cheatsheet on Seneca samba setup
1 Commands to know:
smbclient, mount -t cifs (mount.cifs from cifs-utils, which replaced the old smbmount), smb.conf, testparm, smbpasswd, pdbedit, smbstatus, getsebool, setsebool
These are my settings for the SAMBA lab of OPS 335 winter 2020 course
2 Cheat summary
- /etc/samba/smb.conf
- smbpasswd -a kaapvaal-zintis # create a smb user called kaapvaal-zintis
- smbpasswd kaapvaal-zintis # change the smb password for kaapvaal-zintis
- pdbedit -L -v # list all accounts in the Samba password database, verbose
- testparm # check smb.conf for errors and dump the effective configuration parameters
# checks connectivity to samba.
- smbclient //sa/gawler -U gawler-zintis -W gawler -d 3
- smbclient //sa/gawler -U gawler-zintis -W gawler
- smbclient //192.168.107.101 -U
- smbclient //localhost/home -U \kaapvaal-zintis
- smbclient sa -U \kaapvaal-zintis
- smbclient '\\vm2\homes' -U zintis
2.1 What services are available on the remote server?
- smbclient -L vm2
- smbclient -L sa
- smbclient -L //sa, which expanded to -L //southamerica (I did not specify a username, but it automatically inserted my linux username from which I issued the smbclient -L //sa command)
- see detailed section on smbclient below.
Also, from a terminal/ssh on vm2, running testparm
will show you info.
zintis@asia ~[159] $ smbclient -L sa                   # >>> first as user "zintis"
directory_create_or_exist: mkdir failed on directory /var/lib/samba/lock/msg.lock: Permission denied
Unable to initialize messaging context
Enter SAMBA\zintis's password:
Anonymous login successful                             # <<< did NOT log in as zintis

        Sharename       Type      Comment
        ---------       ----      -------
        sarmation       Disk      sarmation
        kaapvaal        Disk      kaapvaal
        gawler          Disk      gawler share
        laurasia        Disk      laurasia
        gondwana        Disk      gondwana share
        home            Disk      zintis-home
        IPC$            IPC       IPC Service (Zintis-Samba-SA)
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
zintis@asia ~[160] $
zintis@asia ~[161] $ smbclient -L sa -U sarmation-zintis    # <<< now as a different user
directory_create_or_exist: mkdir failed on directory /var/lib/samba/lock/msg.lock: Permission denied
Unable to initialize messaging context
Enter SAMBA\sarmation-zintis's password:

        Sharename        Type      Comment
        ---------        ----      -------
        sarmation        Disk      sarmation
        kaapvaal         Disk      kaapvaal
        gawler           Disk      gawler share
        laurasia         Disk      laurasia
        gondwana         Disk      gondwana share
        home             Disk      zintis-home
        IPC$             IPC       IPC Service (Zintis-Samba-SA)
        sarmation-zintis Disk      generic homes
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
- Error:
directory_create_or_exist: mkdir failed on directory /var/lib/samba/lock/msg.lock: Permission denied
This comes from running smbclient as an unprivileged user while the client's smb.conf points the lock directory at /var/lib/samba/lock, which only root can write; it is harmless for the client and the share listing still works. A discussion and a partial fix was found on bugzilla.redhat.com.
The "Unable to connect with SMB1 -- no workgroup available" lines are also benign: the workgroup/master browser listing only exists in SMB1 over NetBIOS (port 139), and the server accepted no SMB1 dialect (server min protocol = SMB2_02 is the default from Samba 4.11). The share listing itself was retrieved over SMB2/3 on port 445, which is what matters.
Another source of info: try the net command
net usershare info --long
/usr/bin/net -> /etc/alternatives/net
/etc/alternatives/net -> /usr/bin/net.samba3
man net: net - Tool for administration of Samba and remote CIFS servers.
2.2 -I option: only needed if netbios names do not match your tcp/ip hostnames
for example smbclient -L ftp -I ftp.microsoft.com
- mount -t cifs //vm2/home /tmp/vm2-home -o username=kaapvaal-zintis
- dnf install cifs-utils # provides /sbin/mount.cifs, the helper that mount -t cifs needs (nfs-utils is the NFS client package)
- mount -t cifs //vm2/home /tmp/vm2-home -o username=zintis
2.3 smb: \> command prompt
smbclient command has these common parameters:
- -W workgroup
- -U username
Where workgroup is the value of the workgroup = line in the [global] section of smb.conf (there is no [workgroup] section).
smbclient //sa/gawler -U gawler-zintis -W gawler
Enter GAWLER\gawler-zintis's password:
Try "help" to get a list of possible commands.
smb: \> net use
net: command not found
smb: \> help
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            deltree        dir
du             echo           exit           get            getfacl
geteas         hardlink       help           history        iosize
lcd            link           lock           lowercase      ls
l              mask           md             mget           mkdir
more           mput           newer          notify         open
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir
posix_unlink   posix_whoami   print          prompt         put
pwd            q              queue          quit           readlink
rd             recurse        reget          rename         reput
rm             rmdir          showacls       setea          setmode
scopy          stat           symlink        tar            tarmode
timeout        translate      unlock         volume         vuid
wdel           logon          listconnect    showconnect    tcon
tdis           tid            utimes         logoff         ..
!
smb: \> l
  .                                   D        0  Mon Jul 27 23:41:24 2020
  ..                                  D        0  Sun Apr  5 15:14:17 2020
  Assignment2                         D        0  Sat Apr 11 10:25:33 2020
  Gawler-was-here                     N        0  Wed Jul 22 18:22:32 2020
  .DS_Store                          AH     8196  Wed Jul 22 17:01:54 2020
  ._mbp-gawler-zintis.rtf            AH     4096  Wed Jul 22 17:01:43 2020
  ._.DS_Store                        AH     4096  Sat Apr 11 10:58:04 2020
  gawler.txt                          A       15  Mon Jul 27 23:41:24 2020
  mbp-gawler-zintis.rtf               A      422  Wed Jul 22 15:45:16 2020

                3542752 blocks of size 1024. 1338124 blocks available
smb: \> pwd
2.3.1 Remote server commands to teach
- cd
- pwd
- dir or ls
- mkdir or md
- rmdir or rd
- rm
- get remote-file [localfile]
- mget (multiple get)
- put <some-local-file>
- mput (multiple put)
- prompt
- del
- quit
2.3.2 Local commands to teach
lcd
3 Samba install
dnf install samba samba-client
Result of dnf list --installed (the samba packages):
libsmbclient.x86_64
samba.x86_64                 4.10.4-101.el8_1   @BaseOS
samba-client.x86_64          4.10.4-101.el8_1   @BaseOS
samba-client-libs.x86_64     4.10.4-101.el8_1   @BaseOS
samba-common.noarch          4.10.4-101.el8_1   @BaseOS
samba-common-libs.x86_64     4.10.4-101.el8_1   @BaseOS
samba-common-tools.x86_64    4.10.4-101.el8_1   @BaseOS
samba-libs.x86_64            4.10.4-101.el8_1
4 SELinux (Security-Enhanced Linux) boolean values
"A given SELinux policy can be customized by enabling or disabling a set of policy Booleans. Booleans allow parts of SELinux policy to be changed at run time, without any knowledge of SELinux policy writing. This allows changes without reloading or recompiling SELinux policy."
SELinux policy is customizable based on the least access required. The smbd policy is extremely flexible and has several booleans that let you adjust the policy and run smbd with the tightest access possible.
For example, if you want to allow samba to export ntfs/fusefs volumes, you must turn on the samba_share_fusefs boolean.
5 setsebool
Booleans are set with setsebool in SELinux.
From the man page:
setsebool sets the current state of a particular SELinux boolean or a list of booleans to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it. Without the -P option, only the current boolean value is affected; the boot-time default settings are not changed. If the -P option is given, all pending values are written to the policy file on disk. So they will be persistent across reboots.
For example, to tell SELinux to allow samba to share users' home directories:
setsebool -P samba_enable_home_dirs on
(use_samba_home_dirs is the client-side boolean, for a host whose users' home directories are themselves on a cifs mount; there is no samba_enable_dirs boolean.)
Options:
-P  all pending values are written to the policy file on disk, so they will be persistent across reboots
-N  the policy on disk is not reloaded into the kernel
-V  verbose
Here are the setsebool settings related to SAMBA to consider. (The boolean names use underscores; they were lost when this list was pasted. Note that samba_export_all_ro, samba_export_all_rw and samba_run_unconfined effectively switch off the confinement of smbd for the whole filesystem; labelling just the share path samba_share_t, as in 8.6, is the least-privilege option.)
setsebool -P samba_share_fusefs 1
If you want to allow samba to export ntfs/fusefs volumes, you must turn on the samba_share_fusefs boolean.
setsebool -P samba_export_all_ro 1
If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean.
setsebool -P virt_use_samba 1
If you want to allow virt to manage cifs files, you must turn on the virt_use_samba boolean.
setsebool -P samba_create_home_dirs 1
If you want to allow samba to create new home directories (e.g. via PAM), you must turn on the samba_create_home_dirs boolean.
setsebool -P samba_enable_home_dirs 1
If you want to allow samba to share users' home directories, you must turn on the samba_enable_home_dirs boolean.
setsebool -P samba_share_nfs 1
If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean.
setsebool -P sanlock_use_samba 1
If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean.
setsebool -P samba_run_unconfined 1
If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean.
setsebool -P samba_domain_controller 1
If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean.
setsebool -P samba_export_all_rw 1
If you want to allow samba to share any file/directory read/write, you must turn on the samba_export_all_rw boolean.
setsebool -P samba_portmapper 1
If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.
setsebool -P use_samba_home_dirs 1
If you want to support SAMBA home directories (home directories that are themselves on a cifs mount), you must turn on the use_samba_home_dirs boolean.
setsebool -P smbd_anon_write 1
If you want to allow samba to modify public files used for public file transfer services, the files/directories must be labeled public_content_rw_t and you must turn on the smbd_anon_write boolean (called allow_smbd_anon_write in older policies).
6 getsebool -a
You can read off all the SELinux boolean values with the command:
sudo getsebool -a
and set individual booleans with setsebool (section 5). To see only the Samba-related ones:
getsebool -a | grep -i samba
(smbd_anon_write does not match this grep; check it on its own with getsebool smbd_anon_write.)
root@southamerica~[1001] $ getsebool -a | grep -i samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on    # <<<<
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off
root@southamerica~[1002] $
7 semanage
CentOS 6 introduced a new way of listing all the available booleans, including a short description of their function: semanage boolean -l. Other semanage boolean commands allow for manipulation of the variables, similar to what setsebool does in the previous releases.
7.1 semanage boolean -l
lists all SELinux boolean values
See: wiki.centos.org for what seboolean variables most Centos systems have.
8 Samba config files:
8.1 /etc/samba/smb.conf
cat /etc/samba/smb.conf
[global]
    workgroup = WORKGROUP
    server string = Zintis-Samba-vm2
    encrypt passwords = yes
    security = user
    passdb backend = tdbsam
    unix extensions = no
    client use spnego = no    # this should have been yes.
[home]
    comment = Zintis-samba-vm2
    path = /home/zintis
    public = no
    writable = yes
    printable = no
    create mask = 0765
    valid users = zintis
[homes]
    comment = automatic home share
    public = no
    writable = yes
    printable = no
    create mask = 0765
    browseable = no
    hosts allow = 192.168.0.0/16 127.0.0.1
- SPNEGO is the "Simple and Protected GSS-API Negotiation Mechanism" from RFC 2478 (since superseded by RFC 4178).
SPNEGO is how an SMB client and server agree on an authentication mechanism (Kerberos or NTLMSSP) inside the session setup. It enables Kerberos authentication in particular; with client use spnego = no the client falls back to the older, non-SPNEGO session setup and Kerberos is ruled out. It is a client-side parameter, so in this file it only affects smbclient and mount.cifs run from vm2, not what the server accepts.
client use spnego = yes is the default.
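Before restarting smbd it is worth checking the config for the settings discussed above that weaken the server. The following is an added example, not from the lab notes and not a Samba tool: a shell lint (check_smb_conf, my name) that reads an smb.conf and reports client use spnego = no, a missing or SMB1-era server min protocol, map to guest other than Never, guest/public shares, masks or force modes that grant write to everyone, and the absence of a global hosts allow. Both configs inside it are constructed: the first mirrors the lab smb.conf above plus an invented [pub] share at /srv/pub, the second is the same server hardened (the 192.168.111.0/24 network is the one from the testparm dump later on).

```shell
#!/bin/sh
# Added example (not from the lab notes and not a Samba tool): a lint for the
# smb.conf settings that matter for security. Reads the file given as $1
# (default /etc/samba/smb.conf; "-" for stdin) and prints one finding per line.
check_smb_conf() {
    awk '
    /^[ \t]*[#;]/ { next }                          # comments
    /^[ \t]*\[/   { sect = tolower($1); next }      # [global], [homes], ...
    {
        line = tolower($0)
        sub(/^[ \t]+/, "", line)
        n = split(line, kv, "[ \t]*=[ \t]*")
        key = kv[1]; val = (n > 1) ? kv[2] : ""
        sub(/[ \t]+$/, "", val)
    }
    key == "server min protocol"               { minproto = val }
    key == "hosts allow" && sect == "[global]" { global_hosts = 1 }
    key == "client use spnego" && val == "no" {
        print sect ": client use spnego = no rules out Kerberos when this host acts as an SMB client" }
    key == "encrypt passwords" && val == "no" {
        print sect ": encrypt passwords = no allows plaintext password authentication" }
    key == "map to guest" && val != "never" {
        print sect ": map to guest = " val " turns failed logins into guest sessions" }
    (key == "guest ok" || key == "public") && val == "yes" {
        print sect ": share is open to anonymous (guest) access" }
    key ~ /^(create mask|directory mask|force create mode|force directory mode)$/ &&
        val ~ /[2367]$/ {
        print sect ": " key " = " val " grants write to everyone (other)" }
    END {
        if (minproto == "")
            print "[global]: server min protocol not set; Samba before 4.11 then still accepts SMB1 (NT1)"
        else if (minproto ~ /^(nt1|lanman|core)/)
            print "[global]: server min protocol = " minproto " keeps SMB1 enabled"
        if (!global_hosts)
            print "[global]: no hosts allow; any share without its own hosts allow accepts every client"
    }' "${1:-/etc/samba/smb.conf}"
}

# Constructed sample modelled on the lab smb.conf above (not the real file),
# plus an invented [pub] share.
WEAK_CONF=$(cat <<'EOF'
[global]
    workgroup = WORKGROUP
    server string = Zintis-Samba-vm2
    security = user
    passdb backend = tdbsam
    client use spnego = no
    map to guest = bad user
[homes]
    comment = automatic home share
    writable = yes
    browseable = no
    create mask = 0765
    hosts allow = 192.168.0.0/16 127.0.0.1
[pub]
    path = /srv/pub
    public = yes
    force directory mode = 2777
EOF
)

# The same server hardened: SMB1 off, signing required, no guest fallback,
# a global hosts allow, and group-writable (not world-writable) setgid dirs.
HARDENED_CONF=$(cat <<'EOF'
[global]
    workgroup = WORKGROUP
    security = user
    passdb backend = tdbsam
    server min protocol = SMB2_02
    server signing = mandatory
    map to guest = Never
    restrict anonymous = 2
    hosts allow = 192.168.111.0/24 127.0.0.1
[homes]
    comment = automatic home share
    writable = yes
    browseable = no
    create mask = 0660
    directory mask = 2770
    force directory mode = 2770
EOF
)

# lint_count <config-text>: number of findings, handy in scripts
lint_count() {
    printf '%s\n' "$1" | check_smb_conf - | awk 'END { print NR }'
}

printf '%s\n' "$WEAK_CONF" | check_smb_conf -                       # 6 findings
printf 'hardened: %s findings\n' "$(lint_count "$HARDENED_CONF")"   # 0
```

Run it against the live file with check_smb_conf /etc/samba/smb.conf. It is a line-oriented heuristic: testparm -v remains the authority on what a parameter's effective value is, and the hardened settings assume clients that speak SMB2 or later.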
8.2 setgid in samba
I know this is an old thread, but this might help someone. I solved this by setting the setgid bit to 2 (instead of 0) so the directories / files are created with group write permissions, e.g.
force create mode = 2777
force directory mode = 2777
8.3 create mask
From the man page: create mask (S)
When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.
The default value of this parameter removes the group and other write and execute bits from the UNIX modes.
Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter which is set to 000 by default.
This parameter does not affect directory masks. See the parameter directory mask for details.
Default: create mask = 0744
Example: create mask = 0775
8.4 creation masks, from O'Reilly's book on SAMBA
File and directory creation masks are similar to umasks you have probably encountered while working with Unix systems. They are used to help define the permissions that will be assigned to a file or directory at the time it is created. Samba's masks work differently in that the bits that can be set are set in the creation mask, while in Unix umasks, the bits that cannot be set are set in the umask. We think you will find Samba's method to be much more intuitive.
Once in a while you might need to convert between a Unix umask and the equivalent Samba mask. It is simple: one is just the bitwise complement of the other. For example, an octal umask of 0022 has the same effect as a Samba mask of 0755.
Unix umasks are set on a user-by-user basis, usually while executing the GUI's or command-line shell's startup scripts. When users connect to a Samba share from a network client, these scripts are not executed, so Samba supplies the ability to set the creation masks for files and directories. By default, this is done on a share-by-share basis, although you can use the include parameter in the Samba configuration file (as explained in Chapter 6) to assign masks on a user-by-user basis, thus matching conventional Unix behavior.
To show how Samba's create masks work, suppose we have a Windows user connecting to his Unix home directory through Samba, and Samba is configured with create mask = 777 in the [homes] share. With this value, create mask will not affect the bits that are set on new files. If the user creates a file with Wordpad, it will appear in the Unix filesystem like this:
$ ls -l file.doc
-rwxrw-rw-  1 jay  jay  0 Sep 21 11:02 file.doc
Wordpad created the file with read/write permissions (i.e., the MS-DOS read-only attribute was not set), so Samba mapped the MS-DOS attributes to Unix read/write permissions for user, group, and other. The execute bit is set for the owner because by default, the map archive parameter is set to yes. The other execute bits are not set because map system and map hidden are set to no by default. You can customize this behavior as you see fit, and unless you do backups from MS-DOS or Windows systems, you might want to specify map archive = no to avoid Windows files from appearing as executables on the Unix system.
Now suppose we set create mask to have an effect. For example:
[homes]
create mask = 664
This is equivalent to a Unix umask of 113. If the user creates the Wordpad document as before, it will show up as:
$ ls -l file.doc
-rw-rw-r--  1 jay  jay  0 Sep 22 16:38 file.doc
Comparing this to the previous example, notice that not only has the write permission for other disappeared as we expected, but so has the execute permission for owner. This happened because the value of create mask logically ANDs the owner's permissions with a 6, which has masked off the execute bit. The lesson here is that if you want to enable any of map archive, map system, or map hidden, you must be careful not to mask off the corresponding execute bit with your create mask.
The directory mask option works similarly, masking permissions for newly created directories. The following example will allow the permissions of a newly created directory to be, at most, 755:
[data]
directory mask = 755
Also, you can force various bits with the force create mode and force directory mode options. These options will perform a logical OR against the file and directory creation masks, ensuring that those bits that are specified will always be set. You would typically set these options globally to ensure that group and world read/write permissions have been set appropriately for new files or directories in each share.
In the same spirit, if you wish to explicitly set the Unix user and group attributes of a file created on the Windows side, you can use the force user and force group options. For example:
[data]
create mask = 744
directory mask = 755
force user = joe
force group = accounting
These options assign the same Unix username and group to every client that connects to the share. However, this occurs after the client authenticates; it does not allow free access to a share. These options are frequently used for their side effects of assigning a specific user and group to each new file or directory that is created in a share. Use these options with discretion.
Finally, one of the capabilities of Unix that DOS lacks is the ability to delete a read-only file from a writable directory. In Unix, if a directory is writable, a read-only file in that directory can still be removed. This could permit you to delete files in any of your directories, even if the file was left by someone else.
DOS filesystems are not designed for multiple users, and so its designers decided that read-only means "protected against accidental change, including deletion," rather than "protected against some other user on a single-user machine." So the designers of DOS prohibited removal of a read-only file. Even today, Windows filesystems exhibit the same behavior.
Normally, this is harmless. Windows programs don't try to remove read-only files because they know it's a bad idea. However, a number of source-code control programs—which were first written for Unix—run on Windows and require the ability to delete read-only files. Samba permits this behavior with the delete readonly option. To enable this functionality, set the option to yes:
[data]
delete readonly = yes
8.5 directory mask
directory mask (S)
This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.
When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit not set here will be removed from the modes set on a directory when it is created.
The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode, allowing only the user who owns the directory to modify it.
Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory mode parameter.
force directory mode is set to 000 by default (i.e. no extra mode bits are added).
Default: directory mask = 0755
Example: directory mask = 0775
8.6 Lastly, tell SELinux that smbd may serve the "share" folder
In our case since I created a share with path = /supercontinents/cratons I have to issue the command:
chcon -R -t samba_share_t /windata
See man chcon, but basically, -R (recursively) labels everything under the given directory with the type (-t) samba_share_t, the type smbd is allowed to read and write; use your own share path in place of /windata.
chcon is for changing context. It only changes the labels as they are now: a relabel (restorecon, or a full relabel at boot) puts the files back to whatever the policy says, so for a permanent share also record the path with semanage fcontext (-a -t samba_share_t on the share path, with (/.*)? appended to cover its contents) and then run restorecon -R on it.
8.7 create mask vs create mode
From linux-training.be
"Similar to create mask, but different. Where the mask from above was a logical AND, the mode you set here is a logical OR (so it adds permissions). You can use the force create mode and force directory mode to set the minimal required permissions for newly created files and directories."
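The AND-then-OR arithmetic in 8.3 to 8.7 is easy to get wrong, so here is a small POSIX shell helper (added to these notes; it is not Samba code and not from the sources quoted above) that reproduces it: the DOS-mapped mode is ANDed with create mask / directory mask and the result is ORed with force create mode / force directory mode. It also converts a Unix umask to the equivalent Samba mask, and flags a resulting mode that gives write to everyone or carries setuid, which is exactly what the force create mode = 2777 suggestion in 8.2 produces. The function names are mine; modes are octal strings with a leading 0.

```shell
#!/bin/sh
# Added example, not part of the lab notes or of Samba: reproduce smbd's mode
# arithmetic from smb.conf(5). All arguments are octal with a leading 0
# (POSIX $(( )) treats 0-prefixed constants as octal).

# samba_mode <dos-mapped-mode> <mask> <force-mode>
#   (mapped AND mask) OR force, printed as four octal digits, e.g. 0664.
samba_mode() {
    printf '%04o\n' $(( ($1 & $2) | $3 ))
}

# umask_to_mask <umask>
#   A Samba create mask is the bitwise complement of a Unix umask (0022 -> 0755).
umask_to_mask() {
    printf '%04o\n' $(( ~$1 & 0777 ))
}

# mode_is_loose <mode>
#   Exit 0 when the mode grants write to "other" or carries setuid. Such a
#   result from force create mode / force directory mode is almost never
#   wanted on a multi-user share.
mode_is_loose() {
    [ $(( $1 & 02 )) -ne 0 ] || [ $(( $1 & 04000 )) -ne 0 ]
}

# Worked cases from the text: Wordpad's file maps to 0766 (rwxrw-rw-).
echo "mask 0777, force 0000: $(samba_mode 0766 0777 0000)"      # 0766
echo "mask 0664, force 0000: $(samba_mode 0766 0664 0000)"      # 0664
echo "lab create mask 0765:  $(samba_mode 0766 0765 0000)"      # 0764
# A setgid shared directory done safely: group-writable, not world-writable.
echo "dir mask 0770, force 02770: $(samba_mode 0777 0770 02770)"  # 2770
for m in 02777 02770; do
    if mode_is_loose "$m"; then echo "$m: world-writable or setuid"; else echo "$m: ok"; fi
done
```

Note that the lab's create mask = 0765 turns Wordpad's 0766 into 0764 (the group loses write), which is the kind of surprise this helper is for.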
9 Setting up smb users
9.1 smbpasswd -a <userid>
Each user that will access an smb share on a Samba server has to be defined in smb, using the smbpasswd -a <userid> command.
The userid has to already be defined as a userid on the unix system i.e. in /etc/passwd. The Samba password is stored separately (in the tdbsam database named in smb.conf) and is independent of the Unix login password.
Once a user has been created (using the above smbpasswd -a command) you can change a user's password by dropping the -a. For example:
smbpasswd userid
9.2 pdbedit -L -v
Confirm that the user was created using pdbedit -L -v
Remember it as "Password Database Edit"
---------------
Unix username:        zintis
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1353011415-3308762633-1882441262-1000
Primary Group SID:    S-1-5-21-1353011415-3308762633-1882441262-513
Full Name:            zintis
Home Directory:       \\vm2\zintis
HomeDir Drive:
Logon Script:
Profile Path:         \\vm2\zintis\profile
Domain:               VM2
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
Password last set:    Fri, 06 Mar 2020 18:45:54 EST
Password can change:  Fri, 06 Mar 2020 18:45:54 EST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
root@vm2 /etc/samba [309]$
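The smbpasswd -a step above is interactive, which does not scale past a couple of lab users. As an added example (not from the notes and not a Samba tool; the function names are mine) here is how to script it: smbpasswd -s takes the new password and its confirmation from stdin, the Unix account is checked first because smbpasswd needs it, and uid 0 is refused so root never gets an SMB login.

```shell
#!/bin/sh
# Added example, not from the lab notes and not a Samba tool: give existing
# Unix users a Samba password without the interactive prompts of smbpasswd -a.

# lookup_user <name>: passwd entry for the user, via NSS (getent) when available
lookup_user() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1"
    else
        awk -F: -v u="$1" '$1 == u { print; f = 1 } END { exit !f }' /etc/passwd
    fi
}

# provision_smb_user <unix-user> <password>
#   returns 2 when the Unix account is missing, 3 for uid 0, else smbpasswd's status
provision_smb_user() {
    name=$1
    pw=$2
    entry=$(lookup_user "$name") || { echo "no Unix account for $name" >&2; return 2; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    if [ "$uid" -eq 0 ]; then
        echo "refusing to set a Samba password for uid 0 ($name)" >&2
        return 3
    fi
    # smbpasswd -s reads the new password and then its confirmation from stdin
    printf '%s\n%s\n' "$pw" "$pw" | smbpasswd -a -s "$name"
}

# random_password: 16 alphanumeric characters from /dev/urandom
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# provision_many: one Unix username per line on stdin. Prints "user password"
# once per created account; that is the only copy, so redirect it somewhere safe.
provision_many() {
    while read -r user; do
        [ -n "$user" ] || continue
        pw=$(random_password)
        if provision_smb_user "$user" "$pw" >/dev/null; then
            echo "$user $pw"
        fi
    done
}

# Usage on the Samba server, as root:
#   provision_smb_user gawler-zintis 'S0me-Passw0rd'
#   printf 'kaapvaal-zintis\nsarmation-zintis\n' | provision_many
#   pdbedit -L -v -u gawler-zintis      # confirm the account exists
```

The passwords never go on the command line (where ps and the shell history would record them), only through the pipe to smbpasswd.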
9.3 pdbedit as generic user editing tool
From the man page: There are five main ways to use pdbedit:
- adding a user account,
- removing a user account,
- modifying a user account,
- listing user accounts,
- importing users accounts.
9.3.1 options
-v verbose
9.3.2 examples:
pdbedit -L -v
9.4 testparm
To see the effective parameters of a Samba server, and to check smb.conf for mistakes before restarting smbd, use the testparm command. Below it warns that the "home" share has no usable path and marks it unavailable, which is the kind of thing it catches.
testparm
Load smb config files from /etc/samba/smb.conf
WARNING: No path in service home - making it unavailable!
NOTE: Service home is flagged unavailable.
Loaded services file OK.
Server role: ROLE_STANDALONE

--- Press enter to see a dump of your service definitions ---

# Global parameters
[global]
    security = USER
    server string = Zintis-Samba-vm2
    encrypt passwords = yes
    idmap config * : backend = tdb

[home]
    available = No
    comment = Zintis-samba-vm2
    path = /home/<yourSenecaID>
    create mask = 0765
    read only = No
    valid users = zintis

[homes]
    browseable = No
    comment = automatic home share
    public = no
    create mask = 0765
    hosts allow = 192.168.111.0/24 127.0.0.1
    read only = No
root@vm2 /etc/samba [308]$
10 smbclient
10.1 smbclient -L
This lists the shares available to a given login. With no -U, smbclient sends the Unix username you are logged in as; pressing Enter at the password prompt then gives an anonymous (guest) session if the server allows one, which is what "Anonymous login successful" in the 2.1 output means. A server that should not hand its share names to unauthenticated clients needs restrict anonymous = 2 and map to guest = Never in [global].
- smbclient -L vm2 # this is an anonymous connection (no passwd needed)
- smbclient -L southamerica # this is an anonymous connection (no passwd needed)
- smbclient -L //sa # this is an anonymous connection (no passwd needed); it expanded to -L //southamerica (I did not specify a username, but it automatically inserted my linux username from which I issued the smbclient -L //sa command)
- smbclient -L //sa -U kaapvaal-zintis this failed "Unable to connect with SMB1 – no workgroup available" That was because user "kaapvaal-zintis" was not set up as a "valid user" for the share /home, only zintis. ? No it is deeper than that…
zintis@southamerica ~ [159]$ smbclient -L //southamerica
Unable to initialize messaging context
Enter WORKGROUP\zintis's password:

        Sharename       Type      Comment
        ---------       ----      -------
        pana            Disk      panaeaic
        cratons         Disk      craton
        home            Disk      zintis-home
        IPC$            IPC       IPC Service (Zintis-Samba-SA)
        zintis          Disk      generic homes
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
zintis@southamerica ~ [160]$ smbclient -L //southamerica -U gawler-zintis
Unable to initialize messaging context
Enter WORKGROUP\gawler-zintis's password:

        Sharename       Type      Comment
        ---------       ----      -------
        pana            Disk      panaeaic
        cratons         Disk      craton
        home            Disk      zintis-home
        IPC$            IPC       IPC Service (Zintis-Samba-SA)
        gawler-zintis   Disk      generic homes
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
zintis@southamerica ~ [161]$
- smbclient '//127.0.0.1/home' -U zintis
- smbclient //vm2/home -U zintis
- smbclient '\\vm2\homes' -U zintis
- smbclient -U zintis -L sa # where sa resolves to southamerica (dns)
- smbclient //localhost/home -U \kaapvaal-zintis
10.2 smbclient by ip address
Usually samba servers are referred to or called by name.
smbclient '\\vm2\home' -U zintis
smbclient //sa/gawler -U gawler-zintis -W gawler
But if you don't have dns or /etc/hosts defined, you can simply
smbclient //sa/gawler -U gawler-zintis -I 172.28.105.5
Also using mount
via ip address:
mount -t cifs //sa/gawler <mount-point> -o ip=172.28.105.8
Apparently you don't even need the -I so this should work:
smbclient //172.28.105.5/home -U zintis
Apparently though, you need to provide a different client max protocol by using the -m option, like so: smbclient //172.28.105.8/home -m SMB3 ?
10.3 troubleshooting smbclient
smbclient -d 3 -L //sa -W WORKGROUP -U zintis
smbclient -d 3 -L //10.5.4.25 -W workgroup -U userid   (i.e. include the workgroup)
10.4 Sample output after successful smbclient run on Europe:
root@southamerica ~ [991]$ smbclient -L //sa -U gawler-zintis
Enter WORKGROUP\gawler-zintis's password:

        Sharename       Type      Comment
        ---------       ----      -------
        pana            Disk      panaeaic
        cratons         Disk      craton
        home            Disk      zintis-home
        IPC$            IPC       IPC Service (Zintis-Samba-SA)
        gawler-zintis   Disk      generic homes
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
root@southamerica ~ [992]$
root@southamerica ~ [992]$ smbclient -d 3 -L //sa -U gawler-zintis
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface ens3 ip=172.28.105.8 bcast=172.28.105.8 netmask=255.255.255.255
Client started (version 4.10.4).
Connecting to 172.28.105.8 at port 445
got OID=1.3.6.1.4.1.311.2.2.10
Enter WORKGROUP\gawler-zintis's password:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215

        Sharename       Type      Comment
        ---------       ----      -------
        pana            Disk      panaeaic
        cratons         Disk      craton
        home            Disk      zintis-home
        IPC$            IPC       IPC Service (Zintis-Samba-SA)
        gawler-zintis   Disk      generic homes
Reconnecting with SMB1 for workgroup listing.
Connecting to 172.28.105.8 at port 139
got OID=1.3.6.1.4.1.311.2.2.10
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
root@southamerica ~ [993]$
Reading the -d 3 output: the client went to port 445 first, the server offered OID 1.3.6.1.4.1.311.2.2.10 inside SPNEGO (that OID is NTLMSSP, so this was NTLM, not Kerberos), and the NTLMSSP Sign/Seal lines show session signing being set up. The second connection, to port 139, is the SMB1 fallback used only for the workgroup listing; at this point (Samba 4.10.4) the server still accepted SMB1, unlike in the later 2.1 run.
10.5 session log on vm2 as root
root@vm2 /etc/samba [341]$ smbclient //localhost/home -U zintis
Enter WORKGROUP\zintis's password:
Try "help" to get a list of possible commands.
smb: \> help
(same command list as in section 2.3)
smb: \> l
  .                                   D        0  Wed Mar  4 23:12:43 2020
  ..                                  D        0  Fri Mar  6 10:25:42 2020
  .bash_logout                        H       18  Fri May 10 20:16:55 2019
  .bash_profile                       H      141  Fri May 10 20:16:55 2019
  .ssh                               DH        0  Sun Jan 26 23:39:47 2020
  .bash_history                       H    11509  Fri Mar  6 21:13:45 2020
  iptab-original-clean                N     1069  Sun Feb  9 18:47:20 2020
  iptab-vm2-lab2b-needs-work          N     1261  Sun Feb  9 19:16:18 2020
  iptab-vm2-lab2b-clean               N     1406  Mon Feb 10 01:20:38 2020
  dead.letter                         N     1700  Fri Feb 28 11:33:44 2020
  .lesshst                            H       51  Mon Feb 24 13:12:44 2020
  iptables-clean-Mar-2nd              N     1557  Mon Mar  2 20:11:40 2020
  .bashrc                             H     1147  Wed Mar  4 19:20:30 2020
  iptables-clean-lab4b-thunderbird    N     1634  Wed Mar  4 23:12:43 2020

                6486016 blocks of size 1024. 4755716 blocks available
smb: \>
--------------------------
11 Useful smbclient commands
smbclient '\\vm2\homes' -U zintis
This opens up an interactive smbclient session to the remote server vm2. The password prompt is for the smb password of user zintis, not the Unix login password.
smbclient -L vm2
From vm1 or vm3, this will list the shares on vm2.
mount -t cifs //vm2/home /tmp/vm2-home -o username=zintis
This is giving me grief: "bad option; you might need a /sbin/mount.<type> helper program"
???
Online someone was trying
mount -t cifs -o username=user //server/share /mountpoint
Order did not matter, both gave the same error.
I had to install nfs-utils and then no more error. (on vm2 by zintis)
sudo dnf install nfs-utils
mount -t cifs //vm2/home /tmp/vm2-home -o username=zintis
Some people installed cifs-utils, then it worked no problem.
11.1 Trying mount -t cifs on europe.continents.earth.ops
mount -t cifs //eu/home /tmp/eu-home -o username=zintis
Password for zintis@//eu/home: **
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
I was able to mount //vm2/home from vm1
11.2 sudo umount -a -t cifs -l
To un-mount all cifs mounts.
12 Trying konqueror and brave browsers and URL smb://vm2/home
The proper URL syntax is: smb://username@server/share/fubar
12.1 Konqueror in 2004 needed to mount first
(remember this is old, and probably obsolete)
mkdir /mnt/smb
mount -t smbfs -o username=yoursmbusernamehere //remotemachineip/remotesharename /mnt/smb
then you will probably be prompted for a password
12.2 Konqueror settings need smb?
add kdebase3-samba package and check that smb protocol is activated in konqueror settings (previews&meta-data)
Shall I install kdebase3-samba ?
12.3 chrome on my macbook pro
Open smb://<outside ip address of c8host>/home where home is a "share" defined in /etc/samba/smb.conf file as a section, [home]
I did this successfully just by going to the root smb URL and then logging in as one of the three users. Each user would be mounted to the correct corresponding directory. Cool.
13 Accessing from Windows 10
Can open file explorer, then click the dropdown arrow in the address bar (at top) then type: \\192.168.128.76\ and voila! (192.168.128.76 has to be the outside interface on your c8host, and you need proper iptables masquerading set up.)
Also, you can use the net use command from a windows command line:
net use <driveletter>: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YES
That is another way to switch different users for different shares.
From the GUI you can do it as well, using: TOOLS menu, select "Map Network Drive", then click the "connect using different credentials" checkbox.
For the net use command, if you enter * for the password, you will be prompted to enter the password. Safer not to leave passwords lying around in network map shortcuts, batch files or the command history…
For my Windows 10 guest vm I did the following:
net use Z: \\192.168.128.76\gawler /USER:gawler-zintis * /PERSISTENT:YES
14 smbstatus
When a user is logged in / has a mounted SAMBA share you can see that with:
smbstatus
smbstatus

Samba version 4.11.2
PID     Username         Group            Machine                                    Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
50695   kaapvaal-zintis  kaapvaal-zintis  192.168.128.70 (ipv4:192.168.128.70:62378) SMB3_02           -                    partial(AES-128-CMAC)

Service      pid     Machine         Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
kaapvaal     50695   192.168.128.70  Wed Jul 22 06:26:41 PM 2020 EDT  -            -

Locked files:
Pid          User(ID)   DenyMode   Access      R/W        Oplock           SharePath                          Name   Time
--------------------------------------------------------------------------------------------------
50695        1004       DENY_NONE  0x100081    RDONLY     NONE             /supercontinents/cratons/kaapvaal  .      Wed Jul 22 18:26:40 2020
50695        1004       DENY_NONE  0x100081    RDONLY     NONE             /supercontinents/cratons/kaapvaal  .      Wed Jul 22 18:26:43 2020
The columns worth reading: the session is SMB3_02, Signing shows AES-128-CMAC, but Encryption is "-", so file contents cross the network in the clear. smb encrypt = required in smb.conf (per share or in [global]) makes smbd insist on SMB3 encryption for that share.
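smbstatus is also the place to check what the sessions actually negotiated. This added example (not from the notes and not from Samba; smb_session_audit is my name) parses smbstatus output and reports sessions that are unencrypted or that fell back to SMB1. The sample text is constructed in the Samba 4.11 layout: the lab session from above plus two invented ones, one encrypted SMB3.1.1 session and one SMB1 guest.

```shell
#!/bin/sh
# Added example, not from the lab notes: flag live SMB sessions that are not
# encrypted, or that negotiated SMB1, from smbstatus output.
# smb_session_audit reads smbstatus text on stdin and prints, per flagged
# session: pid user protocol encryption signing reason
smb_session_audit() {
    awk '
    /^PID[ \t]+Username/      { in_sessions = 1; next }   # start of the session table
    in_sessions && /^-+$/     { next }                     # dashed rule under the header
    in_sessions && /^[ \t]*$/ { in_sessions = 0; next }    # blank line ends the table
    in_sessions && NF >= 7 {
        # The Machine column is "ip (ipv4:ip:port)" and contains a space, so
        # take the trailing columns from the right instead of the left.
        pid = $1; user = $2; proto = $(NF-2); enc = $(NF-1); sign = $NF
        reason = ""
        if (proto ~ /^(NT1|LANMAN|CORE)/)  reason = "SMB1 session"
        else if (enc == "-")               reason = "no SMB encryption"
        if (reason != "") print pid, user, proto, enc, sign, reason
    }'
}

# Constructed sample in the smbstatus layout shown above (Samba 4.11): the lab
# session plus two invented ones, one encrypted SMB3_11 and one SMB1 guest.
SAMPLE_SMBSTATUS=$(cat <<'EOF'

Samba version 4.11.2
PID     Username         Group            Machine                                    Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
50695   kaapvaal-zintis  kaapvaal-zintis  192.168.128.70 (ipv4:192.168.128.70:62378) SMB3_02           -                    partial(AES-128-CMAC)
50701   zintis           zintis           192.168.128.71 (ipv4:192.168.128.71:62400) SMB3_11           AES-128-GCM          AES-128-GMAC
50700   nobody           nobody           192.168.128.90 (ipv4:192.168.128.90:50001) NT1               -                    -

Service      pid     Machine         Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
kaapvaal     50695   192.168.128.70  Wed Jul 22 06:26:41 PM 2020 EDT  -            -
EOF
)

printf '%s\n' "$SAMPLE_SMBSTATUS" | smb_session_audit
# Against a live server:  smbstatus | smb_session_audit
```

If this flags sessions you expected to be protected, set smb encrypt = required and server min protocol = SMB3_00 in [global], then re-run it; clients that speak SMB3 (Windows 8/2012 and later, mount.cifs with vers=3.0 and the seal option) will then show a cipher in the Encryption column.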
15 SAMBA iptables on c8host
SAMBA uses TCP ports:
- 139 for clear text SAMBA
- 443 for encrypted SAMBA
And while we are here,
- 389 for ldap (could be Active Directory, or openldap in our case.)
Other related ports:
- 137 Netbios name service
- 138 Netbios datagram service
- 139 Netbios session service
- 445 microsoft-ds, if you are using Active Directory
Can find the list of netbios services with grep -i netbios /etc/services
From cyberciti.biz a sample iptables chain for SAMBA is:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
Here are my FORWARD rules for SAMBA:
iptables -A FORWARD -d 192.168.111.12/32 -p tcp -m tcp --dport 139 -j LOG --log-prefix " . . F O R W A R D smb 139 to vm2 . ." --log-level 6
iptables -A FORWARD -d 192.168.111.12/32 -p tcp -m tcp --dport 139 -m comment --comment "Forward SMB to VM2" -j ACCEPT
iptables -A FORWARD -d 192.168.111.12/32 -p tcp -m tcp --dport 445 -m comment --comment "Forward SMSs to VM2" -j ACCEPT
iptables -A FORWARD -d 172.28.105.8/32 -p tcp -m tcp --dport 139 -j LOG --log-prefix " . . F O R W A R D smb south america ." --log-level 6
iptables -A FORWARD -d 172.28.105.8/32 -p tcp -m tcp --dport 139 -m comment --comment "Forward SMB to SA" -j ACCEPT
iptables -A FORWARD -d 172.28.105.8/32 -p tcp -m tcp --dport 445 -m comment --comment "Forward SMSs to SA" -j ACCEPT
And, here are my NAT rules for SAMBA when I want to forward SAMBA to 172.28.105.8
sudo iptables -t nat -A PREROUTING -i ens33 -p tcp -m tcp --dport 139 -j LOG --log-prefix " . . D N A T smb to southamer" --log-level 6
sudo iptables -t nat -A PREROUTING -i ens33 -p tcp -m tcp --dport 139 -m comment --comment "translate SMB destination to southamer" -j DNAT --to-destination 172.28.105.8
sudo iptables -t nat -A PREROUTING -i ens33 -p tcp -m tcp --dport 445 -m comment --comment "translate SMB destination to southamer" -j DNAT --to-destination 172.28.105.8
sudo iptables -t nat -A POSTROUTING -s 172.28.105.0/24 ! -d 172.28.105.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
sudo iptables -t nat -A POSTROUTING -s 172.28.105.0/24 ! -d 172.28.105.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
sudo iptables -t nat -A POSTROUTING -s 172.28.105.0/24 ! -d 172.28.105.0/24 -j MASQUERADE
16 IPTABLES for smb
What the logs look like when a client (SRC=192.168.128.78) connects through c8host to south america. Note that the LOG target truncates --log-prefix to 29 characters, which is why " . . F O R W A R D smb 139 to" runs straight into IN= below.
On c8host the PREROUTING DNAT rule fires first (DST is still the outside address 192.168.128.76), then the FORWARD rule sees the translated destination 172.28.105.8:
c8host kernel: . . D N A T smb to southamerIN=ens33 OUT= SRC=192.168.128.78 DST=192.168.128.76 PROTO=TCP SPT=50370 DPT=139
c8host kernel: . . F O R W A R D smb 139 toIN=ens33 OUT=virbr1 SRC=192.168.128.78 DST=172.28.105.8 PROTO=TCP SPT=50370 DPT=139
^C
F O R W A R D smb 139 to
On the Samba host the packets arrive (kernel log lines) but smbd refuses every connection. The check in lib/util/access.c is Samba's hosts allow / hosts deny evaluation, so a "Denied connection" here means the firewall did its job and smb.conf is rejecting the client address:
smbd[1498]: [2020/04/06 18:18:22.592661, 0] ../../lib/util/access.c:365(allowaccess) smbd[1498]: Denied connection from 192.168.128.78 (192.168.128.78)
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50370 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50371 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
smbd[1499]: [2020/04/06 18:18:22.798985, 0] ../../lib/util/access.c:365(allowaccess) smbd[1499]: Denied connection from 192.168.128.78 (192.168.128.78)
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50409 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
smbd[1555]: [2020/04/06 18:30:38.223874, 0] ../../lib/util/access.c:365(allowaccess) smbd[1555]: Denied connection from 192.168.128.78 (192.168.128.78)
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50410 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50411 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
smbd[1556]: [2020/04/06 18:30:38.419425, 0] ../../lib/util/access.c:365(allowaccess) smbd[1556]: Denied connection from 192.168.128.78 (192.168.128.78)
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= MAC=52:54:00:f3:b2:58:52:54:00:a5:97:c3:08:00 SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50413 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
smbd[1611]: [2020/04/06 18:31:33.654037, 0] ../../lib/util/access.c:365(allowaccess) smbd[1611]: Denied connection from 192.168.128.78 (192.168.128.78)
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50414 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50415 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
smbd[1614]: [2020/04/06 18:31:33.878762, 0] ../../lib/util/access.c:365(allowaccess) smbd[1614]: Denied connection from 192.168.128.78 (192.168.128.78)
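Added example (my own, not part of the course notes): a small Python script that reads log lines like the ones above, keyed on the DNAT / FORWARD prefixes and the smbd "Denied connection" message, and reports at which hop a client's SMB connection stopped. The sample log inside it is constructed from the excerpts above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modeled on the c8host and vm2 log excerpts in section 16.
SAMPLE_LOG = """\
c8host kernel: . . D N A T smb to southamerIN=ens33 OUT= SRC=192.168.128.78 DST=192.168.128.76 PROTO=TCP SPT=50370 DPT=139
c8host kernel: . . F O R W A R D smb 139 toIN=ens33 OUT=virbr1 SRC=192.168.128.78 DST=172.28.105.8 PROTO=TCP SPT=50370 DPT=139
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50370 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
smbd[1498]: [2020/04/06 18:18:22.592661, 0] ../../lib/util/access.c:365(allowaccess) smbd[1498]: Denied connection from 192.168.128.78 (192.168.128.78)
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50371 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
smbd[1499]: [2020/04/06 18:18:22.798985, 0] ../../lib/util/access.c:365(allowaccess) smbd[1499]: Denied connection from 192.168.128.78 (192.168.128.78)
"""
KV_RE = re.compile(r"([A-Z]+)=(\S*)")
DENY_RE = re.compile(r"smbd\[\d+\]: Denied connection from (\S+) \(")

def parse_kernel_line(line):
    """Return (log prefix, {KEY: value}) for an iptables LOG line, else None."""
    if "kernel:" not in line or "IN=" not in line:
        return None
    head, tail = line.split("IN=", 1)      # prefix runs straight into IN= (no trailing space)
    return head.split("kernel:", 1)[1].strip(), dict(KV_RE.findall("IN=" + tail))

def summarize(log_text):
    """Per client IP: which chains logged its SMB SYNs, and how often smbd refused it."""
    report = defaultdict(lambda: {"dnat": 0, "forwarded": 0, "arrived": Counter(), "denied": 0})
    for line in log_text.splitlines():
        if m := DENY_RE.search(line):
            report[m.group(1)]["denied"] += 1
        elif parsed := parse_kernel_line(line):
            prefix, kv = parsed
            if kv.get("PROTO") != "TCP" or kv.get("DPT") not in ("139", "445"):
                continue
            entry = report[kv["SRC"]]
            if "D N A T" in prefix:
                entry["dnat"] += 1
            elif "F O R W A R D" in prefix:
                entry["forwarded"] += 1
            else:                            # logged by the Samba host's own INPUT chain
                entry["arrived"][kv["DPT"]] += 1
    return dict(report)

def diagnose(entry):
    if entry["denied"] and sum(entry["arrived"].values()):
        return "reached smbd but rejected by host access control: check hosts allow / hosts deny"
    if entry["dnat"] and not entry["forwarded"]:
        return "DNAT applied but nothing forwarded: check the FORWARD chain"
    return "no SMB problem visible in these lines"

if __name__ == "__main__":
    print({src: diagnose(e) for src, e in summarize(SAMPLE_LOG).items()})
```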
17 troubleshooting
17.1 Lock files
It seems the group on files/directories under /var/lib/samba should be something like samba, into which any authorized users could be added so they can create/access files under /var/lib/samba/lock or /var/lib/samba/private. Doing this manually eliminates the error message and allows msg.sock and msg.lock to be created (though they are created as the user running smbclient, which would then likely cause problems for another user).
This seems to be related to the lock directory option in smb.conf (https://bugzilla.redhat.com/show_bug.cgi?id=1661959) pointing at a folder that ordinary users cannot write to.
18 OPS 335 proper smbclient use:
smbclient //sa/gawler -U gawler-zintis -W gawler -d 3
root@c8host ~[1007] $ smbclient //sa/gawler -U gawler-zintis -W gawler -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface virbr1 ip=172.28.105.1 bcast=172.28.105.255 netmask=255.255.255.0
added interface virbr0 ip=192.168.111.1 bcast=192.168.111.255 netmask=255.255.255.0
added interface ens33 ip=192.168.128.76 bcast=192.168.128.255 netmask=255.255.255.0
Client started (version 4.10.4).
resolve_lmhosts: Attempting lmhosts lookup for name sa<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name sa<0x20>
Connecting to 172.28.105.8 at port 445
got OID=1.3.6.1.4.1.311.2.2.10
Enter GAWLER\gawler-zintis's password:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Try "help" to get a list of possible commands.
smb: \> list
0: server=sa, share=gawler
smb: \>
18.1 A successful login from c8host to south america
Here is an example (FROM ROOT) smbclient //sa/gawler -U gawler-zintis -W gawler
root@c8host ~[1008] $ smbclient //sa/gawler -U gawler-zintis -W gawler
Enter GAWLER\gawler-zintis's password:
Try "help" to get a list of possible commands.
smb: \> net use
net: command not found
smb: \> help
smb: \> pwd
Current directory is \\sa\gawler\
smb: \> ls
  .                                   D        0  Mon Apr  6 19:59:24 2020
  ..                                  D        0  Sun Apr  5 15:14:17 2020
  three                               N        0  Mon Apr  6 19:59:24 2020
  one                                 N        0  Mon Apr  6 19:59:24 2020
  two                                 N        0  Mon Apr  6 19:59:24 2020

                3542752 blocks of size 1024. 1470436 blocks available
smb: \>
And now notice the EXACT SAME OUTPUT when I leave off the workgroup. So, who sets the workgroup? The //sa/gawler is just the "share" defined in the [gawler] section in /etc/samba/smb.conf I think. - confirm.
19 SAMBA SHARES Configuration
These are some of the most common share options.
- read list: who can read (could also be a group name, not just a user name)
- valid users: valid write users (could also be a group name)
- invalid users: obvious
- create mask: octal value
- directory mask: octal value; remember directories must have the execute bit set for proper access. Default IS 0755
- force user = sambashareuser is another option (not explored in OPS335)
- force create mode = what permissions to assign to new files created
- read only = yes # controls whether a user has the ability to create or modify
- guest ok = yes # if yes then no password is required. This is synonymous with public
- writeable = yes # what it says (for the whole share). This can be overridden by write list
- write list = user1 user2 user3 # a list of users who have write access
20 Checking samba shares on OPS335
The following smbclient commands confirm the detailed samba permissions requirements for Assignment 2.
This was run from the guest vm, asia, which has smbclient installed.
Step 1) was to create 3 different files, 1 for each samba user to write (or attempt to write) into each samba share:
cat > kaapvaal.txt
cat > sarmation.txt
cat > gawler.txt
cat > laurasia.txt
cat > gondwana.txt
Then we try each samba share from each of the 3 users, for a total of 15 attempts.
smbclient //sa/sarmation -U sarmation-zintis   > can write
smbclient //sa/sarmation -U gawler-zintis      > can write
smbclient //sa/sarmation -U kaapvaal-zintis    X
smbclient //sa/kaapvaal -U kaapvaal-zintis     > can write
smbclient //sa/kaapvaal -U gawler-zintis       > can write
smbclient //sa/kaapvaal -U sarmation-zintis    X
smbclient //sa/laurasia -U sarmation-zintis    > can write
smbclient //sa/laurasia -U kaapvaal-zintis     > can write
smbclient //sa/laurasia -U sarmation-zintis    > can write
smbclient //sa/laurasia -U kaapvaal-zintis     > can write
smbclient //sa/laurasia -U gawler-zintis       > can write
smbclient //sa/gondwana -U gawler-zintis
smbclient //sa/gondwana -U zintis
smbclient //sa/gondwana -U kaapvaal-zintis
smbclient //sa/gondwana -U sarmation-zintis
smbclient //sa/gawler -U gawler-zintis
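Added example (my own, not from the course notes): a Python script that automates the attempts above, running an smbclient put for each (share, user) pair and comparing the outcome with the matrix recorded on the page. It assumes the server is reachable as sa, that the per-user .txt files exist in the current directory, and that smbclient honours the PASSWD environment variable; the caller supplies the passwords interactively.

```python
import getpass
import os
import subprocess

# Expected write access from the attempts above (gondwana/gawler rows have no result on the page).
EXPECTED = {
    "sarmation": {"sarmation-zintis": True, "gawler-zintis": True, "kaapvaal-zintis": False},
    "kaapvaal": {"kaapvaal-zintis": True, "gawler-zintis": True, "sarmation-zintis": False},
    "laurasia": {"sarmation-zintis": True, "kaapvaal-zintis": True, "gawler-zintis": True},
}

def classify(returncode, output):
    """Turn the exit status and output of one 'smbclient ... -c put' run into a verdict."""
    if "NT_STATUS_LOGON_FAILURE" in output:
        return "bad credentials"
    if "tree connect failed" in output:
        return "no access to share"        # refused before any file operation
    if "NT_STATUS_ACCESS_DENIED" in output or "NT_STATUS_MEDIA_WRITE_PROTECTED" in output:
        return "read only"                 # connected, but the put was refused
    return "can write" if returncode == 0 else "error"

def try_put(server, share, user, password, localfile):
    """Try to upload localfile to //server/share as user; password via PASSWD env (smbclient(1))."""
    proc = subprocess.run(
        ["smbclient", f"//{server}/{share}", "-U", user, "-c", f"put {localfile}"],
        env=dict(os.environ, PASSWD=password), capture_output=True, text=True)
    return classify(proc.returncode, proc.stdout + proc.stderr)

def run_matrix(server, passwords, expected=EXPECTED):
    """Try every (share, user) pair in expected; passwords maps user -> password."""
    actual = {}
    for share, users in expected.items():
        for user in users:
            actual.setdefault(share, {})[user] = try_put(
                server, share, user, passwords[user], f"{user}.txt")
    return actual

def compare(actual, expected=EXPECTED):
    """List (share, user, verdict) where observed access differs from what is expected."""
    mismatches = []
    for share, users in expected.items():
        for user, should_write in users.items():
            got = actual.get(share, {}).get(user, "not tested")
            if got == "not tested" or (got == "can write") != should_write:
                mismatches.append((share, user, got))
    return mismatches

if __name__ == "__main__":
    users = sorted({u for members in EXPECTED.values() for u in members})
    passwords = {u: getpass.getpass(f"samba password for {u}: ") for u in users}
    print(compare(run_matrix("sa", passwords)) or "all shares behave as expected")
```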