RHEL 7 New Features: Samba 4 Changes

I’ve recently been describing some of the many changes in the past few years since Red Hat Enterprise Linux 6 came out. Its successor RHEL 7 has been out for almost a year, but from what I’ve seen both in consulting and in teaching Learning Tree’s Linux server administration & support course and their Linux troubleshooting and performance tuning course, many organizations still haven’t done anything about moving to the latest release.

Part of the RHEL 6 to 7 migration includes an upgrade to Samba. Samba used to be configured with a web-based interface. It was nice, it always worked the same way, no need for distribution-specific tools. Well, that went away because of security problems, but the good news is that Samba is pretty easy to set up by hand. Given the Samba 4 changes, this blog post shows how to configure and set it up.

How Samba Has Been Improved

One of the big changes you encounter in moving to the latest Red Hat release (or the latest Ubuntu, or Oracle Linux, or Scientific Linux, or whatever) is a significant upgrade to Samba. This system provides file and print service over the SMB/CIFS protocol. Samba 4 finally brings the ability for a Linux (or Mac OS X, or BSD, or whatever) system to be a fully-functioning Active Directory server. Even if you aren’t going to be that ambitious, the Samba tool kit provides much better integration with Windows servers and clients.

Samba Software

Now How do I Configure Samba 4?

I’m no fan of distribution-specific graphical tools. Graphical tools usually make it very easy to do very simple things (which should be easy already!) and then get in the way of doing more interesting things, and provide no way of automating large projects the way we can with the command line and scripts.

Worse yet, graphical tools developed within one distribution only exist there. But all these tools really do in most cases is make changes in text configuration files. Those files and their syntax come with the subsystems, and so they are the same on every distribution. Learn how to make changes by directly modifying the configuration files, and then you know how to do it on every current distribution.

An exception was Samba, which supported a notorious amount of complexity if you chose to take advantage of it. Remember that part about becoming a complete Active Directory server plus more? So the Samba Web Admin Tool or SWAT project was born.

SWAT was included with Samba. No matter which Linux distribution or non-Linux operating system you had, Samba was Samba and so SWAT was SWAT. Point a web browser at TCP port 901 on the server, and you saw the same interface.

Why SWAT was Discontinued

There are archives on discontinuing SWAT and why we should put SWAT out of its misery, plus details on SWAT security problems and SWAT vulnerabilities. I think Kai Blin’s initial remarks really sum it up:

I think it’s time to put SWAT out of its misery. In the past few years, the only commits ever touching it were either API housekeeping or fixing remote root exploit security issues.
[…]
There might be the need for a web-based samba configuration tool, but I don’t think SWAT is fulfilling that need well enough.

Meanwhile the O’Reilly book on using Samba is a 450-page doorstop which is now two major Samba releases behind. What are we to do if we want to provide file and print service to Windows clients?

Don’t Panic!

It’s not that hard to create and maintain your own /etc/samba/smb.conf file! Start small and simple, add features one at a time. Learning Tree’s Linux server administration course gets you started, providing authenticated file and print service to clients and showing you how to do access control by Windows domain and by IPv4/IPv6 network blocks. The Linux troubleshooting and performance tuning course takes integration a step further, authenticating Linux into Active Directory and using Kerberos. To go further, see the useful Samba wiki collection and not their outdated document collection.

Beware an Overly “Helpful” Tool

You might consider using a distribution-specific graphical tool to “cheat” and get something into your Samba configuration, but make a backup first.

Some time ago I was helping an organization that had been using Samba for some time for file and print service to thousands of Windows and Mac OS X desktops. Their local Samba guru had carefully built an enormous Samba configuration file.

Someone had suggested trying this SWAT tool. The Samba guru tried it and said, “I suppose that’s nice if you need it, but I really don’t.”

What no one involved realized was that Samba relentlessly “improves” your configuration by stripping out all comments and explicit choices that specify what would have been the default behavior, along with reordering everything. Minimized, reordered, stripped of documentation, “improved”.

The Samba guru, having planned ahead, simply copied the backup file into place as the configuration file. But without that backup, this sort of behavior by a tool could really inject a lot of confusion into a complex Samba system. Those comments are needed for maintenance; any author will forget why some obscure option is in there. And explicitly setting what would have been default anyway can make security audits much easier.
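To see exactly what a rewriting tool took out, compare its output against the backup. The script below is an added example, not part of the original post: it counts lost comments and lists explicit parameters that disappeared. The two configuration files are constructed samples, and the function names are made up for this illustration.

```sh
#!/bin/sh
# Added example: list what a rewriting tool dropped from smb.conf.
export LC_ALL=C

# Print sorted "section|parameter" keys. Samba ignores case and whitespace in
# section and parameter names, so both are folded before comparing.
smbconf_keys() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[][ \t]/, "", sec); next }
        index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)
            print sec "|" key
        }' "$1" | sort -u
}
# Count comment lines; smb.conf comments start with "#" or ";".
smbconf_comments() { awk '/^[ \t]*[#;]/ { n++ } END { print n + 0 }' "$1"; }
# Parameters present in backup $1 but missing from rewritten file $2.
smbconf_dropped() {
    old=$(mktemp); new=$(mktemp)
    smbconf_keys "$1" > "$old"; smbconf_keys "$2" > "$new"
    comm -23 "$old" "$new"; rm -f "$old" "$new"
}

# Constructed sample files: a hand-maintained backup and a minimized rewrite.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat > "$work/smb.conf.bak" <<'EOF'
# File server for the projects team
[global]
    ; explicit default, kept so audits can see the intent
    map to guest = Never
    hosts allow = 192.0.2.0/24
[projects]
    path = /srv/projects
    # explicit default: no anonymous access
    guest ok = no
    valid users = @staff
EOF
cat > "$work/smb.conf" <<'EOF'
[global]
    hosts allow = 192.0.2.0/24
[projects]
    path = /srv/projects
    valid users = @staff
EOF

echo "comments: $(smbconf_comments "$work/smb.conf.bak") -> $(smbconf_comments "$work/smb.conf")"
echo "dropped parameters:"
smbconf_dropped "$work/smb.conf.bak" "$work/smb.conf"
```

On the sample files it reports three comments reduced to none, and that `map to guest` and `guest ok` are no longer stated explicitly.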

So try out Samba, don’t be intimidated, and remember to make backup copies of all your system’s configuration!

If you are considering migrating to RHEL 7 because of the many changes bringing improvements in capability, performance, and interoperability, have a look at Learning Tree’s Linux server administration & support course. I just turned in a complete revision of it, really more of a redesign, and it now uses RHEL 7 and the updated 7.1 release.
