-
19th August 2005, 04:02 AM
#1
How to: FC5 & FC4 Samba and Windows in 6 easy steps
Disclaimer: this works perfectly for us on two fdisk'd and fresh installs, one being Fedora Core 4 (5), and the othe Windows XP Service Pack 2. All updates were applied to both systems before this process was completed. We have also gotten a FC4 laptop and multiple Windows XP machines connected with almost no effort since we completed the first machines.
Our purpose for this project was to isolate users to their own backup areas on a FC4 Linux box, allow users to share FROM the Linux box and not their Windows machines (for security), and basically keep the data redundancy and security beefed up with an additional layer of protection with data still available even if a given users Windows machine goes down.
Step 1: Opening the Firewall
Under GNOME head to Dekstop | System Settings | Security Level
Enter the root password when asked (if you don;t know the password you are finished -- refer this article to your System Admin)
UDP/137 - used by nmbd
UDP/138 - used by nmbd
TCP/139 - used by smbd
TCP/445 - used by smbd
Add the following line to "Other ports"137:udp, 138:udp, 139:tcp, 445:tcp
Select OK
-- sources
https://bugzilla.redhat.com/bugzilla....cgi?id=133478
http://fedora.redhat.com/docs/releas.../fc4/#sn-samba
There seems to be some confusion in the thread concerning security issues related to opening the firewall. I hope to bring some clarity. Many of us have a hardware router / NAT firewall between our networks and the Internet. We are not going to open these "hardware" ports up (keeping them safe from the Internet), instead we are going to open up the ports on the Linux file server (which gives the local network access), while the Router shields the box from the Internet on ports 137, 138, 139, 445..
Step 2: Allowing shares from users /home
For FC4 Open terminal and enter the following ( you must have root / admin password):
su -
setsebool samba_enable_home_dirs=1
-- source http://fedoraforum.org/forum/showthread.php?t=59437
FC5 seems to reset this on our system upon reboots to disable the shares from the /home/user folders. To change the settings from the Gnome desktop:
System | Administration| Security Level and Firewall settings
Click on the SELinux tab
Select "Modify SELinux Policy"
Drop down the SAMBA section
Check mark "Allow Sambe to share users home directories"
Step 3: Cause SELinux to relable the files per your changes
You now need to reboot.
Step 4: Starting SMB / NMB
We will discuss two simple ways of doing this (use your own preference). Both methods require root access:
Method 1:
Go to Desktop | Server Settings | Services (enter root password as necessary)
Click on smb and hit start
Now save it.
You can close the window now.
Method 2:
Open a terminal
su -
service smb start
chkconfig smb on
Step 5: Configuring Users
As it is our purpose to allow users to have access to their data even if their Windows box goes down we are creating local user accounts on the Linux box for each user on the system. To begin with we are only interested in doing one user, as it has been my experience that if one works the rest will work also.
You will need root access:
Go to Desktop | System Settings | Users and Groups
Add a user by clicking OK after you have completed all the fields.
Now go to Desktop | System Settings | Server Settings | Samba
Create a user by going to the Prefernces menu and clicking on Samba Users | Add User
Find the user name in the dropdown box in the Unix Username box.
Now here is a neat trick. YOU DO NOT HAVE TO HAVE MATCHING USER NAME AND PASSWORDS! This is a huge misunderstanding in the networking / Linux worlds. You only have to remember what it is that you enter here. Your username does NOT have to match the Linux OR Windows username (but it does make life easier).
In our setup we have the same user name logon for Linux, Windows and Samba. With the logon passwords the same on both boxes, but the Samba password is totally different (this will help a user protect their files if someone discovers their logon name and password - unless they are on his box).
Step 6: Using the share
Go to the Windows box of your respected user
Click on any instance of "My Network Places." You are not looking for the share yet.
You will need to get to the "Workgroup Computers"
You may have to hit F5 a couple times or in the worse case reboot the windows machine a couple times. Eventually I turned both off and turned both on. When you see the Linux machine come up in the Workgroup Computers (you are not looking for the share -- only for the machine) click on it. A pop up asking for user name and password should come up if all other steps were finished correctly. At this point put in the SAMBA user name and password and put a check mark in "Remember this password...".
if you hit ok and the share shows you have just finished. Windows will auto log into using the user name and password you provided REGARDLESS of what those were.
Some snags
We have multiple Linux boxes / devices on our network. Come to find out a print server AND the FC4 fileserver were named "localhost.localdomain"
so as root we edited /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
to read
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 aragorn.localdomain aragorn
Also, check the server settings in the Samba preferences to match the name..
rebooting the server will get everything straightened out. After the rename the file server popped up and we were running.
