In this post we create an ftp\/samba server and grant access for user to linux server, based on Centos 8, and allow listing of this content on specific url via Apache web server (eventually for testing speed download via web and upload via ftp).<\/p>\n\n\n\n
At the beginng, we install secure ftp server, apache web server and samba:<\/p>\n\n\n\n
dnf -y install vsftpd samba httpd vim nfs-utils<\/pre>\n\n\n\nCreate SAMBA shares<\/h2>\n\n\n\n
Create user, who can access our samba secure folder:<\/p>\n\n\n\n
useradd -s \/sbin\/nologin guru\ngroupadd smbgroup\nusermod -a -G smbgroup guru\nsmbpasswd -a guru<\/pre>\n\n\n\nThen, create a directories for samba shares. Chcon command mark our directory with label, that SELinux allows samba service to operate with this folder. Another possibility is disable SELinux, but it is not the right way <\/p>\n\n\n\n
#for anonymous\nmkdir -p \/mnt\/aaa\nchmod -R 0777 \/mnt\/aaa\nsemanage fcontext -a -t samba_share_t '\/mnt\/aaa'\nchown -R nobody:nobody \/mnt\/aaa\nrestorecon -R \/mnt\/aaa<\/pre>\n\n\n\n#for another secure user \"guru\"\nmkdir -p \/mnt\/kadeco\/\nchmod -R 0755 \/mnt\/kadeco\/\nsemanage fcontext -a -t samba_share_t '\/mnt\/kadeco'\nchown -R guru:smbgroup \/mnt\/kadeco\/\nrestorecon -R \/mnt\/kadeco\/<\/pre>\n\n\n\nEdit samba config for ours anonymous and secure shares<\/p>\n\n\n\n
vim \/etc\/samba\/smb.conf\n\n[global]\n\tworkgroup = SAMBA\n\tsecurity = user\n\n\tpassdb backend = tdbsam\n\n\tprinting = cups\n\tprintcap name = cups\n\tload printers = yes\n\tcups options = raw\n \tmap to guest = bad user\n\n[Anonymous-aaa]\n path = \/mnt\/aaa\n writable = yes\n browsable = yes\n guest ok = yes\n create mode = 0777\n directory mode = 0777\n[kadeco]\n path = \/mnt\/kadeco\n writable = yes\n browsable = yes\n guest ok = no\n valid users = guru\n create mask = 0755\n directory mask = 0755\n read only = No<\/pre>\n\n\n\nNow, we can see our configuration of samba by this command and test it for errors:<\/p>\n\n\n\n
testparm<\/pre>\n\n\n\nNext, if we use firewall, we must add some ports, or service for samba to allow:<\/p>\n\n\n\n
firewall-cmd --permanent --zone=public --add-service=samba\nfirewall-cmd --reload<\/pre>\n\n\n\nAnd finally, start samba services and enable it, after reboot.<\/p>\n\n\n\n
systemctl enable smb.service --now\nsystemctl enable nmb.service --now\nsystemctl status smb\nsystemctl status nmb<\/pre>\n\n\n\nA way to restart samba services:<\/p>\n\n\n\n
systemctl restart smb\nsystemctl restart nmb<\/pre>\n\n\n\nAnd now we can use our samba server. Anonymous folder, or secured folder <\/p>\n\n\n\n
Status of samba we can list by this commands:<\/p>\n\n\n\n
smbstatus -p\n- show list of samba processes\nsmbstatus -S\n- show samba shares\nsmbstatus -L\n- show samba locks<\/pre>\n\n\n\nIf we need restart samba process, or restart server, we can list locked files by \u201csmbstatus -L\u201d. We can see, which share is locked and which specific file is accessing.<\/p>\n\n\n\n
Create FTP access<\/h2>\n\n\n\n
We want secure ftp server, then we need to modify some variables in main configuration file. And check other variables, if set by below example:<\/p>\n\n\n\n
vim \/etc\/vsftpd\/vsftpd.conf<\/p>\n\n\n\n
anonymous_enable=NO #disable anonymous access\nlocal_enable=YES \nwrite_enable=YES \nchroot_local_user=YES #chroot user to their home folder\nallow_writeable_chroot=YES<\/pre>\n\n\n\nNow we allow ftp access in firewall and start it:<\/p>\n\n\n\n
firewall-cmd --permanent --add-service=ftp --zone=public \nfirewall-cmd --reload\nsystemctl enable vsftpd --now\nsystemctl status vsftpd<\/pre>\n\n\n\nCreating an FTP User<\/h3>\n\n\n\n
