Configuring SELinux to allow the sharing of a directory by Samba

Tested on RHEL6/CentOS6.

As root:

# mkdir /data
# ls -dZ /data
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data
# semanage fcontext -a -t samba_share_t ‘/data(/.*)?’
# restorecon -R /data
# ls -dZ /data
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /data

You may also want to run the following:
setsebool -P samba_export_all_rw 1

Copying Samba users from one server to another

Coping Samba users from one server to another is not as difficult as it sounds.

The following steps require root access. pdbedit won’t work as a regular user.

  1. On the source server export the user database.  In this example we use smbpasswd format.
    pdbedit -e smbpasswd:/root/samba-users.backup
  2. Copy the file to the second samba server.
  3. Import the backup into the password database.
    pdbedit -i smbpasswd:/root/samba-users.backup

That’s it.

It should be said, that if you are running multiple Samba servers and you want to have common users and groups, you should really be looking and a centralized user solution.  Samba 3 By Example is a good place to start.


Note on sharing a single LDAP database with multiple Samba servers


“… to share a single set of users/groups in LDAP to multiple samba
servers you will need LDAP and a PDC and the other servers will be
BDCs. yes you will join BDC’s with net rpc join -D domain -S
pdc_server_name -U root%password

read chapter 5.3 of samba 3 by example.pdf”

– Adam Williams


How to add a schema file to OpenLDAP 2.4

The following are the steps I used to add samba.schema to an already running OpenLDAP 2.4 installation.

  1. Create a file called convert.conf that contains a list of the of schema file(s) to be converted. To make things go smoother later on, include all the schema files already in your OpenLDAP installation. Make sure to list them in the same order they are listed in your existing setup. Add the schema file(s) to be added at the end.

For example:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/samba.schema

In this example, core.schema through openldap.schema are already in the OpenLDAP server.  samba.schema is the new schema we’re adding.

  1. Create a diretory to hold the generated configuration.
mkdir /tmp/ldif_output
  1. Run slapcat(1) command passing it our convert.conf to create the ldif.
slapcat -f ./convert.conf -F /tmp/ldif_output -n0 -s 'cn={5}samba,cn=schema,cn=config' > samba.ldif

The number 5 in ‘cn={5}samba,cn=schema,cn=config’ is based on samba.schema being the 5th entry in convert.conf when you count the rows in the file starting at 0.

  1. Next, edit samba.ldif and remove the following lines from the end of the file.
structuralObjectClass: olcSchemaConfig
entryUUID: eba68f74-d586-1030-94a1-d3d0db45d1cb
creatorsName: cn=config
createTimestamp: 20120117184341Z
entryCSN: 20120117184341.297933Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120117184341Z

The field names in your file will match, but the values will be different.

You’ll note that we didn’t have to update the DN value in samba.ldif. This is because we put the schema files in the proper order in our convert.conf. If we didn’t, you would have to edit the value before running proceeding to the next step.

  1. Now add the the converted samba schema to your OpenLDAP server.
ldapadd -x -W -D 'cn=config' -W -f ./samba.ldif

If it worked you should receive the message:

adding new entry "cn={5}samba,cn=schema,cn=config"