Configuring Red Hat Enterprise Linux 7.6 for SMB/HTTPS File Share Distribution with Jamf Pro

Updated: 01 July 2021

Product: Jamf Pro

This article explains how to use Samba to host a file share distribution point with an SMB share on a Linux server. The distribution point can then be added to the Jamf Pro server and used with Jamf Pro.

Note:

The procedure may vary depending on your specific Linux operating system.

The procedure involves the following two main steps:

Setting Up SMB on Jamf Pro Using Red Hat Enterprise Linux 7.6
Setting Up an HTTP Distribution Point on Jamf Pro

Step 1: Setting Up SMB on Jamf Pro Using Red Hat Enterprise Linux 7.6

Confirm the version of Red Hat Enterprise Linux you are using by executing the following command:
```
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)
```
Install net-tools to allow for basic network operations by executing the following command:
```
$ sudo yum -y install net-tools
```
Install the Samba service by executing the following command:
```
$ sudo yum -y install samba*
```
Add users for the service and set passwords. You will need two accounts: one with read-only permissions and another with full permissions to the file share.
1. Create the read-only account, jamfR by executing the following command:
```
$ sudo useradd -d /home/jamfR jamfR -s /bin/false -N
```
2. Set the password by executing the following command:
```
$ sudo smbpasswd -a jamfR 
New SMB password: 
Retype new SMB password: 
Added user jamfR.
```
3. Create the full-access account, jamfRW by executing the following command:
```
$ sudo useradd -d /home/jamfRW jamfRW -s /bin/false -N
```
4. Set the password by executing the following command:
```
$ sudo smbpasswd -a jamfRW 
New SMB password: 
Retype new SMB password: 
Added user jamfRW.
```
Create a location for the file share by executing the following command:
```
$ sudo mkdir -p /usr/local/jamf/jamfShare
```
Set the owner of the account that has full access to the file share by executing the following command:
```
$ sudo chown jamfRW /usr/local/jamf/jamfShare
```
Set permissions on the file share by executing the following command:
```
$ sudo chmod 755 /usr/local/jamf/jamfShare
```
Edit the Samba configuration file by executing the following command:
```
$ sudo vi /etc/samba/smb.conf
```

Add the following code block directly above the line that starts with [global]:

[jamfShare]
    comment = jamfShare
    path = /usr/local/jamf/jamfShare
    browsable = yes
    guest ok = no
    read only = yes
    create mask = 0755
    read list = jamfR
    write list = jamfRW
    valid users = jamfR, jamfRW

Configure the firewall to allow Samba traffic by executing the following command:
```
$ sudo firewall-cmd --add-service=samba —permanent
```
Reload the firewall to activate the new rule by executing the following command:
```
$ sudo firewall-cmd --reload
```
To manage SELinux configuration, install semanage by executing the following command:
```
$ sudo yum -y install policycoreutils-python
```

Set the SELinux configuration to allow Samba read/write permissions by executing the following commands:

$ sudo setsebool -P smbd_anon_write=1
$ sudo semanage fcontext -a -t public_content_rw_t "/usr/local/jamf(/.*)?"
$ sudo restorecon -Rv /usr/local/jamf

Start the Samba service by executing the following command:
```
$ sudo systemctl start smb
```
Enable the service at startup by executing the following command:
```
$ sudo systemctl enable smb
```
Using Terminal on a Mac, ensure you can connect to the file share (use port 139 and/or 445) by executing the following command:
```
$ nc -v fqdn.of.server 139
Connection to 172.27.1.33 port 139 [tcp/netbios-ssn] succeeded!
```
Add the file share to your Jamf Pro server:
1. In Jamf Pro, click Settings in the top-right corner of the page.
2. Click Server Infrastructure, and then click File Share Distribution Points.
3. Click New.
4. Enter a Display Name for the file share and the fully qualified domain name of the server:
5. Click the File Sharing tab and enter the Share Name that was defined in the Samba configuration file. Leave the Workgroup Or Domain field blank and the Port set to 139:
6. Enter the credentials for the two Samba accounts that you created earlier:
7. Click Save.

