209.1. SAMBA Server Configuration
**Weight:** 5
Description: Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS and printer shares is covered. Also covered is configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
Key Knowledge Areas:
Samba 4 documentation
Samba 4 configuration files
Samba 4 tools and utilities and daemons
Mounting CIFS shares on Linux
Mapping Windows user names to Linux user names
User-Level, Share-Level and AD security
Terms and Utilities:
smbd, nmbd, winbindd
smbcontrol, smbstatus, testparm, smbpasswd, nmblookup
samba-tool
net
smbclient
mount.cifs
/etc/samba/
/var/log/samba/
In the old days it was easy to find a group of computers which just talked to each other and were isolated from other types of computers, but that rarely happens nowadays. As system administrators or engineers, we might be expected to know how to set up and maintain a network with multiple types of servers.
Two key players in today's computing world are Linux and Microsoft Windows. It is easy to find both of them in a server farm, so we need to know about some differences and the solutions which might be helpful.
In this lesson we will talk about some of these differences and we will see how SAMBA can help us. The first difference between Microsoft Windows and Linux is in the name resolution method.
NetBIOS Name Resolution
One of the important steps in trying to resolve IP problems is determining if name resolution is working. The first issue is determining the kind of name. In the Windows client world, there are two basic types of names. The first kind is a name for IP addresses. Host name resolution uses a hosts file and DNS for resolution. The second kind of name is the NetBIOS name, which is used for Windows (SMB) type sharing and messaging. These are the names that are used when you are mapping a drive or connecting to a printer. These names are resolved either by using an LMHosts file on the local machine or a WINS server, or by broadcasting a request. Let's draw the big picture of name resolution:

The order is not really important and can be modified, but the default order is like this:
The first resolution mechanism is not really a resolution mechanism at all. It is an internal cache that is in each Windows machine. This cache is populated by previous name resolution attempts and by a special option in the LMHosts file (described next).
The second resolution method is where the LMHosts file is consulted to see if there are any NetBIOS names that match the NetBIOS name being queried. In its simplest form, the LMHosts file contains an IP address and a host name.
The third resolution mechanism used by the local computer to resolve the NetBIOS name involves consulting one or more naming servers. In most cases, the naming server contacted is a Windows Internet Naming Server (WINS). Technically, you could create a NetBIOS naming server that is not a WINS server, but it is rarely done.
The fourth and final resolution method is to broadcast for the NetBIOS name. The computer broadcasts a special packet that is received and processed by all machines on the network. The packet then requests that the computer identify itself. This is effective within a local network but is ineffective across routers, which do not forward broadcast packets.
So if we want to communicate with the Microsoft Windows operating system we need to find a way to work with this NetBIOS name resolution. The other protocol which needs a little explanation and review is SMB.
SMB Protocol
The Server Message Block Protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. Created by IBM in the 1980s, the SMB protocol has since spawned multiple variants or implementations, also known as dialects, to meet evolving network requirements over the years.
SMB protocol dialects: Variants of the SMB protocol have improved the original implementation's capabilities, scalability, security and efficiency. Here is a brief overview of the SMB protocol's notable dialects:
SMB 1.0 (1984): Created by IBM for file sharing in DOS.
CIFS (1996): Microsoft-developed SMB dialect that debuted in Windows 95. Added support for larger file sizes, transport directly over TCP/IP, and symbolic links and hard links.
SMB 2.0 (2006): Released with Windows Vista and Windows Server 2008.
SMB 2.1 (2010): Introduced with Windows Server 2008 R2 and Windows 7.
SMB 3.0 (2012): Debuted in Windows 8 and Windows Server 2012.
SMB 3.02 (2014): Introduced in Windows 8.1 and Windows Server 2012 R2.
SMB 3.1.1 (2015): Released with Windows 10 and Windows Server 2016.
CIFS vs. SMB
As noted in the list above, CIFS is an early dialect of the SMB protocol developed by Microsoft. Although the terms are sometimes used interchangeably, CIFS only refers to a single implementation of SMB. Most modern systems use more recent dialects of the SMB protocol.
Security Levels
There are two basic means for protecting resources offered on a network. Each method strives to make the protected resources available only to users who have been authorized access to these resources.
Share-level security involves securing connections to a network share point by a password. Users who know the name of the share point and the password can connect to the share point. All subdirectories and files found under the share point are accessible by using only the single password.
User-level security involves using access controls in the file system and does not stop at placing a single password on an entire tree of resources (although you can do it that way if you want). Instead, access permissions can be placed on any directory or file in a directory, or subdirectories. When a user connects to a resource protected by user-level security mechanisms, the user must first authenticate himself (log on to the server) using his username and password. The user then is granted access rights to each file or directory on the resource, either by the access control restrictions implicitly placed on the resource or by inheritance of access rights.
SAMBA vs SMB
Released in 1992, Samba is an open source implementation of the SMB protocol for Unix systems and Linux distributions. It supports file sharing and print services, authentication and authorization, name resolution, and service announcements between Linux/Unix servers and Windows clients.
Samba Versions
For all versions of Samba, the goal is the same: sharing Windows resources with Unix-style operating systems such as Linux, and sharing Linux resources with Windows systems. Unfortunately, support for Microsoft systems is a moving target: Redmond is not exactly renowned for their willingness to publish specifications, and the software giant keeps extending its SMB/CIFS protocols from one Windows version to the next. Open source developers try to keep track of the changes to SMB by using tools such as Ethereal to sniff connections, but Microsoft stepped up its game with Windows 2000, introducing the object-based directory system called Active Directory Service.
Samba Version 3 vs 4
When Samba 3 was released in 2003, it consisted of three services: the file server smbd, the name server nmbd, and the authentication server winbind. In their interaction with the rest of the system, these three services provided a file service and an NT4 domain controller.
In December 2012, the open source world received the first, and very long awaited, release of the Samba 4.x series. Samba 4 has been under development for 10 years. In that same time, the Samba 3.x series also has seen numerous releases and advancements. This parallel development has led to some confusion over the nature of Samba 4; and, some distributions release both samba3 and samba4 packages that can be installed in parallel, with varying degrees of success.
Samba 4.x is a full replacement and upgrade to Samba 3. For the first time, it's now possible to use Samba 4 to map a full Windows domain structure on Linux.

Samba 4's support for an Active Directory domain means that it needs to provide a wider range of services: Classic NETBIOS name resolution was superseded by DNS, authentication was centralized using Kerberos, and centralized data storage was implemented via LDAP – only the file server remained the same, with changes to match the new structure.

Traditionally Samba is comprised of three main daemons (smbd, nmbd, and winbindd).
**nmbd**: The nmbd daemon provides NetBIOS name service and browsing support. The configuration file for this daemon is described in smb.conf.
**smbd**: The smbd daemon provides the file and print services to SMB clients, such as Windows 95/98, Windows NT, Windows for Workgroups or LanManager.
**winbindd**: winbindd is a daemon that is used for integrating authentication and the user database into Unix.
According to the samba man page:
1- nmbd
The nmbd server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood view. The default port that the server listens to for NMB traffic is UDP port 137. The configuration file for this daemon is described in smb.conf. The nmbd daemon is controlled by the smb service.
In Linux we can use the nmblookup command.
nmblookup
nmblookup is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries. All queries are done over UDP.
For example, let's look up the NetBIOS name of a Windows 7 client:
Use nmblookup WORKGROUP to look up all the computers in a workgroup.
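The name that nmblookup puts in such a query is not sent as plain text. The NetBIOS name is upper-cased, space-padded to 15 bytes, given a one-byte service suffix (0x00 for the workstation service, 0x20 for the file server service that smbd answers for, 0x1D for the local master browser of a workgroup, 0x1B for the domain master browser), and each of the 16 bytes is split into two nibbles that are written as the letters A to P, so "WORKGROUP" travels to UDP port 137 as a 32-letter string. The encoder and decoder below are an added example in Python, not code from this lesson or from the Samba project; the suffix constants are the standard values from the NetBIOS specification (RFC 1001/1002), and the functions assume ASCII names.

```python
# Added example (not part of the lesson): first-level encoding of NetBIOS
# names as carried in name queries on UDP port 137 (RFC 1001/1002).
from typing import Tuple

# Well-known suffix byte (the 16th byte of a NetBIOS name) for a few services.
SUFFIX_WORKSTATION = 0x00     # workstation service
SUFFIX_DOMAIN_MASTER = 0x1B   # domain master browser
SUFFIX_MASTER_BROWSER = 0x1D  # local master browser of a workgroup
SUFFIX_FILE_SERVER = 0x20     # file server service (what smbd answers for)


def encode_netbios_name(name: str, suffix: int = SUFFIX_WORKSTATION) -> str:
    """Return the 32-letter first-level encoding of a NetBIOS name.

    The name is upper-cased and padded to 15 bytes, the suffix byte is
    appended, and every byte is split into two nibbles, each written as
    the letter 'A' + nibble (so 0x00 -> "AA", 0x57 -> "FH").
    """
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("a NetBIOS name is at most 15 characters")
    # The wildcard name "*" (node status queries) is padded with NUL bytes,
    # every ordinary name is padded with spaces.
    pad = b"\x00" if raw == b"*" else b" "
    raw = raw + pad * (15 - len(raw)) + bytes([suffix & 0xFF])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> Tuple[str, int]:
    """Inverse of encode_netbios_name: return (name, suffix byte)."""
    if len(encoded) != 32 or any(not ("A" <= c <= "P") for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(
        ((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
        for i in range(0, 32, 2)
    )
    # Strip the padding (spaces, or NULs for the wildcard name).
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


if __name__ == "__main__":
    wire = encode_netbios_name("WORKGROUP", SUFFIX_MASTER_BROWSER)
    print(wire)                       # FHEPFCELEHFCEPFFFACACACACACACABN
    print(decode_netbios_name(wire))  # ('WORKGROUP', 29)
```

Knowing the encoded form helps when reading a packet capture of port 137 traffic or an nmbd log, where names appear as these letter strings; the wildcard name `*` encodes to `CK` followed by thirty `A`s, which is what a node status query carries.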
2- smbd
The smbd server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol. The default ports on which the server listens for SMB traffic are TCP ports 139 and 445. The configuration file for this daemon is described in smb.conf. The smbd daemon is controlled by the smb service.
Setting Up Anonymous Samba File Sharing
One of the reasons why Samba is so relevant is that it provides file and print services to SMB/CIFS clients, which lets those clients see the server as if it were a Windows system.
Samba installation
There are three samba related packages that are mostly used:
**samba**: provides the software for the server.
**samba-client**: the package that contains all the client programs (to connect to Samba servers or Windows file shares).
**samba-common**: contains software which is used both by the Samba server and the Samba client.
There is another useful package with Samba 4, cifs-utils, which contains the latest Windows security changes. Here we have used Ubuntu:
Now lets create a shared samba directory where the files will be stored:
And set appropriate permissions on the directory:
/etc/samba/smb.conf
Samba configuration is straightforward. All modifications to Samba are done in the /etc/samba/smb.conf configuration file.
Although the default smb.conf file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
The file consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. There are three special sections, [global], [homes] and [printers].
The configuration file really only has one main section. The [global] section and its directives provide all the options and parameters required for the Samba daemon (smbd) and NetBIOS daemon (nmbd) to operate within the network. This (in a nutshell) is how our server will operate and be seen on the network.
Each section in the configuration file (except for the [global] section) describes a shared resource (known as a "share"). The section name is the name of the shared resource and the parameters within the section define the share's attributes.
For now we just want to set up an anonymous share, so we add a new section at the bottom of the smb.conf configuration file:
where
[Anonymous]: The name inside the brackets is the name of our share.
comment: A brief description of the share.
path: The directory of our share.
browsable: When set to yes, file managers such as Ubuntu's default file manager will list this share under "Network" (it could also appear as browseable).
read only: Permission to modify the contents of the share folder is only granted when the value of this directive is no.
writable : Inverted synonym for read only.
guest ok : If this parameter is yes for a service, then no password is required to connect to the service.
force user: This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. We should also use it carefully, as using it incorrectly can cause security problems.
Keep in mind that although we are setting some permissions here, the underlying file system permissions still apply.
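Because these parameters interact (a share is writable if the last of read only / writable says so, and guest ok together with force user decides which local account anonymous clients act as), it is easy to ship a share that is more open than intended. The reviewer below is an added example in Python, not code from this lesson or from the Samba project: it parses the share sections using the parameter names explained above (plus Samba's alternative spellings writeable, write ok, browseable and public) and reports shares that anonymous users can write to, shares that force user to root, and a security setting other than user, which ties in with the user-level versus share-level discussion earlier. The sample smb.conf at the bottom is constructed for the example; its share paths and the smbgrp group are assumptions.

```python
# Added example (not part of the lesson): a small smb.conf reviewer that
# flags share settings which give anonymous clients more than intended.
import configparser
from typing import Dict, List

# Samba accepts several spellings for some parameters; map them to one name.
_SYNONYMS = {
    "writeable": "writable",
    "write ok": "writable",
    "browseable": "browsable",
    "public": "guest ok",
}
_SPECIAL_SECTIONS = {"global", "homes", "printers"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.

    Parameter names are lower-cased and normalised; values keep their case.
    Insertion order is preserved, which matters for read only / writable.
    """
    cp = configparser.ConfigParser(
        interpolation=None,           # leave Samba's %U, %H ... substitutions alone
        strict=False,                 # tolerate repeated sections or parameters
        delimiters=("=",),            # smb.conf only uses '=' between name and value
        comment_prefixes=("#", ";"),  # both are comment characters in smb.conf
    )
    cp.read_string(text)
    return {
        section: {_SYNONYMS.get(k, k): v.strip() for k, v in cp.items(section)}
        for section in cp.sections()
    }


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def is_writable(params: Dict[str, str]) -> bool:
    """'read only' and 'writable' are inverted synonyms for one setting, so the
    last one that appears wins. Samba's default is read only = yes."""
    writable = False
    for key, value in params.items():
        if key == "read only":
            writable = not _yes(value)
        elif key == "writable":
            writable = _yes(value)
    return writable


def audit_smb_conf(text: str) -> List[str]:
    """Return one finding per risky setting, in the order the file declares them."""
    conf = parse_smb_conf(text)
    findings: List[str] = []
    security = conf.get("global", {}).get("security", "user").lower()
    if security != "user":
        findings.append(f"[global] security = {security}; user-level security is expected")
    for section, params in conf.items():
        if section.lower() in _SPECIAL_SECTIONS:
            continue
        guest = _yes(params.get("guest ok", "no"))
        writable = is_writable(params)
        forced = params.get("force user", "")
        path = params.get("path", "?")
        if guest and writable:
            findings.append(f"[{section}] anonymous users can write to {path}")
        if forced.lower() == "root":
            findings.append(f"[{section}] force user = root: every client acts as root on {path}")
        elif forced and guest:
            findings.append(f"[{section}] guest access is mapped to local account '{forced}'")
    return findings


# Constructed sample using the parameters explained above (not a real server's file).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User

[Anonymous]
   comment = Anonymous File Server Share
   path = /srv/samba/anonymous
   browsable = yes
   writable = yes
   guest ok = yes
   read only = no
   force user = nobody

[Secured]
   comment = Share for authenticated users only
   path = /srv/samba/secured
   valid users = @smbgrp
   guest ok = no
   writable = yes
   browsable = yes
"""

if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(finding)
```

Run it against /etc/samba/smb.conf after testparm has accepted the file; testparm catches syntax errors and unknown parameters, while this check is about combinations that are valid but risky. The path on a finding is also the place to verify that the underlying file system permissions, which still apply, are as tight as the share is meant to be.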
testparm
Now verify the current Samba settings by running the testparm command (not testparam, be careful):
Finally, start and enable the Samba services to start automatically at next boot and also apply the above changes. On modern Ubuntu the main Samba service is samba-ad-dc.
In order for our changes to take effect we need to restart the Samba service, but there is a Samba tool called smbcontrol. The
smbcontrol
smbcontrol is a very small program which sends messages to an smbd, nmbd, or winbindd daemon running on the system. The smbcontrol -? command prints a summary of command line options. The general format of the command is like this:
We can use it to reload the smb.conf configuration without restarting the service:
After reloading the configuration in whichever way you like, we can show all Samba shares with smbclient:
smbclient
smbclient is a client that is part of the Samba software suite. It communicates with a LAN Manager server, offering an interface similar to that of the ftp program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.
To see which shares are available on a given host:
and it's time to check the result from our Windows 7 client:

smbstatus
smbstatus is a very simple program to list who is connected and what shares they currently have, as well as locked file(s) if there are any:
in our example:
net
The Samba net utility is meant to work just like the net utility available for Windows and DOS. The first argument should be used to specify the protocol to use when executing a certain command. ADS is used for Active Directory, RAP is used for old (Win9x/NT3) clients and RPC can be used for NT4 and Windows 2000. If this argument is omitted, net will try to determine it automatically. Not all commands are available on all protocols.
The net status command can list all SMB connections:
and sessions:
Secure Samba File Sharing
The first step in securing a Samba file share is making a union between passwords. Both Linux and Microsoft Windows operating systems use hashed passwords. Since a hash function is one-way, this provides some measure of security for the storage of the passwords. But the problem is that Linux and Windows do not use the same hash algorithm to store passwords!
Normally, Windows stores passwords on single computer systems using the SAM. The Security Accounts Manager (SAM) is a registry file in Windows NT and later versions up to the most recent Windows 10. It stores users' passwords in a hashed format (LM hash and NTLM hash).
In Linux distributions login passwords are commonly hashed and stored in the /etc/shadow file using the MD5 algorithm. The security of the MD5 hash function has been severely compromised by collision vulnerabilities. This does not mean MD5 is insecure for password hashing, but in some distributions SHA algorithms are used (as recommended by the NSA), which are more secure and don't have known weaknesses (we can change it using the pam_unix module, which will be described in the PAM lesson).
Offf, so it seems impossible to come to a conclusion. The solution is using a separate mechanism to hash and store passwords and use it for SMB share authentication.
For demonstration we create a new share directory :
and a new samba user:
smbpasswd
This tool lets us create the smbpasswd file, which is the Samba encrypted password file:
It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed. In Ubuntu try cat /usr/bin/smbpasswd to see the contents.
OK, now let's configure smb.conf to add a new secure share:
after checking configurations with testparm and restarting samba service (samba|samba-ad-dc), check the results:

Do not forget that Samba's default security level is user level; however, it is configurable. Also we create a test file inside it called "testfileinsecured.txt".
Mounting the Samba Share in Linux
First let's make sure the Samba share is accessible from our CentOS client (it needs samba-client):
It is good to know that smbclient can be used to access a share without mounting it:
We can mount (and later unmount) this network share when needed with mount command:
We could also have used the mount.cifs command (the same as mount -t cifs), which is part of the cifs-utils suite. cifs-utils is available with Samba v4 and generally it is not required when we talk about Samba v3. The reason to use it goes back to the security enhancements and changes in new Microsoft Windows versions, and the new cifs-utils knows how to deal with them (in Samba 3 use user=user1).
To make our share permanent, we should add the following entry to the **/etc/fstab** file:
Obviously it is not a good idea to put the username and password in the fstab file, so let's define them somewhere else:
Where the hidden file /mnt/.smbcredentials (whose permissions and ownership have been set to 600 and root:root, respectively) contains two lines that indicate the username and password of an account that is allowed to use the share:
and in order to check it without rebooting:
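The credentials file only helps if nobody but root can read it, and the fstab line must not carry the password itself. The helper below is an added example in Python, not code from this lesson or from cifs-utils: it creates the credentials file with mode 0600 from the moment it exists, builds the matching /etc/fstab line using the credentials= option of mount.cifs, and checks both. The server address 192.168.1.10, the share name secured, the mount point /mnt/secured and the account user1 are constructed values; because the demo runs in a temporary directory as whichever user invokes it, the root:root ownership the lesson asks for still has to be applied with chown when the file is put in place as root.

```python
# Added example (not part of the lesson): create a mount.cifs credentials file
# safely, build the fstab entry that references it, and check both.
import os
import stat
import tempfile
from typing import Dict


def write_smb_credentials(path: str, username: str, password: str, domain: str = "") -> str:
    """Write a mount.cifs credentials file that only its owner can read."""
    lines = [f"username={username}", f"password={password}"]
    if domain:
        lines.append(f"domain={domain}")
    # Create with mode 0600 from the start so the file is never briefly world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # make it exactly 0600 whatever the umask was
    return path


def fstab_entry(server: str, share: str, mountpoint: str, credentials: str,
                extra_options: str = "") -> str:
    """Build the /etc/fstab line for the share, pointing at the credentials file."""
    options = f"credentials={credentials},_netdev"  # _netdev: wait for the network
    if extra_options:
        options += "," + extra_options
    return f"//{server}/{share} {mountpoint} cifs {options} 0 0"


def credentials_file_is_private(path: str) -> bool:
    """True if the path is a regular file with no group or other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def fstab_entry_leaks_password(line: str) -> bool:
    """True if a cifs fstab line carries the password inline (pass= or password=)."""
    fields = line.split()
    if len(fields) < 4 or fields[2] != "cifs":
        return False
    return any(opt.startswith(("pass=", "password=")) for opt in fields[3].split(","))


def demo() -> Dict[str, object]:
    """Run the procedure in a temporary directory with constructed values."""
    workdir = tempfile.mkdtemp()
    cred = write_smb_credentials(os.path.join(workdir, ".smbcredentials"), "user1", "s3cret")
    entry = fstab_entry("192.168.1.10", "secured", "/mnt/secured", cred, "uid=1000,gid=1000")
    with open(cred) as handle:
        content = handle.read()
    return {
        "private": credentials_file_is_private(cred),
        "content": content,
        "entry": entry,
        "leaks": fstab_entry_leaks_password(entry),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

After placing the real file, `mount -a` applies the fstab entry without a reboot, and `credentials_file_is_private` is the check to repeat whenever the file is edited, since a careless edit with a permissive umask can silently reopen it.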
Also there are some GUI options that we can use.

/var/log/samba
Samba is extremely robust. Once we have everything set up the way we want, we'll probably forget that it is running. When trouble occurs, it's typically during installation or when we're trying to reconfigure the server. The Samba log files can help diagnose the vast majority of the problems faced by beginning- to intermediate-level Samba administrators.
The level of logging that Samba uses can be set in the smb.conf file using the global log level or debug level option.
Samba and Active Directory
Until now we have seen that Samba provides file and print services for various Microsoft Windows clients, but as we mentioned in the introduction it has another ability: it can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.
Samba configuration is straightforward. Although the default smb.conf file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
3- winbindd
The winbind service resolves user and group information on a server running Windows NT 2000 or Windows Server 2003. This makes Windows user / group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind service is controlled separately from the smb service.
The winbindd daemon is controlled by the winbind service and does not require the smb service to be started in order to operate. Winbindd is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and/or interdomain trust). Because winbind is a client-side service used to connect to Windows NT-based servers, further discussion of winbind is beyond the scope of this manual.