To test the FTP server, we will create a new user.<\/p>\n\n\n\n
Create a new user named
ftpguru<\/code><\/p>\n\n\n\nadduser ftpguru<\/code><\/pre>\n\n\n\nNext, you\u2019ll need to set the user password :<\/p>\n\n\n\n
passwd ftpguru<\/pre>\n\n\n\nCreate the FTP directory tree and set the correct permissions :<\/p>\n\n\n\n
mkdir -p \/home\/ftpguru\/ftp\/upload<\/code>\nchmod 550 \/home\/ftpguru<\/code>\/ftp<\/code>\nchmod 750 \/home\/ftpguru<\/code>\/ftp\/uploa<\/code>d\nchown -Rftpguru<\/code>: \/home\/ftpguru<\/code>\/ftp<\/code>\nsystemctl restart vsftpd<\/pre>\n\n\n\nAs discussed in the previous section, the user will be able to upload its files to the
ftp\/upload<\/code> directory<\/p>\n\n\n\nAt this point, your FTP server is fully functional, and you should be able to connect to your server with any FTP client.<\/p>\n\n\n\n
Create NFS access<\/h2>\n\n\n\n
Allow nfs service in firewalld:<\/p>\n\n\n\n
firewall-cmd --permanent --zone=public --add-service=nfs\nfirewall-cmd --reload\n#if sometimes on clients don't working showmount, and it create an error:\nshowmount -e 11.22.33.44\nrpc mount export: RPC: Unable to receive; errno = No route to host\nclnt_create: RPC: Unable to receive\n#we must add another ports to firewall:\nfirewall-cmd --permanent --zone=public --add-service=rpc-bind\nfirewall-cmd --permanent --zone=public --add-service=mountd\nfirewall-cmd --reload<\/pre>\n\n\n\nNow enable nfs-server to run after poweron server and start it:<\/p>\n\n\n\n
systemctl enable nfs-server.service\nsystemctl start nfs-server.service<\/pre>\n\n\n\nNow we create a directory, where we want to enable nfs access:<\/p>\n\n\n\n
mkdir \/mnt\/nfs<\/pre>\n\n\n\nAnd edit file \/etc\/exports for this folder to by allowed for everybody in network:<\/p>\n\n\n\n
\/mnt\/nfs *(rw,sync,no_root_squash,no_all_squash)<\/pre>\n\n\n\nAnd apply this change:<\/p>\n\n\n\n
exportfs -arv<\/pre>\n\n\n\nWe can see our settings with command “exportfs”:<\/p>\n\n\n\n
\/mnt\/nfs <world><\/pre>\n\n\n\nAnd from other linux machine, we can mount this folder:<\/p>\n\n\n\n
mount 11.22.33.44:\/mnt\/nfs \/mnt\/nfs\/\n#see this disk report space\ndf -h\nFilesystem Size Used Avail Use% Mounted on\n11.22.33.44:\/mnt\/nfs\n 1.5T 200G 1.3T 14% \/mnt\/nfs<\/pre>\n\n\n\nAnd we can test it with 1GB file:<\/p>\n\n\n\n
dd if=\/dev\/zero of=\/mnt\/nfs\/1gb bs=1M count=1000\n1048576000 bytes (1.0 GB) copied, 16.4533 s, 63.7 MB\/s\n...\n...\nls -lah \/mnt\/nfs\/\ndrwxr-xr-x. 18 nfsnobody nfsnobody 4.0K Feb 28 10:47 .\ndrwxr-xr-x. 3 root root 4.0K Feb 28 10:24 ..\n-rw-r--r--. 1 root root 1000M Feb 28 10:47 1gb\n<\/pre>\n\n\n\nAnd if everything is ok, umount it:<\/p>\n\n\n\n
umount \/mnt\/nfs\/<\/pre>\n\n\n\nApache web server<\/h2>\n\n\n\n
Now, we set the firewall for http port (80), enable apache to start after boot:<\/p>\n\n\n\n
systemctl enable httpd.service\nfirewall-cmd --add-service=http --permanent\nfirewall-cmd --reload<\/pre>\n\n\n\nNow, we create an configuration file for one folder from nfs storage:<\/p>\n\n\n\n
vim \/etc\/httpd\/conf.d\/media.exmaple.com.conf\n\n<VirtualHost *:80>\n ServerAdmin user@example.com\n DocumentRoot \"\/mnt\/nfs\/kadeco\/install\"\n ServerName installs.example.com\n<Directory \"\/mnt\/nfs\/kadeco\/install\">\n AllowOverride All\n Require all granted\n Options Indexes \n<\/Directory>\nErrorLog \/var\/log\/httpd\/install.example.com-error_log\nCustomLog \/var\/log\/httpd\/install.example.com-access_log common\n<\/VirtualHost><\/pre>\n\n\n\nIf we reload apache web server (via command “apachectl graceful”), we can see an error log, if we access to this web content:<\/p>\n\n\n\n
