] Samba only reads this attribute if you set idmap config DOMAIN:unix_primary_group = yes.

Prerequisites of the ad Back End

To use the ad ID mapping back end:

  • Both users and groups must have unique IDs set in AD, and the IDs must be within the range configured in the /etc/samba/smb.conf file. Objects whose IDs are outside of the range will not be available on the Samba server.
  • Users and groups must have all required attributes set in AD. If required attributes are missing, the user or group will not be available on the Samba server. The required attributes depend on your configuration. See Table 16.2, “Attributes the ad Back End Reads from User and Group Objects”.

Configuring the ad Back End

To configure a Samba AD member to use the ad ID mapping back end:

Configuring the ad Back End on a Domain Member

  1. Edit the [global] section in the /etc/samba/smb.conf file:

    1. Add an ID mapping configuration for the default domain (*) if it does not exist. For example: 

      idmap config * : backend = tdb
idmap config * : range = 10000-999999
      Copy to Clipboard Toggle word wrap

      For further details about the default domain configuration, see Section 16.1.5.3.2, “The * Default Domain”.

    2. Enable the ad ID mapping back end for the AD domain: 

      idmap config DOMAIN : backend = ad
      Copy to Clipboard Toggle word wrap

    3. Set the range of IDs that is assigned to users and groups in the AD domain. For example: 

      idmap config DOMAIN : range = 2000000-2999999
      Copy to Clipboard Toggle word wrap
      Important

      The range must not overlap with any other domain configuration on this server. Additionally, the range must be set big enough to include all IDs assigned in the future. For further details, see Section 16.1.5.3.1, “Planning ID Ranges”.

    4. Set that Samba uses the RFC 2307 schema when reading attributes from AD: 

      idmap config DOMAIN : schema_mode = rfc2307
      Copy to Clipboard Toggle word wrap

    5. To enable Samba to read the login shell and the path to the users home directory from the corresponding AD attribute, set: 

      idmap config DOMAIN : unix_nss_info = yes
      Copy to Clipboard Toggle word wrap

      Alternatively, you can set a uniform domain-wide home directory path and login shell that is applied to all users. For example: 

      template shell = /bin/bash
template homedir = /home/%U
      Copy to Clipboard Toggle word wrap

      For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.

    6. By default, Samba uses the primaryGroupID attribute of a user object as the user’s primary group on Linux. Alternatively, you can configure Samba to use the value set in the gidNumber attribute instead: 

      idmap config DOMAIN : unix_primary_group = yes
      Copy to Clipboard Toggle word wrap

  2. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  3. Reload the Samba configuration: 

    ~]# smbcontrol all reload-config
    Copy to Clipboard Toggle word wrap
  4. Verify that the settings work as expected. See the section called “Verifying That the Operating System Can Retrieve Domain User Accounts and Groups”.

For further details, see the smb.conf(5) and idmap_ad(8) man pages.

16.1.5.4.3. Using the rid ID Mapping Back End
Copiar enlace

Samba can use the relative identifier (RID) of a Windows SID to generate an ID on Red Hat Enterprise Linux.

Note

The RID is the last part of a SID. For example, if the SID of a user is S-1-5-21-5421822485-1151247151-421485315-30014, then 30014 is the corresponding RID. For details, how Samba calculates the local ID, see the idmap_rid(8) man page.

The rid ID mapping back end implements a read-only API to calculate account and group information based on an algorithmic mapping scheme for AD and NT4 domains. When you configure the back end, you must set the lowest and highest RID in the idmap config DOMAIN : range parameter. Samba will not map users or groups with a lower or higher RID than set in this parameter.

Important

As a read-only back end, rid cannot assign new IDs, such as for BUILTIN groups. Therefore, do not use this back end for the * default domain.

Benefits

  • All domain users and groups that have an RID within the configured range are automatically available on the domain member.
  • You do not need to manually assign IDs, home directories, and login shells.

Drawbacks

  • All domain users get the same login shell and home directory assigned. However, you can use variables.
  • User and group IDs are only the same across Samba domain members if all use the rid back end with the same ID range settings.
  • You cannot exclude individual users or groups from being available on the domain member. Only users and groups outside of the configured range are excluded.
  • Based on the formulas the winbindd service uses to calculate the IDs, duplicate IDs can occur in multi-domain environments if objects in different domains have the same RID.

Configuring the rid Back End

To configure a Samba domain member to use the rid ID mapping back end:

Configuring the rid Back End on a Domain Member

  1. Edit the [global] section in the /etc/samba/smb.conf file:

    1. Add an ID mapping configuration for the default domain (*) if it does not exist. For example: 

      idmap config * : backend = tdb
idmap config * : range = 10000-999999
      Copy to Clipboard Toggle word wrap

      For further details about the default domain configuration, see Section 16.1.5.3.2, “The * Default Domain”.

    2. Enable the rid ID mapping back end for the domain: 

      idmap config DOMAIN : backend = rid
      Copy to Clipboard Toggle word wrap

    3. Set a range that is big enough to include all RIDs that will be assigned in the future. For example: 

      idmap config DOMAIN : range = 2000000-2999999
      Copy to Clipboard Toggle word wrap

      Samba ignores users and groups whose RIDs in this domain are not within the range.

      Important

      The range must not overlap with any other domain configuration on this server. For further details, see Section 16.1.5.3.1, “Planning ID Ranges”.

    4. Set a shell and home directory path that will be assigned to all mapped users. For example: 

      template shell = /bin/bash
template homedir = /home/%U
      Copy to Clipboard Toggle word wrap

      For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.

  2. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  3. Reload the Samba configuration: 

    ~]# smbcontrol all reload-config
    Copy to Clipboard Toggle word wrap
  4. Verify that the settings work as expected. See the section called “Verifying That the Operating System Can Retrieve Domain User Accounts and Groups”.
16.1.5.4.4. Using the autorid ID Mapping Back End
Copiar enlace

The autorid back end works similar to the rid ID mapping back end, but can automatically assign IDs for different domains. This enables you to use the autorid back end in the following situations:

  • Only for the * default domain.
  • For the * default domain and additional domains, without the need to create ID mapping configurations for each of the additional domains.
  • Only for specific domains.

Benefits

  • All domain users and groups whose calculated UID and GID is within the configured range are automatically available on the domain member.
  • You do not need to manually assign IDs, home directories, and login shells.
  • No duplicate IDs, even if multiple objects in a multi-domain environment have the same RID.

Drawbacks

  • User and group IDs are not the same across Samba domain members.
  • All domain users get the same login shell and home directory assigned. However, you can use variables.
  • You cannot exclude individual users or groups from being available on the domain member. Only users and groups whose calculated UID or GID is outside of the configured range are excluded.

Configuring the autorid Back End

To configure a Samba domain member to use the autorid ID mapping back end for the * default domain:

Note

If you use autorid for the default domain, adding additional ID mapping configuration for domains is optional.

Configuring the autorid Back End on a Domain Member

  1. Edit the [global] section in the /etc/samba/smb.conf file:

    1. Enable the autorid ID mapping back end for the * default domain: 

      idmap config * : backend = autorid
      Copy to Clipboard Toggle word wrap

    2. Set a range that is big enough to assign IDs for all existing and future objects. For example: 

      idmap config * : range = 10000-999999
      Copy to Clipboard Toggle word wrap

      Samba ignores users and groups whose calculated IDs in this domain are not within the range. For details about how the back end calculated IDs, see the THE MAPPING FORMULAS section in the idmap_autorid(8) man page.

      Warning

      After you set the range and Samba starts using it, you can only increase the upper limit of the range. Any other change to the range can result in new ID assignments, and thus in loosing file ownerships.

    3. Optionally, set a range size. For example: 

      idmap config * : rangesize = 200000
      Copy to Clipboard Toggle word wrap

      Samba assigns this number of continuous IDs for each domain’s object until all IDs from the range set in the idmap config * : range parameter are taken. For further details, see the rangesize parameter description in the idmap_autorid(8) man page.

    4. Set a shell and home directory path that will be assigned to all mapped users. For example: 

      template shell = /bin/bash
template homedir = /home/%U
      Copy to Clipboard Toggle word wrap

      For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.

    5. Optionally, add additional ID mapping configuration for domains. If no configuration for an individual domain is available, Samba calculates the ID using the autorid back end settings in the previously configured * default domain.

      Important

      If you configure additional back ends for individual domains, the ranges for all ID mapping configuration must not overlap. For further details, see Section 16.1.5.3.1, “Planning ID Ranges”.

  2. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  3. Reload the Samba configuration: 

    ~]# smbcontrol all reload-config
    Copy to Clipboard Toggle word wrap
  4. Verify that the settings work as expected. See the section called “Verifying That the Operating System Can Retrieve Domain User Accounts and Groups”.

16.1.6. Configuring File Shares on a Samba Server
Copiar enlace

To use Samba as a file server, add shares to the /etc/samba/smb.conf file of your standalone or domain member configuration.

You can add shares that uses either:

16.1.6.1. Setting up a Share That Uses POSIX ACLs
Copiar enlace

As a Linux service, Samba supports shares with POSIX ACLs. They enable you to manage permissions locally on the Samba server using utilities, such as chmod. If the share is stored on a file system that supports extended attributes, you can define ACLs with multiple users and groups.

Note

If you need to use fine-granular Windows ACLs instead, see Section 16.1.6.2, “Setting up a Share That Uses Windows ACLs”.

Before you can add a share, set up Samba. See:

16.1.6.1.1. Adding a Share That Uses POSIX ACLs
Copiar enlace

To create a share named example, that provides the content of the /srv/samba/example/ directory, and uses POSIX ACLs:

Adding a Share That Uses POSIX ACLs

  1. Optionally, create the folder if it does not exist. For example: 

    ~]# mkdir -p /srv/samba/example/
    Copy to Clipboard Toggle word wrap

  2. If you run SELinux in enforcing mode, set the samba_share_t context on the directory: 

    ~]# semanage fcontext -a -t samba_share_t "/srv/samba/example(/.*)?"
~]# restorecon -Rv /srv/samba/example/
    Copy to Clipboard Toggle word wrap
  3. Set file system ACLs on the directory. For details, see Section 16.1.6.1.2, “Setting ACLs”.

  4. Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-enabled: 

    [example]
	path = /srv/samba/example/
	read only = no
    Copy to Clipboard Toggle word wrap
    Note

    Regardless of the file system ACLs; if you do not set read only = no, Samba shares the directory in read-only mode.

  5. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  6. Open the required ports and reload the firewall configuration using the firewall-cmd utility: 

    ~]# firewall-cmd --permanent --add-service=samba
~]# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  7. Restart the smb service: 

    ~]# systemctl restart smb
    Copy to Clipboard Toggle word wrap

  8. Optionally, enable the smb service to start automatically at boot time: 

    ~]# systemctl enable smb
    Copy to Clipboard Toggle word wrap
16.1.6.1.2. Setting ACLs
Copiar enlace

Shares that use POSIX ACLs support:

Setting Standard Linux ACLs

The standard ACLs on Linux support setting permissions for one owner, one group, and for all other undefined users. You can use the chown, chgrp, and chmod utility to update the ACLs. If you require precise control, then you use the more complex POSIX ACLs, see Setting Extended ACLs.

For example, to set the owner of the /srv/samba/example/ directory to the root user, grant read and write permissions to the Domain Users group, and deny access to all other users: 

~]# chown root:"Domain Users" /srv/samba/example/
~]# chmod 2770 /srv/samba/example/
Copy to Clipboard Toggle word wrap
Note

Enabling the set-group-ID (SGID) bit on a directory automatically sets the default group for all new files and subdirectories to that of the directory group, instead of the usual behavior of setting it to the primary group of the user who created the new directory entry.

For further details about permissions, see the chown(1) and chmod(1) man pages.

Setting Extended ACLs

If the file system the shared directory is stored on supports extended ACLs, you can use them to set complex permissions. Extended ACLs can contain permissions for multiple users and groups.

Extended POSIX ACLs enable you to configure complex ACLs with multiple users and groups. However, you can only set the following permissions:

  • No access
  • Read access
  • Write access
  • Full control

If you require the fine-granular Windows permissions, such as Create folder / append data, configure the share to use Windows ACLs. See Section 16.1.6.2, “Setting up a Share That Uses Windows ACLs”.

To use extended POSIX ACLs on a share:

Enabling Extended POSIX ACLs on a Share

  1. Enable the following parameter in the share’s section in the /etc/samba/smb.conf file to enable ACL inheritance of extended ACLs: 

    inherit acls = yes
    Copy to Clipboard Toggle word wrap

    For details, see the parameter description in the smb.conf(5) man page.

