Mastering Samba Server on CentOS Stream 9: Seamless File Sharing for Windows & Linux

CentOS tutorial - IT technology blog

Real-world Scenario: When the File-Sharing System Goes on Strike at Midnight

It was 2 AM when my phone buzzed incessantly. On the other end was the frantic voice of the operations manager: all 50 office employees were unable to access the shared drive to retrieve tax reports. The old CentOS 7 server had just died due to a motherboard failure. My mission: set up a new file server on CentOS Stream 9 and migrate over 500GB of data before business hours tomorrow morning.

If you’ve ever been in this situation, you know the pressure when Samba is installed but Windows still throws that stubborn “Windows cannot access \\server” error. During the recent CentOS 8 EOL transition, I personally migrated over 10 systems to CentOS Stream 9. Hard-earned experience shows that configuring Samba isn’t actually difficult; the real challenge lies in making it “talk” to SELinux and Firewalld on the new RHEL 9 Kernel 5.14.

Why Do Your Samba Connections Frequently Fail?

In practice, there are three main obstacles that often leave network admins scratching their heads when deploying on CentOS 9:

  • Firewalld: Ports 137, 138, 139, and 445 are tightly closed by default.
  • SELinux: This is the strictest security layer. It blocks Samba if the shared directory isn’t labeled with the correct context.
  • Dual-Permission Errors: A user may be allowed by the share definition in Samba yet still be blocked by the Linux filesystem’s own read/write permissions on the directory.

The Solution: Don’t Settle for Temporary Fixes

Many people resort to setenforce 0, which switches SELinux to permissive mode so that its policy is no longer enforced. This is a fatal mistake. It’s like leaving your front door wide open for ransomware to attack the internal network. Instead, configure SELinux properly so the system stays both high-performing and secure.

Steps to Install Samba on CentOS Stream 9

Step 1: Install Software Packages and Admin Tools

First, update the installed packages and install Samba. I recommend also installing policycoreutils-python-utils to manage SELinux more easily; it provides the semanage command used in Step 5.

sudo dnf update -y
sudo dnf install samba samba-common samba-client policycoreutils-python-utils -y

Step 2: Create Directory and Linux Permissions

I will create a storage area for the accounting department at /samba/ke-toan. Never share the /home directory directly for data security reasons.

sudo mkdir -p /samba/ke-toan
sudo groupadd ketoangroup
sudo chown -R :ketoangroup /samba/ke-toan
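sudo chmod -R 770 /samba/ke-toan
# setgid on the share root: new files inherit ketoangroup instead of the creator's private group
sudo chmod g+s /samba/ke-toan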

Step 3: Manage Samba Users

Samba passwords are independent of system passwords. Here, I’ll create the user nhanvien01 and disable direct server login to enhance security.

sudo useradd -M -s /sbin/nologin nhanvien01
sudo usermod -aG ketoangroup nhanvien01
sudo smbpasswd -a nhanvien01

Step 4: Optimize the smb.conf Configuration File

Don’t forget to back up the original file before editing. A standard configuration file helps Windows recognize the server faster.

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo vi /etc/samba/smb.conf

Below is the configuration I’ve fine-tuned for the best performance:

[global]
    workgroup = WORKGROUP
    server string = Samba Server Version %v
    netbios name = FILE-SERVER-01
    security = user
    map to guest = bad user
    # Force the use of SMB2 or higher for security
    server min protocol = SMB2

[KeToan]
    comment = Accounting Department Folder
    path = /samba/ke-toan
    valid users = @ketoangroup
    writable = yes
    browsable = yes
    create mask = 0660
    directory mask = 0770

Step 5: Overcoming SELinux and Firewalld Barriers

This is the crucial step. Without it, Windows will return a “Permission Denied” error immediately.

For SELinux: You need to apply the samba_share_t label to the directory so Samba has valid access rights.

sudo semanage fcontext -a -t samba_share_t "/samba/ke-toan(/.*)?"
sudo restorecon -Rv /samba/ke-toan

For Firewalld: Allow Samba traffic through the firewall.

sudo firewall-cmd --permanent --add-service=samba
sudo firewall-cmd --reload

Step 6: Activate the Service

Finally, start and set Samba to run automatically upon every server reboot.

sudo systemctl enable --now smb nmb

Testing and Verification

On a Windows machine, press Windows + R and type \\<SERVER_IP>. If the KeToan folder appears and allows you to copy files into it, you have succeeded.
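
When the folder does not appear, the following added example (not part of the original post) reports which of the three layers from the obstacle list is blocking: SELinux label, firewalld service, or Linux permissions. The function names are hypothetical, the sample values are constructed, and it assumes the share is served from firewalld's default zone.

```sh
#!/bin/sh
# Added example, not from the original post. Each check takes the text a real
# command prints, so the decision logic can be exercised without a server.

# SELinux: a context reads user:role:type:level; the type must be samba_share_t.
label_ok() {
    [ "$(printf '%s' "$1" | cut -d: -f3)" = "samba_share_t" ]
}

# firewalld: "samba" must be its own word in `firewall-cmd --list-services`;
# samba-client is a different firewalld service and must not count.
firewall_ok() {
    case " $1 " in *" samba "*) return 0 ;; esac
    return 1
}

# Filesystem: $1 = octal mode, $2 = directory group, $3 = the user's groups
# (`id -nG user`). The user must be a member and the group bits must be rwx.
fs_ok() {
    case " $3 " in *" $2 "*) ;; *) return 1 ;; esac
    [ $(( (0$1 >> 3) & 7 )) -eq 7 ]
}

# Print every blocking layer, or "ok".
# Arguments: context, firewalld services, mode, directory group, user's groups.
diagnose() {
    blocked=""
    label_ok "$1" || blocked="$blocked selinux"
    firewall_ok "$2" || blocked="$blocked firewalld"
    fs_ok "$3" "$4" "$5" || blocked="$blocked filesystem"
    echo "${blocked:- ok}" | cut -c2-
}

# On the server (as root), feed the checks from the real commands.
# $1 = share path, $2 = Samba user.
diagnose_live() {
    diagnose "$(stat -c %C "$1")" "$(firewall-cmd --list-services)" \
             "$(stat -c %a "$1")" "$(stat -c %G "$1")" "$(id -nG "$2")"
}

# Constructed sample: the share directory before Step 5 has been applied.
diagnose "unconfined_u:object_r:default_t:s0" "cockpit dhcpv6-client ssh samba-client" \
         770 ketoangroup "nhanvien01 ketoangroup"
# prints: selinux firewalld
```

On the server, run diagnose_live /samba/ke-toan nhanvien01; it inspects only the share root, so files migrated into it still need their own labels and group ownership checked.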

A small tip: Always use the testparm command after modifying the configuration file. It will help you detect silly syntax errors before restarting the service. Administering CentOS Stream 9 isn’t difficult if you clearly understand how SELinux operates. Good luck with your stable system deployment!
