SAMBA - An Anonymous FC2 Server for XP Clients

[JonR]

How To – Set up an Anonymous Read/Write SAMBA share on an FC2 Samba-Server.

Configuring SAMBA is generally regarded as no big problem by those who have succeeded. For ordinary mortals, not least Linux newbies, it is fraught with difficulty. This HowTo provides a simple prescription for configuring a simple standalone SAMBA serve to serve a single share to other clients who are members of the same workgroup.
My particular scenario is the requirement to set up an FC2 Samba Server to provide extra space for a variety of WinXP boxes for backup purposes and to enable files used in common to be shared with the minimum of fuss. Security within the subnet was not an issue and this method is NOT RECOMMENDED for subnets where security within the subnet is important.

First of all some definitions:
Standalone SAMBA Server. This refers to a server which is a member of the same workgroup as its clients but where neither the server nor the clients are members of a domain. There is therefore no Primary Domain Controller.
Anonymous Read/Write Share. An Anonymous share is one where the files held in the share belong to a single local username on the server. All connection requests are forced to use that username. It is impossible therefore to identify the owner (i.e. the creator) of any files in the share and there is no security within the share since all connections from any client all use the same username and therefore have the same access to all the data in the share. In this case not only is Read access open to all but so is write access.

Requirement:
Configure an FC2 to serve a single share to the subnet with read/write access by all clients to the share.
Resources:
FC2 distro – 4 CDs.
P4 1.8Ghz, 512Mb, 60Gb HD.
TOSHARG – The Official Samba Howto And Reference Guide
(http://samba.mirror.ac.uk/samba/docs...Collection.pdf)
FedoraForum thread http://www.fedoraforum.org/forum/showthread.php?t=19063 .
Already in place:
100/10 subnet with NetGear DS108 hub and uplink to DG834 ADSL Router.
3 existing WinXP clients on the subnet and two FC1 clients.

1. FC2 was installed onto the P4. I took the 'Custom' Installation option so that I could review the package selection. The important thing is to make sure that the Windows File-Sharing packages (Samba) are installed.

2. Having installed FC2 and configured the system to your liking the next step is to make sure that everything is up to date with the latest packages from Red Hat. I did this by simply double clicking the RHN update icon on the right of the taskbar in Gnome and accepting all the available updates. The important thing is to install the latest Samba RPMs as the ones which ship with FC2 are broken.

3. Next, set your hostname to whatever you want to know your server as. This is most easily done by going to System Settings -> Network -> DNS tab. Replace localhost.localdomain with your preferred name. In my case this was DEACON.

4. You can set up the directory you want to share anywhere. The important thing is that the directory and file ownerships are set up correctly. I did it like this.

root# useradd -c “Network Filestore” -m -g users -p secret netfiles
root# mkdir /export
root# chmod u+rwx, g+rx, o+rx /export
root# chown netfiles,users /export

5. Now we need to create an entry in the Samba password file for our netfiles username.

root# smbpasswd -a netfiles
New SMB password: secret
Retype SMB password: secret

6. Before we can start up Samba we need a Samba Configuration file which will set up the share we want. Here's mine:

[global]
workgroup = MYGROUP
netbios name = DEACON
security = SHARE

[netfs]
comment = Network Filestore on DEA
path = /export
force user = netfiles
force group = users
read only = No
guest ok = Yes

If you prefer you can hack your way through the smb.conf that comes with FC2 un-commenting the lines you want. There are two snags with this. Firstly, there's so much in it in the way of helpful comments it's easy to get lost in the box and secondly, its size is such that it takes smb a little while to process it all at service start. Your call. Personally I find the shorter file easier to take in.
When your happy save the smb.conf file into /etc/samba and you're ready to start Samba.

7. Now go to System Settings -> Server Settings -> Services and scroll down to “smb”. Check the box and click Start to run the smbd and nmbd daemons. Don't forget to click Save before you exit to make sure that smb restarts if the machine reboots.

8. Check that smb is running by issuing # smbclient -L DEACON on your server. You should see your share listed.

9. By now it looks as though you should be able to boot an XP box and access your new share. You're right! You should! If you go to Network Neighbourhood -> Entire Network -> Microsoft Windows Network -> MYGROUP you should find both your XP box listed and your new Samba Server. Unfortunately this is the point at which it may all fall apart...
Try clicking on the Samba server and after a short pause the XP client may announce: “\\DEACON is not accessible. You might not have permission to use this network resource. The network path was not found.”
You may find this a disappointment – I did.

10. Fedora Forum to the rescue. The explanation and solution to this problem is at http://www.fedoraforum.org/forum/showthread.php?t=19063 .
The problem is nothing to do with Samba directly but is caused by the firewall settings installed by FC2. As installed udp traffic to ports 137 & 138 on the server and tcp traffic to ports 139 & 445 is rejected.
You need to open up these ports to your subnet so that the connection requests from the XP boxes make it to the server. The easiest way to do this is via System Settings -> Security Level, in “other ports” add the string: “137:udp, 138:udp, 139:tcp, 445:tcp” . Click OK.
And now, your Samba Server should respond to connection requests from your XP clients.

I hope this helps a few folk out there. Particular thanks to captain-cat and Ned whose helpful postings gave me the solution to the firewall issue.

[iain]

Thanks alot, that helped me loads, im not sure quite how but I did it thanks to you.

[rrm1981]

thanks, this is excelent. I have been wanting to set up samba but just havn't had the time to read all the stuff out there to get it done. This gives me new motivation to give it a try. Thanks again.