  2. Restart the smb service: 

    ~]# systemctl restart smb
    Copy to Clipboard Toggle word wrap

  3. Optionally, enable the smb service to start automatically at boot time: 

    ~]# systemctl enable smb
    Copy to Clipboard Toggle word wrap

  4. Set the ACLs on the directory. For details about using extended ACLs, see Chapter 5, Access Control Lists.

    Example 16.4. Setting Extended ACLs

    The following procedure sets read, write, and execute permissions for the Domain Admins group, read, and execute permissions for the Domain Users group, and deny access to everyone else on the /srv/samba/example/ directory:

    Setting Extended ACLs

    1. Disable auto-granting permissions to the primary group of user accounts: 

      ~]# setfacl -m group::--- /srv/samba/example/
~]# setfacl -m default:group::--- /srv/samba/example/
      Copy to Clipboard Toggle word wrap

      The primary group of the directory is additionally mapped to the dynamic CREATOR GROUP principal. When you use extended POSIX ACLs on a Samba share, this principal is automatically added and you cannot remove it.

    2. Set the permissions on the directory:

      1. Grant read, write, and execute permissions to the Domain Admins group: 

        ~]# setfacl -m group:"DOMAIN\Domain Admins":rwx /srv/samba/example/
        Copy to Clipboard Toggle word wrap

      2. Grant read and execute permissions to the Domain Users group: 

        ~]# setfacl -m group:"DOMAIN\Domain Users":r-x /srv/samba/example/
        Copy to Clipboard Toggle word wrap

      3. Set permissions for the other ACL entry to deny access to users that do not match the other ACL entries: 

        ~]# setfacl -R -m other::--- /srv/samba/example/
        Copy to Clipboard Toggle word wrap

        These settings apply only to this directory. In Windows, these ACLs are mapped to the This folder only mode.

    3. To enable the permissions set in the previous step to be inherited by new file system objects created in this directory: 

      ~]# setfacl -m default:group:"DOMAIN\Domain Admins":rwx /srv/samba/example/
~]# setfacl -m default:group:"DOMAIN\Domain Users":r-x /srv/samba/example/
~]# setfacl -m default:other::--- /srv/samba/example/
      Copy to Clipboard Toggle word wrap

      With these settings, the This folder only mode for the principals is now set to This folder, subfolders, and files.

    Samba maps the previously set permissions to the following Windows ACLs:

    Expand
    PrincipalAccessApplies to

    DOMAIN\Domain Admins

    Full control

    This folder, subfolders, and files

    DOMAIN\Domain Users

    Read & execute

    This folder, subfolders, and files

    Everyone [a]

    None

    This folder, subfolders, and files

    owner (Unix Userpass:attributes[]owner) [b]

    Full control

    This folder only

    primary_group (Unix Userpass:attributes[]primary_group) [c]

    None

    This folder only

    CREATOR OWNER [d] [e]

    Full control

    Subfolders and files only

    CREATOR GROUP [f]

    None

    Subfolders and files only

    [a] Samba maps the permissions for this principal from the other ACL entry.
    [b] Samba maps the owner of the directory to this entry.
    [c] Samba maps the primary group of the directory to this entry.
    [d] On new file system objects, the creator inherits automatically the permissions of this principal.
    [e] Configuring or removing these principals from the ACLs not supported on shares that use POSIX ACLs.
    [f] On new file system objects, the creator’s primary group inherits automatically the permissions of this principal.
16.1.6.1.3. Setting Permissions on a Share
Copiar enlace

Optionally, to limit or grant access to a Samba share, you can set certain parameters in the share’s section in the /etc/samba/smb.conf file.

Note

Share-based permissions manage if a user, group, or host is able to access a share. These settings do not affect file system ACLs.

Use share-based settings to restrict access to shares. For example, to deny access from specific hosts.

Configuring User and Group-based Share Access

User and group-based access control enables you to grant or deny access to a share for certain users and groups. For example, to enable all members of the Domain Users group to access a share while access is denied for the user account, add the following parameters to the share’s configuration: 

valid users = +DOMAIN\"Domain Users"
invalid users = DOMAIN\user
Copy to Clipboard Toggle word wrap

The invalid users parameter has a higher priority than valid users parameter. For example, if the user account is a member of the Domain Users group, access is denied to this account when you use the previous example.

For further details, see the parameter descriptions in the smb.conf(5) man page.

Configuring Host-based Share Access

Host-based access control enables you to grant or deny access to a share based on client’s host names, IP addresses, or IP ranges.

For example, to enable the 127.0.0.1 IP address, the 192.0.2.0/24 IP range, and the client1.example.com host to access a share, and additionally deny access for the client2.example.com host:

Configuring Host-based Share Access

  1. Add the following parameters to the configuration of the share in the /etc/samba/smb.conf: 

    hosts allow = 127.0.0.1 192.0.2.0/24 client1.example.com
hosts deny = client2.example.com
    Copy to Clipboard Toggle word wrap

  2. Reload the Samba configuration 

    ~]# smbcontrol all reload-config
    Copy to Clipboard Toggle word wrap

The hosts deny parameter has a higher priority than hosts allow. For example, if client1.example.com resolves to an IP address that is listed in the hosts allow parameter, access for this host is denied.

For further details, see the parameter description in the smb.conf(5) man page.

16.1.6.2. Setting up a Share That Uses Windows ACLs
Copiar enlace

Samba supports setting Windows ACLs on shares and file system object. This enables you to:

  • Use the fine-granular Windows ACLs
  • Manage share permissions and file system ACLs using Windows

Alternatively, you can configure a share to use POSIX ACLs. For details, see Section 16.1.6.1, “Setting up a Share That Uses POSIX ACLs”.

16.1.6.2.1. Granting the SeDiskOperatorPrivilege Privilege
Copiar enlace

Only users and groups having the SeDiskOperatorPrivilege privilege granted can configure permissions on shares that use Windows ACLs. For example, to grant the privilege to the DOMAIN\Domain Admins group: 

~]# net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege \
    -U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully granted rights.
Copy to Clipboard Toggle word wrap
Note

In a domain environment, grant SeDiskOperatorPrivilege to a domain group. This enables you to centrally manage the privilege by updating a user’s group membership.

To list all users and groups having SeDiskOperatorPrivilege granted: 

~]# net rpc rights list privileges SeDiskOperatorPrivilege \
    -U "DOMAIN\administrator"
Enter administrator's password:
SeDiskOperatorPrivilege:
 BUILTIN\Administrators
 DOMAIN\Domain Admins
Copy to Clipboard Toggle word wrap
16.1.6.2.2. Enabling Windows ACL Support
Copiar enlace

To configure shares that support Windows ACLs, you must enable this feature in Samba. To enable it globally for all shares, add the following settings to the [global] section of the /etc/samba/smb.conf file: 

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
Copy to Clipboard Toggle word wrap

Alternatively, you can enable Windows ACL support for individual shares, by adding the same parameters to a share’s section instead.

16.1.6.2.3. Adding a Share That Uses Windows ACLs
Copiar enlace

To create a share named example, that shares the content of the /srv/samba/example/ directory, and uses Windows ACLs:

Adding a Share That Uses Windows ACLs

  1. Optionally, create the folder if it does not exists. For example: 

    ~]# mkdir -p /srv/samba/example/
    Copy to Clipboard Toggle word wrap

  2. If you run SELinux in enforcing mode, set the samba_share_t context on the directory: 

    ~]# semanage fcontext -a -t samba_share_t "/srv/samba/example(/.*)?"
~]# restorecon -Rv /srv/samba/example/
    Copy to Clipboard Toggle word wrap

  3. Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-enabled: 

    [example]
	path = /srv/samba/example/
	read only = no
    Copy to Clipboard Toggle word wrap
    Note

    Regardless of the file system ACLs; if you do not set read only = no, Samba shares the directory in read-only mode.

  4. If you have not enabled Windows ACL support in the [global] section for all shares, add the following parameters to the [example] section to enable this feature for this share: 

    vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
    Copy to Clipboard Toggle word wrap

  5. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  6. Open the required ports and reload the firewall configuration using the firewall-cmd utility: 

    ~]# firewall-cmd --permanent --add-service=samba
~]# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  7. Restart the smb service: 

    ~]# systemctl restart smb
    Copy to Clipboard Toggle word wrap

  8. Optionally, enable the smb service to start automatically at boot time: 

    ~]# systemctl enable smb
    Copy to Clipboard Toggle word wrap

To manage share and file system ACLs on a Samba share that uses Windows ACLs, use a Windows applications, such as Computer Management. For details, see your Windows documentation.

Alternatively, use the smbcacls utility to manage ACLs. For details, see Section 16.1.6.3, “Managing ACLs on an SMB Share Using smbcacls.

Note

To modify the file system permissions from Windows, you must use an account that has the SeDiskOperatorPrivilege privilege granted. See Section 16.1.6.2.1, “Granting the SeDiskOperatorPrivilege Privilege”.

16.1.6.3. Managing ACLs on an SMB Share Using smbcacls
Copiar enlace

The smbcacls utility can list, set, and delete ACLs of files and directories stored on an SMB share. You can use smbcacls to manage file system ACLs:

  • On a local or remote Samba server that uses advanced Windows ACLs or POSIX ACLs.
  • On Red Hat Enterprise Linux to remotely manage ACLs on a share hosted on Windows.
16.1.6.3.1. Understanding Access Control Entries
Copiar enlace

Each ACL entry of a file system object contains Access Control Entries (ACE) in the following format: 

security_principal:access_right/inheritance_information/permissions
Copy to Clipboard Toggle word wrap

Example 16.5. Access Control Entries

If the AD\Domain Users group has Modify permissions that apply to This folder, subfolders, and files on Windows, the ACL contains the following ACEs: 

AD\Domain Users:ALLOWED/OI|CI/CHANGE
Copy to Clipboard Toggle word wrap

The following describes the individual ACEs:

Security principal
The security principal is the user, group, or SID the permissions in the ACL are applied to.
Access right
Defines if access to an object is granted or denied. The value can be ALLOWED or DENIED.
Inheritance information

The following values exist:

Expand
Table 16.3. Inheritance Settings
ValueDescriptionMaps to

OI

Object Inherit

This folder and files

CI

Container Inherit

This folder and subfolders

IO

Inherit Only

The ACE does not apply to the current file or directory.

ID

Inherited

The ACE was inherited from the parent directory.

Additionally, the values can be combined as follows:

Expand
Table 16.4. Inheritance Settings Combinations
Value CombinationsMaps to the Windows Applies to Setting

OI/CI

This folder, subfolders, and files

OI/CI/IO

Subfolders and files only

CI/IO

Subfolders only

OI/IO

Files only

Permissions

This value can be either a hex value that represents one or more Windows permissions or an smbcacls alias:

  • A hex value that represents one or more Windows permissions.

    The following table displays the advanced Windows permissions and their corresponding value in hex format:

    Expand
    Table 16.5. Windows Permissions and Their Corresponding smbcacls Value in Hex Format
    Windows PermissionsHex Values

    Full control

    0x001F01FF

    Traverse folder / execute file

    0x00100020

    List folder / read data

    0x00100001

    Read attributes

    0x00100080

    Read extended attributes

    0x00100008

    Create files / write data

    0x00100002

    Create folders / append data

    0x00100004

    Write attributes

    0x00100100

    Write extended attributes

    0x00100010

    Delete subfolders and files

    0x00100040

    Delete

    0x00110000

    Read permissions

    0x00120000

    Change permissions

    0x00140000

    Take ownership

    0x00180000

    Multiple permissions can be combined as a single hex value using the bit-wise OR operation. For details, see Section 16.1.6.3.3, “Calculating an ACE Mask”.

  • An smbcacls alias. The following table displays the available aliases:

    Expand
    Table 16.6. Existing smbcacls Aliases and Their Corresponding Windows Permission
    smbcacls AliasMaps to Windows Permission

    R

    Read

    READ

    Read & execute

    W

    Special

    • Create files / write data
    • Create folders / append data
    • Write attributes
    • Write extended attributes
    • Read permissions

    D

    Delete

    P

    Change permissions

    O

    Take ownership

    X

    Traverse / execute

    CHANGE

    Modify

    FULL

    Full control

    Note

    You can combine single-letter aliases when you set permissions. For example, you can set RD to apply the Windows permission Read and Delete. However, you can neither combine multiple non-single-letter aliases nor combine aliases and hex values.

16.1.6.3.2. Displaying ACLs Using smbcacls
Copiar enlace

If you run smbcacls without any operation parameter, such as --add, the utility displays the ACLs of a file system object.

