Basic SMB / No systemctl Units

How does one enable SMB?

The Red Hat 8 documentation indicates that SMB can be enabled with systemctl, but I get an error:

# systemctl enable --now smb
Failed to enable unit: Unit file smb.service does not exist.

Even though Samba is installed, it looks like I don’t have systemctl units for it:

# systemctl list-unit-files | grep smb
# systemctl list-unit-files | grep samba
# rpm -qa | grep samba
samba-common-4.14.5-10.el8_5.noarch
samba-common-libs-4.14.5-10.el8_5.x86_64
samba-client-libs-4.14.5-10.el8_5.x86_64

Are unit files installed separately?

What am I missing?

Mike

UPDATE:

As sweh already mentioned, I needed to install the samba package to get the server.

Since I already started this post I might as well finish it properly.

The path of least resistance to a fully working but minimalistic SMB share is as follows:

# dnf install samba
# vi /etc/samba/smb.conf
[global]
        workgroup = SAMBA
        security = user
        local master = no
        wins support = no
        load printers = no
[someshare]
        path = /path/to/shared/dir
        valid users = someuser
        writable = yes
# smbpasswd -a someuser
# smbpasswd -e someuser
# firewall-cmd --permanent --add-port=445/tcp
# firewall-cmd --reload
# systemctl restart smb

Note that the RH docs recommend the following for the firewall-cmd:

# firewall-cmd --permanent --add-port={139/tcp,445/tcp}

However, port 139 is only for SMB1, which is disabled on new Windows systems.

Note that if SELinux is set to enforcing, it will block new SMB connections. Clients, like smbclient, will get an error:

$ smbclient //rocky.soho.lan/someshare
Password for [SAMBA\someuser]:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

I elected to disable SELinux because this is for a SOHO server and I’m positive that I’ll never be hacked ever!

To disable SELinux do:

# vi /etc/sysconfig/selinux
SELINUX=disabled

Then reboot.

You need the samba package installed; that contains the server components; you only have the client installed.


Fascinating. One of the services that is predefined is “samba”:

# firewall-cmd --info-service=samba
samba
  ports: 137/udp 138/udp 139/tcp 445/tcp
  protocols: 
  source-ports: 
  modules: 
  destination: 
  includes: 
  helpers: netbios-ns

Red Hat / firewalld usually recommends use of ‘--add-service’ over ‘--add-port’ as the services are able to enable “helpers”, while the ports won’t.

You are right though, opening ports that you don’t need is bad practice.
You can list all defined services with: firewall-cmd --get-services

What did we just agree on? That opening more than necessary is bad.
https://stopdisablingselinux.com/

SELinux has several booleans about Samba. See getsebool -a | grep -E "samba|smb"
I seem to have on one system:

samba_enable_home_dirs --> on
samba_export_all_rw --> on

… and that is sufficient for that system – SELinux enforcing.

Overall, SELinux does log the deny-events, and audit2why can propose the necessary change that would allow those accesses.
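
The deny events mentioned in the post above are written to the audit log as AVC records. As an added example that is not part of the original thread, this shell function summarises the records logged for smbd by refused target type, object class and permission; the sample records are constructed, and default_t is only an assumed label for a share directory that was never relabelled.

```shell
#!/bin/sh
# Added example: count SELinux AVC denials logged for smbd, grouped by the
# target file type, object class and permission that was refused.

# Constructed sample records (not from the thread) in audit.log format.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1640995200.101:411): avc:  denied  { read } for  pid=2301 comm="smbd" name="dir" dev="dm-0" ino=1337 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1640995200.101:411): arch=c000003e syscall=257 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1640995203.554:415): avc:  denied  { read } for  pid=2301 comm="smbd" name="dir" dev="dm-0" ino=1337 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1640995210.020:419): avc:  denied  { getattr } for  pid=2301 comm="smbd" path="/path/to/shared/dir/a.txt" dev="dm-0" ino=1340 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1640995215.700:423): avc:  denied  { name_connect } for  pid=1811 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Reads audit records on stdin, prints "<count> <target type> <class> <perms>".
# On a real host: summarize_smbd_denials < /var/log/audit/audit.log
summarize_smbd_denials() {
    awk '
    /type=AVC/ && /denied/ && /comm="smbd"/ {
        perms = ""; ttype = ""; tclass = ""
        # The refused permissions sit between "{ " and " }".
        s = index($0, "{ "); e = index($0, " }")
        if (s && e > s) perms = substr($0, s + 2, e - s - 2)
        gsub(/ /, ",", perms)
        for (i = 1; i <= NF; i++) {
            # tcontext is user:role:type:level; the type is the third part.
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        n[ttype " " tclass " " perms]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample.
sample_audit_log | summarize_smbd_denials
```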

Yeah, I’m definitely not using that. Even if you wanted to use the “browser” service or “Network Neighborhood” or whatever it’s called these days, only one machine needs to have it open to make it the “master browser”. I didn’t think anyone even used that anymore.

And I don’t know why 138 would be there. I don’t think I’ve ever seen 138 datagram traffic and I’ve looked at a lot of packet captures of Windows traffic.

And even SMB1 uses 445. I think you would have to have pre-Vista machines to see 139. Unless maybe 445 was blocked. Then a client might try 139.

So most people probably need only port 445.

Oops. If only I had seen that website before I disabled it!