Another snag was trying to edit the /etc/samba/smb.conf file per forums and requests when there was absoluetly no need to touch the file to get shares working.
Biggest snag is trying to hard. Networking hasn't changed much since its inception, just what we do at the ends of it (before and after transmission). The question to keep in mind is, "What am I trying to accomplish?"
Finally we can make a real share
I logged into the server and made two folders for the first user (namely me as network wide admin)
I made a library which is a read only / visible share for all users. Various utilities for all systems are placed here as well as public files for all usage.
I made another folder which can be written to but not read for inbound files to my account.
From my Windows / Linux boxes (logged into the share) I have total access, but those on my network going to the share are limited.
This should get your shares working at a very minimal level. Things that need to be tightened and secured can now be done as you have gotten the shares working. Repeat steps 5 and 6 as needed.
--- taken from my site shawndisk.com which I desperately need to get back to developing
Last edited by wshawn; 6th April 2006 at 12:29 AM.
Reason: Updated for FC5
-
19th August 2005, 12:19 PM
#2
Aha....
Thank you! Good article!
-
19th August 2005, 12:24 PM
#3
Originally Posted by
Alerander
Aha....
Thank you! Good article!
You are most welcome.
-
20th August 2005, 01:34 PM
#4
Hi,
I tried this and I must admit it is the first tip that actually allowed me to see my shares, but it won't allow me to access them.
It's giving me a "error, the network path linux_server/share cannot be found or you may not have access". linux_server is my machine name. I have added all the necessary permissions and users both in linux and Samba.
Any help would be appreciated.
thanks,
Remo
-
20th August 2005, 02:09 PM
#5
I had tried it this afternoon, it's 9:00pm here.
I have no idea about user share, i was just using security = share and it worked fine for me! However, all of these was working when i closed my firewall.
Any advice to me?
-
20th August 2005, 06:36 PM
#6
Originally Posted by
rpaulpen
Hi,
It's giving me a "error, the network path linux_server/share cannot be found or you may not have access". linux_server is my machine name. I have added all the necessary permissions and users both in linux and Samba.
Any help would be appreciated.
thanks,
Remo
You do not need to do anything with permissions on the linux side. Just make a local and a samba user with the same name. Make sure you have logged into the server via your windows by clicking on the computer from the Computer list of the workgroup computers. If you try to access the file directly you will not do it.
If you are still having a problem then shutdown the win machine, rename the FC4 server, reboot it , and then boot your windows. Windows stores a user pass combination in the registry for each network connection requiring authentication. The easiest way to reset a bad password is to rename the server or edit the registry.
The error says "Windows cannot access.." Its a permission (which windows only has as user / pass combos) error on the windows side.
Last edited by wshawn; 21st February 2006 at 11:46 PM.
-
20th August 2005, 06:40 PM
#7
Originally Posted by
Alerander
I had tried it this afternoon, it's 9:00pm here.
However, all of these was working when i closed my firewall.
Any advice to me?
You have the ports closed and the shares still working? There are a couple explanations for that. You did not restart the firewall and the ports are still open. Or you have set your Winbox as a trusted address, or other assorted reasons...
-
21st August 2005, 12:25 AM
#8
Silly me!
I do not know the ports would be opened when the firewall was working. But I got samba working fine just define "security = share". Actually, i do want to open firewall using samba, it's a chore that open firewall everytime if i need to connect to internet! I'm wandering how can i access into other pc from samba with firewall working. It seemed that there is no right for XP to access into samba, and vice versa.
-
21st August 2005, 10:43 AM
#9
You said:
"Our purpose for this project was to isolate users to their own backup areas on a FC4 Linux box, allow users to share FROM the Linux box and not their Windows machines (for security), and basically keep the data redundancy and security beefed up with an additional layer of protection with data still available even if a given users Windows machine goes down."
(Sorry, haven't figured out how to use the sexy quote feature I see in other posts!)
What changes to your procedure would I have to make for this to work in the reverse way (i.e. have Windows boxes able to share 'things' on the Linux box)?
My purpose is to be able to publish prototype web-sites, from a Windows development box, to Apache running on my Linux box and then be able to access those sites from Windows boxes on my home LAN. This is part of my personal education and test program, before I publish the site for real on the INternet.
Further advice to this very useful article would be appreciated.
-
21st August 2005, 12:58 PM
#10
I think we are missing it here. In order for shares to work, you have to have the ports open in the firewall that I listed. Other than that the rest of the ports should be closed (excluding ones you have configured to be open). My firewall on the FC4 server is completely locked down outside of 8 ports, and all but three of those are hidden from the internet.
The router we are using blocks all incoming traffic except for those required for ftp, ssh, http.