For example, to list the ACLs of the root directory of the //server/example share: 

~]# smbcacls //server/example / -U "DOMAINpass:quotes[administrator]"
Enter DOMAINpass:quotes[administrator]'s password:
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:AD\Administrators
GROUP:AD\Domain Users
ACL:AD\Administrator:ALLOWED/OI|CI/FULL
ACL:AD\Domain Users:ALLOWED/OI|CI/CHANGE
ACL:AD\Domain Guests:ALLOWED/OI|CI/0x00100021
Copy to Clipboard Toggle word wrap

The output of the command displays:

  • REVISION: The internal Windows NT ACL revision of the security descriptor
  • CONTROL: Security descriptor control
  • OWNER: Name or SID of the security descriptor’s owner
  • GROUP: Name or SID of the security descriptor’s group
  • ACL entries. For details, see Section 16.1.6.3.1, “Understanding Access Control Entries”.
16.1.6.3.3. Calculating an ACE Mask
Copiar enlace

In most situations, when you add or update an ACE, you use the smbcacls aliases listed in Table 16.6, “Existing smbcacls Aliases and Their Corresponding Windows Permission”.

However, if you want to set advanced Windows permissions as listed in Table 16.5, “Windows Permissions and Their Corresponding smbcacls Value in Hex Format”, you must use the bit-wise OR operation to calculate the correct value. You can use the following shell command to calculate the value: 

~]# echo $(printf '0x%X' $
							
							Empty
							
							hex_value_1 | hex_value_2 | ...)
Copy to Clipboard Toggle word wrap

Example 16.6. Calculating an ACE Mask

You want set following permissions:

  • Traverse folder / execute file (0x00100020)
  • List folder / read data (0x00100001)
  • Read attributes (0x00100080)

To calculate the hex value for the previous permissions, enter: 

~]# echo $(printf '0x%X' $(( 0x00100020 | 0x00100001 | 0x00100080 )))
0x1000A1
Copy to Clipboard Toggle word wrap

Use the returned value when you set or update an ACE.

16.1.6.3.4. Adding, Updating, And Removing an ACL Using smbcacls
Copiar enlace

Depending on the parameter you pass to the smbcacls utility, you can add, update, and remove ACLs from a file or directory.

Adding an ACL

To add an ACL to the root of the //server/example share that grants CHANGE permissions for This folder, subfolders, and files to the AD\Domain Users group: 

~]# smbcacls //server/example / -U "DOMAIN\administrator \
    --add ACL:"AD\Domain Users":ALLOWED/OI|CI/CHANGE
Copy to Clipboard Toggle word wrap

Updating an ACL

Updating an ACL is similar to adding a new ACL. You update an ACL by overriding the ACL using the --modify parameter with an existing security principal. If smbcacls finds the security principal in the ACL list, the utility updates the permissions. Otherwise the command fails with an error: 

ACL for SID principal_name not found
Copy to Clipboard Toggle word wrap

For example, to update the permissions of the AD\Domain Users group and set them to READ for This folder, subfolders, and files: 

~]# smbcacls //server/example / -U "DOMAIN\administrator \
    --modify ACL:"AD\Domain Users":ALLOWED/OI|CI/READ
Copy to Clipboard Toggle word wrap

Deleting an ACL

To delete an ACL, pass the --delete with the exact ACL to the smbcacls utility. For example: 

~]# smbcacls //server/example / -U "DOMAIN\administrator \
    --delete ACL:"AD\Domain Users":ALLOWED/OI|CI/READ
Copy to Clipboard Toggle word wrap

16.1.6.4. Enabling Users to Share Directories on a Samba Server
Copiar enlace

On a Samba server, you can configure that users can share directories without root permissions.

16.1.6.4.1. Enabling the User Shares Feature
Copiar enlace

Before users can share directories, the administrator must enable user shares in Samba. For example, to enable only members of the local example group to create user shares:

Enabling User Shares

  1. Create the local example group, if it does not exist: 

    ~]# groupadd example
    Copy to Clipboard Toggle word wrap

  2. Prepare the directory for Samba to store the user share definitions and set its permissions properly. For example:

    1. Create the directory: 

      ~]# mkdir -p /var/lib/samba/usershares/
      Copy to Clipboard Toggle word wrap

    2. Set write permissions for the example group: 

      ~]# chgrp example /var/lib/samba/usershares/
~]# chmod 1770 /var/lib/samba/usershares/
      Copy to Clipboard Toggle word wrap

      Set the sticky bit to prevent users to rename or delete files stored by other users in this directory.

  3. Edit the /etc/samba/smb.conf file and add the following to the [global] section:

    1. Set the path to the directory you configured to store the user share definitions. For example: 

      usershare path = /var/lib/samba/usershares/
      Copy to Clipboard Toggle word wrap

    2. Set how many user shares Samba allows to be created on this server. For example: 

      usershare max shares = 100
      Copy to Clipboard Toggle word wrap

      If you use the default of 0 for the usershare max shares parameter, user shares are disabled.

    3. Optionally, set a list of absolute directory paths. For example, to configure that Samba only allows to share subdirectories of the /data and /srv directory to be shared, set: 

      usershare prefix allow list = /data /srv
      Copy to Clipboard Toggle word wrap

      For a list of further user share-related parameters you can set, see the USERSHARES section in the smb.conf(5) man page.

  4. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  5. Reload the Samba configuration: 

    ~]# smbcontrol all reload-config
    Copy to Clipboard Toggle word wrap

Users are now able to create user shares. For details, see Section 16.1.6.4.2, “Adding a User Share”.

16.1.6.4.2. Adding a User Share
Copiar enlace

After you configured Samba according to Section 16.1.6.4.1, “Enabling the User Shares Feature”, users can share directories on the Samba server without root permissions by running the net usershare add command.

Synopsis of the net usershare add command: net usershare addshare_namepathcommentACLsguest_ok=y|n

Important

If you set ACLs when you create a user share, you must specify the comment parameter prior to the ACLs. To set an empty comment, use an empty string in double quotes.

Note that users can only enable guest access on a user share, if the administrator set usershare allow guests = yes in the [global] section in the /etc/samba/smb.conf file.

Example 16.7. Adding a User Share

A user wants to share the /srv/samba/ directory on a Samba server. The share should be named example, have no comment set, and should be accessible by guest users. Additionally, the share permissions should be set to full access for the AD\Domain Users group and read permissions for other users. To add this share, run as the user: 

~]$ net usershare add example /srv/samba/ "" \
    "AD\Domain Users":F,Everyone:R guest_ok=yes
Copy to Clipboard Toggle word wrap
16.1.6.4.3. Updating Settings of a User Share
Copiar enlace

If you want to update settings of a user share, override the share by using the net usershare add command with the same share name and the new settings. See Section 16.1.6.4.2, “Adding a User Share”.

16.1.6.4.4. Displaying Information About Existing User Shares
Copiar enlace

Users can enter the net usershare info command on a Samba server to display user shares and their settings.

To display all user shares created by any user: 

~]$ net usershare info -l
[share_1]
path=/srv/samba/
comment=
usershare_acl=Everyone:R,host_name\user:F,
guest_ok=y
...
Copy to Clipboard Toggle word wrap

To list only shares created by the user who runs the command, omit the -l parameter.

To display only the information about specific shares, pass the share name or wild cards to the command. For example, to display the information about shares whose name starts with share_: 

~]$ net usershare info -l share*_
Copy to Clipboard Toggle word wrap
16.1.6.4.5. Listing User Shares
Copiar enlace

If you want to list only the available user shares without their settings on a Samba server, use the net usershare list command.

To list the shares created by any user: 

~]$ net usershare list -l
share_1
share_2
...
Copy to Clipboard Toggle word wrap

To list only shares created by the user who runs the command, omit the -l parameter.

To list only specific shares, pass the share name or wild cards to the command. For example, to list only shares whose name starts with share_: 

~]$ net usershare list -l share_*
Copy to Clipboard Toggle word wrap
16.1.6.4.6. Deleting a User Share
Copiar enlace

To delete a user share, enter as the user who created the share or as the root user: 

~]$ net usershare delete share_name
Copy to Clipboard Toggle word wrap

16.1.6.5. Enabling Guest Access to a Share
Copiar enlace

In certain situations, you want to share a directory to which users can connect without authentication. To configure this, enable guest access on a share.

Warning

Shares that do not require authentication can be a security risk.

If guest access is enabled on a share, Samba maps guest connections to the operating system account set in the guest account parameter. Guest users can access these files if at least one of the following conditions is satisfied:

  • The account is listed in file system ACLs
  • The POSIX permissions for other users allow it

Example 16.8. Guest Share Permissions

If you configured Samba to map the guest account to nobody, which is the default, the ACLs in the following example:

  • Allow guest users to read file1.txt
  • Allow guest users to read and modify file2.txt.
  • Prevent guest users to read or modify file3.txt 
-rw-r--r--. 1 root    root   1024 1. Sep 10:00 file1.txt
-rw-r-----. 1 nobody   root   1024 1. Sep 10:00 file2.txt
-rw-r-----. 1 root    root   1024 1. Sep 10:00 file3.txt
Copy to Clipboard Toggle word wrap

For example, to enable guest access for the existing [example] share:

Setting up a Guest Share

  1. Edit the /etc/samba/smb.conf file:

    1. If this is the first guest share you set up on this server:

      1. Set map to guest = Bad User in the [global] section: 

        [global]
	...
	map to guest = Bad User
        Copy to Clipboard Toggle word wrap

        With this setting, Samba rejects login attempts that use an incorrect password unless the user name does not exist. If the specified user name does not exist and guest access is enabled on a share, Samba treats the connection as a guest log in.

      2. By default, Samba maps the guest account to the nobody account on Red Hat Enterprise Linux. Optionally, you can set a different account. For example: 

        [global]
	...
	guest account = user_name
        Copy to Clipboard Toggle word wrap

        The account set in this parameter must exist locally on the Samba server. For security reasons, Red Hat recommends using an account that does not have a valid shell assigned.

    2. Add the guest ok = yes setting to the [example] section: 

      [example]
	...
	guest ok = yes
      Copy to Clipboard Toggle word wrap

  2. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  3. Reload the Samba configuration: 

    ~]# smbcontrol all reload-config
    Copy to Clipboard Toggle word wrap

16.1.7. Setting up a Samba Print Server
Copiar enlace

If you set up Samba as a print server, clients in your network can use Samba to print. Additionally, Windows clients can, if configured, download the driver from the Samba server.

Before you can share a printer, set up Samba:

16.1.7.1. The Samba spoolssd Service
Copiar enlace

The Samba spoolssd is a service that is integrated into the smbd service. Enable spoolssd in the Samba configuration to significantly increase the performance on print servers with a high number of jobs or printers.

Without spoolssd, Samba forks the smbd process and initializes the printcap cache for each print job. In case of a large number of printers, the smbd service can become unresponsive for multiple seconds while the cache is initialized. The spoolssd service enables you to start pre-forked smbd processes that are processing print jobs without any delays. The main spoolssd smbd process uses a low amount of memory, and forks and terminates child processes.

To enable the spoolssd service:

Enabling the spoolssd Service

  1. Edit the [global] section in the /etc/samba/smb.conf file:

    1. Add the following parameters: 

      rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
      Copy to Clipboard Toggle word wrap

    2. Optionally, you can set the following parameters:

      Expand
      ParameterDefaultDescription

      spoolssd:prefork_min_children

      5

      Minimum number of child processes

      spoolssd:prefork_max_children

      25

      Maximum number of child processes

      spoolssd:prefork_spawn_rate

      5

      Samba forks the number of new child processes set in this parameter, up to the value set in spoolssd:prefork_max_children, if a new connection is established

      spoolssd:prefork_max_allowed_clients

      100

      Number of clients, a child process serves

      spoolssd:prefork_child_min_life

      60

      Minimum lifetime of a child process in seconds. 60 seconds is the minimum.

  2. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  3. Restart the smb service: 

    ~]# systemctl restart smb
    Copy to Clipboard Toggle word wrap

After you restarted the service, Samba automatically starts smbd child processes: 

~]# ps axf
...
30903 smbd
30912 \_ smbd
30913   \_ smbd
30914   \_ smbd
30915   \_ smbd
...
Copy to Clipboard Toggle word wrap

16.1.7.2. Enabling Print Server Support in Samba
Copiar enlace

To enable the print server support:

Enabling Print Server Support in Samba

  1. On the Samba server, set up CUPS and add the printer to the CUPS back end. For details, see Section 16.3, “Print Settings”.

    Note

    Samba can only forward the print jobs to CUPS if CUPS is installed locally on the Samba print server.

