Part 9: File sharing
NFS
Basics
- Create the directory to be shared
- Access is controlled per client host in /etc/exports, not per user
- Edit /etc/exports
- Restart the nfs services
Simple NFSv3
Make directories
mkdir -p /data/{backups,iso}
Edit /etc/exports: add the path, the allowed clients and the options
/path/to/share *(ro)                     # any host, read-only; remote root is squashed to nfsnobody
/path/to/moreshares *(rw,no_root_squash) # any host, read-write; remote root keeps root privileges
Don't forget SELinux
semanage fcontext -a -t public_content_rw_t "/path/to/share(/.*)?"
restorecon -Rv /path/to/share
Install Packages
Set firewall
firewall-cmd --permanent --add-service={nfs,rpc-bind,mountd}
firewall-cmd --reload
Enable and start the nfs-server service
systemctl enable nfs-server && systemctl start nfs-server   # the unit is called nfs in later releases
Check exports
showmount -e localhost
Client Side
Install "Network File System Client" group
yum group install -y "Network File System Client"
Lookup exports
showmount -e server
Mount NFS export to client
mount server:/path/to/share /path/to/mount
Add to fstab
server:/path/to/share /path/to/mount nfs _netdev 0 0
Exam hint: reboot
NFSv4
- Pseudo ("fake") root: all of a server's exports are presented under one root that the client mounts as a single tree
- Kerberos protection: user-level access control
- TCP 2049
Kerberos
- Default security is only IP/hostname based
- Security options (sec=):
none: anonymous access to files; the SELinux boolean nfsd_anon_write is required
sys: AUTH_SYS, UID and GID based, with ID mapping
krb5: Kerberos is used to authenticate the client
krb5i: krb5 plus integrity checking, which guarantees the data wasn't tampered with
krb5p: krb5i plus encryption; client and server should already be in the kerberos realm
NFSv4 + Kerberos
A keytab file is required
- The client should be an ipa-client
- Download the keytab from the server, or use the ipa cli to create one.
If the keytab is downloaded, it must be /etc/krb5.keytab with the correct permissions:
-rw-------. 1 root root 176 Apr 1 08:45 /etc/krb5.keytab
The SELinux type should be krb5_keytab_t
- On ipa:
kinit admin
ipa service-add   # enter nfs/nfs-server-name when prompted
- On nfs-server:
kinit admin
ipa-getkeytab -s ipa.servername.com -p nfs/nfs-server-name -k /etc/krb5.keytab
- Verify the keytab
klist -k
- Add the share to /etc/exports
/path/to/secure *(sec=krb5p,rw)
- Update SELinux
semanage fcontext -a -t nfs_t "/path/to/secure(/.*)?"
restorecon -Rv /path/to/secure
- Start and enable the nfs-secure-server service
systemctl start nfs-secure-server    # nfs-secure in later versions
systemctl enable nfs-secure-server   # nfs-secure in later versions
- Enable the nfs-secure service (only RHEL 7.0; not required in 7.1 and up)
systemctl enable nfs-secure
- Verify the share
showmount -e localhost
Exam hint: Reboot and verify services, firewall, and kerberos
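A check for the export options used in the NFSv3 section and in the sec=krb5p export above, added here as an example and not part of the original notes: a shell function that reads an exports file and flags read-write exports open to every host, no_root_squash, and exports that rely on host-based trust without Kerberos. The function name, the constructed sample file and the wording of the findings are my own; the function also runs against the real /etc/exports.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an exports file for
# options that widen access. Runs on any file path, so it can be pointed at a
# constructed sample (below) or at the real /etc/exports.

# audit_exports FILE
# Prints "<path> <client> <finding>" per finding; exit status is the count.
audit_exports() {
    awk '
        # drop comments and blank lines
        { sub(/#.*/, ""); if ($0 ~ /^[[:space:]]*$/) next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                # split "host(opt,opt)" into host and option list
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "*"   # "(opts)" alone means every host
                kerb = (opts ~ /(^|,)sec=krb5/)
                # read-write to any host, with nothing but an IP/hostname check
                if (client == "*" && opts ~ /(^|,)rw(,|$)/ && !kerb) {
                    print path, client, "rw exported to all hosts"; n++
                }
                # remote root keeps uid 0 on the server instead of nfsnobody
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    print path, client, "no_root_squash"; n++
                }
                # no Kerberos: trust rests on the client address only
                if (!kerb) {
                    print path, client, "no sec=krb5*, host-based trust only"; n++
                }
            }
        }
        END { exit n }
    ' "$1"
}

# count_export_findings FILE: number of findings, as a value scripts can compare
count_export_findings() {
    audit_exports "$1" | awk 'END { print NR }'
}

# make_sample_exports: writes a constructed exports file modelled on the lines
# in the notes above and prints its path
make_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/exports
/data/iso      *(ro)
/data/backups  *(rw,no_root_squash)
/data/secure   *(sec=krb5p,rw)
EOF
    echo "$f"
}

SAMPLE=$(make_sample_exports)
audit_exports "$SAMPLE" || echo "findings: $?"
rm -f "$SAMPLE"
```

On the sample, /data/secure produces no finding, /data/iso is flagged only for host-based trust, and /data/backups is flagged three times (rw to all hosts, no_root_squash, no Kerberos).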
On the client
- Make the directory
mkdir -p /path/to/secure
- Authenticate to kerberos
kinit <user>
- Start NFS secure
systemctl enable nfs-secure; systemctl start nfs-secure
- Mount the share
mount -o sec=krb5p,nfsvers=4 server:/path/to/secure /path/to/secure
- Mount at boot
Add the following to /etc/fstab
server:/path/to/secure /path/to/secure nfs sec=krb5p,_netdev 0 0
Samba
Share folders and files with macOS and Windows clients.
- Install Packages
- Create directories
- set permissions
- Update smb.conf
- set security
- start the services
- Install the required packages
yum install -y samba samba-client cifs-utils
- Create test users and groups
for i in user1 user2 smbnobody; do useradd -s /sbin/nologin $i; done
groupadd sambagroup; for i in user1 user2; do usermod -aG sambagroup $i; done
for i in user1 user2 smbnobody; do smbpasswd -a $i; done
- Make a share directory
mkdir -p /data/sambashare
- Assign permissions and update SELinux
The samba SELinux types are:
samba_share_t
public_content_t
public_content_rw_t
Booleans:
samba_enable_home_dirs - give access to Linux home directories
use_samba_home_dirs - allow access to remote home directories
- Set permissions
chgrp sambagroup /data/sambashare; chmod g=rwx /data/sambashare
semanage fcontext -a -t samba_share_t "/data/sambashare(/.*)?"
restorecon -Rv /data
- Edit /etc/samba/smb.conf. This is the minimal config:
[global]
workgroup = workgroup
[share]
comment = Samba share
path = /data/sambashare
write list = @sambagroup
More smb.conf
Add hosts allow = ip or domain to limit access
writable = yes: all authenticated users have read-write access
writable = no: use the write list for read-write users
valid users = @group or list of users
- Run testparm to check the config
testparm
- Open the firewall
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
- Start and enable the services
systemctl start smb nmb
systemctl enable smb nmb
- To restart
systemctl restart smb
Testing the connection
Lookup local CIFS shares
smbclient -L //localhost
Lookup shares on another server
smbclient -L //servername
Mount a CIFS share
mount -o username=<user> //server/sambashare /mnt
- hosts allow: in [global] or per share
man 5 hosts_access
example: hosts allow = 10.
example: hosts allow = .example.com
- Read/write permissions
writable = yes: all authenticated users have read-write access
writable = no (default): use write list to grant access to users or @groups
valid users = list of users and @groups
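A check for the smb.conf options discussed above (writable, valid users, hosts allow), added here as an example and not part of the original notes: a shell function that walks the sections of an smb.conf and flags shares that are writable by every authenticated user, allow guest access, or have no hosts allow restriction in the share or in [global]. The function names, the two constructed config files and the findings wording are my own; [global] is expected before the shares, as in the config above, and testparm remains the authoritative parser.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the shares in an
# smb.conf for settings that widen access.

# audit_smb_conf FILE
# Prints "<share> <finding>" per finding; exit status is the count.
audit_smb_conf() {
    awk '
        function reset() { writable = "no"; valid = ""; hosts = ""; guest = "no" }
        # evaluate the section just finished, then clear per-section state
        function flush() {
            if (sec == "") return
            if (sec == "global") { ghosts = hosts; reset(); return }
            if (writable == "yes" && valid == "") {
                print sec, "writable = yes with no valid users: every authenticated user can write"; n++
            }
            if (guest == "yes") {
                print sec, "guest ok = yes: unauthenticated access"; n++
            }
            if (hosts == "" && ghosts == "") {
                print sec, "no hosts allow in the share or in [global]"; n++
            }
            reset()
        }
        BEGIN { reset() }
        {
            sub(/[#;].*/, "")                                  # strip # and ; comments
            line = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
            if (line == "") next
            if (substr(line, 1, 1) == "[") {                   # new [section]
                flush()
                sec = tolower(substr(line, 2, index(line, "]") - 2))
                next
            }
            eq = index(line, "=")
            if (eq == 0) next
            key = tolower(substr(line, 1, eq - 1)); gsub(/[[:space:]]+$/, "", key)
            val = tolower(substr(line, eq + 1));    gsub(/^[[:space:]]+/, "", val)
            # Samba defaults: read only (writable = no), guest ok = no, no host limits
            if (key == "writable" || key == "writeable") writable = val
            else if (key == "read only") writable = (val == "no") ? "yes" : "no"
            else if (key == "valid users") valid = val
            else if (key == "hosts allow") hosts = val
            else if (key == "guest ok") guest = val
        }
        END { flush(); exit n }
    ' "$1"
}

# count_smb_findings FILE: number of findings, as a value scripts can compare
count_smb_findings() {
    audit_smb_conf "$1" | awk 'END { print NR }'
}

# make_sample_smb_conf: the minimal config from the notes plus a constructed
# wide-open [public] share; prints the file path
make_sample_smb_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real smb.conf
[global]
workgroup = workgroup
[share]
comment = Samba share
path = /data/sambashare
write list = @sambagroup
[public]
path = /data/public
writable = yes
guest ok = yes
EOF
    echo "$f"
}

# make_hardened_smb_conf: the same share restricted with hosts allow and
# valid users, so the audit reports nothing; prints the file path
make_hardened_smb_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
workgroup = workgroup
hosts allow = 10. .example.com
[share]
comment = Samba share
path = /data/sambashare
valid users = @sambagroup
write list = @sambagroup
EOF
    echo "$f"
}

SAMPLE=$(make_sample_smb_conf); HARDENED=$(make_hardened_smb_conf)
audit_smb_conf "$SAMPLE" || echo "findings in sample: $?"
audit_smb_conf "$HARDENED" && echo "hardened config: no findings"
rm -f "$SAMPLE" "$HARDENED"
```

The sample config yields four findings (one for [share], three for [public]); the hardened version yields none because hosts allow is inherited from [global] and write access is limited to valid users.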
Credentials files
In /etc/fstab:
//server1/sambashare /mnt/samba cifs credentials=/root/smbcreds 0 0
Create /root/smbcreds:
username=user
password=password
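Both the credentials file above and the /etc/krb5.keytab in the NFSv4 + Kerberos section hold secrets that must be readable only by their owner (the notes show the keytab as -rw------- root root). As an added example, not part of the original notes, these shell functions write a credentials file with a restrictive mode from the start and check the mode and owner of any secret file. The function names and the temporary paths are my own; on a real system the arguments would be /root/smbcreds and root, or /etc/krb5.keytab and root.

```shell
#!/bin/sh
# Added example, not part of the original notes: create a CIFS credentials
# file without ever leaving it world-readable, and verify that a secret file
# (smbcreds here, /etc/krb5.keytab on the NFS server) is owned by the expected
# user and readable by nobody else.

# write_creds FILE USER PASSWORD
# Writes the username=/password= file that mount.cifs reads via credentials=.
# umask is set in a subshell so the file is created 0600 from the start.
write_creds() {
    (
        umask 077
        printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
    )
}

# file_mode FILE: permission bits in octal (GNU stat first, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# file_owner FILE: owner user name (GNU stat first, BSD stat fallback)
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_secret_mode FILE
# 0 if FILE is a regular file with no group/other permission bits, else 1.
check_secret_mode() {
    [ -f "$1" ] || return 1
    mode=$(file_mode "$1")
    mode=${mode#${mode%???}}          # keep the last three octal digits
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_secret FILE OWNER
# 0 if FILE passes check_secret_mode and is owned by OWNER, else 1.
check_secret() {
    check_secret_mode "$1" || return 1
    [ "$(file_owner "$1")" = "$2" ]
}

# demo on a constructed path; on a real system this would be /root/smbcreds
d=$(mktemp -d)
write_creds "$d/smbcreds" user 'constructed-password'
check_secret "$d/smbcreds" "$(id -un)" \
    && echo "$d/smbcreds: mode $(file_mode "$d/smbcreds"), owner $(id -un): ok"
# the same check on the server keytab from the notes would be:
#   check_secret /etc/krb5.keytab root
rm -rf "$d"
```

The mode check accepts 0600 or stricter (0400 also passes) and rejects anything that grants group or other access, which is the condition both mount.cifs credentials files and the keytab need to meet.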
Multiuser mount
On the client
Create the multiuser credentials file
vim /root/smb-multiuser
username=smbnobody
password=password
In /etc/fstab:
//server/sambashare /mnt/multiuser cifs credentials=/root/smb-multiuser,multiuser,sec=ntlmssp 0 0
mount -a
cifscreds add server1
# enter the password of the logged-in user; it must be a Samba user
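The notes carry four fstab lines for network mounts (the plain NFS mount, the sec=krb5p mount, the CIFS credentials mount and the multiuser mount). As an added example, not part of the original notes, this shell function audits the nfs/nfs4/cifs entries of an fstab-format file and flags NFS lines without _netdev (the option the notes add to every NFS line), NFS lines that do not use sec=krb5*, and CIFS lines that put a password directly in fstab instead of pointing at a credentials= file. The function names, the constructed sample (the notes' own lines plus two added ones) and the findings wording are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the network file system
# entries of an fstab-format file.

# audit_fstab FILE
# Prints "<mountpoint> <finding>" per finding; exit status is the count.
audit_fstab() {
    awk '
        { sub(/#.*/, ""); if (NF < 4) next }          # skip comments and short lines
        $3 == "nfs" || $3 == "nfs4" || $3 == "cifs" {
            mnt = $2; fstype = $3; opts = "," $4 ","   # wrap so every option is ,x,
            # NFS mounts in the notes always carry _netdev
            if (fstype != "cifs" && opts !~ /,_netdev,/) {
                print mnt, "missing _netdev"; n++
            }
            # NFS without Kerberos relies on client address and uid alone
            if (fstype != "cifs" && opts !~ /,sec=krb5/) {
                print mnt, "NFS without sec=krb5*"; n++
            }
            # /etc/fstab is world-readable: a password= option leaks the secret
            if (fstype == "cifs" && opts ~ /,pass(word)?=/) {
                print mnt, "password in fstab, use credentials= instead"; n++
            }
        }
        END { exit n }
    ' "$1"
}

# count_fstab_findings FILE: number of findings, as a value scripts can compare
count_fstab_findings() {
    audit_fstab "$1" | awk 'END { print NR }'
}

# make_sample_fstab: the fstab lines from the notes plus two constructed ones
# (an NFS mount without _netdev, a CIFS mount with an inline password);
# prints the file path
make_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/fstab
/dev/mapper/rhel-root   /               xfs   defaults 0 0
server:/path/to/share   /path/to/mount  nfs   _netdev 0 0
server:/data/iso        /mnt/iso        nfs   ro 0 0
server:/path/to/secure  /path/to/secure nfs   sec=krb5p,_netdev 0 0
//server1/sambashare    /mnt/samba      cifs  credentials=/root/smbcreds 0 0
//server/sambashare     /mnt/multiuser  cifs  credentials=/root/smb-multiuser,multiuser,sec=ntlmssp 0 0
//server/public         /mnt/public     cifs  username=user,password=secret,_netdev 0 0
EOF
    echo "$f"
}

SAMPLE=$(make_sample_fstab)
audit_fstab "$SAMPLE" || echo "findings: $?"
rm -f "$SAMPLE"
```

On the sample, /path/to/secure and both credentials= CIFS lines pass; /path/to/mount is flagged for lacking Kerberos, /mnt/iso for lacking both _netdev and Kerberos, and /mnt/public for the inline password.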