Step-by-Step: Configuring Samba File Sharing for RHCSA

Objective

In the IT world the ability to share files perfectly between Linux and Windows systems is important. Samba is an open-source implementation of the SMB/CIFS protocol which allows for cross-platform file sharing between Linux and Windows machines. For RHCSA candidates, configuring Samba is not just a checkbox task but it is a real-world skill that demonstrates your understanding of Linux networking, security and user management. This blog will walk you through the complete process of setting up Samba on a RHEL 9 system from installation to access control which will help you build confidence and clarity for both the exam and real-world applications.

What is Samba?

Samba is an open-source suite of programs that allows Linux and Unix systems to communicate with Windows clients and servers using the SMB (Server Message Block) and CIFS (Common Internet File System) protocols. Originally developed to provide file and print services compatible with Windows, Samba enables a Linux machine to act as a file server, print server, or even a domain controller within a Windows network.

With Samba users on Windows systems can:

• Access shared files and directories hosted on Linux servers
• Map Linux-shared drives as network drives
• Authenticate using Windows-style credentials

And on the Linux side administrators can enforce:

• Permissions based on Linux users or Samba-only users
• Group-level access controls
• Integration with SELinux and firewalld for added security

Samba is a crucial tool for RHCSA candidates not only because it is part of the exam objectives but also because it simulates the kind of cross-platform interoperability found in real-world enterprise environments.

Step 1: Install Samba Packages

Begin by installing the necessary Samba packages.

dnf install samba samba-client samba-common -y   # Install Samba server, client utilities, and common libraries

Step 2: Create Required Groups

Create the group that will be used for share access before proceeding with directory setup.

groupadd admins                                   # Create the 'admins' group for controlling share access

Step 3: Create a Shared Directory

Create a directory that you want to share over the network.

mkdir -p /srv/samba/shared                       # Create the shared directory for Samba
chmod 2770 /srv/samba/shared                     # Set permissions with SGID so new files inherit the group
chown root:admins /srv/samba/shared              # Set ownership to root and group to 'admins'

Permission Explanation: The chmod 2770 command sets:

• 2 (SGID bit): Ensures new files/directories inherit the group ownership
• 770: Gives read/write/execute to owner and group, no access to others
• This creates a secure collaborative space where only group members can access files

Step 4: Create Samba Users

Create a Linux user and then add it as a Samba user.

useradd sambauser                                # Create a new Linux user named 'sambauser'
passwd sambauser                                 # Set a Linux password for the user
smbpasswd -a sambauser                          # Add the user to Samba and set a Samba-specific password

The smbpasswd -a command enables the user for Samba access with a separate Samba password, providing an additional layer of security.

Step 5: Add Users to the Group

Ensure the user is part of the admins group.

usermod -aG admins sambauser                    # Add 'sambauser' to the 'admins' group to grant share access

Step 6: Configure the Samba Share

Edit the main Samba configuration file:

vi /etc/samba/smb.conf                          # Open the Samba configuration file in the vi editor for editing

Append the following section at the end of the file:

[SharedFiles]                                   # Name of the Samba share as seen by clients
   path = /srv/samba/shared                     # Filesystem path to the shared directory
   valid users = @admins                        # Only users in the 'admins' group are allowed access
   guest ok = no                                # Do not allow guest (unauthenticated) access
   writable = yes                               # Allow write access to the share
   browsable = yes                              # Make the share visible when browsing the server
   create mask = 0664                           # Set default permissions for new files
   directory mask = 0775                        # Set default permissions for new directories

Security Note: This configuration enforces group-based access control and prevents anonymous access, following security best practices.

Step 7: Enable and Start Samba Services

systemctl enable --now smb nmb                  # Enable and start the Samba (smb) and NetBIOS (nmb) services immediately

These commands start the Samba daemons and enable them to run at boot time. The nmb service handles NetBIOS name resolution, which is essential for Windows client discovery.

Step 8: Configure Firewall for Samba

Allow Samba traffic through the firewall.

firewall-cmd --permanent --add-service=samba    # Permanently allow Samba service through the firewall
firewall-cmd --reload                           # Reload the firewall to apply the new rule

This step ensures that clients on the network can reach the Samba service on the required ports (139/tcp, 445/tcp, 137/udp, 138/udp).

