How To Provide SMB/CIFS Network Shares For Group Collaboration

Samba is an open source implementation of the Server Message Block (SMB) and Common Internet File System (CIFS) protocols. It allows us to access Windows file share resources from Linux.

With Samba we can export specific directories within a file system over the network to other Windows or Linux clients, allowing us to share various files over the network between different operating systems.

Here we’re going to cover setting up a samba file share that allows for group collaboration. Users within a particular group will be able to create content within a samba share that other users within the same group will be able to access and modify.

We have previously covered how to set up samba shares for specific clients; this post expands on that information.

Example Environment

Here is a list of the servers that we will be testing with. Both are running CentOS 7.

  • Samba Client: 192.168.0.100 – This Linux client will mount a directory from the SMB/CIFS server.
  • Samba Server: 192.168.0.200 – This Linux server will serve a directory over SMB/CIFS to the client.

Samba Server Configuration

Basic Samba Server Setup

The server that has the data to share will act as the samba server and needs the samba package installed.

yum install samba -y

Once installed, we can enable the required SMB service to start automatically on boot. We’ll also start the service now, as it’s not running by default after installation. We do the same with the NMB service, which is responsible for NetBIOS and is part of the samba package.

systemctl enable smb nmb
systemctl start smb nmb

For further information on basic service management with systemctl, see our guide here.

Next, the firewall must be configured to allow SMB traffic through. This can be done with firewalld as shown below. This change will allow SMB/CIFS traffic on TCP ports 135/445 into the server from any source IP address. The firewall configuration must also be reloaded, as we have put a permanent rule in place which will not apply to the running configuration.

firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

Configure The Group Share

Next we need to configure samba and the group share on our server.

Let’s begin by creating a group and two users. In this case group1 will be the group that both of our users belong to.

# groupadd group1
# useradd -s /sbin/nologin -G group1 user1
# useradd -s /sbin/nologin -G group1 user2

These two users are not going to be used to log in directly to the system, which is why the /sbin/nologin shell has been specified. They will be SMB users only. This is done by setting their passwords with smbpasswd, as shown below.

# smbpasswd -a user1
New SMB password:
Retype new SMB password:
Added user user1.

# smbpasswd -a user2
New SMB password:
Retype new SMB password:
Added user user2.

Now let’s prepare the directory to share with the group. We will be sharing /groupshare from the server.

# mkdir /groupshare
# chown root:group1 /groupshare
# chmod 2770 /groupshare

We have set the group of the /groupshare directory to be owned by our newly created group1. The permissions have been set to 2770, where the first 2 denotes SetGID while 770 are standard permissions. SetGID is used to set the group of files and directories created within /groupshare to the same group that has been set on the /groupshare directory itself. As /groupshare is owned by group1, any files or directories created within /groupshare will be owned by the group1 group which is required for group collaboration.

This will show up as an ‘s’ where the ‘x’ permission is usually found on the directory for the group. If there is no ‘x’ permission for the group, the ‘s’ would instead appear as ‘S’.

# ls -la /groupshare/
total 4
drwxrws---.  2 root group1    6 May 22 02:55 .
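
A check for the directory setup described above, as an added example that is not part of the original post. The function names audit_share_dir and probe_inheritance are hypothetical, and the script assumes GNU stat as shipped with CentOS 7.

```sh
#!/bin/sh
# Added example, not from the original post. Needs GNU stat (coreutils).

# Print one line per problem; exit status 0 means DIR is group-owned by GROUP,
# has SetGID plus group rwx, and grants nothing to "other" (i.e. 2770).
audit_share_dir() (
    dir=$1; want_group=$2; bad=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; exit 1; }
    perms=$(stat -c '%A' "$dir")          # e.g. drwxrws---
    group=$(stat -c '%G' "$dir")
    [ "$group" = "$want_group" ] ||
        { echo "group is $group, expected $want_group"; bad=1; }
    case $(printf '%s' "$perms" | cut -c5-7) in
        rws) ;;                           # group rw + SetGID with x
        ??S) echo "SetGID set but group has no x (shown as 'S')"; bad=1 ;;
        ??s) echo "SetGID set but group lacks r or w"; bad=1 ;;
        *)   echo "SetGID not set; new files get the creator's primary group"; bad=1 ;;
    esac
    [ "$(printf '%s' "$perms" | cut -c8-10)" = "---" ] ||
        { echo "other users have access: $perms"; bad=1; }
    exit "$bad"
)

# Create a scratch subdirectory and file in DIR, then confirm both take DIR's
# group and that the subdirectory inherits SetGID. Removes the scratch data.
probe_inheritance() (
    dir=$1; scratch="$dir/.setgid-probe.$$"
    mkdir "$scratch" || exit 2
    : > "$scratch/file"
    want=$(stat -c '%g' "$dir")
    sub=$(stat -c '%g' "$scratch")
    file=$(stat -c '%g' "$scratch/file")
    sgid=$(stat -c '%A' "$scratch" | cut -c7)
    rm -rf "$scratch"
    [ "$sub" = "$want" ] && [ "$file" = "$want" ] &&
        { [ "$sgid" = s ] || [ "$sgid" = S ]; }
)

# On the server from this post:
#   audit_share_dir /groupshare group1 && probe_inheritance /groupshare
```

The probe also shows something the listing above does not: subdirectories created inside a SetGID directory inherit the SetGID bit themselves, so group ownership carries down the whole tree.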

Next we need to configure SELinux. A directory requires the samba_share_t context in order to be shared with samba.

# semanage fcontext -a -t samba_share_t "/groupshare(/.*)?"
# restorecon -v /groupshare/
restorecon reset /groupshare context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:samba_share_t:s0

Finally we need to define the group file share in the /etc/samba/smb.conf configuration file. We have added the content below to this file.

[groupshare]
        create mask = 0660
        force create mode = 0660
        comment = This allows us to share the /groupshare directory to group1
        path = /groupshare
        valid users = @group1
        writable = yes

The “create mask” and “force create mode” options ensure that when a user in group1 creates a new file, the permissions will be set to 660. By default files were created with 644, which prevents other members of the group from writing to the files. The “valid users” option specifies our group1; groups are specified with the ‘@’ prefix.
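
How the two options combine, as an added example that is not part of the original post. Samba ANDs the mode requested for a new file with “create mask” and then ORs in “force create mode”; the share names mask_only, force_only and defaults, the function names, and the assumption that the client requests 0644 are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# Samba's rule for a new file: (requested mode AND create mask) OR force create mode.

# Write a constructed smb.conf fragment: the post's share plus three variants.
write_sample_conf() {
    cat > "$1" <<'EOF'
[groupshare]
        create mask = 0660
        force create mode = 0660
        path = /groupshare
        valid users = @group1
        writable = yes
[mask_only]
        create mask = 0660
[force_only]
        force create mode = 0660
[defaults]
        path = /tmp/constructed
EOF
}

# Print the value of KEY (lower case) in [SHARE] of FILE; empty if not set.
share_param() {
    awk -v share="$2" -v key="$3" '
        function trim(x) { gsub(/^[ \t]+|[ \t]+$/, "", x); return x }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = trim($0)
                        in_share = (tolower(substr(s, 2, length(s) - 2)) == tolower(share))
                        next }
        in_share && (i = index($0, "=")) {
            if (tolower(trim(substr($0, 1, i - 1))) == key) val = trim(substr($0, i + 1))
        }
        END { print val }' "$1"
}

# Print the mode a file ends up with when the client asks for REQUESTED (octal).
# Unset parameters fall back to Samba's defaults: 0744 and 0000.
effective_file_mode() (
    mask=$(share_param "$1" "$2" "create mask");        mask=${mask:-0744}
    force=$(share_param "$1" "$2" "force create mode"); force=${force:-0000}
    printf '%04o\n' $(( (0$3 & 0$mask) | 0$force ))
)
```

For a requested mode of 0644, the mask alone yields 0640 (the group still cannot write) and the forced mode alone yields 0664 (other users gain read), which is why the share sets both.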

To apply these changes, restart or reload the smb service.

# systemctl restart smb

Samba Client Configuration

Now that the server is ready to accept SMB connections, we need to prepare the client.

First install the samba-client package and cifs-utils, which is used for mounting SMB shares.

yum install samba-client cifs-utils -y

Next modify the firewall by allowing the samba-client service.

firewall-cmd --permanent --add-service=samba-client
firewall-cmd --reload

Testing Group File Share

The client system should now be able to mount the samba fileshare as either user1 or user2. Both of these users should be able to modify the same files as they will be owned by group1.

First as user1 let’s mount the /groupshare directory from the server and create ‘shared-file’ with some content.

# mount //192.168.0.200/groupshare /mnt -o username=user1
Password for user1@//192.168.0.200/groupshare:  ********
# echo user1 > /mnt/shared-file

Now that’s done, we’ll unmount and remount as user2 this time and add more content to the file.

# umount /mnt

# mount //192.168.0.200/groupshare /mnt -o username=user2
Password for user2@//192.168.0.200/groupshare:  ********
# echo user2 >> /mnt/shared-file

Now on the server we can check this shared-file file and see that it has correctly been set to the permissions of 660, allowing the group of group1 both read and write access as expected. We’ll also see that it contains the contents from both user1 and user2, confirming both users are able to modify the file in the samba share.

# ls -la /groupshare/shared-file
-rw-rw----. 1 user1 group1 12 May 22 03:19 /groupshare/shared-file
# cat /groupshare/shared-file
user1
user2

Summary

As shown we can create a directory for file sharing and share it out with samba, allowing for group collaboration with the help of SetGID. Users within the same group are able to work together to access and modify content in the same directory.


This post is part of our Red Hat Certified Engineer (RHCE) exam study guide series. For more RHCE related posts and information check out our full RHCE study guide.