  2. Edit the /etc/samba/smb.conf file:

    1. If you want to enable the spoolssd service, add the following parameters to the [global] section: 

      rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
      Copy to Clipboard Toggle word wrap

      For further details, see Section 16.1.7.1, “The Samba spoolssd Service”.

    2. To configure the printing back end, add the [printers] section: 

      [printers]
	comment = All Printers
	path = /var/tmp/
	printable = yes
	create mask = 0600
      Copy to Clipboard Toggle word wrap
      Important

      The printers share name is hard-coded and cannot be changed.

  3. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  4. Open the required ports and reload the firewall configuration using the firewall-cmd utility: 

    ~]# firewall-cmd --permanent --add-service=samba
~]# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  5. Restart the smb service: 

    ~]# systemctl restart smb
    Copy to Clipboard Toggle word wrap

After restarting the service, Samba automatically shares all printers that are configured in the CUPS back end. If you want to manually share only specific printers, see Section 16.1.7.3, “Manually Sharing Specific Printers”.

16.1.7.3. Manually Sharing Specific Printers
Copiar enlace

If you configured Samba as a print server, by default, Samba shares all printers that are configured in the CUPS back end. To share only specific printers:

Manually Sharing a Specific Printer

  1. Edit the /etc/samba/smb.conf file:

    1. In the [global] section, disable automatic printer sharing by setting: 

      load printers = no
      Copy to Clipboard Toggle word wrap

    2. Add a section for each printer you want to share. For example, to share the printer named example in the CUPS back end as Example-Printer in Samba, add the following section: 

      [Example-Printer]
	path = /var/tmp/
	printable = yes
	printer name = example
      Copy to Clipboard Toggle word wrap

      You do not need individual spool directories for each printer. You can set the same spool directory in the path parameter for the printer as you set in the [printers] section.

  2. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  3. Reload the Samba configuration: 

    ~]# smbcontrol all reload-config
    Copy to Clipboard Toggle word wrap

If you are running a Samba print server for Windows clients, you can upload drivers and preconfigure printers. If a user connects to a printer, Windows automatically downloads and installs the driver locally on the client. The user does not require local administrator permissions for the installation. Additionally, Windows applies preconfigured driver settings, such as the number of trays.

Note

Before setting up automatic printer driver download, must configure Samba as a print server and share a printer. For details, see Section 16.1.7, “Setting up a Samba Print Server”.

16.1.7.4.1. Basic Information about Printer Drivers
Copiar enlace

This section provides general information about printer drivers.

Supported Driver Model Version

Samba only supports the printer driver model version 3 which is supported in Windows 2000 and later, and Windows Server 2000 and later. Samba does not support the driver model version 4, introduced in Windows 8 and Windows Server 2012. However, these and later Windows versions also support version 3 drivers.

Package-aware Drivers

Samba does not support package-aware drivers.

Preparing a Printer Driver for Being Uploaded

Before you can upload a driver to a Samba print server:

  • Unpack the driver if it is provided in a compressed format.

  • Some drivers require to start a setup application that installs the driver locally on a Windows host. In certain situations, the installer extracts the individual files into the operating system’s temporary folder during the setup runs. To use the driver files for uploading:

    1. Start the installer.
    2. Copy the files from the temporary folder to a new location.
    3. Cancel the installation.

Ask your printer manufacturer for drivers that support uploading to a print server.

Providing 32-bit and 64-bit Drivers for a Printer to a Client

To provide the driver for a printer for both 32-bit and 64-bit Windows clients, you must upload a driver with exactly the same name for both architectures. For example, if you are uploading the 32-bit driver named Example PostScript and the 64-bit driver named Example PostScript (v1.0), the names do not match. Consequently, you can only assign one of the drivers to a printer and the driver will not be available for both architectures.

16.1.7.4.2. Enabling Users to Upload and Preconfigure Drivers
Copiar enlace

To be able to upload and preconfigure printer drivers, a user or a group needs to have the SePrintOperatorPrivilege privilege granted. A user must be added into the printadmin group. Red Hat Enterprise Linux creates this group automatically when you install the samba package. The printadmin group gets assigned the lowest available dynamic system GID that is lower than 1000.

To grant the SePrintOperatorPrivilege privilege to the printadmin group: 

~]# net rpc rights grant "printadmin" SePrintOperatorPrivilege \
    -U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully granted rights.
Copy to Clipboard Toggle word wrap
Note

In a domain environment, grant SePrintOperatorPrivilege to a domain group. This enables you to centrally manage the privilege by updating a user’s group membership.

To list all users and groups having SePrintOperatorPrivilege granted: 

~]# net rpc rights list privileges SePrintOperatorPrivilege \
    -U "DOMAIN\administrator"
Enter administrator's password:
SePrintOperatorPrivilege:
 BUILTIN\Administrators
 DOMAIN\printadmin
Copy to Clipboard Toggle word wrap
16.1.7.4.3. Setting up the print$ Share
Copiar enlace

Windows operating systems download printer drivers from a share named print$ from a print server. This share name is hard-coded in Windows and cannot be changed.

To share the /var/lib/samba/drivers/ directory as print$, and enable members of the local printadmin group to upload printer drivers:

Setting up the print$ Share

  1. Add the [print$] section to the /etc/samba/smb.conf file: 

    [print$]
	path = /var/lib/samba/drivers/
	read only = no
	write list = @printadmin
	force group = @printadmin
	create mask = 0664
	directory mask = 2775
    Copy to Clipboard Toggle word wrap

    Using these settings:

    • Only members of the printadmin group can upload printer drivers to the share.
    • The group of new created files and directories will be set to printadmin.
    • The permissions of new files will be set to 664.
    • The permissions of new directories will be set to 2775.

  2. To upload only 64-bit drivers for a printer, include this setting in the [global] section in the /etc/samba/smb.conf file: 

    spoolss: architecture = Windows x64
    Copy to Clipboard Toggle word wrap

    Without this setting, Windows only displays drivers for which you have uploaded at least the 32-bit version.

  3. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  4. Reload the Samba configuration 

    ~]# smbcontrol all reload-config
    Copy to Clipboard Toggle word wrap

  5. Create the printadmin group if it does not exists: 

    ~]# groupadd printadmin
    Copy to Clipboard Toggle word wrap

  6. Grant the SePrintOperatorPrivilege privilege to the printadmin group. 

    ~]# net rpc rights grant "printadmin" SePrintOperatorPrivilege \
    -U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully granted rights.
    Copy to Clipboard Toggle word wrap

    For further details, see Section 16.1.7.4.2, “Enabling Users to Upload and Preconfigure Drivers”.

  7. If you run SELinux in enforcing mode, set the samba_share_t context on the directory: 

    ~]# semanage fcontext -a -t samba_share_t "/var/lib/samba/drivers(/.*)?"
~]# restorecon -Rv /var/lib/samba/drivers/
    Copy to Clipboard Toggle word wrap

  8. Set the permissions on the /var/lib/samba/drivers/ directory:

    • If you use POSIX ACLs, set: 

      ~]# chgrp -R "printadmin" /var/lib/samba/drivers/
~]# chmod -R 2775 /var/lib/samba/drivers/
      Copy to Clipboard Toggle word wrap

    • If you use Windows ACLs, set:

      Expand
      PrincipalAccessApply to

      CREATOR OWNER

      Full control

      Subfolders and files only

      Authenticated Users

      Read & execute, List folder contents, Read

      This folder, subfolders and files

      printadmin

      Full control

      This folder, subfolders and files

      For details about setting ACLs on Windows, see your Windows documentation.

For security reasons, recent Windows operating systems prevent clients from downloading non-package-aware printer drivers from an untrusted server. If your print server is a member in an AD, you can create a Group Policy Object (GPO) in your domain to trust the Samba server.

To create GPOs, the Windows computer you are using must have the Windows Remote Server Administration Tools (RSAT) installed. For details, see your Windows documentation.

Creating a GPO to Enable Clients to Trust the Samba Print Server

  1. Log into a Windows computer using an account that is allowed to edit group policies, such as the AD domain Administrator user.
  2. Open the Group Policy Management Console.

  3. Right-click to your AD domain and select Create a GPO in this domain, and Link it here

    samba create new GPO
    View larger image
    samba create new GPO
  4. Enter a name for the GPO, such as Legacy printer Driver Policy and click OK. The new GPO will be displayed under the domain entry.
  5. Right-click to the newly-created GPO and select Edit to open the Group Policy Management Editor.

  6. Navigate to Computer Configuration Policies Administrative Templates Printers.

    samba select printer GPO group
    View larger image
    samba select printer GPO group

  7. On the right side of the window, double-click Point and Print Restriction to edit the policy:

    1. Enable the policy and set the following options:

      1. Select Users can only point and print to these servers and enter the fully-qualified domain name (FQDN) of the Samba print server to the field next to this option.

      2. In both check boxes under Security Prompts, select Do not show warning or elevation prompt.

        samba GPO point and print
        View larger image
        samba GPO point and print
    2. Click OK.

  8. Double-click Package Point and Print - Approved servers to edit the policy:

    1. Enable the policy and click the Show button.

    2. Enter the FQDN of the Samba print server.

      samba GPO approved servers
      View larger image
      samba GPO approved servers
    3. Close both the Show Contents and policy properties window by clicking OK.
  9. Close the Group Policy Management Editor.
  10. Close the Group Policy Management Console.

After the Windows domain members applied the group policy, printer drivers are automatically downloaded from the Samba server when a user connects to a printer.

For further details about using group policies, see your Windows documentation.

16.1.7.4.5. Uploading Drivers and Preconfiguring Printers
Copiar enlace

Use the Print Management application on a Windows client to upload drivers and preconfigure printers hosted on the Samba print server. For further details, see your Windows documentation.

16.1.8. Tuning the Performance of a Samba Server
Copiar enlace

This section describes what settings can improve the performance of Samba in certain situations, and which settings can have a negative performance impact.

16.1.8.1. Setting the SMB Protocol Version
Copiar enlace

Each new SMB version adds features and improves the performance of the protocol. The recent Windows and Windows Server operating systems always supports the latest protocol version. If Samba also uses the latest protocol version, Windows clients connecting to Samba benefit from the performance improvements. In Samba, the default value of the server max protocol is set to the latest supported stable SMB protocol version.

To always have the latest stable SMB protocol version enabled, do not set the server max protocol parameter. If you set the parameter manually, you will need to modify the setting with each new version of the SMB protocol, to have the latest protocol version enabled.

To unset, remove the server max protocol parameter from the [global] section in the /etc/samba/smb.conf file.

To improve the performance of shares that contain directories with more than 100.000 files:

Tuning Shares with Directories That Contain a Large Number of Files

  1. Rename all files on the share to lowercase.

    Note

    Using the settings in this procedure, files with names other than in lowercase will no longer be displayed.

  2. Set the following parameters in the share’s section: 

    case sensitive = true
default case = lower
preserve case = no
short preserve case = no
    Copy to Clipboard Toggle word wrap

    For details about the parameters, see their descriptions in the smb.conf(5) man page.

  3. Reload the Samba configuration: 

    ~]# smbcontrol all reload-config
    Copy to Clipboard Toggle word wrap

After you applied these settings, the names of all newly created files on this share use lowercase. Because of these settings, Samba no longer needs to scan the directory for uppercase and lowercase, which improves the performance.

16.1.8.3. Settings That Can Have a Negative Performance Impact
Copiar enlace

By default, the kernel in Red Hat Enterprise Linux is tuned for high network performance. For example, the kernel uses an auto-tuning mechanism for buffer sizes. Setting the socket options parameter in the /etc/samba/smb.conf file overrides these kernel settings. As a result, setting this parameter decreases the Samba network performance in most cases.

To use the optimized settings from the Kernel, remove the socket options parameter from the [global] section in the /etc/samba/smb.conf.

16.1.9. Frequently Used Samba Command-line Utilities
Copiar enlace

This section describes frequently used commands when working with a Samba server.

16.1.9.1. Using the net Utility
Copiar enlace

The net utility enables you to perform several administration tasks on a Samba server. This section describes the most frequently used subcommands of the net utility.

For further details, see the net(8) man page.

16.1.9.1.1. Using the net ads join and net rpc join Commands
Copiar enlace

Using the join subcommand of the net utility, you can join Samba to an AD or NT4 domain. To join the domain, you must create the /etc/samba/smb.conf file manually, and optionally update additional configurations, such as PAM.

Important

Red Hat recommends using the realm utility to join a domain. The realm utility automatically updates all involved configuration files. For details, see Section 16.1.5.1, “Joining a Domain”.

