Setup a Windows/Mac file server with Samba and Netatalk on RHEL6 in Active Directory

Okay, for this post, I am going to presume that you attached your RHEL6 server to the domain using the settings from my previous RHEL6 AD authentication guide.  If not, please click on that link and go there to set it up.

Setting up Samba

First we will start by setting up your Samba/Winbind config to do some actual file sharing with Windows workstations on your domain.  And to do that, we will need to install the samba server package with the following command as root:

yum -y install samba policycoreutils-python && service smb restart

Now, we need to poke a few holes in the firewall to allow clients to connect to our Samba ports with the following commands as root:

iptables -I INPUT -p tcp --dport 139 -j ACCEPT
iptables -I INPUT -p tcp --dport 445 -j ACCEPT

And to save the changes to iptables so they will work after a reboot, do the following as root:

service iptables save

Next, open the smb.conf file with your favorite editor and go near the bottom of the file to the section “Share Definitions”.  You will notice that by default Samba is configured to share out home directories and printers; the home directory settings won’t work right in this setup, so go ahead and comment them out for now by putting a ; in front of those lines.  Then scroll to the very bottom of the file and create the new share by adding the following:

[data]
	comment = Data Share
	browseable = yes
	writable = yes
	path = /data
	valid users = @"MYDOMAIN\my share group"
	force group = "my share group"

Replace the word data in the brackets on the first line with whatever you want to name the share.  Change the comment as well to what you want, change the path to where on the filesystem you want to store the shared files, and change the MYDOMAIN and my share group parts of the valid users line to your domain short name and the AD group that you want to allow access to the share.  With the force group line pointing to that same group, any new files or folders created in the share from Windows clients will keep that group as the group owner.

Next, we need to do some SELinux magic and permission fixes so Samba has access to the folder with the following commands as root: *change the /data parts to where your share will be located on your filesystem*

chmod 770 /data
semanage fcontext -a -t samba_share_t "/data(/.*)?"
restorecon -R -v /data

Now, we can go ahead and restart Samba to check and see if our configuration works with the following command as root:

service smb restart

At this point, try connecting from a Windows box logged in as a user who is a member of the group that you granted access to the /data share.  It should work and allow you to create new files and delete them.  You should be able to see the files on the Linux server as well by doing an ls -l in the folder where the share is located.

Last, we need to set this service to start after a reboot with the following command:

chkconfig smb on

Setting up Netatalk

Okay, now we are going to set up Netatalk to share our /data partition as well.   We will start by installing the Netatalk RPM for our architecture from the EPEL repository with the next command as root:

yum -y install

If you are using 32-bit or the command doesn’t work, you can head over to the EPEL Repo and grab it from there.

Next, we need to again open ports on the firewall to allow for the new AFP service using the following firewall commands:

iptables -I INPUT -p tcp --dport 548 -j ACCEPT
iptables -I INPUT -p tcp --dport 5353 -j ACCEPT
service iptables save

Now, we will do the minimal configuration to get our /data share up on AFP by adding the following to the bottom of the file /etc/netatalk/AppleVolumes.default

/data data allow:@"my share group"

After adding that, you should set the setgid bit on the group of the /data directory so that new files and directories created over AFP inherit the same group; use this command as root:

chmod g+s /data

That will also apply to local Linux users connecting via SSH.  Now start the netatalk service and configure it to start automatically after a reboot using these commands as root:

service netatalk restart && chkconfig netatalk on

And with that, you should be able to reach your share from a Mac using AFP or SMB.  There are guides out there on how to set up a Mac to back up to an AFP share with Time Machine as well.  You can use Netatalk for this by turning on the Time Machine option and optionally limiting the size of the AFP share as seen by clients, since Time Machine will otherwise use all the space on the drive.  Below is an example with the two settings for that:

/data data allow:@"my share group" volsizelimit:1000000 options:tm