
Part 9: File sharing

NFS

Basics

  • Create directory to be shared
  • No ACL for users, just servers
  • edit /etc/exports
  • restart nfs services

Simple NFSv3

Make directories

mkdir -p /data/{backups,iso}

Edit /etc/exports: add the path to share, the hosts allowed to mount it, and the options
/path/to/share *(ro) # user = nfsnobody
/path/to/moreshares *(rw,no_root_squash) # root user

Don't forget SELinux

semanage fcontext -a -t public_content_rw_t "/path/to/share(/.*)?"

restorecon -Rv /path/to/share

Install the nfs-utils package

Set firewall

firewall-cmd --permanent --add-service={nfs,rpc-bind,mountd}
firewall-cmd --reload

Enable and start the nfs service

systemctl enable nfs-server && systemctl start nfs-server # nfs in later releases

Check exports

showmount -e localhost
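Before trusting showmount output, it is worth reading /etc/exports with the NFSv3 trust model in mind: authorisation is host/IP based only, so a wildcard host combined with rw, or no_root_squash on any export, is the thing to catch. The following audit script is an added example and not part of the guide; the exports file it reads is a constructed sample with placeholder paths, and the warning names are this script's own.

```shell
#!/bin/sh
# Added example (not from the guide): audit an /etc/exports-style file for
# exports that are writable by every host or that do not squash root.
# NFSv3 authorisation is only host/IP based (AUTH_SYS), so "*" plus rw means
# any client on the network can write, and no_root_squash lets a client's
# root act as root on the export.

# Constructed sample exports file; paths and hosts are placeholders.
SAMPLE_EXPORTS='/data/iso      *(ro) # user = nfsnobody
/data/backups  *(rw,no_root_squash)
/data/secure   10.0.0.0/24(rw,sec=krb5p)
/data/home     client1.example.com(rw) client2.example.com(ro)
'

# write_sample -> writes the sample to a temp file and prints its path
write_sample() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_EXPORTS" > "$f"
    echo "$f"
}

# audit_exports FILE -> prints one line per export/host pair
# ("WARN path host reason" or "OK path host options") and exits with
# the number of WARN lines (0 = clean).
audit_exports() {
    awk '
    BEGIN { c = 0 }
    { sub(/#.*/, ""); if (NF == 0) next }      # drop comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {            # each host(opts) entry
            host = $i; opts = ""
            if (match($i, /\(.*\)$/)) {        # split "host(opts)"
                host = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (host == "") host = "*"         # "(rw)" alone means all hosts
            n = split(opts, o, ","); rw = 0; root = 0; krb = 0
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") root = 1
                if (o[j] ~ /^sec=krb5/) krb = 1
            }
            wild = (host == "*" || index(host, "*") > 0)
            bad = 0
            if (wild && rw && !krb) { print "WARN", path, host, "rw-to-any-host"; c++; bad = 1 }
            if (root)               { print "WARN", path, host, "no_root_squash"; c++; bad = 1 }
            if (!bad) print "OK  ", path, host, (opts == "" ? "ro (default)" : opts)
        }
    }
    END { exit c }
    ' "$1"
}

# Demo: run the audit on the constructed sample.
sample=$(write_sample)
audit_exports "$sample" || echo "$? finding(s) in $sample"
```

Run it against the real file with audit_exports /etc/exports; a non-zero exit status is the count of exports to revisit, which makes it easy to drop into a post-change check.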

Client Side

Install "Network File System Client" group

yum group install -y "Network File System Client"

Lookup exports

showmount -e server

Mount NFS export to client

mount server:/path/to/share /path/to/mount

Add to fstab

server:/path/to/share /path/to/mount nfs _netdev 0 0

Exam hint: reboot

NFSv4

  • Pseudo root ("fake root") mount - mount all exports of a remote server under one local root directory
  • Kerberos protection - user-level ACLs, not just host-based access
  • TCP port 2049

Kerberos

  • Default security is only IP/hostname based
  • Security options (sec=):
    none: anonymous access to files; the SELinux boolean nfsd_anon_write is required for writes
    sys: UID/GID based access with ID mapping (the default)
    krb5: Kerberos is used to authenticate the client user
    krb5i: krb5 plus integrity checking, guaranteeing data wasn't tampered with
    krb5p: krb5i plus encryption (privacy)
  • Client and server should already be in the Kerberos realm

NFSv4 + Kerberos

A keytab file is required

  • Client should be an ipa-client
  • Download the keytab from the server, or use the ipa CLI to create one.
    If the keytab is downloaded, it must be /etc/krb5.keytab with the correct permissions:

-rw-------. 1 root root 176 Apr  1 08:45 /etc/krb5.keytab

The SELinux tag should be krb5_keytab_t

  • On ipa:
    kinit admin
    ipa service-add # enter nfs/nfs-server-name when prompted.
  • On nfs-server
    kinit admin
    ipa-getkeytab -s ipa.servername.com -p nfs/nfs-server-name -k /etc/krb5.keytab
  • Verify keytab
    klist -k
  • Add share to /etc/exports

/path/to/secure *(sec=krb5p,rw)

  • Update SELinux

semanage fcontext -a -t nfs_t "/path/to/secure(/.*)?"

restorecon -Rv /path/to/secure

  • Start and enable the nfs-secure-server service

systemctl start nfs-secure-server # nfs-secure in later versions
systemctl enable nfs-secure-server # nfs-secure in later versions

  • Enable the nfs-secure service (RHEL 7.0 only; not required in 7.1 and up)

systemctl enable nfs-secure

  • Verify share

showmount -e localhost

Exam hint: Reboot and verify services, firewall, and kerberos

On the client

  • Make the mount directory
    mkdir -p /path/to/secure
  • Authenticate to Kerberos
    kinit <user>
  • Start NFS Secure

systemctl enable nfs-secure; systemctl start nfs-secure

  • Mount the share

mount -o sec=krb5p,nfsvers=4 server:/path/to/secure /path/to/secure

  • Mount at boot
    Add the following to /etc/fstab

server:/path/to/secure /path/to/secure nfs sec=krb5p,_netdev 0 0

Samba

Share folders and files with macOS and Windows clients.

  1. Install packages
  2. Create directories
  3. Set permissions
  4. Update smb.conf
  5. Set security
  6. Start the services
  • Install the required packages

yum install -y samba samba-client cifs-utils

  • Create test users and groups

for i in user1 user2 smbnobody; do useradd -s /sbin/nologin $i; done

groupadd sambagroup; for i in user1 user2; do usermod -aG sambagroup $i; done

for i in user1 user2 smbnobody; do smbpasswd -a $i; done

  • Make a share directory
    mkdir -p /data/sambashare
  • Assign permissions and update SELinux
    The Samba SELinux file contexts are:
    samba_share_t
    public_content_t
    public_content_rw_t
  • Booleans
    samba_enable_home_dirs - give Samba access to Linux home directories
    use_samba_home_dirs - allow access to remote Samba home directories
  • Set permissions.

chgrp sambagroup /data/sambashare; chmod g=rwx /data/sambashare

semanage fcontext -a -t samba_share_t "/data/sambashare(/.*)?"

restorecon -Rv /data

  • Edit /etc/samba/smb.conf. This is the smallest working config:

[global]
workgroup = workgroup
[share]
comment = Samba share
path = /data/sambashare
write list = @sambagroup

More smb.conf

Add hosts allow = <ip or domain> to limit access

writable = yes: all authenticated users have R/W

writable = no: use the write list for RW users.

valid users = @group or list of users
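The three settings above (hosts allow, writable, valid users / write list) decide who can write to a share, and testparm only checks syntax, not intent. The reviewer below is an added example that is not part of the guide: it walks each [share] section of an smb.conf and reports whether writes are open to every authenticated user, restricted to a valid users list, or limited to a write list, and whether hosts allow is set in the share or in [global]. The configuration it reads is a constructed sample; the share names and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the guide): review smb.conf share sections for the
# access settings described in this section. A share with "writable = yes"
# and no "valid users" list is writable by every authenticated Samba user;
# "guest ok = yes" opens it without a password at all.

# Constructed sample smb.conf; shares and paths are placeholders.
SAMPLE_SMB_CONF='[global]
workgroup = workgroup
hosts allow = 10. .example.com

[share]
comment = Samba share
path = /data/sambashare
write list = @sambagroup

[open]
path = /data/open
writable = yes
guest ok = yes

[finance]
path = /data/finance
writable = yes
valid users = @finance
'

# audit_smb_conf FILE -> one line per share ("WARN name ..." or "OK name ...");
# exits with the number of WARN lines (0 = clean).
audit_smb_conf() {
    awk '
    BEGIN { w = 0 }
    function report() {
        if (sec == "" || sec == "global") return
        ha = (v["hosts allow"] != "" || g["hosts allow"] != "") ? "hosts allow set" : "hosts allow unset"
        if (v["guest ok"] == "yes") { print "WARN", sec, "guest ok = yes;", ha; w++ }
        else if (v["writable"] == "yes" && v["valid users"] == "") { print "WARN", sec, "writable to all authenticated users;", ha; w++ }
        else if (v["writable"] == "yes") print "OK  ", sec, "writable, restricted to:", v["valid users"] ";", ha
        else if (v["write list"] != "") print "OK  ", sec, "read-only except write list:", v["write list"] ";", ha
        else print "OK  ", sec, "read-only;", ha
    }
    { sub(/[;#].*/, "") }                      # strip comments
    /^[ \t]*\[.*\][ \t]*$/ {                   # section header: report previous share
        report()
        for (k in v) delete v[k]
        sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
        next
    }
    index($0, "=") {                           # key = value inside a section
        key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "writeable") key = "writable"            # spelling alias
        if (key == "read only") { key = "writable"; val = (val == "no") ? "yes" : "no" }
        if (sec == "global") g[key] = val; else v[key] = val
    }
    END { report(); exit w }
    ' "$1"
}

# Demo: run the reviewer on the constructed sample.
conf=$(mktemp)
printf '%s' "$SAMPLE_SMB_CONF" > "$conf"
audit_smb_conf "$conf" || echo "$? share(s) to review"
```

Run audit_smb_conf /etc/samba/smb.conf after editing and before testparm; the [open] share in the sample is the pattern to look for, since guest ok = yes plus writable = yes turns a file share into an anonymous drop box.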

  • run testparm
  • Open the firewall

firewall-cmd --permanent --add-service=samba

firewall-cmd --reload

  • Start and enable the services

systemctl start smb nmb

systemctl enable smb nmb

  • To restart

systemctl restart smb

Testing the connection

Lookup local CIFS shares

smbclient -L //localhost

Lookup shares on another server

smbclient -L //servername

Mount a CIFS share

mount -o username=<user> //server/sambashare /mnt

  • hosts allow in [global] or share specific

man 5 hosts_access

example: hosts allow = 10.

example: hosts allow = .example.com

  • Read/write permissions

writable = yes: all authenticated users have read-write access

writable = no (default): use write list to grant access to users or @groups

valid users = list of users and @groups

Credentials files

In /etc/fstab

//server1/sambashare /mnt/samba cifs credentials=/root/smbcreds 0 0

Create /root/smbcreds

username=user
password=password
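A credentials file holds a plaintext Samba password, and the keytab from the NFSv4 section holds Kerberos keys, so both must be readable by root only (the guide shows -rw------- for /etc/krb5.keytab). The helper below is an added example, not from the guide: it writes a credentials file with a restrictive umask and checks that any secret file has mode 600 before it is referenced from fstab. The user name and password it writes are constructed sample values, and the temp file stands in for /root/smbcreds.

```shell
#!/bin/sh
# Added example (not from the guide): create a CIFS credentials file that is
# never world-readable, and verify the mode of any secret file (this file or
# /etc/krb5.keytab) before referencing it from /etc/fstab.

# write_creds FILE USER PASS -> creates FILE with mode 0600 holding the
# username=/password= lines mount.cifs expects.
write_creds() {
    # umask 077 in a subshell so the file is created 0600 from the start
    ( umask 077; printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"      # also tighten it if the file already existed
}

# file_mode FILE -> prints the octal permission bits (GNU stat, BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_secret_file FILE -> returns 0 if the mode is exactly 600, 1 otherwise
check_secret_file() {
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    mode=$(file_mode "$1")
    if [ "$mode" = "600" ]; then
        echo "OK   $1 mode $mode"
        return 0
    fi
    echo "WARN $1 mode $mode (expected 600; fix with: chmod 600 $1)"
    return 1
}

# Demo on a temporary file in place of /root/smbcreds; the password is a
# constructed sample value.
creds=$(mktemp)
write_creds "$creds" smbnobody 'S3cret-example'
check_secret_file "$creds"
```

On a real system the same check applies to /etc/krb5.keytab (check_secret_file /etc/krb5.keytab), which should also be owned by root:root as shown earlier.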

Multiuser Mount

On client

Create the multi user file

vim /root/smb-multiuser

username=smbnobody
password=password

In /etc/fstab:

//server/sambashare /mnt/multiuser cifs credentials=/root/smb-multiuser,multiuser,sec=ntlmssp 0 0

mount -a

cifscreds add server1 # enter the password of the logged-in user. Must be a Samba user.
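The fstab entries in this guide carry the security decisions for both protocols: the sec= flavour on NFS mounts (absent or sec=sys means the server trusts whatever UID the client presents) and, on CIFS mounts, whether the password sits in a credentials= file or inline in the options where any user can read it from /etc/fstab. The audit below is an added example and not from the guide; it reads a constructed sample fstab with placeholder server names and paths and reports on each network mount.

```shell
#!/bin/sh
# Added example (not from the guide): audit fstab lines for the NFS and CIFS
# mounts configured in this guide. For nfs/nfs4 entries it reports the sec=
# flavour and whether _netdev is set; for cifs entries it flags a plaintext
# password= option and notes credentials files and multiuser mounts.

# Constructed sample fstab; servers and paths are placeholders.
SAMPLE_FSTAB='# <device>                <mount>          <type> <options>                        <dump> <pass>
server:/path/to/share     /path/to/mount   nfs    _netdev                           0 0
server:/path/to/secure    /path/to/secure  nfs    sec=krb5p,_netdev                 0 0
//server1/sambashare      /mnt/samba       cifs   credentials=/root/smbcreds        0 0
//server/sambashare       /mnt/multiuser   cifs   credentials=/root/smb-multiuser,multiuser,sec=ntlmssp 0 0
//server2/legacy          /mnt/legacy      cifs   username=user,password=hunter2    0 0
'

# audit_fstab FILE -> one line per network mount ("OK|WARN|INFO mountpoint note");
# exits with the number of WARN lines (0 = clean).
audit_fstab() {
    awk '
    BEGIN { w = 0 }
    { sub(/#.*/, ""); if (NF < 4) next }       # skip comments and short lines
    $3 == "nfs" || $3 == "nfs4" {
        sec = "sys"; netdev = 0                # sec=sys is the NFS default
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^sec=/) sec = substr(o[i], 5)
            if (o[i] == "_netdev") netdev = 1
        }
        if (sec ~ /^krb5/) print "OK  ", $2, "nfs sec=" sec
        else { print "WARN", $2, "nfs sec=" sec " (host-based trust only)"; w++ }
        if (!netdev) { print "WARN", $2, "missing _netdev"; w++ }
    }
    $3 == "cifs" {
        creds = 0; plain = 0; multi = 0
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^credentials=/) creds = 1
            if (o[i] ~ /^password=/) plain = 1
            if (o[i] == "multiuser") multi = 1
        }
        tag = multi ? ", multiuser" : ""
        if (plain)      { print "WARN", $2, "cifs password in fstab options"; w++ }
        else if (creds) print "OK  ", $2, "cifs credentials file" tag
        else            print "INFO", $2, "cifs no credentials (will prompt or use guest)"
    }
    END { exit w }
    ' "$1"
}

# Demo: run the audit on the constructed sample.
fstab=$(mktemp)
printf '%s' "$SAMPLE_FSTAB" > "$fstab"
audit_fstab "$fstab" || echo "$? warning(s)"
```

Against the real file, audit_fstab /etc/fstab is a quick check after the exam-hint reboot that the secure export still mounts with sec=krb5p and that no CIFS password has crept into fstab itself.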