To join a domain using the net command:

Joining a Domain Using the net Command

  1. Manually create the /etc/samba/smb.conf file with the following settings:

    • For an AD domain member: 

      [global]
workgroup = domain_name
security = ads
passdb backend = tdbsam
realm = AD_REALM
      Copy to Clipboard Toggle word wrap

    • For an NT4 domain member: 

      [global]
workgroup = domain_name
security = user
passdb backend = tdbsam
      Copy to Clipboard Toggle word wrap
  2. Add an ID mapping configuration for the * default domain and for the domain you want to join to the [global] section in the /etc/samba/smb.conf. For details, see Section 16.1.5.3, “Understanding ID Mapping”.

  3. Verify the /etc/samba/smb.conf file: 

    ~]# testparm
    Copy to Clipboard Toggle word wrap

    For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

  4. Join the domain as the domain administrator:

    • To join an AD domain: 

      ~]# net ads join -U "DOMAINpass:quotes[administrator]"
      Copy to Clipboard Toggle word wrap

    • To join an NT4 domain: 

      ~]# net rpc join -U "DOMAINpass:quotes[administrator]"
      Copy to Clipboard Toggle word wrap

  5. Append the winbind source to the passwd and group database entry in the /etc/nsswitch.conf file: 

    passwd:   files winbind
group:   files winbind
    Copy to Clipboard Toggle word wrap

  6. Enable and start the winbind service: 

    ~]# systemctl enable winbind
~]# systemctl start winbind
    Copy to Clipboard Toggle word wrap

  7. Optionally, configure PAM using the authconf utility.

    For details, see the Using Pluggable Authentication Modules (PAM) section in the Red Hat System-Level Authentication Guide.

  8. Optionally for AD environments, configure the Kerberos client.

    For details, see the Configuring a Kerberos Client section in the Red Hat System-Level Authentication Guide.

16.1.9.1.2. Using the net rpc rights Command
Copiar enlace

In Windows, you can assign privileges to accounts and groups to perform special operations, such as setting ACLs on a share or upload printer drivers. On a Samba server, you can use the net rpc rights command to manage privileges.

Listing Privileges

To list all available privileges and their owners, use the net rpc rights list command. For example: 

net rpc rights list -U "DOMAINpass:attributes[{blank}]administrator"
Enter DOMAINpass:attributes[{blank}]administrator's password:
   SeMachineAccountPrivilege Add machines to domain
   SeTakeOwnershipPrivilege Take ownership of files or other objects
       SeBackupPrivilege Back up files and directories
      SeRestorePrivilege Restore files and directories
   SeRemoteShutdownPrivilege Force shutdown from a remote system
   SePrintOperatorPrivilege Manage printers
      SeAddUsersPrivilege Add users and groups to the domain
    SeDiskOperatorPrivilege Manage disk shares
      SeSecurityPrivilege System security
Copy to Clipboard Toggle word wrap

Granting Privileges

To grant a privilege to an account or group, use the net rpc rights grant command.

For example, grant the SePrintOperatorPrivilege privilege to the DOMAIN\printadmin group: 

~]# net rpc rights grant "DOMAIN\printadmin" SePrintOperatorPrivilege \
    -U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully granted rights.
Copy to Clipboard Toggle word wrap

Revoking Privileges

To revoke a privilege from an account or group, use the net rpc rights revoke.

For example, to revoke the SePrintOperatorPrivilege privilege from the DOMAIN\printadmin group: 

~]# net rpc rights remoke "DOMAIN\printadmin" SePrintOperatorPrivilege \
    -U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully revoked rights.
Copy to Clipboard Toggle word wrap
16.1.9.1.3. Using the net rpc share Command
Copiar enlace

The net rpc share command provides the capability to list, add, and remove shares on a local or remote Samba or Windows server.

Listing Shares

To list the shares on an SMB server, use the net rpc share list command. Optionally, pass the -S server_name parameter to the command to list the shares of a remote server. For example: 

~]# net rpc share list -U "DOMAIN\administrator" -S example
Enter DOMAIN\administrator's password:
IPC$
share_1
share_2
...
Copy to Clipboard Toggle word wrap
Note

Shares hosted on a Samba server that have browseable = no set in their section in the /etc/samba/smb.conf file are not displayed in the output.

Adding a Share

The net rpc share add command enables you to add a share to an SMB server.

For example, to add a share named example on a remote Windows server that shares the C:\example\ directory: 

~]# net rpc share add example="C:\example" -U "DOMAIN\administrator" -S server
Copy to Clipboard Toggle word wrap
Note

You must omit the trailing backslash in the path when specifying a Windows directory name.

To use the command to add a share to a Samba server:

  • The user specified in the -U parameter must have the SeDiskOperatorPrivilege privilege granted.
  • You must write a script that adds a share section to the /etc/samba/smb.conf file and reloads Samba. The script must be set in the add share command parameter in the [global] section in /etc/samba/smb.conf. For further details, see the add share command description in the smb.conf(5) man page.

Removing a Share

The net rpc share delete command enables you to remove a share from an SMB server.

For example, to remove the share named example from a remote Windows server: 

~]# net rpc share delete example -U "DOMAIN\administrator" -S server
Copy to Clipboard Toggle word wrap

To use the command to remove a share from a Samba server:

  • The user specified in the -U parameter must have the SeDiskOperatorPrivilege privilege granted.
  • You must write a script that removes the share’s section from the /etc/samba/smb.conf file and reloads Samba. The script must be set in the delete share command parameter in the [global] section in /etc/samba/smb.conf. For further details, see the delete share command description in the smb.conf(5) man page.
16.1.9.1.4. Using the net user Command
Copiar enlace

The net user command enables you to perform the following actions on an AD DC or NT4 PDC:

  • List all user accounts
  • Add users
  • Remove Users
Note

Specifying a connection method, such as ads for AD domains or rpc for NT4 domains, is only required when you list domain user accounts. Other user-related subcommands can auto-detect the connection method.

Pass the -U user_name parameter to the command to specify a user that is allowed to perform the requested action.

Listing Domain User Accounts

To list all users in an AD domain: 

~]# net ads user -U "DOMAIN\administrator"
Copy to Clipboard Toggle word wrap

To list all users in an NT4 domain: 

~]# net rpc user -U "DOMAIN\administrator"
Copy to Clipboard Toggle word wrap

Adding a User Account to the Domain

On a Samba domain member, you can use the net user add command to add a user account to the domain.

For example, add the user account to the domain:

Adding a User Account to the Domain

  1. Add the account: 

    ~]# net user add user password -U "DOMAIN\administrator"
User user added
    Copy to Clipboard Toggle word wrap

  2. Optionally, use the remote procedure call (RPC) shell to enable the account on the AD DC or NT4 PDC. For example: 

    ~]# net rpc shell -U DOMAIN\administrator -S DC_or_PDC_name
Talking to domain DOMAIN (S-1-5-21-1424831554-512457234-5642315751)

net rpc> user edit disabled user no
Set user's disabled flag from [yes] to [no]

net rpc> exit
    Copy to Clipboard Toggle word wrap

Deleting a User Account from the Domain

On a Samba domain member, you can use the net user delete command to remove a user account from the domain.

For example, to remove the user account from the domain: 

~]# net user delete user -U "DOMAIN\administrator"
User user deleted
Copy to Clipboard Toggle word wrap
16.1.9.1.5. Using the net usershare Command
Copiar enlace

See Section 16.1.6.4, “Enabling Users to Share Directories on a Samba Server”.

16.1.9.2. Using the rpcclient Utility
Copiar enlace

The rpcclient utility enables you to manually execute client-side Microsoft Remote Procedure Call (MS-RPC) functions on a local or remote SMB server. However, most of the features are integrated into separate utilities provided by Samba. Use rpcclient only for testing MS-PRC functions.

For example, you can use the utility to:

  • Manage the printer Spool Subsystem (SPOOLSS).

    Example 16.9. Assigning a Driver to a Printer

    ~]# rpcclient server_name -U "DOMAINpass:quotes[administrator]" \
    -c 'setdriver "printer_name" "driver_name"'
Enter DOMAINpass:quotes[administrator]s password:
Successfully set printer_name to driver driver_name.
    Copy to Clipboard Toggle word wrap

  • Retrieve information about an SMB server.

    Example 16.10. Listing all File Shares and Shared Printers

    ~]# rpcclient server_name -U "DOMAINpass:quotes[administrator]" -c 'netshareenum'
Enter DOMAINpass:quotes[administrator]s password:
netname: Example_Share
	remark:
	path:  C:\srv\samba\example_share\
	password:
netname: Example_Printer
	remark:
	path:  C:\var\spool\samba\
	password:
    Copy to Clipboard Toggle word wrap

  • Perform actions using the Security Account Manager Remote (SAMR) protocol.

    Example 16.11. Listing Users on an SMB Server

    ~]# rpcclient server_name -U "DOMAINpass:quotes[administrator]" -c 'enumdomusers'
Enter DOMAINpass:quotes[administrator]s password:
user:[user1] rid:[0x3e8]
user:[user2] rid:[0x3e9]
    Copy to Clipboard Toggle word wrap

    If you run the command against a standalone server or a domain member, it lists the users in the local database. Running the command against an AD DC or NT4 PDC lists the domain users.

For a complete list of supported subcommands, see COMMANDS section in the rpcclient(1) man page.

16.1.9.3. Using the samba-regedit Application
Copiar enlace

Certain settings, such as printer configurations, are stored in the registry on the Samba server. You can use the ncurses-based samba-regedit application to edit the registry of a Samba server.

samba regedit
View larger image
samba regedit

To start the application, enter: 

~]# samba-regedit
Copy to Clipboard Toggle word wrap

Use the following keys:

  • Cursor up and cursor down: Navigate through the registry tree and the values.
  • Enter: Opens a key or edits a value.
  • Tab: Switches between the Key and Value pane.
  • Ctrl+C: Closes the application.

16.1.9.4. Using the smbcacls Utility
Copiar enlace

See Section 16.1.6.3, “Managing ACLs on an SMB Share Using smbcacls.

16.1.9.5. Using the smbclient Utility
Copiar enlace

The smbclient utility enables you to access file shares on an SMB server, similarly to a command-line FTP client. You can use it, for example, to upload and download files to and from a share.

For example, to authenticate to the example share hosted on server using the DOMAIN\user account: 

~]# smbclient -U "DOMAIN\user" //server/example
Enter domain\user's password:
Domain=[SERVER] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \>
Copy to Clipboard Toggle word wrap

After smbclient connected successfully to the share, the utility enters the interactive mode and shows the following prompt: 

smb: \>
Copy to Clipboard Toggle word wrap

To display all available commands in the interactive shell, enter: 

smb: \> help
Copy to Clipboard Toggle word wrap

To display the help for a specific command, enter: 

smb: \> help command_name
Copy to Clipboard Toggle word wrap

For further details and descriptions of the commands available in the interactive shell, see the smbclient(1) man page.

16.1.9.5.1. Using smbclient in Interactive Mode
Copiar enlace

If you use smbclient without the -c parameter, the utility enters the interactive mode.

The following procedure shows how to connect to an SMB share and download a file from a subdirectory:

Downloading a File from an SMB Share Using smbclient

  1. Connect to the share: 

    ~]# smbclient -U "DOMAINpass:quotes[user_name]" //server_name/share_name
    Copy to Clipboard Toggle word wrap

  2. Change into the /example/ directory: 

    smb: \> cd /example/
    Copy to Clipboard Toggle word wrap

  3. List the files in the directory: 

    smb: \example\> ls
 .          D     0 Mon Sep 1 10:00:00 2017
 ..          D     0 Mon Sep 1 10:00:00 2017
 example.txt     N  1048576 Mon Sep 1 10:00:00 2017

     9950208 blocks of size 1024. 8247144 blocks available
    Copy to Clipboard Toggle word wrap

  4. Download the example.txt file: 

    smb: \example\> get example.txt
getting file \directory\subdirectory\example.txt of size 1048576 as example.txt (511975,0 KiloBytes/sec) (average 170666,7 KiloBytes/sec)
    Copy to Clipboard Toggle word wrap

  5. Disconnect from the share: 

    smb: \example\> exit
    Copy to Clipboard Toggle word wrap
16.1.9.5.2. Using smbclient in Scripting Mode
Copiar enlace

If you pass the -c commands parameter to smbclient, you can automatically execute the commands on the remote SMB share. This enables you to use smbclient in scripts.

The following command shows how to connect to an SMB share and download a file from a subdirectory: 

~]# smbclient -U DOMAINpass:quotes[user_name] //server_name/share_name \
    -c "cd /example/ ; get example.txt ; exit"
Copy to Clipboard Toggle word wrap

16.1.9.6. Using the smbcontrol Utility
Copiar enlace

The smbcontrol utility enables you to send command messages to the smbd, nmbd, winbindd, or all of these services. These control messages instruct the service, for example, to reload its configuration.