You are wanting to do two entirely seperate things. Get the shares working first, then find a how to for apache, as it is pretty close to ready to run out of the box with very little configuration. I run Red Hat Enterprise Web server(s) already and just produce websites directly on the server using PHP and leaving the default index.htm page up to catch nosey visitors until I am ready to delete the index.htm file and make the site live.
My stated purpose was to NOT have shares running on the Windows boxes. Instead once you get the shares working you on the Linux box, the idea is to have the windows boxes doing there shares from there.
This accomplishes exactly the same thing, but with a security layer added into the mix. To share a windows box requires next to nothing. Make a share somewhere on the file system as the admin and use the Places | Computers | Browse Network to get to hem. The problem with this is: it is EASY to get around Windows security through their shares, which is why I do not allow shares on Windows Systems (not even printers).
In case you didn't know: a long lasting bug in windows is: once you turn on file / printer sharing it can not be completely turned off (with out a FDISK / format / re install of the OS).
Last edited by wshawn; 21st August 2005 at 01:09 PM.
Reason: Failed to mention:
-
21st August 2005, 05:43 PM
#11
Yes, I probably am missing it here, (put it down to my advancing years - I'm far too old to be messing about in this sand pit), so thanks for providing the additional clarification,as well as the advice (but I cannot imagine why fdisk would be required to remove all vestigies of file/printer sharing!).
I probably need to reconfigure my (wired) cable modem/router to block off unwisely open ports. Can you recommend a source of info which will guide me on what ports should be open? - on both the router and on the workgroup client machines on my LAN?
btw I am wanting to use Apache after trying for some weeks to use IIS with FrontPage extensions. Some kind soul on the relevant micro$oft public newsgroup for IIS suggested that it would be quicker and safer to use Apache under Limux, which sent me off down the road of discovering who Linux is, and helping me to discover all these ancilliary issues on that journey. I am still planning to use FrontPage (or DreamWeaver), but you mention developing web sitees with PHP. Has it got a steep learning curve? (I haven't got much time left!)
-
21st August 2005, 07:58 PM
#12
Well, I had everything working but it now seems that when I reboot the server or the client, the client can not find the server now. It's not in the "entire network" directory anymore. This is confusing. Any help would be appreciated.
Thanks,
Remo
-
22nd August 2005, 01:38 AM
#13
Originally Posted by
rpaulpen
Well, I had everything working but it now seems that when I reboot the server or the client, the client can not find the server now. It's not in the "entire network" directory anymore. This is confusing. Any help would be appreciated.
Thanks,
Remo
make sure your smb is running...
-
22nd August 2005, 01:46 AM
#14
Originally Posted by
Shaky Start
Can you recommend a source of info which will guide me on what ports should be open? - on both the router and on the workgroup client machines on my LAN?
You only need to open the ports you want people to access in on... like 80 for httpd..
Originally Posted by
Shaky Start
btw I am wanting to use Apache after trying for some weeks to use IIS with FrontPage extensions. Some kind soul on the relevant micro$oft public newsgroup for IIS suggested that it would be quicker and safer to use Apache under Limux, which sent me off down the road of discovering who Linux is, and helping me to discover all these ancilliary issues on that journey. I am still planning to use FrontPage (or DreamWeaver), but you mention developing web sitees with PHP. Has it got a steep learning curve? (I haven't got much time left!)
Use Dreamweaver if you have the access to it. Avoid Front Page like the plague. PHP is cool in that you can use mostly HTML and add php where needed (like randomized images)
As far as the fdisk required to dump the shares. Yeah it sucks. But even if you reinstal the OS over the OS it retains the old settings, and if you think just a mere format will be enough, we have documented examples on how a system was reinstalled with only a format and when the registry was search on the first boot after install it contained information for Norton System works from the old system (which no software had been reinstalled).
Personally, I treat Windows as a virus if it has been used for any length of time (snag the data and start over locking it down from the start)...
-
22nd August 2005, 02:57 AM
#15
It's alive!!!!!!!!!
Finally got it working. Thanks very much for your help wshawn... much appreciated!
Remo
Similar Threads
-
By Titoolsen in forum Hardware
Replies: 9
Last Post: 8th April 2009, 01:10 PM
-
Replies: 4
Last Post: 24th April 2007, 06:58 PM
-
By eldnar in forum Hardware
Replies: 0
Last Post: 4th August 2006, 12:26 AM
-
By ukanth in forum Guides & Solutions (Not For Questions)
Replies: 1
Last Post: 18th October 2005, 07:04 AM
-
By ntdesign in forum Hardware
Replies: 5
Last Post: 17th February 2005, 11:10 PM
Tags for this Thread
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
[[template footer(Guest)]]