Some days, keeping up with technology can be a mix of frustration and excitement.
I am currently working on getting back my RHCE (Red Hat Certified Engineer) credentials (I had it before, but for reasons I won't get into, it expired). From there, I will be able to avail myself of a suite of certificates from Red Hat, eventually getting either an RHCA (Red Hat Certified Architect) in Cloud or DevOps (or, if time does not permit, just a plain RHCA). I will do this by using existing resources (books, documentation, supplemented by inexpensive online training) rather than taking the rather pricey ROLE courses.
That is the idea, at least.
Case in point, Samba. Now, I don't use Samba that much, but it is a key objective to complete in the RHCE exam - not just using it, but configuring it and setting up the appropriate access controls. From reading the RHCE books, it seems pretty straightforward. For example:
- Provide network shares to specific clients
- Provide network shares suitable for group collaboration
Which means you need to do the following on the server:
1) Install Samba on the server:
yum -y install samba samba-client
2) Add the group that will be used for collaboration:
groupadd -g 8888 shared
3) Modify the existing users so they are part of the group:
usermod -aG shared amy
usermod -aG shared rory
4) Create the Samba users:
smbpasswd -a amy
smbpasswd -a rory
5) Set the appropriate ownership and permissions on the directory you want to share:
chmod 770 /srv/directory_to_be_shared
chown nobody:shared /srv/directory_to_be_shared
6) Set the SELinux file context (the pattern covers the directory and everything under it) and apply it:
semanage fcontext -a -t samba_public_t "/srv/directory_to_be_shared(/.*)?"
restorecon -rv /srv/directory_to_be_shared
7) Create the share entry in /etc/samba/smb.conf:
[shared]
comment = shared directory
path = /srv/directory_to_be_shared
writable = yes
browsable = yes
write list = +shared
hosts allow = foo.bar.monzell.com
8) Run testparm to validate the configuration.
9) Enable and start the Samba service (the unit is smb.service on RHEL 7):
systemctl enable smb
systemctl start smb
10) Open the firewall, both in the running configuration and permanently:
firewall-cmd --add-service=samba
firewall-cmd --add-service=samba --permanent
While on the client:
1) Install Samba and cifs-utils:
yum -y install cifs-utils samba
2) Create the directory on which to mount the share:
mkdir /mnt/shared
3) Create a file containing the credentials used to mount the share, and lock down its permissions:
echo 'username=amy' > /etc/samba/secret
echo 'password=doctor!' >> /etc/samba/secret
chmod 0400 /etc/samba/secret
4) Add an entry to /etc/fstab to mount the share (the credentials= path must match the file created in step 3):
//samba.server.monzell.com/shared /mnt/shared cifs _netdev,credentials=/etc/samba/secret 0 0
5) Finally, mount the share:
mount /mnt/shared
As you can tell, I've got it down cold. Why? Because until today, I couldn't do step 5. I kept getting permission errors:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Now, I was able to mount if I removed the hosts allow entry:
[shared]
comment = shared directory
path = /srv/directory_to_be_shared
writable = yes
browsable = yes
write list = +shared
But that would mean that I wouldn't be able to use host-based access controls.
After some searching, I found that I can restrict access by IP address instead, which is somewhat better, but I still wasn't satisfied.
I looked at the walkthroughs for all the RHCE books (Van Vugt, Ghori, Jang, Tecmint) and so far, from what I can tell, it should work. I mean, surely the authors have all figured it out, right?
Well, today, I gave it one more try, and it occurred to me that perhaps Samba doesn't do hostname lookups by default. Sure enough, after some searching, I found:
http://serverfault.com/questions/702455/samba-hosts-allow-example-com
In order for hosts allow entries that use hostnames to work, you need to enable
hostname lookups = yes
in the [global] section of smb.conf.
And sure enough, adding that in smb.conf:
[global]
hostname lookups = yes
allowed me to mount while keeping the hostname-based hosts allow restriction in place.
It turns out that hostname lookups are quite expensive, resource-wise, so Samba has them turned off by default.
I am not sure why all the major RHCE prep books missed this. At first I thought it might be an editing problem, which I could understand for one book.
But all four?
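As an added example (not code from the post), here is a small shell lint for exactly this pitfall: it parses an smb.conf and fails when any share's hosts allow names hosts while [global] lacks hostname lookups = yes. The config text it feeds itself is constructed, modelled on the [shared] entry from the server steps above; the function name lint_hosts_allow is my own.

```bash
#!/bin/bash
# Added example, not code from the post. Lints an smb.conf for the trap the
# post hit: a "hosts allow" list naming hosts (not IPs or subnets) only works
# with "hostname lookups = yes" in [global]; it is a global-only parameter, so
# a copy inside a share section is ignored and this check ignores it there too.
# Keys are normalised as Samba does (case/whitespace-insensitive) and the
# synonym "allow hosts" is accepted. Heuristic: a token is a hostname if it has
# a letter, no ':' (IPv6) and is not the keyword ALL or EXCEPT.
# Usage: lint_hosts_allow /etc/samba/smb.conf -> exit 0 if consistent, else
# exit 1 and print the shares whose hosts allow needs hostname lookups.
lint_hosts_allow() {
    awk '
    function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
    /^[[:space:]]*[#;]/ { next }                    # comment line
    /^[[:space:]]*\[/ {                             # [section] header
        sec = tolower(trim($0)); sub(/^\[/, "", sec); sub(/]$/, "", sec); next
    }
    index($0, "=") {                                # key = value line
        key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[[:space:]]/, "", key)
        val = trim(substr($0, index($0, "=") + 1))
        if (sec == "global" && key == "hostnamelookups")
            lookups = (tolower(val) ~ /^(yes|true|1)$/) ? 1 : 0
        if (key == "hostsallow" || key == "allowhosts") {
            n = split(val, tok, /[[:space:],]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /[A-Za-z]/ && tok[i] !~ /:/ && tok[i] !~ /^(ALL|EXCEPT)$/)
                    names[sec] = names[sec] " " tok[i]
        }
    }
    END {
        bad = 0
        if (!lookups)
            for (s in names) {
                bad = 1
                printf "[%s] hosts allow uses hostnames without hostname lookups = yes:%s\n", s, names[s]
            }
        exit bad
    }' "$1"
}
# Stand-alone demo on a constructed copy of the post's original, failing share.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[global]
[shared]
path = /srv/directory_to_be_shared
hosts allow = foo.bar.monzell.com
EOF
lint_hosts_allow "$demo" || echo "lint exit status: $?"   # prints the [shared] line, then 1
rm -f "$demo"
```

Running it against /etc/samba/smb.conf after step 7 would have flagged the [shared] entry before the first failed mount; once hostname lookups = yes is added under [global] it exits 0.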
Interesting.