Example 16.12. Reloading the Configuration of the smbd, nmbd, and winbindd Service

For example, to reload the configuration of the smbd, nmbd, winbindd, send the reload-config message-type to the all destination: 

~]# smbcontrol all reload-config
Copy to Clipboard Toggle word wrap

For further details and a list of available command message types, see the smbcontrol(1) man page.

16.1.9.7. Using the smbpasswd Utility
Copiar enlace

The smbpasswd utility manages user accounts and passwords in the local Samba database.

If you run the command as a user, smbpasswd changes the Samba password of the user. For example: 

[user@server ~]$ smbpasswd
New SMB password:
Retype new SMB password:
Copy to Clipboard Toggle word wrap

If you run smbpasswd as the root user, you can use the utility, for example, to:

  • Create a new user: 

    [root@server ~]# smbpasswd -a user_name
New SMB password:
Retype new SMB password:
Added user user_name.
    Copy to Clipboard Toggle word wrap
    Note

    Before you can add a user to the Samba database, you must create the account in the local operating system. See Section 4.3.1, “Adding a New User”

  • Enable a Samba user: 

    [root@server ~]# smbpasswd -e user_name
Enabled user user_name.
    Copy to Clipboard Toggle word wrap

  • Disable a Samba user: 

    [root@server ~]# smbpasswd -x user_name
Disabled user user_name.
    Copy to Clipboard Toggle word wrap

  • Delete a user: 

    [root@server ~]# smbpasswd -x user_name
Deleted user user_name.
    Copy to Clipboard Toggle word wrap

For further details, see the smbpasswd(8) man page.

16.1.9.8. Using the smbstatus Utility
Copiar enlace

The smbstatus utility reports on:

  • Connections per PID of each smbd daemon to the Samba server. This report includes the user name, primary group, SMB protocol version, encryption, and signing information.
  • Connections per Samba share. This report includes the PID of the smbd daemon, the IP of the connecting machine, the time stamp when the connection was established, encryption, and signing information.
  • A list of locked files. The report entries include further details, such as opportunistic lock (oplock) types

Example 16.13. Output of the smbstatus Utility

~]# smbstatus

Samba version 4.6.2
PID Username       Group        Machine              Protocol Version Encryption Signing
-----------------------------------------------------------------------------------------------------------------------------
963 DOMAIN\administrator DOMAIN\domain users client-pc (ipv4:192.0.2.1:57786) SMB3_02      -      AES-128-CMAC

Service pid Machine  Connected at         Encryption Signing:
-------------------------------------------------------------------------------
example 969 192.0.2.1 Mo Sep 1 10:00:00 2017 CEST -      AES-128-CMAC

Locked files:
Pid Uid  DenyMode  Access  R/W   Oplock   SharePath      Name   Time
------------------------------------------------------------------------------------------------------------
969 10000 DENY_WRITE 0x120089 RDONLY LEASE(RWH) /srv/samba/example file.txt Mon Sep 1 10:00:00 2017
Copy to Clipboard Toggle word wrap

For further details, see the smbstatus(1) man page.

16.1.9.9. Using the smbtar Utility
Copiar enlace

The smbtar utility backs up the content of an SMB share or a subdirectory of it and stores the content in a tar archive. Alternatively, you can write the content to a tape device.

For example, to back up the content of the demo directory on the //server/example/ share and store the content in the /root/example.tar archive: 

~]# smbtar -s server -x example -u user_name -p password -t /root/example.tar
Copy to Clipboard Toggle word wrap

For further details, see the smbtar(1) man page.

16.1.9.10. Using the testparm Utility
Copiar enlace

See Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”.

16.1.9.11. Using the wbinfo Utility
Copiar enlace

The wbinfo utility queries and returns information created and used by the winbindd service.

Note

The winbindd service must be configured and running to use wbinfo.

You can use wbinfo, for example, to:

  • List domain users: 

    ~]# wbinfo -u
AD\administrator
AD\guest
...
    Copy to Clipboard Toggle word wrap

  • List domain groups: 

    ~]# wbinfo -g
AD\domain computers
AD\domain admins
AD\domain users
...
    Copy to Clipboard Toggle word wrap

  • Display the SID of a user: 

    ~]# wbinfo --name-to-sid="AD\administrator"
S-1-5-21-1762709870-351891212-3141221786-500 SID_USER (1)
    Copy to Clipboard Toggle word wrap

  • Display information about domains and trusts: 

    ~]# wbinfo --trusted-domains --verbose
Domain Name  DNS Domain      Trust Type Transitive In  Out
BUILTIN               None    Yes     Yes Yes
server               None    Yes     Yes Yes
DOMAIN1    domain1.example.com  None    Yes     Yes Yes
DOMAIN2    domain2.example.com  External  No     Yes Yes
    Copy to Clipboard Toggle word wrap

For further details, see the wbinfo(1) man page.

16.1.10. Additional Resources
Copiar enlace

  • The Red Hat Samba packages include manual pages for all Samba commands and configuration files the package installs. For example, to display the man page of the /etc/samba/smb.conf file that explains all configuration parameters you can set in this file: 

    ~]# man 5 smb.conf
    Copy to Clipboard Toggle word wrap
  • /usr/share/docs/samba-version/: Contains general documentation, example scripts, and LDAP schema files, provided by the Samba project.
  • Red Hat Cluster Storage Administration Guide: Provides information about setting up Samba and the Clustered Trivial Database (CDTB) to share directories stored on an GlusterFS volume.
  • The An active/active Samba Server in a Red Hat High Availability Cluster chapter in the Red Hat Enterprise Linux High Availability Add-on Administration guide describes how to up a Samba high-availability installation.
  • For details about mounting an SMB share on Red Hat Enterprise Linux, see the corresponding section in the Red Hat Storage Administration Guide.

16.2. FTP
Copiar enlace

The File Transfer Protocol (FTP) is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to reliably transfer files between computer hosts on a network without requiring the user to log directly in to the remote host or to have knowledge of how to use the remote system. It allows users to access files on remote systems using a standard set of simple commands.

This section outlines the basics of the FTP protocol and introduces vsftpd, which is the preferred FTP server in Red Hat Enterprise Linux.

16.2.1. The File Transfer Protocol
Copiar enlace

FTP uses a client-server architecture to transfer files using the TCP network protocol. Because FTP is a rather old protocol, it uses unencrypted user name and password authentication. For this reason, it is considered an insecure protocol and should not be used unless absolutely necessary. However, because FTP is so prevalent on the Internet, it is often required for sharing files to the public. System administrators, therefore, should be aware of FTP's unique characteristics.

This section describes how to configure vsftpd to establish connections secured by TLS and how to secure an FTP server with the help of SELinux. A good substitute for FTP is sftp from the OpenSSH suite of tools. For information about configuring OpenSSH and about the SSH protocol in general, refer to Chapter 12, OpenSSH.

Unlike most protocols used on the Internet, FTP requires multiple network ports to work properly. When an FTP client application initiates a connection to an FTP server, it opens port 21 on the server — known as the command port. This port is used to issue all commands to the server. Any data requested from the server is returned to the client via a data port. The port number for data connections, and the way in which data connections are initialized, vary depending upon whether the client requests the data in active or passive mode.

The following defines these modes:

active mode
Active mode is the original method used by the FTP protocol for transferring data to the client application. When an active-mode data transfer is initiated by the FTP client, the server opens a connection from port 20 on the server to the IP address and a random, unprivileged port (greater than 1024) specified by the client. This arrangement means that the client machine must be allowed to accept connections over any port above 1024. With the growth of insecure networks, such as the Internet, the use of firewalls for protecting client machines is now prevalent. Because these client-side firewalls often deny incoming connections from active-mode FTP servers, passive mode was devised.
passive mode

Passive mode, like active mode, is initiated by the FTP client application. When requesting data from the server, the FTP client indicates it wants to access the data in passive mode and the server provides the IP address and a random, unprivileged port (greater than 1024) on the server. The client then connects to that port on the server to download the requested information.

While passive mode does resolve issues for client-side firewall interference with data connections, it can complicate administration of the server-side firewall. You can reduce the number of open ports on a server by limiting the range of unprivileged ports on the FTP server. This also simplifies the process of configuring firewall rules for the server.

16.2.2. The vsftpd Server
Copiar enlace

The Very Secure FTP Daemon (vsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. vsftpd is the only stand-alone FTP server distributed with Red Hat Enterprise Linux, due to its ability to handle large numbers of connections efficiently and securely.

The security model used by vsftpd has three primary aspects:

  • Strong separation of privileged and non-privileged processes — Separate processes handle different tasks, and each of these processes runs with the minimal privileges required for the task.
  • Tasks requiring elevated privileges are handled by processes with the minimal privilege necessary — By taking advantage of compatibilities found in the libcap library, tasks that usually require full root privileges can be executed more safely from a less privileged process.
  • Most processes run in a chroot jail — Whenever possible, processes are change-rooted to the directory being shared; this directory is then considered a chroot jail. For example, if the /var/ftp/ directory is the primary shared directory, vsftpd reassigns /var/ftp/ to the new root directory, known as /. This disallows any potential malicious hacker activities for any directories not contained in the new root directory.

Use of these security practices has the following effect on how vsftpd deals with requests:

  • The parent process runs with the least privileges required — The parent process dynamically calculates the level of privileges it requires to minimize the level of risk. Child processes handle direct interaction with the FTP clients and run with as close to no privileges as possible.
  • All operations requiring elevated privileges are handled by a small parent process — Much like the Apache HTTP Server, vsftpd launches unprivileged child processes to handle incoming connections. This allows the privileged, parent process to be as small as possible and handle relatively few tasks.
  • All requests from unprivileged child processes are distrusted by the parent process — Communication with child processes is received over a socket, and the validity of any information from child processes is checked before being acted on.
  • Most interactions with FTP clients are handled by unprivileged child processes in a chroot jail — Because these child processes are unprivileged and only have access to the directory being shared, any crashed processes only allow the attacker access to the shared files.

16.2.2.1. Starting and Stopping vsftpd
Copiar enlace

To start the vsftpd service in the current session, type the following at a shell prompt as root: 

~]# systemctl start vsftpd.service
Copy to Clipboard Toggle word wrap

To stop the service in the current session, type as root: 

~]# systemctl stop vsftpd.service
Copy to Clipboard Toggle word wrap

To restart the vsftpd service, run the following command as root: 

~]# systemctl restart vsftpd.service
Copy to Clipboard Toggle word wrap

This command stops and immediately starts the vsftpd service, which is the most efficient way to make configuration changes take effect after editing the configuration file for this FTP server. Alternatively, you can use the following command to restart the vsftpd service only if it is already running: 

~]# systemctl try-restart vsftpd.service
Copy to Clipboard Toggle word wrap

By default, the vsftpd service does not start automatically at boot time. To configure the vsftpd service to start at boot time, type the following at a shell prompt as root: 

~]# systemctl enable vsftpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
Copy to Clipboard Toggle word wrap

For more information on how to manage system services in Red Hat Enterprise Linux 7, see Chapter 10, Managing Services with systemd.

16.2.2.2. Starting Multiple Copies of vsftpd
Copiar enlace

Sometimes, one computer is used to serve multiple FTP domains. This is a technique called multihoming. One way to multihome using vsftpd is by running multiple copies of the daemon, each with its own configuration file.

To do this, first assign all relevant IP addresses to network devices or alias network devices on the system. For more information about configuring network devices, device aliases, and additional information about network configuration scripts, see the Red Hat Enterprise Linux 7 Networking Guide.

Next, the DNS server for the FTP domains must be configured to reference the correct machine. For information about BIND, the DNS protocol implementation used in Red Hat Enterprise Linux, and its configuration files, see the Red Hat Enterprise Linux 7 Networking Guide.

For vsftpd to answer requests on different IP addresses, multiple copies of the daemon must be running. To facilitate launching multiple instances of the vsftpd daemon, a special systemd service unit (vsftpd@.service) for launching vsftpd as an instantiated service is supplied in the vsftpd package.

In order to make use of this service unit, a separate vsftpd configuration file for each required instance of the FTP server must be created and placed in the /etc/vsftpd/ directory. Note that each of these configuration files must have a unique name (such as /etc/vsftpd/vsftpd-site-2.conf) and must be readable and writable only by the root user.

Within each configuration file for each FTP server listening on an IPv4 network, the following directive must be unique: 

listen_address=N.N.N.N
Copy to Clipboard Toggle word wrap

Replace N.N.N.N with a unique IP address for the FTP site being served. If the site is using IPv6, use the listen_address6 directive instead.

