Samba and NFS Server on Rocky Linux 8
This guide installs a Samba 4 and NFS server on Rocky Linux 8, sharing the same data over both Samba and NFS. Extended ACLs are also used.
Install Rocky Linux 8 minimal with 2 CPU, 512MB+ RAM, 20GB+ storage (use separate /home mount point if going over 100GB), set FQDN, set static IP, enable NTP.
After the install is finished, reboot → login → perform a “dnf update”.
Create limited user account and add to wheel group for sudo
useradd example_user && passwd example_user
usermod -aG wheel example_user
Install dependencies and vim
dnf install vim tar
Log out of root and log in as the sudo user
Disallow root login over SSH
sudo vim /etc/ssh/sshd_config
then set
PermitRootLogin no
Restart sshd
sudo systemctl restart sshd
Configure hosts
sudo vim /etc/hosts
Add a line for your FQDN
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.30 websrv01.domainname.com websrv01
Automatic Updates for CentOS
https://www.tecmint.com/dnf-automatic-install-security-updates-automatically-in-centos-8/
sudo dnf install dnf-automatic
sudo vim /etc/dnf/automatic.conf
Set:
upgrade_type = security
download_updates = yes
apply_updates = yes
system_name = (your system name)
emit_via = motd
Enable the auto-update timer
sudo systemctl enable --now dnf-automatic.timer
fail2ban
https://idroot.us/install-fail2ban-centos-8/
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
sudo dnf install epel-release
sudo dnf install fail2ban
Create a Jail for SSHd
sudo vim /etc/fail2ban/jail.d/sshd.local
Add the following:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[selinux-ssh]
enabled = true
port = ssh
logpath = %(auditd_log)s
Start fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo fail2ban-client status sshd
Samba
https://www.tecmint.com/install-samba-on-rhel-8-for-file-sharing-on-windows/
https://www.techrepublic.com/article/how-to-create-a-linux-user-that-cannot-log-in/
Install Base Packages
sudo dnf install samba samba-client samba-common
Enable Services
sudo systemctl start smb
sudo systemctl enable smb
Configure Firewall
sudo firewall-cmd --permanent --add-service=samba
sudo firewall-cmd --reload
Create Group & User
sudo groupadd smb_users
sudo useradd smbadmin --shell=/bin/false && sudo passwd smbadmin
sudo usermod -aG smb_users smbadmin
sudo smbpasswd -a smbadmin
Create Dir for Share and Set Permissions
sudo mkdir -p /home/samba/public
sudo chmod -R 0770 /home/samba/public
sudo chown -R root:smb_users /home/samba/public
sudo chcon -t samba_share_t /home/samba/public
Configure Share
sudo vim /etc/samba/smb.conf
Add the following:
[public]
comment = Public Share
path = /home/samba/public
valid users = @smb_users
guest ok = no
writable = yes
browsable = yes
acl_xattr:ignore system acls = yes
Restart services:
sudo systemctl restart smb.service
sudo systemctl restart nmb.service
Add other users if needed and add them to the smb_users group, then fire up a Windows computer to create your initial folder structure with permissions from there…
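Added example (not part of the original guide): a small script that reads back three of the settings configured above, namely PermitRootLogin, the [sshd] jail and the [public] share. The function names ini_get, sshd_root_login, audit and demo are hypothetical helpers; the sample input in demo is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the guide. Function names are hypothetical helpers;
# the file paths in the last comment are the ones the guide edits.

# Print the value of KEY in [SECTION] of an INI-style file (smb.conf, jail file).
# Names are compared case-insensitively, as smb.conf does; # and ; start comments.
ini_get() {  # ini_get FILE SECTION KEY
  awk -v s="$2" -v k="$3" '
    function trim(x) { gsub(/^[ \t]+|[ \t]+$/, "", x); return x }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[.*\][ \t]*$/ {
      n = trim($0); n = substr(n, 2, length(n) - 2)
      in_s = (tolower(n) == tolower(s)); next
    }
    in_s && (p = index($0, "=")) {
      if (tolower(trim(substr($0, 1, p - 1))) == tolower(k)) v = trim(substr($0, p + 1))
    }
    END { if (v == "") exit 1; print v }' "$1"
}

# Print the global PermitRootLogin value from an sshd_config file. sshd keeps the
# first value it reads for a keyword, so a later "no" does not override an earlier
# "yes". Parsing stops at the first Match block, whose settings are conditional.
sshd_root_login() {  # sshd_root_login FILE
  awk 'tolower($1) == "match" { exit }
       tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
       END { if (!f) print "unset" }' "$1"
}

# Print one FAIL line per deviation from the guide; return non-zero if any.
audit() {  # audit SSHD_CONFIG JAIL_FILE SMB_CONF
  local rc=0
  [ "$(sshd_root_login "$1")" = no ] || { echo "FAIL: PermitRootLogin is not no"; rc=1; }
  [ "$(ini_get "$2" sshd enabled)" = true ] || { echo "FAIL: sshd jail not enabled"; rc=1; }
  [ "$(ini_get "$3" public 'guest ok')" = no ] || { echo "FAIL: [public] allows guests"; rc=1; }
  [ "$(ini_get "$3" public 'valid users')" = @smb_users ] || { echo "FAIL: [public] valid users"; rc=1; }
  return "$rc"
}

# Constructed sample: "yes" appears before "no", so root login stays enabled.
demo() {
  local f; f=$(mktemp)
  printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$f"
  sshd_root_login "$f"; rm -f "$f"
}

# On the server (sshd_config is readable by root only), after sourcing this file:
# audit /etc/ssh/sshd_config /etc/fail2ban/jail.d/sshd.local /etc/samba/smb.conf
```

The demo case is the reason to edit the existing PermitRootLogin line in sshd_config rather than append a new one at the end of the file.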