Step 9: SELinux Configuration (If Enabled)

Check the current SELinux status:

getenforce                                      # Check the current SELinux mode (Enforcing, Permissive, or Disabled)

If it's enforcing, set the appropriate context and enable required booleans:

# Install SELinux management tools if not present
dnf install policycoreutils-python-utils -y    # Install the package needed for managing SELinux contexts with semanage

# Set file contexts
semanage fcontext -a -t samba_share_t "/srv/samba/shared(/.*)?"   # Set SELinux context type for the shared directory and its contents
restorecon -Rv /srv/samba/shared                                  # Apply the new SELinux context recursively to the directory

# Enable SELinux booleans for Samba functionality
setsebool -P samba_enable_home_dirs on          # Allow Samba to access home directories if needed
setsebool -P samba_export_all_rw on             # Allow Samba to read/write all files (use with caution)

SELinux Best Practice: Only enable the booleans you actually need. The samba_export_all_rw boolean should be used carefully as it grants broad access.

Step 10: Verify Configuration and Test

Check the Samba configuration for syntax errors:

testparm                                        # Check the Samba configuration file for syntax errors and view loaded settings
testparm -s                                     # Show a summary of the configuration without comments

Test local share listing:

smbclient -L localhost                          # List available shares on the local server
smbclient -L localhost -U sambauser             # List shares as a specific user

Step 11: Accessing the Share from Clients

From a Linux system:

smbclient //server-ip/SharedFiles -U sambauser  # Access the Samba share from a Linux client using the specified Samba user

From a Windows system:

1. Press Windows + R
2. Type: \\<server-ip>\SharedFiles
3. Enter the Samba username and password when prompted

Mounting on Linux (persistent access):

# Create mount point
mkdir /mnt/samba-share

# Mount the share
mount -t cifs //server-ip/SharedFiles /mnt/samba-share -o username=sambauser,uid=1000,gid=1000

# For persistent mounting, add to /etc/fstab:
# //server-ip/SharedFiles /mnt/samba-share cifs username=sambauser,password=yourpassword,uid=1000,gid=1000 0 0

Step 12: Monitoring and Troubleshooting

Monitor Samba activity and troubleshoot issues:

# Monitor Samba logs in real time
tail -f /var/log/samba/log.smbd                 # Monitor the main Samba daemon log
tail -f /var/log/samba/log.nmbd                 # Monitor the NetBIOS daemon log

# Check service status
systemctl status smb nmb                        # Verify both services are running properly

# Test network connectivity
ss -tuln | grep -E ':(139|445|137|138)'         # Check if Samba ports are listening

# Verify user access
pdbedit -L                                       # List all Samba users
smbstatus                                        # Show current Samba connections and locked files

Additional Security Hardening (Optional)

For production environments, consider these additional security measures:

# Restrict Samba to specific network interfaces
# Add to [global] section in smb.conf:
# interfaces = eth0 192.168.1.0/24
# bind interfaces only = yes

# Enable encryption (SMB3 and later)
# Add to [global] section:
# smb encrypt = required

# Disable SMB1 protocol (security risk)
# Add to [global] section:
# server min protocol = SMB2

Common Troubleshooting Commands

# Reset Samba user password
smbpasswd sambauser

# Check if user exists in Samba database
pdbedit -u sambauser -v

# Test authentication
smbclient -L localhost -U sambauser%password

# Check SELinux denials
ausearch -m AVC -ts recent | grep samba

Conclusion

Configuring Samba on RHEL is an essential skill that blends service management, networking, user permissions and SELinux all core components of the RHCSA exam. This comprehensive guide covers not just the basic setup but also security considerations, troubleshooting, and best practices that you'll encounter in real-world environments. Whether you are preparing for your certification or setting up a production network share, understanding Samba empowers you to bridge Linux and Windows environments efficiently and securely. The key takeaways include proper permission management with SGID, SELinux context configuration, firewall setup, and comprehensive testing procedures. For a deeper hands-on experience and real exam-based lab practice, head over to RHCSA.GURU a comprehensive platform dedicated to helping you master every RHCSA topic with clarity and confidence.