Once there are multiple configuration files present in the /etc/vsftpd/ directory, individual instances of the vsftpd daemon can be started by executing the following command as root: 

~]# systemctl start vsftpd@configuration-file-name.service
Copy to Clipboard Toggle word wrap

In the above command, replace configuration-file-name with the unique name of the requested server’s configuration file, such as vsftpd-site-2. Note that the configuration file’s .conf extension should not be included in the command.

If you want to start several instances of the vsftpd daemon at once, you can make use of a systemd target unit file (vsftpd.target), which is supplied in the vsftpd package. This systemd target causes an independent vsftpd daemon to be launched for each available vsftpd configuration file in the /etc/vsftpd/ directory. Execute the following command as root to enable the target: 

~]# systemctl enable vsftpd.target
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.target to /usr/lib/systemd/system/vsftpd.target.
Copy to Clipboard Toggle word wrap

The above command configures the systemd service manager to launch the vsftpd service (along with the configured vsftpd server instances) at boot time. To start the service immediately, without rebooting the system, execute the following command as root: 

~]# systemctl start vsftpd.target
Copy to Clipboard Toggle word wrap

See Section 10.3, “Working with systemd Targets” for more information on how to use systemd targets to manage services.

Other directives to consider altering on a per-server basis are:

  • anon_root
  • local_root
  • vsftpd_log_file
  • xferlog_file

16.2.2.3. Encrypting vsftpd Connections Using TLS
Copiar enlace

In order to counter the inherently insecure nature of FTP, which transmits user names, passwords, and data without encryption by default, the vsftpd daemon can be configured to utilize the TLS protocol to authenticate connections and encrypt all transfers. Note that an FTP client that supports TLS is needed to communicate with vsftpd with TLS enabled.

Note

SSL (Secure Sockets Layer) is the name of an older implementation of the security protocol. The new versions are called TLS (Transport Layer Security). Only the newer versions (TLS) should be used as SSL suffers from serious security vulnerabilities. The documentation included with the vsftpd server, as well as the configuration directives used in the vsftpd.conf file, use the SSL name when referring to security-related matters, but TLS is supported and used by default when the ssl_enable directive is set to YES.

Set the ssl_enable configuration directive in the vsftpd.conf file to YES to turn on TLS support. The default settings of other TLS-related directives that become automatically active when the ssl_enable option is enabled provide for a reasonably well-configured TLS set up. This includes, among other things, the requirement to only use the TLS v1 protocol for all connections (the use of the insecure SSL protocol versions is disabled by default) or forcing all non-anonymous logins to use TLS for sending passwords and data transfers.

Example 16.14. Configuring vsftpd to Use TLS

In this example, the configuration directives explicitly disable the older SSL versions of the security protocol in the vsftpd.conf file: 

ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Copy to Clipboard Toggle word wrap

Restart the vsftpd service after you modify its configuration: 

~]# systemctl restart vsftpd.service
Copy to Clipboard Toggle word wrap

See the vsftpd.conf(5) manual page for other TLS-related configuration directives for fine-tuning the use of TLS by vsftpd.

16.2.2.4. SELinux Policy for vsftpd
Copiar enlace

The SELinux policy governing the vsftpd daemon (as well as other ftpd processes), defines a mandatory access control, which, by default, is based on least access required. In order to allow the FTP daemon to access specific files or directories, appropriate labels need to be assigned to them.

For example, in order to be able to share files anonymously, the public_content_t label must be assigned to the files and directories to be shared. You can do this using the chcon command as root: 

~]# chcon -R -t public_content_t /path/to/directory
Copy to Clipboard Toggle word wrap

In the above command, replace /path/to/directory with the path to the directory to which you want to assign the label. Similarly, if you want to set up a directory for uploading files, you need to assign that particular directory the public_content_rw_t label. In addition to that, the allow_ftpd_anon_write SELinux Boolean option must be set to 1. Use the setsebool command as root to do that: 

~]# setsebool -P allow_ftpd_anon_write=1
Copy to Clipboard Toggle word wrap

If you want local users to be able to access their home directories through FTP, which is the default setting on Red Hat Enterprise Linux 7, the ftp_home_dir Boolean option needs to be set to 1. If vsftpd is to be allowed to run in standalone mode, which is also enabled by default on Red Hat Enterprise Linux 7, the ftpd_is_daemon option needs to be set to 1 as well.

See the ftpd_selinux(8) manual page for more information, including examples of other useful labels and Boolean options, on how to configure the SELinux policy pertaining to FTP. Also, see the Red Hat Enterprise Linux 7 SELinux User’s and Administrator’s Guide for more detailed information about SELinux in general.

16.2.3. Additional Resources
Copiar enlace

For more information about vsftpd, see the following resources.

16.2.3.1. Installed Documentation
Copiar enlace

  • The /usr/share/doc/vsftpd-version-number/ directory — Replace version-number with the installed version of the vsftpd package. This directory contains a README file with basic information about the software. The TUNING file contains basic performance-tuning tips and the SECURITY/ directory contains information about the security model employed by vsftpd.

  • vsftpd-related manual pages — There are a number of manual pages for the daemon and the configuration files. The following lists some of the more important manual pages.

    Server Applications
    {blank}
    Copy to Clipboard Toggle word wrap
    • vsftpd(8) — Describes available command-line options for vsftpd.
    Configuration Files
    {blank}
    Copy to Clipboard Toggle word wrap
    • vsftpd.conf(5) — Contains a detailed list of options available within the configuration file for vsftpd.
    • hosts_access(5) — Describes the format and options available within the TCP wrappers configuration files: hosts.allow and hosts.deny.
    Interaction with SELinux
    {blank}
    Copy to Clipboard Toggle word wrap
    • ftpd_selinux(8) — Contains a description of the SELinux policy governing ftpd processes as well as an explanation of the way SELinux labels need to be assigned and Booleans set.

16.2.3.2. Online Documentation
Copiar enlace

About vsftpd and FTP in General
{blank}
Copy to Clipboard Toggle word wrap
Red Hat Enterprise Linux Documentation
{blank}
Copy to Clipboard Toggle word wrap
  • Red Hat Enterprise Linux 7 Networking Guide — The Networking Guide for Red Hat Enterprise Linux 7 documents relevant information regarding the configuration and administration of network interfaces, networks, and network services in this system. It provides an introduction to the hostnamectl utility and explains how to use it to view and set host names on the command line, both locally and remotely.
  • Red Hat Enterprise Linux 7 SELinux User’s and Administrator’s Guide — The SELinux User’s and Administrator’s Guide for Red Hat Enterprise Linux 7 describes the basic principles of SELinux and documents in detail how to configure and use SELinux with various services such as the Apache HTTP Server, Postfix, PostgreSQL, or OpenShift. It explains how to configure SELinux access permissions for system services managed by systemd.
  • Red Hat Enterprise Linux 7 Security Guide — The Security Guide for Red Hat Enterprise Linux 7 assists users and administrators in learning the processes and practices of securing their workstations and servers against local and remote intrusion, exploitation, and malicious activity. It also explains how to secure critical system services.
Relevant RFC Documents
{blank}
Copy to Clipboard Toggle word wrap
  • RFC 0959 — The original Request for Comments (RFC) of the FTP protocol from the IETF.
  • RFC 1123 — The small FTP-related section extends and clarifies RFC 0959.
  • RFC 2228FTP security extensions. vsftpd implements the small subset needed to support TLS and SSL connections.
  • RFC 2389 — Proposes FEAT and OPTS commands.
  • RFC 2428IPv6 support.

16.3. Print Settings
Copiar enlace

The Print Settings tool serves for printer configuring, maintenance of printer configuration files, print spool directories and print filters, and printer classes management.

The tool is based on the Common Unix Printing System (CUPS). If you upgraded the system from a previous Red Hat Enterprise Linux version that used CUPS, the upgrade process preserved the configured printers.

Important

The cupsd.conf man page documents configuration of a CUPS server. It includes directives for enabling SSL support. However, CUPS does not allow control of the protocol versions used. Due to the vulnerability described in Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) for components that do not allow SSLv3 to be disabled via configuration settings, Red Hat recommends that you do not rely on this for security. It is recommend that you use stunnel to provide a secure tunnel and disable SSLv3. For more information on using stunnel, see the Red Hat Enterprise Linux 7 Security Guide.

For ad-hoc secure connections to a remote system’s Print Settings tool, use X11 forwarding over SSH as described in Section 12.4.1, “X11 Forwarding”.

Note

You can perform the same and additional operations on printers directly from the CUPS web application or command line. To access the application, in a web browser, go to http://localhost:631/. For CUPS manuals refer to the links on the Home tab of the web site.

16.3.1. Starting the Print Settings Configuration Tool
Copiar enlace

With the Print Settings configuration tool you can perform various operations on existing printers and set up new printers. You can also use CUPS directly (go to http://localhost:631/ to access the CUPS web application).

To start the Print Settings tool from the command line, type system-config-printer at a shell prompt. The Print Settings tool appears. Alternatively, if using the GNOME desktop, press the Super key to enter the Activities Overview, type Print Settings and then press Enter. The Print Settings tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar.

The Print Settings window depicted in Figure 16.1, “Print Settings window” appears.

Figure 16.1. Print Settings window

Print Settings configuration window
View larger image
Print Settings configuration window

16.3.2. Starting Printer Setup
Copiar enlace

Printer setup process varies depending on the printer queue type.

If you are setting up a local printer connected with USB, the printer is discovered and added automatically. You will be prompted to confirm the packages to be installed and provide an administrator or the root user password. Local printers connected with other port types and network printers need to be set up manually.

Follow this procedure to start a manual printer setup:

  1. Start the Print Settings tool (refer to Section 16.3.1, “Starting the Print Settings Configuration Tool”).
  2. Go to Server New Printer.
  3. In the Authenticate dialog box, enter an administrator or root user password. If this is the first time you have configured a remote printer you will be prompted to authorize an adjustment to the firewall.
  4. Select the printer connection type and provide its details in the area on the right.

16.3.3. Adding a Local Printer
Copiar enlace

Follow this procedure to add a local printer connected with other than a serial port:

  1. Open the Add printer dialog (refer to Section 16.3.2, “Starting Printer Setup”).
  2. If the device does not appear automatically, select the port to which the printer is connected in the list on the left (such as Serial Port #1 or LPT #1).

  3. On the right, enter the connection properties:

    for Other
    URI (for example file:/dev/lp0)
    for Serial Port

    Baud Rate

    Parity

    Data Bits

    Flow Control

    Figure 16.2. Adding a local printer

    Adding a local printer
    View larger image
    Adding a local printer
  4. Click Forward.
  5. Select the printer model. See Section 16.3.8, “Selecting the Printer Model and Finishing” for details.

16.3.4. Adding an AppSocket/HP JetDirect printer
Copiar enlace

Follow this procedure to add an AppSocket/HP JetDirect printer:

  1. Open the New Printer dialog (refer to Section 16.3.1, “Starting the Print Settings Configuration Tool”).
  2. In the list on the left, select Network Printer AppSocket/HP JetDirect.

  3. On the right, enter the connection settings:

    Hostname
    Printer host name or IP address.
    Port Number

    Printer port listening for print jobs (9100 by default).

    Figure 16.3. Adding a JetDirect printer

    Adding a JetDirect Printer
    View larger image
    Adding a JetDirect Printer
  4. Click Forward.
  5. Select the printer model. See Section 16.3.8, “Selecting the Printer Model and Finishing” for details.

16.3.5. Adding an IPP Printer
Copiar enlace

An IPP printer is a printer attached to a different system on the same TCP/IP network. The system this printer is attached to may either be running CUPS or simply configured to use IPP.

If a firewall is enabled on the printer server, then the firewall must be configured to allow incoming TCP connections on port 631. Note that the CUPS browsing protocol allows client machines to discover shared CUPS queues automatically. To enable this, the firewall on the client machine must be configured to allow incoming UDP packets on port 631.

Follow this procedure to add an IPP printer:

  1. Open the New Printer dialog (refer to Section 16.3.2, “Starting Printer Setup”).
  2. In the list of devices on the left, select Network Printer and Internet Printing Protocol (ipp) or Internet Printing Protocol (https).

  3. On the right, enter the connection settings:

    Host
    The host name of the IPP printer.
    Queue

    The queue name to be given to the new queue (if the box is left empty, a name based on the device node will be used).

    Figure 16.4. Adding an IPP printer

    Networked IPP Printer
    View larger image
    Networked IPP Printer
  4. Click Forward to continue.
  5. Select the printer model. See Section 16.3.8, “Selecting the Printer Model and Finishing” for details.

