Thursday, May 28, 2009

Setup Samba - Filesharing with Windows

If you have Windows computers on your LAN and want to share files from Linux with them, you must set up Samba.
To set up Samba you must (1) install samba, (2) add your 'shares', (3) add users, (4) start the Samba service and (5) manage the security options (firewall and SELinux).

1. Install Samba
It is best to have Samba installed during the installation process. If it was not, you can install it from the command line:

[alex@localhost ~]$ sudo yum install samba samba-client

2. Add Shares
You must edit /etc/samba/smb.conf as root (use nano instead of gedit if you do not have a GUI):

[alex@localhost ~]$ sudo gedit /etc/samba/smb.conf
Set your Windows workgroup name in the [global] section.
Add your shares at the end of the file. Example:

workgroup = WORKGROUP
server string = Samba Server Version %v

# A publicly accessible directory, but read only, except for people in
# the "staff" group. Note: 'write list' only adds writers to a read-only
# share; with 'writable = yes' every user, guests included, could write.
[public]
comment = Public Stuff
path = /home/samba
public = yes
writable = no
printable = no
write list = +staff

[Share]
comment = Samba shares
path = /home/commons
read only = no
valid users = alex
create mask = 0775
directory mask = 0775
#
# New additional samba shares
#
[mnt_local]
comment = Local shares
path = /mnt/local
public = yes
writable = yes
browseable = yes

[mnt_resume]
comment = Resume partition
path = /mnt/resume
public = yes
writable = yes
browseable = yes

[mnt_account]
comment = Accounts partition
path = /mnt/account
public = yes
writable = yes
browseable = yes




If a share is 'writable', the directory must be writable on the Linux side first, by the Unix account the connection is mapped to: the authenticated user for shares with 'valid users', or the guest account (by default 'nobody') for shares with 'public = yes'. A directory also needs the execute bit to be entered, so a mode such as drw-rw-rw- does not work; use something like drwxrwxr-x owned by the right group (the 'create mask' and 'directory mask' of 0775 in [Share] keep new files group-writable). Be aware that 'public = yes' (a synonym of 'guest ok = yes') together with 'writable = yes', as in the [mnt_*] shares above, allows password-less write access for anyone on the LAN; restrict such shares with 'valid users' if that is not what you want.
If home directories (all personal files under /home/username) are to be accessible, set 'browseable = yes' under [homes] (~line 250); each user still only reaches their own home directory. This configuration file is well commented, read through it to get more ideas or information.
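The guest-write problem above is easy to miss in a long smb.conf, because Samba spells the same setting several ways ('public' / 'guest ok', 'writable' / 'writeable' / the inverse 'read only'). The following Python script is an added example, not part of the original post: it parses an smb.conf, collapses those synonyms, and lists the shares that anyone on the LAN can write to without a password. The embedded configuration is a constructed copy of the shares shown above (with an explicit [global] header added); every function name is the example's own.

```python
"""Audit an smb.conf for shares that grant anonymous (guest) write access."""
import re

# Constructed sample: the shares from the tutorial above, with a [global] header.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = Samba Server Version %v

# A publicly accessible directory, but read only, except for people in
# the "staff" group   (as shipped: 'writable = yes' defeats that intent)
[public]
    comment = Public Stuff
    path = /home/samba
    public = yes
    writable = yes
    printable = no
    write list = +staff

[Share]
    comment = Samba shares
    path = /home/commons
    read only = no
    valid users = alex
    create mask = 0775
    directory mask = 0775

[mnt_local]
    comment = Local shares
    path = /mnt/local
    public = yes
    writable = yes
    browseable = yes

[mnt_account]
    comment = Accounts partition
    path = /mnt/account
    public = yes
    writable = yes
    browseable = yes
"""

# Samba parameter synonyms, normalised to one canonical spelling.
_SYNONYMS = {"public": "guest ok", "writeable": "writable", "browsable": "browseable"}
_TRUE = {"yes", "true", "1", "on"}


def _is_true(value):
    return value.strip().lower() in _TRUE


def parse_smb_conf(text):
    """Return {share_name: {param: value}}.

    '#' and ';' comment lines are skipped, section and parameter names are
    lower-cased, synonyms are collapsed, and 'read only = X' is stored as
    'writable = not X' so that every share carries a single 'writable' key.
    """
    shares, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            shares[section] = {}
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = _SYNONYMS.get(" ".join(key.lower().split()), " ".join(key.lower().split()))
        value = value.strip()
        if key == "read only":
            key, value = "writable", ("no" if _is_true(value) else "yes")
        shares[section][key] = value
    return shares


def guest_writable_shares(shares):
    """Sorted names of shares writable by anyone, with no password.

    That is 'guest ok = yes' (alias 'public') combined with 'writable = yes'.
    A 'write list' does not narrow this: it only ADDS writers to a share
    that is otherwise read-only.
    """
    return sorted(
        name for name, p in shares.items()
        if name not in ("global", "printers", "print$")
        and _is_true(p.get("guest ok", "no")) and _is_true(p.get("writable", "no"))
    )


if __name__ == "__main__":
    for name in guest_writable_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("guest-writable share:", name)   # public, mnt_local, mnt_account
```

Run it against your own file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; a share that shows up here but is only meant for one person needs 'valid users' (or 'writable = no' plus a 'write list').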

3. Add Users
To access shares, you must be a valid user. Add valid users AND their passwords using the smbpasswd command.
This login name and password are what you will use from Windows to access your Linux computer. The password is kept in Samba's own password database and does NOT need to match your Linux password.

[alex@localhost ~]$ sudo smbpasswd -a alex
New SMB password:
Retype new SMB password:
account_policy_get: (warnings ignored)
Added user alex.
(Note: 'alex' MUST be a valid account on the Fedora machine)

4. Start Samba Service
Run samba and check for any errors:

[alex@localhost ~]$ sudo /etc/init.d/smb start
Starting SMB services: [ OK ]
Use chkconfig or system-config-services to enable samba (smb) in both runlevels 3 and 5, so that Samba starts each time Fedora boots. If the machine should also show up by name in the Windows network browse list, enable and start the nmb service (the NetBIOS name service) in the same way.

[alex@localhost ~]$ /sbin/chkconfig --list smb
smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[alex@localhost ~]$ sudo /sbin/chkconfig --level 35 smb on
[alex@localhost ~]$ /sbin/chkconfig --list smb
smb 0:off 1:off 2:off 3:on 4:off 5:on 6:off
smbpasswd changes take effect immediately and smbd re-reads smb.conf on its own (about once a minute, for new connections), but restarting Samba after every change to 'smb.conf' is the simplest way to be sure it has been picked up:
[alex@localhost ~]$ sudo /etc/init.d/smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]

5. Managing Security for Samba
Firewall
The firewall blocks Samba by default (Samba needs TCP ports 139 and 445 plus UDP ports 137 and 138). To allow access run:

[alex@localhost ~]$ system-config-firewall

To allow Samba access to work through the firewall you must set 'Samba' as a 'Trusted Service' and hit 'Apply'. Alternatively if you are only using the shell and do not have access to a graphical X-server, you can run:

[alex@localhost ~]$ sudo system-config-firewall-tui

To allow Samba access to work through the firewall, use Tab to go to Customize. In the Trusted Services list scroll down to Samba, press Space to select it, then use Tab again to go to Close, and finally to OK.
SELinux
SELinux has significant control over what Samba may read and write. Read lines #23 - #51 of /etc/samba/smb.conf for an explanation of the relevant booleans and file contexts, or run:

[alex@localhost ~]$ system-config-selinux
Go to Boolean and type 'samba' in the Filter (without quotes).
The following is NOT complete and is NOT recommended, but it is a quick way to let Samba read and write any file on the system as far as SELinux is concerned:
[alex@localhost ~]$ sudo /usr/sbin/setsebool -P samba_export_all_rw on
The least-privilege alternative is to leave that boolean off and label only the exported directories with the samba_share_t type (with semanage fcontext and restorecon, or chcon), so that a misconfigured or compromised share cannot reach the rest of the filesystem. Alternatively, you can ignore SELinux at this point, try to access your shares from Windows, and the SELinux Troubleshooter should give an automatic pop-up in GNOME explaining what is wrong. If you follow those recommendations you will most likely end up more secure.
For any changes made above to the SELinux settings or smb.conf, it is recommended to restart Samba.


Thursday, May 7, 2009

UNIX network analysis


Finding open ports on your workstation
[root@localhost alex]# nmap -T Aggressive -O 192.168.0.106

Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-07 11:38 EDT
Interesting ports on 192.168.0.106:
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
902/tcp open iss-realsecure
1521/tcp open oracle
3306/tcp open mysql
6000/tcp open X11
8009/tcp open ajp13
8222/tcp open unknown
8333/tcp open unknown
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.25
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.49 seconds

Finding other services on your network
[root@localhost alex]# nmap -sT 192.168.0.106/22

Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-07 11:47 EDT
Stats: 0:00:08 elapsed; 104 hosts completed (2 up), 2 undergoing Connect Scan
Connect Scan Timing: About 84.28% done; ETC: 11:48 (0:00:00 remaining)
Interesting ports on 192.168.0.1:
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
5678/tcp open unknown
MAC Address: 00:1C:F0:54:4C:67 (D-Link)

Interesting ports on 192.168.0.100:
Not shown: 999 filtered ports
PORT STATE SERVICE
10000/tcp open snet-sensor-mgmt
MAC Address: 00:11:A0:04:59:EA (Vtech Engineering Canada)

Interesting ports on 192.168.0.106:
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
902/tcp open iss-realsecure
1521/tcp open oracle
3306/tcp open mysql
6000/tcp open X11
8009/tcp open ajp13
8222/tcp open unknown
8333/tcp open unknown

Nmap done: 1024 IP addresses (3 hosts up) scanned in 98.37 seconds
[root@localhost alex]#

Discovering hosts on your network (the ARP cache only lists hosts this machine has recently exchanged packets with, so it is not a complete inventory)
[root@localhost alex]# arp
Address HWtype HWaddress Flags Mask Iface
192.168.0.1 ether 00:1c:f0:54:4c:67 C wlan0


Finding other hosts on your network
[root@localhost alex]# nmap -sP 192.168.0.106/22

Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-07 11:41 EDT
Host 192.168.0.1 appears to be up.
MAC Address: 00:1C:F0:54:4C:67 (D-Link)
Host 192.168.0.100 appears to be up.
MAC Address: 00:11:A0:04:59:EA (Vtech Engineering Canada)
Host 192.168.0.106 appears to be up.

Nmap done: 1024 IP addresses (3 hosts up) scanned in 81.99 seconds
[root@localhost alex]#

How do I tell if a TCP network port is open or not?

So how do I tell if a TCP or UDP network port is open or not under UNIX or Linux?
Sure, iptables can be used to block or open a port or to apply packet filtering.
However, any program can open a network port. For example, a user who has access to the gcc / cc compiler can open one.

So it is necessary to list the open TCP or UDP ports.

List open TCP port with netstat

Use netstat command to list open tcp port
Code:

[root]# netstat -tulpn

Output:
Code:

tcp        0      0 0.0.0.0:22               0.0.0.0:*                   LISTEN      11960/sshd
tcp        0      0 127.0.0.1:3306           0.0.0.0:*                   LISTEN      3992/mysqld
tcp        0      0 64.19.12.xx:80           0.0.0.0:*                   LISTEN      9474/lighttpd
tcp        0      0 64.19.12.xx:80           0.0.0.0:*                   LISTEN      9474/lighttpd
tcp        0      0 127.0.0.1:25             0.0.0.0:*                   LISTEN      1859/master
tcp        0      0 64.19.12.xx:443          0.0.0.0:*                   LISTEN      9474/lighttpd
netstat also works under Windows XP or 2000 Server (there the equivalent is netstat -ano; -p means something else). Note the Local Address column: mysqld and the mail system above listen on 127.0.0.1 and are only reachable from the machine itself, while sshd (0.0.0.0) and lighttpd are reachable from the network.
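As an added example (not part of the original post), here is a Python script that parses netstat -tulpn output and separates listeners bound to loopback from those exposed on a network interface, which is the question you normally want answered. The sample output is constructed from the lines shown above plus a UDP and an IPv6 line; UDP rows have no State column, so the script takes the PID/Program name from the last field rather than a fixed column. Function names are the example's own.

```python
"""List which `netstat -tulpn` listeners are reachable from the network."""

# Constructed sample, modelled on the output above (one duplicate lighttpd line
# dropped) with a UDP row and an IPv6 row added.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      11960/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      3992/mysqld
tcp        0      0 64.19.12.xx:80          0.0.0.0:*               LISTEN      9474/lighttpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1859/master
tcp        0      0 64.19.12.xx:443         0.0.0.0:*               LISTEN      9474/lighttpd
tcp6       0      0 :::445                  :::*                    LISTEN      2210/smbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2205/nmbd
"""

# Addresses that are only reachable from the machine itself.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_netstat(text):
    """Return a list of (proto, bind_address, port, program) for each listener.

    TCP rows are kept only when their State is LISTEN; UDP rows carry no State
    column at all, which is why the program name is read from the last field.
    A '-' in that field (netstat run without root) is kept as '-'.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local = fields[0], fields[3]
        if proto.startswith("tcp") and "LISTEN" not in fields:
            continue
        pid_prog = fields[-1]
        program = pid_prog.partition("/")[2] or pid_prog
        addr, _, port = local.rpartition(":")      # works for IPv6 ':::445' too
        listeners.append((proto, addr, int(port), program))
    return listeners


def exposed_listeners(listeners):
    """Listeners not bound to loopback: roughly what a LAN nmap scan will find."""
    return [entry for entry in listeners if entry[1] not in LOOPBACK]


if __name__ == "__main__":
    for proto, addr, port, program in exposed_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{proto:5} {addr}:{port:<5} {program}")
```

Feed it live data with `parse_netstat(subprocess.check_output(["netstat", "-tulpn"], text=True))` as root; anything in the exposed list that is not meant to be a network service should be bound to 127.0.0.1 or removed, rather than hidden behind a firewall rule alone.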

Using telnet
You can also use telnet to find out whether a port is open: a connection that opens means something is listening, 'Connection refused' means the port is closed, and a long hang before a timeout usually means a firewall is dropping the packets.
Code:

telnet server-ip port-no
telnet localhost 80
telnet 192.168.1.111 25

telnet also works under Windows XP or 2000 server/UNIX oses

Using nmap
Nmap is a free security scanner which is used to evaluate the security of computers and to discover services and open or closed ports.
Code:

nmap server-ip

Code:

[root]# nmap localhost

Sample output from my computer:
Code:

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-10-10 03:52 MST
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1656 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure-sensor

Nmap finished: 1 IP address (1 host up) scanned in 0.449 seconds

Nmap works under Windows and UNIX.
Telling whether a port is open, blocked, dropped or filtered at the iptables or Windows firewall is not simple, but with the three tools above you can get a list of open ports quickly for both Windows and UNIX servers.
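The open / closed / filtered distinction that the three tools above leave you to work out by hand can be made by a plain TCP connect, which is what telnet and nmap -sT do: a successful connect means open, an immediate RST (connection refused) means closed, and silence until the timeout means the packets are being dropped. The following Python function is an added example, not part of the original post; its demo starts a throwaway listener on 127.0.0.1 so that it runs offline, and the function and names are the example's own.

```python
"""Classify a TCP port as open / closed / filtered from the client's side."""
import errno
import socket


def port_state(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for host:port.

    open     - the TCP handshake completed, something is listening
    closed   - the host answered with RST (nothing listening, or an iptables
               REJECT --reject-with tcp-reset rule)
    filtered - no answer inside the timeout, or an ICMP unreachable: packets
               are being dropped or rejected by a firewall along the way
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.ECONNREFUSED, errno.ECONNRESET):
            return "closed"
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise


def demo():
    """Probe a port while a local listener is bound to it, then after it is closed.

    The listener is a constructed stand-in for a real service; the kernel
    completes the handshake into the backlog, so no accept() is needed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    results = {"while_listening": port_state("127.0.0.1", port)}
    srv.close()                         # nothing listens there now: expect RST
    results["after_close"] = port_state("127.0.0.1", port)
    return results


if __name__ == "__main__":
    print(demo())   # {'while_listening': 'open', 'after_close': 'closed'}
```

Against a remote host a 'filtered' answer tells you the firewall is dropping rather than rejecting, which the page's telnet test only shows as a hang; use a short timeout when sweeping many ports, since every filtered port costs the full wait.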

Have fun 

Wednesday, May 6, 2009

Howto create Loop Device on REDHAT, CENTOS or FEDORA


Type : System
Operating System : Redhat,Fedora,Centos
Write by : Fabien FAYE

This mini howto explains how to create more loop devices on your operating system.

You need more loop devices in some cases, such as encrypted file systems or HVM Xen virtualization.

By default there are 8 devices available, named /dev/loop0 through /dev/loop7.

* INFORMATION
* HOT CREATION
* STANDARD CREATION
* MODULE LIMITATION
* TIPS & COMMAND

INFORMATION
-----------
You can find the loop device like that :

# ls -al /dev/loop*
brw-r----- 1 root disk 7, 0 Mar 19 09:34 /dev/loop0
brw-r----- 1 root disk 7, 1 Mar 19 09:34 /dev/loop1
brw-r----- 1 root disk 7, 2 Mar 19 09:34 /dev/loop2
brw-r----- 1 root disk 7, 3 Mar 19 09:34 /dev/loop3
brw-r----- 1 root disk 7, 4 Mar 19 09:34 /dev/loop4
brw-r----- 1 root disk 7, 5 Mar 19 09:34 /dev/loop5
brw-r----- 1 root disk 7, 6 Mar 19 09:34 /dev/loop6
brw-r----- 1 root disk 7, 7 Mar 19 09:34 /dev/loop7

Creating a loop device is very simple, but there are two ways to do it: one without a reboot (hot creation) and one that takes effect after a reboot (standard creation).

HOT CREATION
------------
Creation of loop8, loop9, loop10 :

[root]# mknod -m640 /dev/loop8 b 7 8
[root]# mknod -m640 /dev/loop9 b 7 9
[root]# mknod -m640 /dev/loop10 b 7 10

a.) -m640 sets the permissions of the device node
b.) /dev/loop8 is the name of the device node
c.) b creates a block special device
d.) 7 8 are the MAJOR and MINOR numbers (7 is the loop driver, the minor is the device index)

Note: if you made a mistake, just delete the node using:
[root]# rm /dev/loop8

Check if the loop is created
----------------------------
[root]# ls -l /dev/loop8
brw-r----- 1 root root 7, 8 Oct 3 14:54 /dev/loop8

[root]# ls -l /dev/loop9
brw-r----- 1 root root 7, 9 Oct 3 14:54 /dev/loop9

[root]# ls -l /dev/loop10
brw-r----- 1 root root 7, 10 Oct 3 14:54 /dev/loop10


Now apply the proper owner to these devices (mknod created them as root:root, while the stock nodes belong to root:disk)
----------------------------------------------------------
[root]# chown root:disk /dev/loop8
[root]# chown root:disk /dev/loop9
[root]# chown root:disk /dev/loop10

The nodes alone are not enough: the loop module only serves the first max_loop minors (8 by default), so you also have to raise that limit (see MODULE LIMITATION) and reload the module or reboot before /dev/loop8 and above can be used.

STANDARD CREATION
-----------------
You have to modify this file /etc/udev/makedev.d/50-udev.nodes

[root] # vi /etc/udev/makedev.d/50-udev.nodes
loop0
loop1
loop2
loop3
loop4
loop5
loop6
loop7
loop8
loop9
loop10
parport0
parport1
parport2
parport3
net/tun
ppp
console
null
zero

Now you have to change the module limitation and reboot your system.

MODULE LIMITATION
-----------------
In the kernel, you have to allow the creation of more loop devices.

The loop module has an absolute maximum of 256 devices; the default limit is 8.

# modinfo loop
filename: /lib/modules/2.6.18-53.1.14.el5.centos.plusxen/kernel/drivers/block/loop.ko
alias: block-major-7-*
license: GPL
srcversion: 82DB6DB3DABF3B945D6394D
depends:
vermagic: 2.6.18-53.1.14.el5.centos.plusxen SMP mod_unload gcc-4.1
parm: max_loop:Maximum number of loop devices (1-256) (int)
module_sig: 883f35047d15787f0a982eee333b2d8112f51f09f68f09b79223a34983b3aef66820c08cc6e8cd3709f6d7c56171e5a579ee1ca2ca56349c56b983a7c46

Now set this value in the modprobe.conf file; it takes effect the next time the module is loaded (after a reboot, or after rmmod/modprobe if no loop device is in use).

#vi /etc/modprobe.conf
...
options loop max_loop=64
...

TIPS & COMMAND

The losetup command is used to set up and control loop devices.

# losetup
usage:
losetup loop_device # give info
losetup -d loop_device # delete
losetup -f # find unused
losetup -a # list all used
losetup -r # read-only loop
losetup [-e encryption] [-o offset] [-r] {-f|loop_device} file # setup

Last Updated on Tuesday, 03 February 2009 22:17