[thick0]

I just thought I might add a line or 2 to this excellent thread. When I got to the System Settings -> Server Settings -> Services bit, smb failed to start. I had a trawl around the forums and:

http://www.fedoraforum.org/forum/sho...g+smb+services

suggests starting smb manually using

/usr/sbin/smbd -D

This works for me. In case anyone else has the same problem they might want to try this.

[morganread]

This looked just what I wanted - a no thrills, easy to read set-up to network with my partners windoze pc in my secure home network... Unfortunately it didn't work out quite so easy for me. After a few years now with Linux and periodic attempts, with varying degrees of success, it didn't seem that there was much could go wrong with this attempt. And hay, fc4 can't be so very different from fc2...

Here, below, is my terminal output with some annotations (###). (Skip to the bottom for the conclusion.) So far I've got to running samba and accessing the share from within my box, but all I get from out side my box are issues at point 9... Also, I can't access external shares from inside my box (on two windoze boxes that can see each other). So, I guess there's something blocking samba access in and out of my box? Follow-ups much appreciated.

Perhaps a text file with this set-up (corrected) for fc5 could be placed on the desktop of every account - might save a few novices a lot of hours?

######################
[root@morgansmachine ~]# useradd -c “Network Filestore” -m -g users -p secret netfiles
Usage: useradd [options] LOGIN

Options:
-b, --base-dir BASE_DIR base directory for the new user account
home directory
...
-u, --uid UID force use the UID for the new user account
### Not an auspicious start. After some discussion with my local lug I fell back to...
[root@morgansmachine ~]# useradd -c “Network Filestore” -m -g users netfiles
Usage: useradd [options] LOGIN

Options:
-b, --base-dir BASE_DIR base directory for the new user account
home directory
...
-u, --uid UID force use the UID for the new user account
### And then fell back to...
[root@morgansmachine ~]# useradd -m netfiles
### After which I used the gui (Desktop -> System Settings -> Users and Groups) for the <-c “Network Filestore” -g users> bit, and then did...
[root@morgansmachine ~]# passwd netfiles
Changing password for user netfiles.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@morgansmachine ~]# mkdir /home/export
[root@morgansmachine ~]# chmod u+rwx, g+rx, o+rx /home/export
chmod: cannot access `g+rx,': No such file or directory
chmod: cannot access `o+rx': No such file or directory
### Well clearly I can't expect to highlight and past into my terminal... There's no space between the commas, but I just did...
[root@morgansmachine ~]# chmod u+rwx /home/export
[root@morgansmachine ~]# chmod g+rx /home/export
[root@morgansmachine ~]# chmod o+rx /home/export
[root@morgansmachine ~]# chown netfiles,users /home/export
chown: `netfiles,users': invalid user
### Oops, not again...
[root@morgansmachine ~]# chown netfiles, users /home/export
chown: `netfiles,': invalid user
### And, again...
[root@morgansmachine ~]# chown netfiles,users /home/export
chown: `netfiles,users': invalid user
### And, again...
[root@morgansmachine ~]# chown netfiles, users /home/export
chown: `netfiles,': invalid user
### All right, that's enough!
[root@morgansmachine ~]# chown netfiles:users /home/export
### And, that's more like it!
[root@morgansmachine ~]# smbpasswd -a netfiles
New SMB password:
Retype new SMB password:
Added user netfiles.
### Here, following point 6 I added to /etc/samba/smb.conf this:
[global]
workgroup = 19CLARKEROAD
netbios name = MORGANSMACHINE
security = SHARE

[netfs]
comment = Network Filestore on morgansmachine
path = /home/export
force user = netfiles
force group = users
read only = No
guest ok = Yes
###
[root@morgansmachine ~]# smbclient -L MORGANSMACHINE
Password:
Domain=[19CLARKEROAD] OS=[Unix] Server=[Samba 3.0.14a-2]

Sharename Type Comment
--------- ---- -------
netfs Disk Network Filestore on morgansmachine
IPC$ IPC IPC Service (Samba 3.0.14a-2)
ADMIN$ IPC IPC Service (Samba 3.0.14a-2)
Domain=[19CLARKEROAD] OS=[Unix] Server=[Samba 3.0.14a-2]

Server Comment
--------- -------
MORGANSMACHINE Samba 3.0.14a-2

Workgroup Master
--------- -------
19CLARKEROAD MORGANSMACHINE
[root@morgansmachine ~]#
######################

Hooray, got there! Not so fast... At this point I ran into the problem at point 9, except I'd opened the ports in iptables... Couldn't even browse my network from within my own box at this stage... But hang on, there's that new (a bit old by now) tab to the "Security Level" gui... So, I've turned on all the SELinux Samba access options - any follow-ups on what can be safely turned back off?

Now, I can browse my Samba shares from with in my box - reliably my share is alway there at "Computer -> Network -> MORGANSMACHINE -> netfs (or via Computer -> Network -> Windows Network -> 19clarkeroad -> MORGANSMACHINE...). Also, I can see Morgansmachine from the windoze boxes but trying to access them results in errors as per point 9 (but, the firewall ports have been opened and all the SELinux Samba access options have been enabled). A bit deflating.

Clearly, I've missed something obvious. If someone could point me in the right direction with a follow-up it'd be much appreciated.

Thanks all.

[morganread]

fc5 - racing...
Seems fc5 has cleaned up the iptables and selinux issues in fc4 (above) with some tidy features - not tried the above HowTo for fc5 but imagine it'll work based on fc5 client access to XP shares (which is very straight forward, sweet).