Setting up Samba home folder shares for a CentOS 6 server and Mac OS X client

Update: Setting up home directory shares is now much easier on CentOS 7.

On Mac OS X, if you want to share your home folder over the network with authentication, you only have to tick a check box in System Preferences and It Just Works™. On CentOS Linux? Well…

Today I wanted to access my home folder on our Linux analysis machine over the network on a Mac OS X client. Although I could have just done everything in a Terminal, I like the pretty graphics of Finder and being able to see my files without typing ls -l. The Linux machine in question is one I installed CentOS 6 on a while back. (Which, by the way, was a big mistake, since CentOS apparently does not maintain packages for things younger than a decade.)

I first looked into using NFS since apparently that’s the thing you use for Linux machines, but if you don’t want NFS to share your files with the entire world, you need to set up a Kerberos key distribution service. That is unappealing given that I just want to access my own files over the network. So I settled on Samba instead. (Apple Filing Protocol, the only other option for an OS X client, is 100% out of the question because it is awful and I’m pretty sure it’s not supported on Linux.)

Configuration files

There are roughly a dozen configuration files you need to edit in order for Samba to work properly. I don’t actually know which files I need to edit; I just kept doing things I found on the Internet until Samba started working.

/etc/samba/smb.conf: We want to let each user access their own home directory over Samba.

[global]
   workgroup = WORKGROUP
   server string = Samba Server
   netbios name = SAMBA
   # change hosts allow to the subnet you want to share files across
   hosts allow = 192.168.0.
   log file = /var/log/samba/log.%m
   max log size = 50
   security = user
   map to guest = bad user
   passdb backend = tdbsam

# this will let people log into their own home directories
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S
   create mask = 0700
   directory mask = 0700

/etc/sysconfig/iptables: I don’t know if these are all needed but it seems to work. Again, change the subnet to the one you want to actually share across (to match hosts allow in smb.conf).

-A INPUT -s 192.168.0.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p udp --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -p udp --dport 445 -j ACCEPT
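
The following check is an added example, not part of the original post. It parses the hosts allow line from smb.conf and the iptables rules above, reports any ACCEPT rule whose source is wider than hosts allow, and flags protocol/port pairs Samba does not listen on (nmbd uses UDP 137 and 138, smbd uses TCP 139 and 445). The function names and the embedded sample strings are constructed for illustration.

```python
import ipaddress
import re

# Samba's listeners: nmbd on UDP 137/138, smbd on TCP 139/445.
SAMBA_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Constructed sample input reproducing the relevant lines of the two files above.
SMB_CONF = "[global]\n   hosts allow = 192.168.0.\n   security = user\n"
IPTABLES = "\n".join(
    "-A INPUT -s 192.168.0.0/24 -m state --state NEW -p %s --dport %d -j ACCEPT" % (p, d)
    for d in (137, 138, 139, 445) for p in ("udp", "tcp"))


def hosts_allow_networks(smb_conf):
    """Networks named by 'hosts allow'; hostnames and EXCEPT are not handled."""
    nets = []
    for line in smb_conf.splitlines():
        m = re.match(r"\s*hosts allow\s*=\s*(.+)", line, re.I)
        for tok in re.split(r"[,\s]+", m.group(1).strip()) if m else []:
            if tok.endswith("."):  # Samba prefix form: "192.168.0." is 192.168.0.0/24
                octets = tok.rstrip(".").split(".")
                tok = "%s/%d" % (".".join(octets + ["0"] * (4 - len(octets))), 8 * len(octets))
            try:
                nets.append(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                pass  # skipped: not an address or network
    return nets


def audit(smb_conf, rules):
    """Return findings for ACCEPT rules that are unneeded or wider than hosts allow."""
    allowed = hosts_allow_networks(smb_conf)
    findings = []
    for rule in rules.splitlines():
        m = re.search(r"-p (tcp|udp) .*--dport (\d+) .*-j ACCEPT", rule)
        if not m:
            continue
        s = re.search(r" -s (\S+)", rule)  # a rule without -s accepts any source
        src = ipaddress.ip_network(s.group(1) if s else "0.0.0.0/0", strict=False)
        proto, port = m.group(1), int(m.group(2))
        if (proto, port) not in SAMBA_PORTS:
            findings.append("unneeded: %s/%d" % (proto, port))
        elif not any(src.subnet_of(net) for net in allowed):
            findings.append("%s/%d open to %s, outside hosts allow" % (proto, port, src))
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SMB_CONF, IPTABLES)))
```

Run against the eight rules above, it reports the TCP 137, TCP 138, UDP 139 and UDP 445 rules as unneeded and finds no source wider than hosts allow.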

Then restart the services with:

# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
# service smb restart
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]

We also need to let SELinux know that we’re not doing any terrorist activities on our Samba share:

# setsebool -P samba_enable_home_dirs on

Now to test it locally with smbclient:

$ smbclient //localhost/myuser -U myuser
Enter myuser's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-12.el6]
tree connect failed: NT_STATUS_ACCESS_DENIED

OK, so that bit in smb.conf about passdb backend = tdbsam requiring “no further configuration” is apparently a total lie. Luckily there exists smbpasswd for backwards compatibility, so let’s just use that:

# smbpasswd -a myuser
New SMB password:
Retype new SMB password:
Added user myuser.

Trying smbclient again yields:

$ smbclient //localhost/myuser -U myuser
Enter myuser's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-12.el6]
smb: \>

Victory! Now to test it on OS X. In Finder, click Go => Connect to Server… and enter smb://192.168.0.101 (or whatever your server is called) and type in your credentials. Hopefully it works!

Footnote

I don’t know why it is so complicated. I suspect that ultimately it’s my own fault for installing CentOS but honestly I’m inclined to think that everything involving Linux is awful and terrible.