AH01276: Cannot serve directory \/mnt\/nfs\/kadeco\/install\/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive<\/em><\/p>\n\n\n\n
So, we install som softvare to modify file and folders context with selinux:<\/p>\n\n\n\n
yum install setroubleshoot<\/pre>\n\n\n\nAnd change context to this folder:<\/p>\n\n\n\n
semanage fcontext -a -t httpd_sys_content_t \"\/mnt\/nfs\/kadeco\/install(\/.*)?\"\nrestorecon -R \/mnt\/nfs\/kadeco\/install\n#comment out every line in welcome.conf bellow, or delete it:\nrm \/etc\/httpd\/conf.d\/welcome.conf\nsystemctl restart httpd.service<\/pre>\n\n\n\nNow, we can see the content of folder \/mnt\/nfs\/kadeco\/install<\/em>. But if we want actively copy files here through samba access, we can’t, because we change security content of those folder ( httpd_sys_content_t ). <\/p>\n\n\n\n
So, now we must change this behavior in 2 responsibilities: <\/p>\n\n\n\n
1, set samba permissions, to write everywhere (security risk) by:<\/p>\n\n\n\n
setsebool -P samba_export_all_rw 1<\/pre>\n\n\n\n2, or if you want to be a little more descrite about it (my prefered way):<\/p>\n\n\n\n
SHARING FILES\n If you want to share files with multiple domains (Apache, FTP, rsync,\n Samba), you can set a file context of public_content_t and public_content_rw_t. <\/em>\nThese context allow any of the above domains to read the\n content. If you want a particular domain to write to the public_con\u2010\n tent_rw_t domain, you must set the appropriate boolean.\n allow_DOMAIN_anon_write.<\/em><\/code><\/pre>\n\n\n\nsemanage fcontext -a -t public_content_rw_t '\/mnt\/nfs\/kadeco\/install(\/.*)?'\nrestorecon -Rv \/mnt\/nfs\/kadeco\/install\nsetsebool -P allow_smbd_anon_write 1 #allow write samba to public_content\n\n chcon -t public_content_rw_t \/mnt\/nfs\/kadeco 2) setsebool -P allow_smbd_anon_write 1 3) setsebool -P allow_httpd_anon_write 1 <\/pre>\n\n\n\nIf you create a NFS shared folder and you want to share its content via another apache configuration, you must set, that apache is allowed to use NFS files:<\/p>\n\n\n\n
setsebool -P httpd_use_nfs on<\/pre>\n\n\n\nHave a nice day<\/p>\n\n\n\n
<\/p>\n ","protected":false},"excerpt":{"rendered":"
In this post we create an ftp\/samba server and grant access for user to linux server, based on Centos 8, and allow listing of this content on specific url via Apache web server (eventually for testing speed download via web and upload via ftp). At the beginng, we install secure ftp server, apache web server … Continue reading Centos 8 and Samba\/NFS\/FTP access and apache (httpd) listing nfs content<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[116,147,94,36,148],"class_list":["post-905","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-centos-8","tag-ftp","tag-httpd","tag-samba","tag-vsftp"],"_links":{"self":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/905","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=905"}],"version-history":[{"count":14,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/905\/revisions"}],"predecessor-version":[{"id":921,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/905\/revisions\/921"}],"wp:attachment":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=905"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=905"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=905"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}