quick-docs/modules/ROOT/pages/samba.adoc

= How to create a Samba share
Alessio, Peter Lilley, Petr Bokoc 
:revnumber: F32
:revdate: 2020-12-01
:category: Administration
:tags: Samba, share, file-sharing

// pboy: Made just a quick fix. Used date from merge request #253 and issue #165.

// Still needs review.

Samba allows for Windows and other clients to connect to file share directories on Linux hosts. It implements the server message block (SMB) protocol. This guide covers creating a shared file location on a Fedora machine that can be accessed by other computers on the local network.

[[install_and_enable_samba]]
== Install and enable Samba

The following commands install Samba and set it to run via `systemctl`.
This also sets the firewall to allow access to Samba from other
computers.

....
sudo dnf install samba
sudo systemctl enable smb --now
firewall-cmd --get-active-zones
sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-service=samba
sudo firewall-cmd --reload
....

[[sharing_a_directory_inside_home]]
== Sharing a directory inside /home

In this example you will share a directory inside your home directory, accessible only by your user.

Samba does not use the operating system users for authentication, so your user account must be duplicated in Samba. So if your account is
`jane` on the host, the user `jane` must also be added to Samba. While the usernames must match, the passwords can be different.

Create a user called `jane` in Samba:
....
sudo smbpasswd -a jane
....

Create a directory to be the share for jane, and set the correct SELinux
context:
....
mkdir /home/jane/share
sudo semanage fcontext --add --type "samba_share_t" "/home/jane/share(/.*)?"
sudo restorecon -R ~/share
....

Samba configuration lives in the `/etc/samba/smb.conf` file. Adding the following section at the end of the file will instruct Samba to set up a share for jane called "share" at the `/home/jane/share` directory just created.
....
[share]
        comment = My Share
        path = /home/jane/share
        writeable = yes
        browseable = yes
        public = yes
        create mask = 0644
        directory mask = 0755
        write list = user
....

Restart Samba for the changes to take effect:

....
sudo systemctl restart smb
....

[[sharing_a_directory_for_many_users]]
== Sharing a directory for many users

In this example, you will share a directory (outside your home directory) and create a group of users with the ability to read and write to the share.

Remember that a Samba user must also be a system user, in order to
respect filesystem permissions. This example creates a system group
`myfamily` for two new users `jack` and `maria`.
....
sudo groupadd myfamily
sudo useradd  -G myfamily jack
sudo useradd  -G myfamily maria
....

[TIP]
====
You could create these users without a system password. This would prevent access to the system via SSH or local login.
====

Add `jack` and `maria` to Samba and create their passwords:

....
sudo smbpasswd -a jack
sudo smbpasswd -a maria
....

Setting up the shared folder:
....
sudo mkdir /home/share
sudo chgrp myfamily /home/share
sudo chmod 770 /home/share
sudo semanage fcontext --add --type "samba_share_t" "/home/share(/.*)?"
sudo restorecon -R /home/share
....

Each share is described by its own section in the `/etc/samba/smb.conf`
file. Add this section to the bottom of the file:
....
[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily
....

Explanation of the above:

* `valid users`: only users of the group `family` have access rights. The @ denotes a group name.
* `force group = +myfamily`: files and directories are created with this group, instead of the user group.
* `create mask = 0660`: files in the share are created with permissions to allow all group users to read and write files created by other users.
* `directory mask = 0770`: as before, but for directories.

Restart Samba for the changes to take effect:

....
sudo systemctl restart smb
....

[[managing_samba_users]]
== Managing Samba Users

[[change_a_samba_user_password]]
=== Change a samba user password

[TIP] 
====
Remember: the system user and Samba user passwords can be different. The system user is needed in order to handle filesystem permissions.
====

....
sudo smbpasswd maria
....

[[remove_a_samba_user]]
=== Remove a samba user

....
sudo smbpasswd -x maria
....

If you don't need the system user, remove it as well:

....
sudo userdel -r maria
....

[[troubleshooting_and_logs]]
== Troubleshooting and logs

Samba log files are located in `/var/log/samba/`

....
tail -f /var/log/samba/log.smbd
....

You can increase the verbosity by adding this to the `[global]` section of
`/etc/samba/smb.conf`:

....
[global]
        loglevel = 5
....

To validate the syntax of the configuration file `/etc/samba/smb.conf`
use the command `testparm`. Example output:

....
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
....

To display current samba connections, use the `smbstatus` command.
Example output:

....
Samba version 4.12.3
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
7259    jack         jack         192.168.122.1 (ipv4:192.168.122.1:40148)  SMB3_11           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing     
---------------------------------------------------------------------------------------------
family       7259    192.168.122.1 Fri May 29 14:03:26 2020 AEST    -            -           

No locked files
....

[[trouble_with_accessing_the_share]]
=== Trouble with accessing the share

Some things to check if you cannot access the share.

. Be sure that the user exists as a system user as well as a Samba user
+
Find `maria` in the Samba database:
+
....
sudo pdbedit -L | grep maria

maria:1002:
....
+
Confirm that `maria` also exists as a system user.
+
....
cat /etc/passwd | grep maria

maria:x:1002:1002::/home/maria:/bin/bash
....
+
. Check if the shared directory and sub-directories have the correct SELinux context.
+
....
ls -dZ /home/share

unconfined_u:object_r:samba_share_t:s0 /home/share
....
+
. Check if the system user has access permission to the shared directory.
+
....
ls -ld /home/share 

drwxrwx---. 2 root myfamily 4096 May 29 14:03 /home/share
....
+
In this case, the user should be in the `myfamily` group.

. Check in the configuration file `/etc/samba/smb.conf` that the user and group have access permission.
+
....
[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily
....
+
In this case, the user should be in the `myfamily` group.

[[trouble_with_writing_in_the_share]]
=== Trouble with writing in the share

. Check in the samba configuration file if the user/group has write permissions.
+
....
[family]
        comment = Family Share
        path = /home/share
        writeable = yes
        browseable = yes
        public = yes
        valid users = @myfamily
        create mask = 0660
        directory mask = 0770
        force group = +myfamily
....
+
In this example, the user should be in the `myfamily` group.

. Check the share directory permissions.
+
....
ls -ld /home/share 

drwxrwx---. 2 root myfamily 4096 May 29 14:03 /home/share
....
+
This example assumes the user is part of the `myfamily` group which has read, write, and execute permissions for the folder.