Step 2: Setting Up an HTTP Distribution Point on Jamf Pro

Install httpd (Apache) to allow for distribution over HTTP by executing the following command:
```
$ sudo yum -y install httpd
```
To secure the web share. install mod_ssl (for sharing over HTTPS) by executing the following command:
```
$ sudo yum -y install mod_ssl
```
Create a configuration file that will be used to generate a certificate request by executing the following command:
```
$ vi req.conf
```

Enter information similar to the following, and adjust the settings as needed for your environment:

[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = fqdn.of.server
emailAddress = admin@your.domain
O = Corp
OU = IT
L = Minneapolis
ST = Minnesota
C = US
[ req_ext ]
subjectAltName = DNS: fqdn.of.server, DNS: cname.of.server

Create the certificate signing request by executing the following command:

$ openssl req -new -config req.conf -keyout sslkey.pem -out ssl.csr
Generating a 4096 bit RSA private key
.....................................................................++
...++
writing new private key to 'sslkey.pem'
-----

Note:

This command also creates the private key file (sslkey.pem). Store the private key file in a secure location.

Copy the contents of the ssl.csr file.

Note: When copying, be sure to include the first (-----BEGIN CERTIFICATE REQUEST-----) and last (-----END CERTIFICATE REQUEST-----) lines.

Use cat to display the file contents by executing the following command:

$ cat ssl.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIFETCCAvkCAQAwgY4xFzAVBgNVBAMMDmZxZG4ub2Yuc2VydmVyMSAwHgYJKoZI
hvcNAQkBFhFhZG1pbkB5b3VyLmRvbWFpbjENMAsGA1UECgwEQ29ycDELMAkGA1UE
.
.
.
gMDxBCeRhg2uctDYH4z7DXkA9facd+Ij0Ws73p75Jz7gCFE9D1BtCeF7RZhniBUl
jvi93tjtXNUseQQRy4TfheQneeF8hoRqCm7/Tzju2+Yxvv9ew4gsvCmVu/GQqlea
vR/veW4=
-----END CERTIFICATE REQUEST-----

In Jamf Pro, navigate to Settings > Global Management > PKI Certificates.
Click on the Management Certificate Template tab, and then click the Create Certificate from CSR button:
Click the Certificate Type pop-up menu, choose Web Server Certificate, and then paste the CSR into the text field:
Click Create and the certificate will download to the Downloads folder. (If prompted about permitting the download, click Allow).
Copy the certificate (.pem file) to the Red Hat Enterprise Linux server by executing the following command.
```
$ scp ~/Downloads/C\=US\,ST\=Minnesota\,L\=Minneapolis\,OU\=IT\,O\=Corp\,E\=admin@your.domain\,CN\=fqdn.of.server.pem jssadmin@fqdn.of.server:webshareSSL.pem
```
Note:
Rename the certificate file while copying it to make the name more manageable.
Move the certificate and private key .pem files to their respective default directories by executing the following commands:
```
$ sudo mv /home/jssadmin/webshareSSL.pem /etc/pki/tls/certs/
$ sudo mv /home/jssadmin/sslkey.pem /etc/pki/tls/private/
```

Set the owner and permissions on the certificate and private key files by executing the following commands:

$ sudo chown root:root /etc/pki/tls/certs/webshareSSL.pem
$ sudo chown root:root /etc/pki/tls/private/sslkey.pem
$ sudo chmod 600 /etc/pki/tls/certs/webshareSSL.pem
$ sudo chmod 600 /etc/pki/tls/private/sslkey.pem

Modify the ssl.conf file so it will use the certificate and private key that you created. Change the lines ssl.conf as indicated in the table below after executing the following command:

$ sudo vi /etc/httpd/conf.d/ssl.conf


Original Lines	Change to the Following
`Listen 443 https`	`Listen 0.0.0.0:443 https`
`#DocumentRoot "/var/www/html"`	`DocumentRoot "/usr/local/jamf"`
`#ServerName www.example.com:443`	`ServerName fqdn.of.server:443`
`SSLCertificateFile /etc/pki/tls/certs/localhost.crt`	`SSLCertificateFile /etc/pki/tls/certs/webshareSSL.pem`
`SSLCertificateKeyFile /etc/pki/tls/private/localhost.key`	`SSLCertificateFile /etc/pki/tls/certs/webshareSSL.pem`
`<Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> # SSL Protocol Adjustments:`	`<Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> <Directory "/usr/local/jamf"> AuthType Basic AuthName "Authorization Required" AuthUserFile /etc/httpd/.htpasswd Require valid-user </Directory> # SSL Protocol Adjustments:`

Modify the document root in the httpd.conf file by executing the following command and changing the line as indicated in the table below:

$ sudo vi /etc/httpd/conf/httpd.conf


Original Line	Change to the Following
`DocumentRoot "/var/www/html"`	`DocumentRoot "/usr/local/jamf"`

Create the password file and configure the Samba read-only user to have access to the HTTPS share by executing the following command:
Important:
The -c option will delete and recreate the password file if one exists. If you have an existing configuration do not use the -c option.
```
$ sudo htpasswd -c /etc/httpd/.htpasswd jamfR
New password:
Re-type new password:
Adding password for user jamfR
```

Set owner and permissions on the password file by executing the following command:

$ sudo chown apache:root /etc/httpd/.htpasswd
$ sudo chmod 0460 /etc/httpd/.htpasswd

Configure the firewall to allow HTTPS traffic. List the currently active zones by executing the following command:
```
$ sudo firewall-cmd --get-active-zones public interfaces: ens192
```
Add the zone and the service to the firewall configuration by executing the following command:
```
$ sudo firewall-cmd --zone=public --add-service=https --permanent
```
Activate the new configuration by reloading the firewall by executing the following command:
```
$ sudo firewall-cmd --reload
```
Configure SELinux policies to allow read access to the web share by executing the following command:
```
$ sudo semanage fcontext -a -t httpd_sys_content_t "/usr/local/jamf(/.*)?"
```
Apply the new configuration by executing the following command:
```
$ sudo restorecon -Rv /usr/local/jamf
```

Configure SELinux to allow access to the certificate and private key:

Allow access to the certificate by executing the following commands:

$ sudo semanage fcontext -a -t cert_t /etc/pki/tls/certs/webshareSSL.pem
$ sudo restorecon -v /etc/pki/tls/certs/webshareSSL.pem

Allow access to the private key by executing the following commands:

$ sudo semanage fcontext -a -t cert_t /etc/pki/tls/private/sslkey.pem 
$ sudo restorecon -v /etc/pki/tls/private/sslkey.pem

Disable the default web page by executing the following command:

$ sudo mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.backup

Start the web server (httpd) by executing the following command:
```
$ sudo systemctl start httpd
```
Enable the service at startup by executing the following command:
```
$ sudo systemctl enable httpd
```
Add the web share to the Jamf Pro server:
1. Navigate to the SMB share that you created earlier, and click the HTTP/HTTPS tab.
2. Select Use HTTP downloads to enable the service.
3. Complete the configuration and click Save.
You should now be able to use Jamf Admin to replicate packages to the new distribution point. After replication is complete, the HTTPS distribution point can quickly be tested by directing your web browser to a URL similar to the following:
```
https://fqdn.of.server/jamfShare/Packages/<somePackage.pkg>
```
When prompted for credentials, enter the read-only (JamfR) account credentials and click Log In.
If prompted about permitting the download, click Allow, and the package should successfully download.