CentOS 8 and Samba/NFS/FTP access and Apache (httpd) listing NFS content

In this post we set up an FTP, Samba and NFS server on CentOS 8, grant a user access to the Linux server, and allow listing of that content at a specific URL via the Apache web server (for example, to test download speed over the web and upload speed over FTP).

At the beginning, we install the secure FTP server (vsftpd), the Apache web server, Samba and the NFS utilities:

dnf -y install vsftpd samba httpd vim nfs-utils

Create SAMBA shares

Create the user who can access our secure samba folder:

#samba-only account: no shell login on the server
useradd -s /sbin/nologin guru
groupadd smbgroup
usermod -a -G smbgroup guru
#set the Samba password (separate from the Unix password)
smbpasswd -a guru

Then, create the directories for the samba shares. The semanage fcontext and restorecon commands (or chcon) mark our directory with a label so that SELinux allows the samba service to operate on this folder. Another possibility is to disable SELinux, but that is not the right way.

#for the anonymous share
mkdir -p /mnt/aaa
chmod -R 0777 /mnt/aaa
semanage fcontext -a -t samba_share_t '/mnt/aaa'
chown -R nobody:nobody /mnt/aaa
restorecon -R /mnt/aaa
#for the secure share of the user "guru"
mkdir -p /mnt/kadeco/
chmod -R 0755 /mnt/kadeco/
semanage fcontext -a -t samba_share_t '/mnt/kadeco'
chown -R guru:smbgroup /mnt/kadeco/
restorecon -R /mnt/kadeco/

Edit the samba config for our anonymous and secure shares:

vim /etc/samba/smb.conf

[global]
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
        map to guest = bad user

[Anonymous-aaa]
        path = /mnt/aaa
        writable = yes
        browsable = yes
        guest ok = yes
        create mode = 0777
        directory mode = 0777

[kadeco]
        path = /mnt/kadeco
        writable = yes
        browsable = yes
        guest ok = no
        valid users = guru
        create mask = 0755
        directory mask = 0755
        read only = No

Now we can print our samba configuration and test it for errors with this command:

testparm
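testparm only validates the syntax. As an added check that is not part of the original post, this shell function parses an smb.conf like the one above and lists every share that unauthenticated guests can write to; the sample config it runs on is constructed here:

```shell
# Constructed sample smb.conf: the two shares from the post plus a
# read-only guest share, written to a temp file so the check runs offline.
SAMPLE_SMB_CONF=$(mktemp)
cat >"$SAMPLE_SMB_CONF" <<'EOF'
[global]
        workgroup = SAMBA
        security = user
[Anonymous-aaa]
        path = /mnt/aaa
        writable = yes
        guest ok = yes
[kadeco]
        path = /mnt/kadeco
        writable = yes
        guest ok = no
        valid users = guru
[readonly-pub]
        path = /srv/pub
        guest ok = yes
        read only = yes
EOF

# Print every share that guests may write to. Samba semantics: "guest ok"
# (or "public") = yes admits guests; "writable"/"writeable" = yes equals
# "read only = no"; the last setting in a section wins; default is read only.
guest_writable_shares() {
    awk -F'=' '
        function flush() {
            if (sec != "" && tolower(sec) != "global" && guest && write) print sec
            guest = 0; write = 0
        }
        /^[[:space:]]*\[/ {                        # start of a [section]
            flush(); sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        /^[[:space:]]*[#;]/ || NF < 2 { next }     # comments and blank lines
        {
            key = tolower($1); val = tolower($2)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "guest ok" || key == "public") guest = (val == "yes")
            if (key == "writable" || key == "writeable") write = (val == "yes")
            if (key == "read only") write = (val == "no")
        }
        END { flush() }
    ' "$1"
}

guest_writable_shares "$SAMPLE_SMB_CONF"   # prints: Anonymous-aaa
```

Run it against /etc/samba/smb.conf to confirm that only the shares you intend (here the anonymous one) are guest-writable.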

Next, if we use a firewall, we must allow the samba service (or its ports):

firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

And finally, start the samba services and enable them so they come up after a reboot:

systemctl enable smb.service --now
systemctl enable nmb.service --now
systemctl status smb
systemctl status nmb

A way to restart the samba services:

systemctl restart smb
systemctl restart nmb

And now we can use our samba server, either the anonymous folder or the secured folder.

We can list the status of samba with these commands:

smbstatus -p   - show the list of samba processes
smbstatus -S   - show the samba shares
smbstatus -L   - show the samba locks

If we need to restart the samba process or the whole server, we can list the locked files with "smbstatus -L". We can see which share is locked and which specific file is being accessed.

Create FTP access

We want a secure FTP server, so we need to modify some variables in the main configuration file and check the other variables against the example below:

vim /etc/vsftpd/vsftpd.conf

#vsftpd only accepts comments on their own line, never after a value
#disable anonymous access
anonymous_enable=NO
local_enable=YES
write_enable=YES
#chroot users to their home folder
chroot_local_user=YES
allow_writeable_chroot=YES

Now we allow FTP access in the firewall and start the service:

firewall-cmd --permanent --add-service=ftp --zone=public
firewall-cmd --reload
systemctl enable vsftpd --now
systemctl status vsftpd

Creating an FTP User

To test the FTP server, we will create a new user.

Create a new user named ftpguru:

adduser ftpguru

Next, you need to set the user's password:

passwd ftpguru

Create the FTP directory tree and set the correct permissions:

mkdir -p /home/ftpguru/ftp/upload
chmod 550 /home/ftpguru/ftp
chmod 750 /home/ftpguru/ftp/upload
chown -R ftpguru: /home/ftpguru/ftp
systemctl restart vsftpd

As discussed in the previous section, the user will be able to upload files to the ftp/upload directory.

At this point, your FTP server is fully functional, and you should be able to connect to your server with any FTP client.

Create NFS access

Allow the nfs service in firewalld:

firewall-cmd --permanent --zone=public --add-service=nfs
firewall-cmd --reload
#if showmount does not work on the clients and fails with an error like this:
showmount -e 11.22.33.44
rpc mount export: RPC: Unable to receive; errno = No route to host
clnt_create: RPC: Unable to receive
#then we must also allow the rpc-bind and mountd services in the firewall:
firewall-cmd --permanent --zone=public --add-service=rpc-bind
firewall-cmd --permanent --zone=public --add-service=mountd
firewall-cmd --reload

Now enable nfs-server so it runs after the server powers on, and start it:

systemctl enable nfs-server.service
systemctl start nfs-server.service

Now we create the directory where we want to enable NFS access:

mkdir /mnt/nfs

And edit the file /etc/exports so this folder is allowed for everybody in the network:

/mnt/nfs *(rw,sync,no_root_squash,no_all_squash)

And apply this change:

exportfs -arv

We can see our settings with the command "exportfs":

/mnt/nfs        <world>
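As an added check that is not part of the original post, this shell function scans an exports file like the one above and reports every entry reachable from all hosts that is rw or has no_root_squash (the line in this post has both); it also catches the classic "host (options)" typo, where the space makes the options apply to the whole world. The sample exports file is constructed:

```shell
# Constructed sample /etc/exports: the line from the post plus three more
# lines, one of which shows the "host (opts)" space mistake.
SAMPLE_EXPORTS=$(mktemp)
cat >"$SAMPLE_EXPORTS" <<'EOF'
# sample exports file (constructed)
/mnt/nfs *(rw,sync,no_root_squash,no_all_squash)
/srv/pub *(ro,sync)
/srv/lan 192.168.1.0/24(rw,sync)
/srv/oops 192.168.1.0/24 (rw,sync)
EOF

# Print each export reachable from every host with its effective rw/ro and
# root-squash setting, but only when it is rw or has no_root_squash.
# Rules from exports(5): a client of "*" matches all hosts; "(opts)" with
# no client in front of it also means all hosts; defaults are ro and
# root_squash.
risky_world_exports() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match($i, /\(.*\)$/)) {            # split "client(opts)"
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                if (client == "") client = "*"         # bare "(opts)" = everyone
                if (client != "*") continue
                rw = 0; squash = 1
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") rw = 1
                    if (o[j] == "ro") rw = 0
                    if (o[j] == "no_root_squash") squash = 0
                    if (o[j] == "root_squash") squash = 1
                }
                if (rw || !squash) printf "%s world %s %s\n", path, (rw ? "rw" : "ro"), (squash ? "root_squash" : "no_root_squash")
            }
        }
    ' "$1"
}

risky_world_exports "$SAMPLE_EXPORTS"
```

For the sample it prints "/mnt/nfs world rw no_root_squash" and "/srv/oops world rw root_squash"; point it at /etc/exports to review a real server.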

And from other linux machine, we can mount this folder:

mount 11.22.33.44:/mnt/nfs /mnt/nfs/
#check the reported disk space
df -h
Filesystem            Size  Used Avail Use% Mounted on
11.22.33.44:/mnt/nfs
                      1.5T  200G  1.3T  14% /mnt/nfs

And we can test it with a 1GB file:

dd if=/dev/zero of=/mnt/nfs/1gb bs=1M count=1000
1048576000 bytes (1.0 GB) copied, 16.4533 s, 63.7 MB/s
...
...
ls -lah /mnt/nfs/
drwxr-xr-x. 18 nfsnobody nfsnobody  4.0K Feb 28 10:47 .
drwxr-xr-x.  3 root      root       4.0K Feb 28 10:24 ..
-rw-r--r--.  1 root      root      1000M Feb 28 10:47 1gb

And if everything is ok, unmount it:

umount /mnt/nfs/

Apache web server

Now we open the http port (80) in the firewall and enable apache to start after boot:

systemctl enable httpd.service
firewall-cmd --add-service=http --permanent
firewall-cmd --reload

Now we create a configuration file for one folder from the NFS storage:

vim /etc/httpd/conf.d/media.example.com.conf

<VirtualHost *:80>
    ServerAdmin user@example.com
    DocumentRoot "/mnt/nfs/kadeco/install"
    ServerName installs.example.com
    <Directory "/mnt/nfs/kadeco/install">
        AllowOverride All
        Require all granted
        Options Indexes
    </Directory>
    ErrorLog /var/log/httpd/install.example.com-error_log
    CustomLog /var/log/httpd/install.example.com-access_log common
</VirtualHost>

If we reload the apache web server (via the command "apachectl graceful") and then access this web content, we see this error in the error log:

AH01276: Cannot serve directory /mnt/nfs/kadeco/install/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive

So we install some software to modify the SELinux context of files and folders:

yum install setroubleshoot

And change the context of this folder:

semanage fcontext -a -t httpd_sys_content_t "/mnt/nfs/kadeco/install(/.*)?"
restorecon -R /mnt/nfs/kadeco/install
#welcome.conf sets "Options -Indexes" for the site root, so comment out every line in it, or delete it:
rm /etc/httpd/conf.d/welcome.conf
systemctl restart httpd.service

Now we can see the content of the folder /mnt/nfs/kadeco/install. But if we want to copy files there through the samba share, we can't, because we changed the security context of this folder (httpd_sys_content_t).

So now we must change this behaviour in one of 2 ways:

1. set the samba permissions to write everywhere (security risk) by:

setsebool -P samba_export_all_rw 1

2. or, if you want to be a little more discreet about it (my preferred way):

From the SELinux man pages (e.g. samba_selinux(8)), section SHARING FILES:

    If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean: allow_DOMAIN_anon_write.

semanage fcontext -a -t public_content_rw_t '/mnt/nfs/kadeco/install(/.*)?'
restorecon -Rv /mnt/nfs/kadeco/install
setsebool -P allow_smbd_anon_write 1  #allow samba to write to public_content_rw_t files

Or, equivalently with chcon (this variant also lets httpd write there):
1) chcon -t public_content_rw_t /mnt/nfs/kadeco
2) setsebool -P allow_smbd_anon_write 1
3) setsebool -P allow_httpd_anon_write 1

If you create an NFS shared folder and want to share its content via another apache configuration, you must also allow apache to use NFS files:

setsebool -P httpd_use_nfs on

Have a nice day