16.3.6. Adding an LPD/LPR Host or Printer
Copiar enlace

Follow this procedure to add an LPD/LPR host or printer:

  1. Open the New Printer dialog (refer to Section 16.3.2, “Starting Printer Setup”).
  2. In the list of devices on the left, select Network Printer LPD/LPR Host or Printer.

  3. On the right, enter the connection settings:

    Host

    The host name of the LPD/LPR printer or host.

    Optionally, click Probe to find queues on the LPD host.

    Queue

    The queue name to be given to the new queue (if the box is left empty, a name based on the device node will be used).

    Figure 16.5. Adding an LPD/LPR printer

    Adding an LPD/LPR Printer
    View larger image
    Adding an LPD/LPR Printer
  4. Click Forward to continue.
  5. Select the printer model. See Section 16.3.8, “Selecting the Printer Model and Finishing” for details.

16.3.7. Adding a Samba (SMB) printer
Copiar enlace

Follow this procedure to add a Samba printer:

Note

Note that in order to add a Samba printer, you need to have the samba-client package installed. You can do so by running, as root: 

yum install samba-client
Copy to Clipboard Toggle word wrap

For more information on installing packages with Yum, refer to Section 9.2.4, “Installing Packages”.

  1. Open the New Printer dialog (refer to Section 16.3.2, “Starting Printer Setup”).
  2. In the list on the left, select Network Printer Windows Printer via SAMBA.

  3. Enter the SMB address in the smb:// field. Use the format computer name/printer share. In Figure 16.6, “Adding a SMB printer”, the computer name is dellbox and the printer share is r2.

    Figure 16.6. Adding a SMB printer

    SMB Printer
    View larger image
    SMB Printer
  4. Click Browse to see the available workgroups/domains. To display only queues of a particular host, type in the host name (NetBios name) and click Browse.

  5. Select either of the options:

    1. Prompt user if authentication is required: user name and password are collected from the user when printing a document.
    2. Set authentication details now: provide authentication information now so it is not required later. In the Username field, enter the user name to access the printer. This user must exist on the SMB system, and the user must have permission to access the printer. The default user name is typically guest for Windows servers, or nobody for Samba servers.

  6. Enter the Password (if required) for the user specified in the Username field.

    Warning

    Samba printer user names and passwords are stored in the printer server as unencrypted files readable by root and the Linux Printing Daemon, lpd. Thus, other users that have root access to the printer server can view the user name and password you use to access the Samba printer.

    Therefore, when you choose a user name and password to access a Samba printer, it is advisable that you choose a password that is different from what you use to access your local Red Hat Enterprise Linux system.

    If there are files shared on the Samba print server, it is recommended that they also use a password different from what is used by the print queue.

  7. Click Verify to test the connection. Upon successful verification, a dialog box appears confirming printer share accessibility.
  8. Click Forward.
  9. Select the printer model. See Section 16.3.8, “Selecting the Printer Model and Finishing” for details.

16.3.8. Selecting the Printer Model and Finishing
Copiar enlace

Once you have properly selected a printer connection type, the system attempts to acquire a driver. If the process fails, you can locate or search for the driver resources manually.

Follow this procedure to provide the printer driver and finish the installation:

  1. In the window displayed after the automatic driver detection has failed, select one of the following options:

    1. Select a Printer from database — the system chooses a driver based on the selected make of your printer from the list of Makes. If your printer model is not listed, choose Generic.
    2. Provide PPD file — the system uses the provided PostScript Printer Description (PPD) file for installation. A PPD file may also be delivered with your printer as being normally provided by the manufacturer. If the PPD file is available, you can choose this option and use the browser bar below the option description to select the PPD file.

    3. Search for a printer driver to download — enter the make and model of your printer into the Make and model field to search on OpenPrinting.org for the appropriate packages.

      Figure 16.7. Selecting a printer brand

      Selecting a printer brand from the printer database brands.
      View larger image
      Selecting a printer brand from the printer database brands.

  2. Depending on your previous choice provide details in the area displayed below:

    • Printer brand for the Select printer from database option.
    • PPD file location for the Provide PPD file option.
    • Printer make and model for the Search for a printer driver to download option.
  3. Click Forward to continue.

  4. If applicable for your option, window shown in Figure 16.8, “Selecting a printer model” appears. Choose the corresponding model in the Models column on the left.

    Note

    On the right, the recommended printer driver is automatically selected; however, you can select another available driver. The print driver processes the data that you want to print into a format the printer can understand. Since a local printer is attached directly to your computer, you need a printer driver to process the data that is sent to the printer.

    Figure 16.8. Selecting a printer model

    Selecting a Printer Model with a Driver Menu
    View larger image
    Selecting a Printer Model with a Driver Menu
  5. Click Forward.

  6. Under the Describe Printer enter a unique name for the printer in the Printer Name field. The printer name can contain letters, numbers, dashes (-), and underscores (); it _must not contain any spaces. You can also use the Description and Location fields to add further printer information. Both fields are optional, and may contain spaces.

    Figure 16.9. Printer setup

    Printer Setup
    View larger image
    Printer Setup
  7. Click Apply to confirm your printer configuration and add the print queue if the settings are correct. Click Back to modify the printer configuration.
  8. After the changes are applied, a dialog box appears allowing you to print a test page. Click Yes to print a test page now. Alternatively, you can print a test page later as described in Section 16.3.9, “Printing a Test Page”.

16.3.9. Printing a Test Page
Copiar enlace

After you have set up a printer or changed a printer configuration, print a test page to make sure the printer is functioning properly:

  1. Right-click the printer in the Printing window and click Properties.
  2. In the Properties window, click Settings on the left.
  3. On the displayed Settings tab, click the Print Test Page button.

16.3.10. Modifying Existing Printers
Copiar enlace

To delete an existing printer, in the Print Settings window, select the printer and go to Printer Delete. Confirm the printer deletion. Alternatively, press the Delete key.

To set the default printer, right-click the printer in the printer list and click the Set as Default button in the context menu.

16.3.10.1. The Settings Page
Copiar enlace

To change printer driver configuration, double-click the corresponding name in the Printer list and click the Settings label on the left to display the Settings page.

You can modify printer settings such as make and model, print a test page, change the device location (URI), and more.

Figure 16.10. Settings page

Settings Page
View larger image
Settings Page

16.3.10.2. The Policies Page
Copiar enlace

Click the Policies button on the left to change settings in printer state and print output.

You can select the printer states, configure the Error Policy of the printer (you can decide to abort the print job, retry, or stop it if an error occurs).

You can also create a banner page (a page that describes aspects of the print job such as the originating printer, the user name from the which the job originated, and the security status of the document being printed): click the Starting Banner or Ending Banner drop-down menu and choose the option that best describes the nature of the print jobs (for example, confidential).

16.3.10.2.1. Sharing Printers
Copiar enlace

On the Policies page, you can mark a printer as shared: if a printer is shared, users published on the network can use it. To allow the sharing function for printers, go to Server Settings and select Publish shared printers connected to this system.

Figure 16.11. Policies page

Policies Page
View larger image
Policies Page

Make sure that the firewall allows incoming TCP connections to port 631, the port for the Network Printing Server (IPP) protocol. To allow IPP traffic through the firewall on Red Hat Enterprise Linux 7, make use of firewalld's IPP service. To do so, proceed as follows:

Enabling IPP Service in firewalld

  1. To start the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The Firewall Configuration window opens. You will be prompted for an administrator or root password.

    Alternatively, to start the graphical firewall configuration tool using the command line, enter the following command as root user: 

    ~]# firewall-config
    Copy to Clipboard Toggle word wrap

    The Firewall Configuration window opens.

    Look for the word "Connected" in the lower left corner. This indicates that the firewall-config tool is connected to the user space daemon, firewalld.

    To immediately change the current firewall settings, ensure the drop-down selection menu labeled Configuration is set to Runtime. Alternatively, to edit the settings to be applied at the next system start, or firewall reload, select Permanent from the drop-down list.

  2. Select the Zones tab and then select the firewall zone to correspond with the network interface to be used. The default is the public zone. The Interfaces tab shows what interfaces have been assigned to a zone.
  3. Select the Services tab and then select the ipp service to enable sharing. The ipp-client service is required for accessing network printers.
  4. Close the firewall-config tool.

For more information on opening and closing ports in firewalld, see the Red Hat Enterprise Linux 7 Security Guide.

16.3.10.2.2. The Access Control Page
Copiar enlace

You can change user-level access to the configured printer on the Access Control page. Click the Access Control label on the left to display the page. Select either Allow printing for everyone except these users or Deny printing for everyone except these users and define the user set below: enter the user name in the text box and click the Add button to add the user to the user set.

Figure 16.12. Access Control page

Access Control Page
View larger image
Access Control Page
16.3.10.2.3. The Printer Options Page
Copiar enlace

The Printer Options page contains various configuration options for the printer media and output, and its content may vary from printer to printer. It contains general printing, paper, quality, and printing size settings.

Figure 16.13. Printer Options page

Printer Options Page
View larger image
Printer Options Page
16.3.10.2.4. Job Options Page
Copiar enlace

On the Job Options page, you can detail the printer job options. Click the Job Options label on the left to display the page. Edit the default settings to apply custom job options, such as number of copies, orientation, pages per side, scaling (increase or decrease the size of the printable area, which can be used to fit an oversize print area onto a smaller physical sheet of print medium), detailed text options, and custom job options.

Figure 16.14. Job Options page

Job Options Page
View larger image
Job Options Page
16.3.10.2.5. Ink/Toner Levels Page
Copiar enlace

The Ink/Toner Levels page contains details on toner status if available and printer status messages. Click the Ink/Toner Levels label on the left to display the page.

Figure 16.15. Ink/Toner Levels page

Ink/Toner Levels Page
View larger image
Ink/Toner Levels Page

16.3.10.3. Managing Print Jobs
Copiar enlace

When you send a print job to the printer daemon, such as printing a text file from Emacs or printing an image from GIMP, the print job is added to the print spool queue. The print spool queue is a list of print jobs that have been sent to the printer and information about each print request, such as the status of the request, the job number, and more.

During the printing process, the Printer Status icon appears in the Notification Area on the panel. To check the status of a print job, click the Printer Status, which displays a window similar to Figure 16.16, “GNOME Print Status”.

Figure 16.16. GNOME Print Status

GNOME Print Status
View larger image
GNOME Print Status

To cancel, hold, release, reprint or authenticate a print job, select the job in the GNOME Print Status and on the Job menu, click the respective command.

To view the list of print jobs in the print spool from a shell prompt, type the command lpstat -o. The last few lines look similar to the following:

Example 16.15. Example of lpstat -o output

$ lpstat -o
Charlie-60       twaugh      1024  Tue 08 Feb 2011 16:42:11 GMT
Aaron-61        twaugh      1024  Tue 08 Feb 2011 16:42:44 GMT
Ben-62         root       1024  Tue 08 Feb 2011 16:45:42 GMT
Copy to Clipboard Toggle word wrap

If you want to cancel a print job, find the job number of the request with the command lpstat -o and then use the command cancel job number. For example, cancel 60 would cancel the print job in Example 16.15, “Example of lpstat -o output”. You cannot cancel print jobs that were started by other users with the cancel command. However, you can enforce deletion of such job by issuing the cancel -U root job_number command. To prevent such canceling, change the printer operation policy to Authenticated to force root authentication.

You can also print a file directly from a shell prompt. For example, the command lp sample.txt prints the text file sample.txt. The print filter determines what type of file it is and converts it into a format the printer can understand.

16.3.11. Additional Resources
Copiar enlace

To learn more about printing on Red Hat Enterprise Linux, see the following resources.

Installed Documentation
  • lp(1) — The manual page for the lp command that allows you to print files from the command line.
  • lpr(1) — The manual page for the lpr command that allows you to print files from the command line.
  • cancel(1) — The manual page for the command-line utility to remove print jobs from the print queue.
  • mpage(1) — The manual page for the command-line utility to print multiple pages on one sheet of paper.
  • cupsd(8) — The manual page for the CUPS printer daemon.
  • cupsd.conf(5) — The manual page for the CUPS printer daemon configuration file.
  • classes.conf(5) — The manual page for the class configuration file for CUPS.
  • lpstat(1) — The manual page for the lpstat command, which displays status information about classes, jobs, and printers.
Online Documentation
  • http://www.linuxprinting.org/ — The OpenPrinting group on the Linux Foundation website contains a large amount of information about printing in Linux.
  • http://www.cups.org/ — The CUPS website provides documentation, FAQs, and newsgroups about CUPS.
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat