Configure Samba Server on Linux: Share Files with Windows

Samba is the open-source implementation of the SMB/CIFS protocol on Linux, enabling seamless file and printer sharing between Linux and Windows systems. While NFS is the standard for Linux-to-Linux sharing, Samba is essential whenever Windows clients need to access Linux storage — making it a core competency for any RHCA administrator working in mixed environments.

Samba Architecture

Samba consists of several daemons that work together:

  • smbd: The core file and printer sharing daemon. Handles SMB protocol, file operations, authentication.
  • nmbd: NetBIOS Name Service daemon. Handles Windows network browsing (finding "Network Neighborhood" entries). Less important with modern DNS-based service discovery.
  • winbindd: Integration daemon for Windows Active Directory. Maps Windows SIDs to Linux UIDs/GIDs for domain authentication.

SMB Protocol Version History

Version    | Introduced In        | Key Features
SMB 1.0    | 1990s                | Original protocol. INSECURE — vulnerable to EternalBlue/WannaCry. Disable completely.
SMB 2.0    | Vista/Server 2008    | Pipelining, larger reads. Major performance improvement.
SMB 2.1    | Win7/Server 2008 R2  | Opportunistic locking improvements.
SMB 3.0    | Win8/Server 2012     | Encryption, multichannel, cluster support.
SMB 3.1.1  | Win10/Server 2016    | Pre-authentication integrity checks, improved encryption.

smb.conf Structure

The Samba configuration file /etc/samba/smb.conf is divided into sections:

  • [global]: Server-wide settings (workgroup, authentication, logging)
  • [homes]: Special section for user home directories
  • [printers]: Special section for printer sharing
  • [sharename]: Custom share definitions

# Complete smb.conf example.
# smb.conf has no trailing comments: only whole lines that begin with "#" or ";"
# are ignored, and anything after the "=" is part of the value. Every comment
# below therefore sits on its own line, above the setting it describes.
[global]
    # Basic identity
    # Windows workgroup or domain name:
    workgroup = WORKGROUP
    # Description shown in the network browser:
    server string = Linux File Server
    # Windows computer name:
    netbios name = FILESERVER

    # Authentication
    # User-level security (password required):
    security = user
    # Share-level security (password per share, old style, removed in Samba 4.0):
    # security = share
    # Active Directory domain:
    # security = ads

    # Performance
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
    use sendfile = yes

    # Logging
    # %m = client machine name:
    log file = /var/log/samba/log.%m
    # 0 = errors only, 3 = debug:
    log level = 1
    # Size in KB, then rotate:
    max log size = 50

    # Security hardening
    # Samba's own client tools never negotiate SMB1:
    client min protocol = SMB2
    # Reject SMB1 clients:
    server min protocol = SMB2
    # Disable weak NTLM auth (NTLMv1 is refused, NTLMv2 still works):
    ntlm auth = no

[public]
    comment = Public Share
    path = /srv/samba/public
    # Allow guest access ("public" is a synonym for "guest ok"):
    public = yes
    writable = yes
    guest ok = yes
    # File permissions (0666 leaves new files world-writable):
    create mask = 0666
    # Directory permissions (0777 leaves new directories world-writable):
    directory mask = 0777

[homes]
    comment = Home Directories
    # Don't list in browsing (privacy):
    browseable = no
    # User can write to their home dir:
    writable = yes

[engineering]
    comment = Engineering Team Files
    path = /srv/samba/engineering
    # Who may connect at all (@ means group). Managers must be listed here,
    # otherwise their "read list" entry below never takes effect:
    valid users = @engineering @managers
    # Who can write:
    write list = @engineering
    # Read-only access for managers:
    read list = @managers
    browseable = yes
    # Default deny write:
    writable = no
    create mask = 0664
    directory mask = 0775
    # All files owned by engineering group:
    force group = engineering
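
A small linter for the mistakes this kind of smb.conf invites, as an added example that is not part of the original page: it flags trailing comments (smb.conf only ignores whole lines that begin with # or ;), an SMB1-era server min protocol, guest-writable shares and world-writable masks. The sample configuration and all function names are constructed for illustration.

```python
import re

# Constructed sample input (not from the page), with deliberate mistakes.
SAMPLE = """\
[global]
    workgroup = WORKGROUP   # my domain
    server min protocol = NT1
[public]
    guest ok = yes
    writable = yes
    create mask = 0666
[engineering]
    create mask = 0664
"""

SMB1_ERA = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}  # dialects older than SMB2
TRUE = {"yes", "true", "on", "1"}                             # values treated as true here

def norm(name):  # smb.conf ignores case and whitespace in parameter names
    return "".join(name.lower().split())

def parse(text):
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":          # only whole-line comments exist
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[norm(key)] = value.strip()
    return conf

def audit(text):
    findings = []
    for name, params in parse(text).items():
        is_true = lambda *keys: any(params.get(norm(k), "").lower() in TRUE for k in keys)
        for key, value in params.items():
            if re.search(r"\s[#;]", value):      # heuristic: looks like a trailing comment
                findings.append((name, f"trailing comment is part of the value of '{key}'"))
        if params.get(norm("server min protocol"), "").upper() in SMB1_ERA:
            findings.append((name, "SMB1 dialects accepted"))
        if is_true("guest ok", "public") and is_true("writable", "writeable", "write ok"):
            findings.append((name, "guests can write"))
        for key in ("create mask", "directory mask"):
            mask = params.get(norm(key))
            if mask and re.fullmatch(r"[0-7]+", mask) and int(mask, 8) & 0o002:
                findings.append((name, f"{key} grants world write"))
    return findings
```

Run `audit(open("/etc/samba/smb.conf").read())` against a real file; `testparm -s` remains the authoritative view of what Samba actually parsed.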

Samba Users and Authentication

# Samba maintains its own password database separate from /etc/shadow
# Users must exist in Linux AND be added to Samba

# Create Linux user first:
# useradd raju
# passwd raju

# Add to Samba (will prompt for Samba password):
# smbpasswd -a raju                 # add user to Samba
# smbpasswd raju                    # change Samba password
# smbpasswd -e raju                 # enable account
# smbpasswd -d raju                 # disable account
# smbpasswd -x raju                 # delete from Samba

# List Samba users:
# pdbedit -L                        # simple list
# pdbedit -Lv                       # verbose with details

# Samba password database location:
# /var/lib/samba/private/passdb.tdb  (TDB format)
# pdbedit -u raju -v                 # show user details

Testing and Validation

# Validate smb.conf syntax:
# testparm                           # shows parsed config, reports errors
# testparm -s                        # no prompts

# Test Samba share:
# smbclient -L localhost -U raju     # list shares on local server
# smbclient //localhost/engineering -U raju   # connect to specific share
smb: \> ls                          # list files
smb: \> get filename                # download
smb: \> put localfile               # upload
smb: \> quit

# Check connectivity from Linux:
# smbclient -L //192.168.1.100 -U raju

# Mount Samba share on Linux:
# yum install cifs-utils -y
# mkdir /mnt/eng
# mount -t cifs //192.168.1.100/engineering /mnt/eng -o username=raju,password=pass

# Credentials file (keeps the password out of the command line, where shell history and the process list would expose it):
# vim /root/.samba_creds
username=raju
password=MyPassword
domain=WORKGROUP

# chmod 600 /root/.samba_creds       (critical — protect credentials file)
# mount -t cifs //server/engineering /mnt/eng -o credentials=/root/.samba_creds

# Permanent mount (/etc/fstab):
//server/engineering  /mnt/eng  cifs  credentials=/root/.samba_creds,_netdev  0  0

SELinux Configuration for Samba

# Default Samba directory context:
# ls -Z /srv/samba/
# The context should be: samba_share_t

# Set correct context:
# chcon -R -t samba_share_t /srv/samba/

# Persistent context (survives restorecon):
# semanage fcontext -a -t samba_share_t "/srv/samba(/.*)?"
# restorecon -Rv /srv/samba/

# SELinux booleans for Samba:
# getsebool -a | grep samba

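# Allow Samba to share all directories read-write, whatever their SELinux label (broad; labelling each share samba_share_t is the narrower option):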
# setsebool -P samba_export_all_rw 1

# Allow Samba to share home directories:
# setsebool -P samba_enable_home_dirs 1

# Allow Samba to use NFS shares:
# setsebool -P samba_share_nfs 1

# If Samba acts as a domain controller (lets it manage users, groups and passwords):
# setsebool -P samba_domain_controller 1

Troubleshooting Samba

# Common issues:

# Cannot connect:
# systemctl status smb               # is smbd running?
# ss -tulnp | grep smbd              # is port 139/445 open?
# firewall-cmd --list-all            # is samba service allowed?

# Permission denied:
# testparm -s | grep "valid users"   # check share permissions
# id raju                            # is user in correct group?
# pdbedit -L | grep raju             # is user in Samba DB?
# ls -lZ /srv/samba/                 # check SELinux context
# sealert -a /var/log/audit/audit.log  # SELinux denials

# Wrong credentials:
# smbpasswd raju                     # reset Samba password

# Windows cannot find the server:
# systemctl status nmb               # is nmbd running?
# Check /etc/samba/smb.conf: netbios name and workgroup

# Share not visible:
# testparm                           # check browseable = yes
# smbclient -L //localhost -U raju   # should list shares

# Enable verbose logging:
# Edit /etc/samba/smb.conf: log level = 3
# systemctl restart smb
# tail -f /var/log/samba/log.* | grep -i error