cheatsheet on Seneca samba setup

1 Commands to know:

smbclient, mount -t cifs (replaces the old smbmount; the helper is mount.cifs from the cifs-utils package), smb.conf, testparm, smbpasswd, pdbedit, getsebool, setsebool

These are my settings for the Samba lab of the OPS 335 winter 2020 course.

2 Cheat summary

  • /etc/samba/smb.conf # the server configuration file
  • smbpasswd -a kaapvaal-zintis # create an smb account for the existing Unix user kaapvaal-zintis
  • smbpasswd kaapvaal-zintis # change the smb password for kaapvaal-zintis
  • pdbedit -L -v # list every account in the Samba password database, verbosely
  • testparm # parse smb.conf and dump the effective Samba configuration

Check connectivity to the Samba server (-d 3 raises the debug level so the protocol negotiation is shown):

  • smbclient //sa/gawler -U gawler-zintis -W gawler -d 3
  • smbclient //sa/gawler -U gawler-zintis -W gawler

smbclient //192.168.107.101 -U

  • smbclient //localhost/home -U \kaapvaal-zintis
  • smbclient sa -U \kaapvaal-zintis
  • smbclient '\\vm2\homes' -U zintis

2.1 What services are available on the remote server?

  • smbclient -L vm2
  • smbclient -L sa
  • smbclient -L //sa # this expanded to -L //southamerica (I did not specify a username, but it automatically inserted my Linux username from which I issued the smbclient -L //sa command)
  • see the detailed section on smbclient below.

Also, from a terminal or ssh session on vm2, running testparm shows the parsed configuration.

zintis@asia ~[159] $ >>> first as a user "zintis"
smbclient -L sa
directory_create_or_exist: mkdir failed on directory /var/lib/samba/lock/msg.lock: Permission denied
Unable to initialize messaging context
Enter SAMBA\zintis's password: 
Anonymous login successful   <<<<<<<<<<<<<<<<<<<  did NOT login as zintis

	Sharename       Type      Comment
	---------       ----      -------
	sarmation       Disk      sarmation
	kaapvaal        Disk      kaapvaal
	gawler          Disk      gawler share
	laurasia        Disk      laurasia
	gondwana        Disk      gondwana share
	home            Disk      zintis-home
	IPC$            IPC       IPC Service (Zintis-Samba-SA)
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
zintis@asia ~[160] $


zintis@asia ~[161] $  <<<<<<<<<<<<  now as a different user:
smbclient -L sa -U sarmation-zintis
directory_create_or_exist: mkdir failed on directory /var/lib/samba/lock/msg.lock: Permission denied
Unable to initialize messaging context
Enter SAMBA\sarmation-zintis's password: 

	Sharename       Type      Comment
	---------       ----      -------
	sarmation       Disk      sarmation
	kaapvaal        Disk      kaapvaal
	gawler          Disk      gawler share
	laurasia        Disk      laurasia
	gondwana        Disk      gondwana share
	home            Disk      zintis-home
	IPC$            IPC       IPC Service (Zintis-Samba-SA)
	sarmation-zintis Disk      generic homes
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
  1. Error: directory_create_or_exist: mkdir failed on directory /var/lib/samba/lock/msg.lock: Permission denied

     This appears when smbclient runs as an unprivileged user and cannot create its messaging lock directory (the root sessions further down do not show it); the share listing still came back, so it is noise rather than a failure. A discussion and a partial fix was found on bugzilla.redhat.com.

     Another source of info: net usershare info --long (man net: "net - Tool for administration of Samba and remote CIFS servers"). On this box /usr/bin/net -> /etc/alternatives/net -> /usr/bin/net.samba3.

  2. "Unable to connect with SMB1 -- no workgroup available" at the end of every listing: the share list before it already arrived over SMB2/3. smbclient then reconnects with SMB1 only to fetch the old-style workgroup/browse list, and this server refuses SMB1 ("No compatible protocol selected by server"), so the browse list is empty. Nothing is wrong with the shares or the login.

2.2 -I option: only needed if the NetBIOS name does not match the TCP/IP hostname

For example: smbclient -L ftp -I ftp.microsoft.com (connect to the host that ftp.microsoft.com resolves to, but use "ftp" as the NetBIOS server name).

Mounting a share needs the mount.cifs helper, which is in the cifs-utils package:

  • dnf install cifs-utils # provides /sbin/mount.cifs (the notes in section 11 record installing nfs-utils instead; cifs-utils is the package that ships the helper)
  • mount -t cifs //vm2/home /tmp/vm2-home -o username=kaapvaal-zintis
  • mount -t cifs //vm2/home /tmp/vm2-home -o username=zintis

2.3 The smb: \> prompt

smbclient takes these common parameters:

  • -W workgroup
  • -U username

where workgroup is the value of the workgroup = parameter in the [global] section of smb.conf (it is also the domain shown in the password prompt, e.g. GAWLER\gawler-zintis below).

   smbclient //sa/gawler -U gawler-zintis -W gawler 
   Enter GAWLER\gawler-zintis's password: 
   Try "help" to get a list of possible commands.
   Smb: \> net use
   net: command not found
   smb: \> help
   ?              allinfo        altname        archive        backup         
   blocksize      cancel         case_sensitive cd             chmod          
   chown          close          del            deltree        dir            
   du             echo           exit           get            getfacl        
   geteas         hardlink       help           history        iosize         
   lcd            link           lock           lowercase      ls             
   l              mask           md             mget           mkdir          
   more           mput           newer          notify         open           
   posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
   posix_unlink   posix_whoami   print          prompt         put            
   pwd            q              queue          quit           readlink       
   rd             recurse        reget          rename         reput          
   rm             rmdir          showacls       setea          setmode        
   scopy          stat           symlink        tar            tarmode        
   timeout        translate      unlock         volume         vuid           
   wdel           logon          listconnect    showconnect    tcon           
   tdis           tid            utimes         logoff         ..             
   !              
   smb: \> 
   smb: \> l
     .                                   D        0  Mon Jul 27 23:41:24 2020
     ..                                  D        0  Sun Apr  5 15:14:17 2020
     Assignment2                         D        0  Sat Apr 11 10:25:33 2020
     Gawler-was-here                     N        0  Wed Jul 22 18:22:32 2020
     .DS_Store                          AH     8196  Wed Jul 22 17:01:54 2020
     ._mbp-gawler-zintis.rtf            AH     4096  Wed Jul 22 17:01:43 2020
     ._.DS_Store                        AH     4096  Sat Apr 11 10:58:04 2020
     gawler.txt                          A       15  Mon Jul 27 23:41:24 2020
     mbp-gawler-zintis.rtf               A      422  Wed Jul 22 15:45:16 2020

		3542752 blocks of size 1024. 1338124 blocks available
  smb: \> 
pwd

2.3.1 Remote server commands to teach

  • cd
  • pwd
  • dir or ls
  • mkdir or md
  • rmdir or rd
  • rm
  • get remote-file [localfile]
  • mget (multiple get)
  • put <some-local-file>
  • mput (multiple put)
  • prompt
  • del
  • quit

2.3.2 Local commands to teach

lcd

3 Samba install

dnf install samba samba-client

Result of dnf list --installed (Samba-related packages):

libsmbclient.x86_64 
samba.x86_64                         4.10.4-101.el8_1                           @BaseOS    
samba-client.x86_64                  4.10.4-101.el8_1                           @BaseOS    
samba-client-libs.x86_64             4.10.4-101.el8_1                           @BaseOS    
samba-common.noarch                  4.10.4-101.el8_1                           @BaseOS    
samba-common-libs.x86_64             4.10.4-101.el8_1                           @BaseOS    
samba-common-tools.x86_64            4.10.4-101.el8_1                           @BaseOS    
samba-libs.x86_64                    4.10.4-101.el8_1              

4 SELinux boolean values

(SELinux is Security-Enhanced Linux, not "Secure Enterprise".)

"A given SELinux policy can be customized by enabling or disabling a set of policy Booleans. Booleans allow parts of SELinux policy to be changed at run time, without any knowledge of SELinux policy writing. This allows changes without reloading or recompiling SELinux policy."

SELinux policy is customizable on a least-privilege basis. The smbd policy is flexible and has several booleans that let you run smbd with the tightest access that still works for your shares.

For example, if you want to allow Samba to export ntfs/fusefs volumes, you must turn on the samba_share_fusefs boolean.

5 setsebool

setsebool sets SELinux booleans.

From the man page: setsebool sets the current state of a particular SELinux boolean or a list of booleans to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it. Without the -P option, only the current boolean value is affected; the boot-time default settings are not changed.

If the -P option is given, all pending values are written to the policy file on disk, so they persist across reboots.

For example, to allow Samba to export users' home directories, turn on the server-side boolean samba_enable_home_dirs. (use_samba_home_dirs is the client-side one, for local logins whose home directory lives on a CIFS mount; it can stay off on the server.)

  • setsebool -P samba_enable_home_dirs 1
  • setsebool -PV use_samba_home_dirs off

Options:

  • -P all pending values are written to the policy file on disk, so they persist across reboots.
  • -N the policy on disk is not reloaded into the kernel
  • -V verbose

Here are the Samba-related booleans to consider (names as getsebool prints them). Two of them are broad: samba_export_all_rw lets smbd write to any file regardless of its label and samba_run_unconfined lets it run scripts unconfined, which undoes most of what the policy buys you. Prefer labelling the share path samba_share_t (section 8.6) and leave those two off.

  • setsebool -P samba_share_fusefs 1 # allow Samba to export ntfs/fusefs volumes
  • setsebool -P samba_export_all_ro 1 # allow Samba to share any file/directory read-only
  • setsebool -P virt_use_samba 1 # allow virt to manage cifs files
  • setsebool -P samba_create_home_dirs 1 # allow Samba to create new home directories (e.g. via PAM)
  • setsebool -P samba_enable_home_dirs 1 # allow Samba to share users' home directories
  • setsebool -P samba_share_nfs 1 # allow Samba to export NFS volumes
  • setsebool -P sanlock_use_samba 1 # allow sanlock to manage cifs files
  • setsebool -P samba_run_unconfined 1 # allow Samba to run unconfined scripts
  • setsebool -P samba_domain_controller 1 # allow Samba to act as a domain controller: add users and groups, change passwords
  • setsebool -P samba_export_all_rw 1 # allow Samba to share any file/directory read/write
  • setsebool -P samba_portmapper 1 # allow Samba to act as a portmapper
  • setsebool -P use_samba_home_dirs 1 # support Samba (cifs-mounted) home directories for local logins
  • setsebool -P allow_smbd_anon_write 1 # allow Samba to modify public files used for public file transfer services; the files/directories must be labelled public_content_rw_t

6 getsebool -a

You can read off all the SELinux boolean values with:

  • sudo getsebool -a

and set individual ones with setsebool (section 5). To see only the Samba-related ones: getsebool -a | grep -i samba

root@southamerica~[1001] $
getsebool -a | grep -i samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on     # <<<< 
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off
root@southamerica~[1002] $

7 semanage

CentOS 6 introduces a new way of listing all the available booleans, including a short description of their function: semanage boolean -l . Other semanage boolean commands allow for manipulation of the variables, similar to what setsebool does in the previous releases.

7.1 semanage boolean -l

lists all SELinux boolean values

See: wiki.centos.org for what seboolean variables most Centos systems have.

8 Samba config files:

8.1 /etc/samba/smb.conf

cat /etc/samba/smb.conf

[global]
workgroup = WORKGROUP
server string = Zintis-Samba-vm2 
encrypt passwords = yes
security = user
passdb backend = tdbsam
unix extensions = no
client use spnego = no    # this should have been yes.

[home]
comment = Zintis-samba-vm2  
path = /home/zintis
public = no
writable = yes
printable = no
create mask = 0765
valid users = zintis

[homes]
comment = automatic home share 
public = no
writable = yes
printable = no
create mask = 0765
browseable = no
hosts allow = 192.168.0.0/16 127.0.0.1

  • SPNEGO is "Simple and Protected GSS-API Negotiation", RFC 2478 (since superseded by RFC 4178).

SPNEGO lets the client and server (Samba 3.0 onwards) agree on an authentication mechanism; in particular it is what allows Kerberos to be negotiated. client use spnego = yes is the default. Turning it off, as in the [global] section above, takes Kerberos off the table for the client side and gains nothing, so leave it at yes.

One more caveat about the config above: smb.conf has no end-of-line comments. A comment must start its line with # or ;, otherwise the text after the value is read as part of the value. Keep one parameter per line as well; the testparm run in section 9.4 shows a path = that was swallowed into the preceding comment = line, leaving the share without a path.
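As an added example (not part of these lab notes or of Samba itself), here is a small shell/awk audit of an smb.conf that flags the settings discussed on this page: a share that is both guest-accessible and writable, a force create/directory mode that grants world write, a share with no hosts allow, client use spnego = no, and the long-removed security = share. The sample config it writes is constructed for the demo (the [dropbox] share and its values are made up). Where you can, feed the function the output of testparm -s instead of the raw file, since that is the parse smbd actually uses.

```sh
#!/bin/sh
# Added example (not from the lab notes): audit an smb.conf for the
# settings discussed on this page. Works on the raw file or, better,
# on `testparm -s` output. The parser resolves the common synonyms
# (writable / read only, public / guest ok) itself.

audit_smb_conf() {          # audit_smb_conf [FILE]   (stdin if omitted)
    awk '
    function trim(s)   { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function truthy(v) { return (v == "yes" || v == "true" || v == "1") }
    # octal string -> integer; -1 if a digit is not 0-7
    function oct(s,   i, v, c) {
        v = 0
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c < "0" || c > "7") return -1
            v = v * 8 + c
        }
        return v
    }
    # other-write bit (o+w) of an octal mode string
    function world_write(s) { return (int(oct(s) / 2) % 2 == 1) }
    # emit findings for the share whose parameters have all been read
    function report(sec,   k, parts) {
        if (sec == "" || sec == "global") return
        if (guest[sec] && writable[sec])
            print "WARN [" sec "]: guest-accessible and writable"
        if (!hostsallow[sec])
            print "INFO [" sec "]: no hosts allow restriction"
        for (k in force) {
            split(k, parts, SUBSEP)
            if (parts[1] == sec && world_write(force[k]))
                print "WARN [" sec "]: " parts[2] " = " force[k] " forces world-writable"
        }
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comment or blank line
    /^[ \t]*\[.*\][ \t]*$/ {                      # [section] header
        report(sec)
        sec = tolower(trim($0)); sec = substr(sec, 2, length(sec) - 2)
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        if (key == "guest ok" || key == "public") { if (truthy(val)) guest[sec] = 1 }
        else if (key == "writable" || key == "writeable" || key == "write ok") { if (truthy(val)) writable[sec] = 1 }
        else if (key == "read only") { if (!truthy(val)) writable[sec] = 1 }
        else if (key == "hosts allow") hostsallow[sec] = 1
        else if (key == "force create mode" || key == "force directory mode") force[sec, key] = val
        else if (key == "client use spnego" && !truthy(val))
            print "WARN [" sec "]: client use spnego = " val " disables SPNEGO/Kerberos negotiation"
        else if (key == "security" && val == "share")
            print "WARN [" sec "]: security = share was removed in Samba 4; use security = user"
    }
    END { report(sec) }
    ' "$@"
}

# Constructed sample config (not the lab's real file): a sane home share
# next to a deliberately loose drop-box share.
write_sample_conf() {       # write_sample_conf FILE
    cat > "$1" <<'EOF'
[global]
workgroup = WORKGROUP
security = user
passdb backend = tdbsam
client use spnego = no

[home]
comment = zintis home
path = /home/zintis
public = no
writable = yes
valid users = zintis

[dropbox]
comment = anyone can write here
path = /srv/dropbox
guest ok = yes
read only = no
force create mode = 2777
hosts allow = 192.168.0.0/16 127.0.0.1
EOF
}

# Stand-alone run: audit the sample and print the findings.
tmp=$(mktemp)
write_sample_conf "$tmp"
audit_smb_conf "$tmp"
rm -f "$tmp"
```

Running it on the sample prints one WARN for [global] (spnego), an INFO for [home] (no hosts allow) and two WARNs for [dropbox] (guest + writable, and the 2777 force mode). Against a real server use audit_smb_conf with testparm -s output so that defaults and synonyms are already normalised.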

8.2 setgid in samba

I know this is an old thread, but this might help someone. I solved this by setting the setgid bit (a leading 2 instead of 0) so that directories and files are created with group write permissions, e.g.

force create mode = 2777
force directory mode = 2777

8.3 create mask

From the man page: create mask (S)

When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.

The default value of this parameter removes the group and other write and execute bits from the UNIX modes.

Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter which is set to 000 by default.

This parameter does not affect directory masks. See the parameter directory mask for details.

Default: create mask = 0744

Example: create mask = 0775

8.4 Creation masks, from O'Reilly's book on Samba

File and directory creation masks are similar to umasks you have probably encountered while working with Unix systems. They are used to help define the permissions that will be assigned to a file or directory at the time it is created. Samba's masks work differently in that the bits that can be set are set in the creation mask, while in Unix umasks, the bits that cannot be set are set in the umask. We think you will find Samba's method to be much more intuitive.

Once in a while you might need to convert between a Unix umask and the equivalent Samba mask. It is simple: one is just the bitwise complement of the other. For example, an octal umask of 0022 has the same effect as a Samba mask of 0755.

Unix umasks are set on a user-by-user basis, usually while executing the GUI's or command-line shell's startup scripts. When users connect to a Samba share from a network client, these scripts are not executed, so Samba supplies the ability to set the creation masks for files and directories. By default, this is done on a share-by-share basis, although you can use the include parameter in the Samba configuration file (as explained in Chapter 6) to assign masks on a user-by-user basis, thus matching conventional Unix behavior.

To show how Samba's create masks work, suppose we have a Windows user connecting to his Unix home directory through Samba, and Samba is configured with create mask = 777 in the [homes] share. With this value, create mask will not affect the bits that are set on new files. If the user creates a file with Wordpad, it will appear in the Unix filesystem like this:

$ ls -l file.doc
-rwxrw-rw-    1 jay      jay             0 Sep 21 11:02 file.doc
Wordpad created the file with read/write permissions 

(i.e., the MS-DOS read-only attribute was not set), so Samba mapped the MS-DOS attributes to Unix read/write permissions for user, group, and other. The execute bit is set for the owner because by default, the map archive parameter is set to yes. The other execute bits are not set because map system and map hidden are set to no by default. You can customize this behavior as you see fit, and unless you do backups from MS-DOS or Windows systems, you might want to specify map archive = no to avoid Windows files from appearing as executables on the Unix system.

Now suppose we set create mask to have an effect. For example:

[homes]
create mask = 664

This is equivalent to a Unix umask of 113. If the user creates the Wordpad document as before, it will show up as:

 $ ls -l file.doc
-rw-rw-r--    1 jay      jay             0 Sep 22 16:38 file.doc

Comparing this to the previous example, notice that not only has the write permission for other disappeared as we expected, but so has the execute permission for owner. This happened because the value of create mask logically ANDs the owner's permissions with a 6, which has masked off the execute bit. The lesson here is that if you want to enable any of map archive, map system, or map hidden, you must be careful not to mask off the corresponding execute bit with your create mask.

The directory mask option works similarly, masking permissions for newly created directories. The following example will allow the permissions of a newly created directory to be, at most, 755:

[data]
directory mask = 755

Also, you can force various bits with the force create mode and force directory mode options. These options will perform a logical OR against the file and directory creation masks, ensuring that those bits that are specified will always be set. You would typically set these options globally to ensure that group and world read/write permissions have been set appropriately for new files or directories in each share.

In the same spirit, if you wish to explicitly set the Unix user and group attributes of a file created on the Windows side, you can use the force user and force group options. For example:

[data]
create mask = 744
directory mask = 755
force user = joe
force group = accounting

These options assign the same Unix username and group to every client that connects to the share. However, this occurs after the client authenticates; it does not allow free access to a share. These options are frequently used for their side effects of assigning a specific user and group to each new file or directory that is created in a share. Use these options with discretion.

Finally, one of the capabilities of Unix that DOS lacks is the ability to delete a read-only file from a writable directory. In Unix, if a directory is writable, a read-only file in that directory can still be removed. This could permit you to delete files in any of your directories, even if the file was left by someone else.

DOS filesystems are not designed for multiple users, and so its designers decided that read-only means "protected against accidental change, including deletion," rather than "protected against some other user on a single-user machine." So the designers of DOS prohibited removal of a read-only file. Even today, Windows filesystems exhibit the same behavior.

Normally, this is harmless. Windows programs don't try to remove read-only files because they know it's a bad idea. However, a number of source-code control programs—which were first written for Unix—run on Windows and require the ability to delete read-only files. Samba permits this behavior with the delete readonly option. To enable this functionality, set the option to yes:

[data]
delete readonly = yes

8.5 directory mask

directory mask (S)

This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.

When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit not set here will be removed from the modes set on a directory when it is created.

The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode, allowing only the user who owns the directory to modify it.

Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory mode parameter, which is set to 000 by default (i.e. no extra mode bits are added).

Default: directory mask = 0755

Example: directory mask = 0775


8.6 Lastly, tell SELinux that smbd may serve the "share" folder

The share path has to carry the samba_share_t type; otherwise smbd is denied access no matter what the Unix permissions say (unless one of the samba_export_all booleans is on). In our case the share was created with path = /supercontinents/cratons, so the command is:

chcon -R -t samba_share_t /supercontinents/cratons

(the generic example you will see online is chcon -R -t samba_share_t /windata). See man chcon: -R recurses and -t sets the type, so everything under the path gets the samba_share_t type.

chcon changes the context in place, but a relabel (restorecon, or a full relabel at boot) puts the original label back. For a rule that survives relabelling, record the mapping with semanage fcontext and then run restorecon on the path.

8.7 create mask vs create mode

From linux-training.be

"Similar to create mask, but different. Where the mask from above was a logical AND, the mode you set here is a logical OR (so it adds permissions). You can use the force create mode and force directory mode to set the minimal required permissions for newly created files and directories."

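Sections 8.3 to 8.7 describe the same arithmetic several times. As an added example (not from these notes, the man page or the book), here it is as shell functions so a create mask / force create mode pair can be checked before it goes into smb.conf. It reproduces the book's Wordpad figures (0766 through create mask 777, 0664 through create mask 664, umask 0022 being Samba mask 0755) and shows why the force create mode = 2777 suggestion in 8.2 makes every new file world-writable. dos_to_unix assumes Samba's defaults map archive = yes, map system = no and map hidden = no; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the lab notes): Samba's permission arithmetic
# from the man-page text above,
#
#   unix_mode = (mode_from_dos_attrs AND create_mask) OR force_create_mode
#
# Modes are octal strings such as 0664; a 0 is prepended inside $(( ))
# so the shell reads them as octal whether or not the caller wrote it.

# Mode Samba derives from the DOS attributes before any mask applies.
# Defaults assumed: map archive = yes (archive -> owner x bit),
# map system = no, map hidden = no. The book's Wordpad file
# (read/write, archive set) therefore starts life as 0766.
dos_to_unix() {             # dos_to_unix READONLY ARCHIVE   (1 or 0 each)
    mode=$(( 0666 ))
    [ "$1" = 1 ] && mode=$(( 0444 ))
    [ "$2" = 1 ] && mode=$(( mode | 0100 ))
    printf '%04o\n' "$mode"
}

# (dos_mode AND create mask) OR force create mode; the same arithmetic
# applies to directories with directory mask / force directory mode.
samba_file_mode() {         # samba_file_mode DOS_MODE CREATE_MASK [FORCE_CREATE_MODE]
    printf '%04o\n' $(( (0$1 & 0$2) | 0${3:-0} ))
}

# A Samba mask is the bitwise complement of a Unix umask (within 0777).
umask_to_samba_mask() {     # umask_to_samba_mask UMASK
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Most permissive file a share can produce: a 0777 request through the
# mask, then the forced bits. Succeeds (exit 0) if that includes o+w.
masks_allow_world_write() { # masks_allow_world_write CREATE_MASK FORCE_CREATE_MODE
    worst=$(( (0777 & 0$1) | 0$2 ))
    [ $(( worst & 02 )) -ne 0 ]
}

# Stand-alone run: the book's examples and the 8.2 suggestion.
echo "Wordpad file through create mask 777: $(samba_file_mode "$(dos_to_unix 0 1)" 0777)"   # 0766
echo "same file through create mask 664:    $(samba_file_mode "$(dos_to_unix 0 1)" 0664)"   # 0664
echo "umask 0022 as a Samba mask:           $(umask_to_samba_mask 0022)"                   # 0755
if masks_allow_world_write 0765 2777; then
    echo "create mask 0765 + force create mode 2777: every new file is world-writable"
fi
```

The last check is the one to run before copying a "force create mode" line from a forum: the forced bits are ORed in after the mask, so a permissive force mode overrides whatever the mask removed.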
9 Setting up smb users

9.1 smbpasswd -a <userid>

Each user that will access an smb share on a Samba server has to be defined in smb, using the smbpasswd -a <userid> command.

The userid has to already exist as a Unix user on the system, i.e. in /etc/passwd; smbpasswd only adds the Samba (NT-hash) credential for it.

Once a user has been created (using the above smbpasswd -a command) you can change a user's password by dropping the -a For example: smbpasswd userid

9.2 pdbedit -L -v

Confirm that the user was created using pdbedit -L -v. Remember it as "Password Database Edit".

---------------
Unix username:        zintis
NT username:          

Account Flags:        [U          ]
User SID:             S-1-5-21-1353011415-3308762633-1882441262-1000
Primary Group SID:    S-1-5-21-1353011415-3308762633-1882441262-513
Full Name:            zintis
Home Directory:       \\vm2\zintis
HomeDir Drive:        
Logon Script:         
Profile Path:         \\vm2\zintis\profile
Domain:               VM2
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
Password last set:    Fri, 06 Mar 2020 18:45:54 EST
Password can change:  Fri, 06 Mar 2020 18:45:54 EST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
root@vm2 /etc/samba [309]$ 

9.3 pdbedit as a generic user editing tool

From the man page: There are five main ways to use pdbedit:

  • adding a user account,
  • removing a user account,
  • modifying a user account,
  • listing user accounts,
  • importing users accounts.

9.3.1 options

-v verbose

9.3.2 examples:

pdbedit -L -v
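As an added example (not from these notes), a small shell/awk filter over pdbedit -L -v output that summarises each account's flags, so that accounts flagged N (no password required) or D (disabled) stand out in a long listing. The sample records are constructed and trimmed to the fields the filter reads; the account names dropbox and olduser are made up. Flag letters follow pdbedit(8): U normal user, D disabled, N no password required, X password never expires, L locked out.

```sh
#!/bin/sh
# Added example (not from the lab notes): summarise the Account Flags
# of every account in `pdbedit -L -v` output.

pdbedit_flag_report() {     # pdbedit_flag_report [FILE]   (stdin if omitted)
    awk '
    /^Unix username:/        { user = $3; flags = ""; mustchange = "" }
    /^Password must change:/ { sub(/^Password must change:[ \t]*/, ""); mustchange = $0 }
    /^Account Flags:/ {
        f = $0
        sub(/^Account Flags:[ \t]*\[/, "", f); sub(/\].*$/, "", f); gsub(/ /, "", f)
        flags = f
    }
    /^Logon hours/ {         # last field of a record: emit the summary line
        note = ""
        if (index(flags, "N")) note = note " NO-PASSWORD"
        if (index(flags, "D")) note = note " disabled"
        if (index(flags, "L")) note = note " locked-out"
        if (index(flags, "X")) note = note " password-never-expires"
        if (note == "") note = " ok"
        print user " [" flags "] pw-must-change: " mustchange note
    }' "$@"
}

# Constructed sample in the pdbedit -L -v layout shown above, cut down
# to the fields the filter reads. Only zintis is a real lab account.
write_sample_pdbedit() {    # write_sample_pdbedit FILE
    cat > "$1" <<'EOF'
---------------
Unix username:        zintis
NT username:          
Account Flags:        [U          ]
Password must change: never
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        dropbox
NT username:          
Account Flags:        [NU         ]
Password must change: never
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        olduser
NT username:          
Account Flags:        [DU         ]
Password must change: Fri, 06 Mar 2020 18:45:54 EST
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
EOF
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp)
write_sample_pdbedit "$tmp"
pdbedit_flag_report "$tmp"
rm -f "$tmp"
```

On a live server pipe the real listing in: pdbedit -L -v | pdbedit_flag_report. An N flag means the account authenticates with an empty password, which on a file server is effectively a guest account under another name.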

9.4 testparm

To see the effective parameters of a Samba server, use the testparm command. Read its warnings: in the run below, "No path in service home" means the [home] share ended up without a path and was made unavailable. Comparing the dump with the intended smb.conf shows why: the comment = value has swallowed "path = /home/<yourSenecaID>", and server string has swallowed "encrypt passwords = yes". That is what happens when two parameters are written on one line; smb.conf takes exactly one parameter per line and has no end-of-line comments.

testparm
Load smb config files from /etc/samba/smb.conf
WARNING: No path in service home - making it unavailable!
NOTE: Service home is flagged unavailable.
Loaded services file OK.
Server role: ROLE_STANDALONE
---
Press enter to see a dump of your service definitions
---
# Global parameters
[global]
     security = USER
     server string = Zintis-Samba-vm2 encrypt passwords = yes
     idmap config * : backend = tdb


[home]
     available = No
     comment = Zintis-samba-vm2 path = /home/<yourSenecaID>
     create mask = 0765
     read only = No
     valid users = zintis


[homes]
     browseable = No
     comment = automatic home share public = no
     create mask = 0765
     hosts allow = 192.168.111.0/24 127.0.0.1
     read only = No
root@vm2 /etc/samba [308]$ 

10 smbclient

10.1 smbclient -L

This lists the shares the server offers to a given login:

  • smbclient -L vm2 # this is an anonymous connection (no passwd needed)
  • smbclient -L southamerica # this is an anonymous connection (no passwd needed)
  • smbclient -L //sa # this expanded to -L //southamerica (I did not specify a username, but it automatically inserted my Linux username from which I issued the smbclient -L //sa command)
  • smbclient -L //sa -U kaapvaal-zintis # this failed: "Unable to connect with SMB1 -- no workgroup available". That was because user "kaapvaal-zintis" was not set up as a "valid user" for the share /home, only zintis? No, it is deeper than that…
zintis@southamerica ~ [159]$
smbclient -L //southamerica
Unable to initialize messaging context
Enter WORKGROUP\zintis's password: 

     Sharename       Type      Comment
     ---------       ----      -------
     pana            Disk      panaeaic
     cratons         Disk      craton
     home            Disk      zintis-home
     IPC$            IPC       IPC Service (Zintis-Samba-SA)
     zintis          Disk      generic homes
Reconnecting with SMB1 for workgroup listing.

     Server               Comment
     ---------            -------

     Workgroup            Master
     ---------            -------
zintis@southamerica ~ [160]$
smbclient -L //southamerica -U gawler-zintis
Unable to initialize messaging context
Enter WORKGROUP\gawler-zintis's password: 

     Sharename       Type      Comment
     ---------       ----      -------
     pana            Disk      panaeaic
     cratons         Disk      craton
     home            Disk      zintis-home
     IPC$            IPC       IPC Service (Zintis-Samba-SA)
     gawler-zintis   Disk      generic homes
Reconnecting with SMB1 for workgroup listing.

     Server               Comment
     ---------            -------

     Workgroup            Master
     ---------            -------
zintis@southamerica ~ [161]$
  • smbclient '//127.0.0.1/home' -U zintis
  • smbclient vm2/home -U zintis
  • smbclient '\\vm2\homes' -U zintis
  • smbclient -U zintis -L sa # where sa resolves to southamerica (dns)
  • smbclient //localhost/home -U \kaapvaal-zintis

10.2 smbclient by ip address

Usually samba servers are referred to or called by name.

  • smbclient '\\vm2\home' -U zintis
  • smbclient //sa/gawler -U gawler-zintis -W gawler

But if you don't have DNS or /etc/hosts entries, you can simply point at the address: smbclient //sa/gawler -U gawler-zintis -I 172.28.105.5

Also mounting via IP address: mount -t cifs //sa/gawler <mount-point> -o ip=172.28.105.8

Apparently you don't even need the -I, so this should work: smbclient //172.28.105.5/home -U zintis

Apparently, though, you may need to set a different client max protocol with the -m option, like so: smbclient //172.28.105.8/home -m SMB3 ?

10.3 troubleshooting smbclient

Raise the debug level and include the workgroup:

  • smbclient -d 3 -L //sa -W WORKGROUP -U zintis
  • smbclient -d 3 -L //10.5.4.25 -W workgroup -U userid

10.4 Sample output after successful smbclient run on Europe:

root@southamerica ~ [991]$
smbclient -L //sa -U gawler-zintis
Enter WORKGROUP\gawler-zintis's password: 

	Sharename       Type      Comment
	---------       ----      -------
	pana            Disk      panaeaic
	cratons         Disk      craton
	home            Disk      zintis-home
	IPC$            IPC       IPC Service (Zintis-Samba-SA)
	gawler-zintis   Disk      generic homes
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
root@southamerica ~ [992]$
smbclient -d 3 -L //sa -U gawler-zintis
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface ens3 ip=172.28.105.8 bcast=172.28.105.8 netmask=255.255.255.255
Client started (version 4.10.4).
Connecting to 172.28.105.8 at port 445
got OID=1.3.6.1.4.1.311.2.2.10
Enter WORKGROUP\gawler-zintis's password: 
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215

	Sharename       Type      Comment
	---------       ----      -------
	pana            Disk      panaeaic
	cratons         Disk      craton
	home            Disk      zintis-home
	IPC$            IPC       IPC Service (Zintis-Samba-SA)
	gawler-zintis   Disk      generic homes
Reconnecting with SMB1 for workgroup listing.
Connecting to 172.28.105.8 at port 139
got OID=1.3.6.1.4.1.311.2.2.10
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
root@southamerica ~ [993]$

10.5 session log on vm2 as root

  root@vm2 /etc/samba [341]$ 
  smbclient //localhost/home -U zintis
  Enter WORKGROUP\zintis's password: 
  Try "help" to get a list of possible commands.
  smb: \> 
  smb: \> help
  ?              allinfo        altname        archive        backup         
  blocksize      cancel         case_sensitive cd             chmod          
  chown          close          del            deltree        dir            
  du             echo           exit           get            getfacl        
  geteas         hardlink       help           history        iosize         
  lcd            link           lock           lowercase      ls             
  l              mask           md             mget           mkdir          
  more           mput           newer          notify         open           
  posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
  posix_unlink   posix_whoami   print          prompt         put            
  pwd            q              queue          quit           readlink       
  rd             recurse        reget          rename         reput          
  rm             rmdir          showacls       setea          setmode        
  scopy          stat           symlink        tar            tarmode        
  timeout        translate      unlock         volume         vuid           
  wdel           logon          listconnect    showconnect    tcon           
  tdis           tid            utimes         logoff         ..             
  !              
  smb: \> 
  smb: \> l
  .                                   D        0  Wed Mar  4 23:12:43 2020
  ..                                  D        0  Fri Mar  6 10:25:42 2020
  .bash_logout                        H       18  Fri May 10 20:16:55 2019
  .bash_profile                       H      141  Fri May 10 20:16:55 2019
  .ssh                               DH        0  Sun Jan 26 23:39:47 2020
  .bash_history                       H    11509  Fri Mar  6 21:13:45 2020
  iptab-original-clean                N     1069  Sun Feb  9 18:47:20 2020
  iptab-vm2-lab2b-needs-work          N     1261  Sun Feb  9 19:16:18 2020
  iptab-vm2-lab2b-clean               N     1406  Mon Feb 10 01:20:38 2020
  dead.letter                         N     1700  Fri Feb 28 11:33:44 2020
  .lesshst                            H       51  Mon Feb 24 13:12:44 2020
  iptables-clean-Mar-2nd              N     1557  Mon Mar  2 20:11:40 2020
  .bashrc                             H     1147  Wed Mar  4 19:20:30 2020
  iptables-clean-lab4b-thunderbird      N     1634  Wed Mar  4 23:12:43 2020

		6486016 blocks of size 1024. 4755716 blocks available
  smb: \> 
--------------------------

11 Useful smbclient commands

smbclient '\\vm2\homes' -U zintis
This opens an interactive smbclient session to the remote server vm2. The password prompt is for the smb password of user zintis, not the login password.

smbclient -L vm2
From vm1 or vm3, this lists info about the smb shares offered by vm2.

mount -t cifs //vm2/home /tmp/vm2-home -o username=zintis
This is giving me grief about "bad option; you might need a /sbin/mount.<type> helper program" ???

Online someone was trying: mount -t cifs -o username=user //server/share /mountpoint. Order did not matter; both gave the same error.

I had to install nfs-utils and then no more error (on vm2 by zintis):
sudo dnf install nfs-utils
mount -t cifs //vm2/home /tmp/vm2-home -o username=zintis

Some people installed cifs-utils; then it worked no problem.

11.1 Trying mount -t cifs on europe.continents.earth.ops

mount -t cifs //eu/home /tmp/eu-home -o username=zintis
Password for zintis@//eu/home: **
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

I was able to mount //vm2/home from vm1

11.2 sudo umount -a -t cifs -l.

To un-mount all cifs mounts.

12 Trying konqueror and brave browsers and URL smb://vm2/home

The proper URL syntax is: smb://username@server/share/fubar

12.1 Konqueror in 2004 needed to mount first

(remember this is old, and probably obsolete)
mkdir /mnt/smb
mount -t smbfs -o username=yoursmbusernamehere //remotemachineip/remotesharename /mnt/smb

then you will probably be prompted for a password

12.2 Konqueror settings need smb?

Add the kdebase3-samba package and check that the smb protocol is activated in the Konqueror settings (previews & meta-data).

Shall I install kdebase3-samba ?

12.3 chrome on my macbook pro

Open smb://<outside ip address of c8host>/home where home is a "share" defined in the /etc/samba/smb.conf file as a section, [home].

I did this successfully just by going to the root smb URL and then logging in as one of the three users. Each user would be mounted to the correct corresponding directory. Cool.

13 Accessing from Windows 10

Can open file explorer, then click the dropdown arrow in the access window (at top), then type: \\192.168.128.76\ and voila! (192.168.128.76 has to be the outside interface on your c8host, and you need proper iptables masquerading set up.)

Also, you can use the net use command from a Windows command line:
net use <driveletter>: \\<server>\<sharename> /USER:<domain>\<username> <password> /PERSISTENT:YES
That is another way to switch different users for different shares.

From the GUI you can do it as well: in the TOOLS menu select "Map Network Drive", then tick the "Connect using different credentials" checkbox.

For the net use command, if you enter * for the password, you should be prompted to enter the password. Safer not to leave passwords lying around in network map shortcuts…

For my Windows 10 guest vm I did the following: net use Z: \\192.168.128.76\gawler /USER:gawler-zintis * /PERSISTENT:YES

14 smbstatus

When a user is logged in / has a mounted SAMBA share you can see that with smbstatus:

smbstatus

  Samba version 4.11.2
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
50695   kaapvaal-zintis kaapvaal-zintis 192.168.128.70 (ipv4:192.168.128.70:62378) SMB3_02           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing     
---------------------------------------------------------------------------------------------
kaapvaal     50695   192.168.128.70 Wed Jul 22 06:26:41 PM 2020 EDT  -            -           

Locked files:
Pid          User(ID)   DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
50695        1004       DENY_NONE  0x100081    RDONLY     NONE             /supercontinents/cratons/kaapvaal   .   Wed Jul 22 18:26:40 2020
50695        1004       DENY_NONE  0x100081    RDONLY     NONE             /supercontinents/cratons/kaapvaal   .   Wed Jul 22 18:26:43 2020

15 SAMBA iptables on c8host

SAMBA uses TCP ports:

  • 139 for clear text SAMBA (NetBIOS session service)
  • 445 for encrypted SAMBA (direct-hosted SMB, the port the smbclient -d 3 trace below connects to)

And while we are here,

  • 389 for ldap (could be Active Directory, or openldap in our case.)

Other related ports:

  • 137 Netbios name service
  • 138 Netbios datagram service
  • 139 Netbios session service
  • 445 microsoft-ds if you are using active directory

Can find the list of netbios services with grep -i netbios /etc/services

From cyberciti.biz a sample iptables chain for SAMBA is:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Here are my FORWARD rules for SAMBA:

iptables -A FORWARD -d 192.168.111.12/32 -p tcp -m tcp --dport 139 -j LOG --log-prefix " . . F O R W A R D smb 139 to vm2 . ." --log-level 6
iptables -A FORWARD -d 192.168.111.12/32 -p tcp -m tcp --dport 139 -m comment --comment "Forward SMB to VM2" -j ACCEPT
iptables -A FORWARD -d 192.168.111.12/32 -p tcp -m tcp --dport 445 -m comment --comment "Forward SMSs to VM2" -j ACCEPT

iptables -A FORWARD -d 172.28.105.8/32 -p tcp -m tcp --dport 139 -j LOG --log-prefix " . . F O R W A R D smb south america ." --log-level 6
iptables -A FORWARD -d 172.28.105.8/32 -p tcp -m tcp --dport 139 -m comment --comment "Forward SMB to SA" -j ACCEPT
iptables -A FORWARD -d 172.28.105.8/32 -p tcp -m tcp --dport 445 -m comment --comment "Forward SMSs to SA" -j ACCEPT

And, here are my NAT rules for SAMBA when I want to forward SAMBA to 172.28.105.8

sudo  iptables -t nat -A PREROUTING -i ens33 -p tcp -m tcp --dport 139 -j LOG --log-prefix " . . D N A T smb to southamer" --log-level 6
sudo  iptables -t nat -A PREROUTING -i ens33 -p tcp -m tcp --dport 139 -m comment --comment "translate SMB destination to southamer" -j DNAT --to-destination 172.28.105.8
sudo  iptables -t nat -A PREROUTING -i ens33 -p tcp -m tcp --dport 445 -m comment --comment "translate SMB destination to southamer" -j DNAT --to-destination 172.28.105.8
sudo  iptables -t nat -A POSTROUTING -s 172.28.105.0/24 ! -d 172.28.105.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
sudo  iptables -t nat -A POSTROUTING -s 172.28.105.0/24 ! -d 172.28.105.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
sudo  iptables -t nat -A POSTROUTING -s 172.28.105.0/24 ! -d 172.28.105.0/24 -j MASQUERADE

16 IPTABLES for smb

c8host kernel: . . D N A T smb to southamerIN=ens33 OUT= SRC=192.168.128.78 DST=192.168.128.76 PROTO=TCP SPT=50370 DPT=139
c8host kernel: . . F O R W A R D smb 139 toIN=ens33 OUT=virbr1 SRC=192.168.128.78 DST=172.28.105.8 PROTO=TCP SPT=50370 DPT=139

^C

F O R W A R D smb 139 to

smbd[1498]: [2020/04/06 18:18:22.592661, 0] ../../lib/util/access.c:365(allowaccess)
smbd[1498]: Denied connection from 192.168.128.78 (192.168.128.78)

kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50370 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50371 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

smbd[1499]: [2020/04/06 18:18:22.798985, 0] ../../lib/util/access.c:365(allowaccess)
smbd[1499]: Denied connection from 192.168.128.78 (192.168.128.78)

kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50409 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

smbd[1555]: [2020/04/06 18:30:38.223874, 0] ../../lib/util/access.c:365(allowaccess)
smbd[1555]: Denied connection from 192.168.128.78 (192.168.128.78)

kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50410 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50411 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

smbd[1556]: [2020/04/06 18:30:38.419425, 0] ../../lib/util/access.c:365(allowaccess)
smbd[1556]: Denied connection from 192.168.128.78 (192.168.128.78)

kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= MAC=52:54:00:f3:b2:58:52:54:00:a5:97:c3:08:00 SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50413 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

smbd[1611]: [2020/04/06 18:31:33.654037, 0] ../../lib/util/access.c:365(allowaccess)
smbd[1611]: Denied connection from 192.168.128.78 (192.168.128.78)

kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50414 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
kernel: .oO8Oo. .oO8Oo.IN=ens3 OUT= SRC=192.168.128.78 DST=172.28.105.8 ID=0 DF PROTO=TCP SPT=50415 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

smbd[1614]: [2020/04/06 18:31:33.878762, 0] ../../lib/util/access.c:365(allowaccess)
smbd[1614]: Denied connection from 192.168.128.78 (192.168.128.78)
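The log excerpt above shows the firewall doing its job (DNAT, then FORWARD to the VM) and smbd then refusing the connection in access.c, i.e. the hosts allow / hosts deny check. Reading that by eye across two hosts is error-prone, so here is an added example (my code, not part of the notes or of Samba) that parses constructed journal lines modelled on the excerpt and reports, per client address, which layer last saw the connection. It assumes the c8host kernel lines and the guest's smbd lines have been gathered into one stream (for instance with journalctl on each host); the second client, 192.168.128.90, is constructed to show the "DNAT but no FORWARD" case.

```python
"""Correlate iptables LOG records with smbd 'Denied connection' messages (added example)."""
import re
from collections import defaultdict

# key=value pairs as the iptables LOG target writes them; the prefix may be
# glued to IN= (no trailing space in --log-prefix), so IN is not relied on.
KV_RE = re.compile(r"(?:^|\s)(OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
SMBD_DENY_RE = re.compile(
    r"smbd\[(?P<pid>\d+)\]: Denied connection from (?P<src>[\d.]+)")

# Constructed sample lines, modelled on the journal excerpt in the notes.
LOG_LINES = [
    "c8host kernel: . . D N A T smb to southamerIN=ens33 OUT= SRC=192.168.128.78 DST=192.168.128.76 PROTO=TCP SPT=50370 DPT=139",
    "c8host kernel: . . F O R W A R D smb 139 toIN=ens33 OUT=virbr1 SRC=192.168.128.78 DST=172.28.105.8 PROTO=TCP SPT=50370 DPT=139",
    "smbd[1498]: [2020/04/06 18:18:22.592661, 0] ../../lib/util/access.c:365(allowaccess)",
    "smbd[1498]: Denied connection from 192.168.128.78 (192.168.128.78)",
    # constructed: a client whose SYN was DNATed but never forwarded
    "c8host kernel: . . D N A T smb to southamerIN=ens33 OUT= SRC=192.168.128.90 DST=192.168.128.76 PROTO=TCP SPT=41000 DPT=445",
]


def parse_kernel_record(line):
    """Return a dict for an iptables LOG line, or None if the line is not one."""
    if "kernel:" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    # The log prefix is everything between 'kernel:' and the first 'IN='.
    prefix = line.split("kernel:", 1)[1].split("IN=", 1)[0].strip()
    if "F O R W A R D" in prefix:
        stage = "forward"
    elif "D N A T" in prefix:
        stage = "dnat"
    else:
        stage = "other"
    return {"stage": stage, "src": fields["SRC"], "dst": fields["DST"],
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]),
            "out": fields.get("OUT", "")}


def parse_smbd_denial(line):
    """Return a dict for an smbd access.c denial line, or None."""
    m = SMBD_DENY_RE.search(line)
    if not m:
        return None
    return {"stage": "smbd_denied", "src": m.group("src"), "pid": int(m.group("pid"))}


def correlate(lines):
    """Group parsed events by client source address, in the order seen."""
    timeline = defaultdict(list)
    for line in lines:
        rec = parse_kernel_record(line) or parse_smbd_denial(line)
        if rec:
            timeline[rec["src"]].append(rec)
    return timeline


def diagnose(lines):
    """For each client, say how far its SMB connection got."""
    verdicts = {}
    for src, events in correlate(lines).items():
        stages = [e["stage"] for e in events]
        if "smbd_denied" in stages:
            verdicts[src] = "firewall passed it, smbd refused it (check hosts allow / hosts deny)"
        elif "forward" in stages:
            verdicts[src] = "forwarded to the VM, no smbd answer logged"
        elif "dnat" in stages:
            verdicts[src] = "DNAT hit but never FORWARDed (check FORWARD policy/rules)"
        else:
            verdicts[src] = "seen only in unrelated records"
    return verdicts


if __name__ == "__main__":
    for client, verdict in diagnose(LOG_LINES).items():
        print(client, "->", verdict)
```

The point of the verdict strings is to stop at the right layer: the 192.168.128.78 case in the notes is not a firewall problem at all, so the fix belongs in smb.conf (hosts allow), not in iptables.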

17 Troubleshooting

17.1 Lock files

It seems the group for files/directories under /var/lib/samba should perhaps be something like samba, into which any authorized users could be added so that they can create/access files under /var/lib/samba/lock or /var/lib/samba/private. Doing this manually eliminates this error message and allows msg.sock and msg.lock to be created (though they are created as the user running smbclient, which would then likely cause problems for another user).

This seems to be related to the lock directory option in smb.conf (https://bugzilla.redhat.com/show_bug.cgi?id=1661959) pointing at a folder that is not writable by ordinary users.

18 OPS 335 proper smbclient use:

smbclient //sa/gawler -U gawler-zintis -W gawler -d 3

root@c8host ~[1007] $
smbclient //sa/gawler -U gawler-zintis -W gawler -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface virbr1 ip=172.28.105.1 bcast=172.28.105.255 netmask=255.255.255.0
added interface virbr0 ip=192.168.111.1 bcast=192.168.111.255 netmask=255.255.255.0
added interface ens33 ip=192.168.128.76 bcast=192.168.128.255 netmask=255.255.255.0
Client started (version 4.10.4).
resolve_lmhosts: Attempting lmhosts lookup for name sa<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name sa<0x20>
Connecting to 172.28.105.8 at port 445
got OID=1.3.6.1.4.1.311.2.2.10
Enter GAWLER\gawler-zintis's password: 
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Try "help" to get a list of possible commands.
smb: \> list
0:	server=sa, share=gawler
smb: \> 
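The two "Got NTLMSSP neg_flags=0x..." lines in the -d 3 trace are the one place this session tells you what protection was actually negotiated (signing, sealing, NTLM2 session security, key length). As an added example, not from the notes or from Samba, the decoder below names the bits in those words using the NEGOTIATE flag values from the MS-NLMP specification; the trace excerpt it parses is copied from the output above.

```python
"""Decode the NTLMSSP neg_flags words that smbclient -d 3 prints (added example)."""
import re

# Bit value -> flag name, from the MS-NLMP NEGOTIATE structure; reserved bits omitted.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# Excerpt of the smbclient -d 3 output shown above.
TRACE = """Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
"""


def decode_flags(value):
    """Set of flag names whose bit is set in a 32-bit NTLMSSP flags word."""
    return {name for bit, name in NTLMSSP_FLAGS.items() if value & bit}


def unknown_bits(value):
    """Bits set in value that the table does not name (reserved or mis-parsed)."""
    known = 0
    for bit in NTLMSSP_FLAGS:
        known |= bit
    return value & ~known & 0xFFFFFFFF


def protection_summary(value):
    """Integrity/confidentiality properties promised by a flags word."""
    names = decode_flags(value)
    return {
        "signing": "NTLMSSP_NEGOTIATE_SIGN" in names or "NTLMSSP_NEGOTIATE_ALWAYS_SIGN" in names,
        "sealing": "NTLMSSP_NEGOTIATE_SEAL" in names,
        "ntlm2_session_security": "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY" in names,
        "key_128": "NTLMSSP_NEGOTIATE_128" in names,
        "anonymous": "NTLMSSP_ANONYMOUS" in names,
    }


def parse_trace(text):
    """Every neg_flags value in a -d 3 trace, in the order printed."""
    return [int(m, 16) for m in re.findall(r"neg_flags=0x([0-9a-fA-F]+)", text)]


def challenge_only_flags(text):
    """Flags the server set in its challenge that are gone from the final word."""
    values = parse_trace(text)
    return decode_flags(values[0]) - decode_flags(values[-1])


if __name__ == "__main__":
    for v in parse_trace(TRACE):
        print(hex(v), sorted(decode_flags(v)))
        print("  ", protection_summary(v))
    print("challenge-only:", sorted(challenge_only_flags(TRACE)))
```

For this trace the final word keeps SIGN, ALWAYS_SIGN, EXTENDED_SESSIONSECURITY, 128 and KEY_EXCH but not SEAL, so NTLMSSP-level signing was agreed and sealing was not; the two bits that disappear between the challenge and the final flags (TARGET_INFO and TARGET_TYPE_SERVER) are challenge-message information rather than negotiated options.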

18.1 A successful login from c8host to south america

Here is an example (FROM ROOT) smbclient //sa/gawler -U gawler-zintis -W gawler

root@c8host ~[1008] $
smbclient //sa/gawler -U gawler-zintis -W gawler 

Enter GAWLER\gawler-zintis's password: 
Try "help" to get a list of possible commands.
smb: \> net use
net: command not found
smb: \> help


smb: \> pwd
Current directory is \\sa\gawler\
smb: \> ls
  .                                   D        0  Mon Apr  6 19:59:24 2020
  ..                                  D        0  Sun Apr  5 15:14:17 2020
  three                               N        0  Mon Apr  6 19:59:24 2020
  one                                 N        0  Mon Apr  6 19:59:24 2020
  two                                 N        0  Mon Apr  6 19:59:24 2020

		3542752 blocks of size 1024. 1470436 blocks available
smb: \> 

And now notice the EXACT SAME OUTPUT when I leave off the workgroup. So, who sets the workgroup? The //sa/gawler is just the "share" defined in the [gawler] section in /etc/samba/smb.conf, I think. - confirm.


19 SAMBA SHARES Configuration

These are some of the most common share parameters.

  • read list: who can read (could also be a group name, not just a user name)
  • valid users: valid write users (could also be a group name)
  • invalid users: obvious
  • create mask: octal value
  • directory mask: octal value; remember directories must have the execute bit set for proper access. Default is 0755
  • force user = sambashareuser is another option (not explored in OPS335)
  • force create mode = what permissions to force on new files created
  • read only = yes # controls whether a user has the ability to create or modify
  • guest ok = yes # if yes then no password is required. This is synonymous with public
  • writeable = yes # what it says (for the whole share; this can be over-ridden by write list)
  • write list = user1 user2 user3 # a list of users who have write access

20 Checking samba shares on OPS335

The following smbclient commands confirm the detailed samba permissions requirements for Assignment 2.

This was run from the guest vm, asia. It has an smbclient installed.

Step 1) was to create 3 different files, 1 for each samba user to write (or attempt to write) into each samba share:

cat > kaapvaal.txt
cat > sarmation.txt
cat > gawler.txt
cat > laurasia.txt
cat > gondwana.txt

Then we try each of the samba shares from each of the 3 users, for a total of 15 attempts.

smbclient //sa/sarmation -U sarmation-zintis  > can write
smbclient //sa/sarmation -U gawler-zintis     > can write
smbclient //sa/sarmation -U kaapvaal-zintis   X

smbclient //sa/kaapvaal -U kaapvaal-zintis    > can write
smbclient //sa/kaapvaal -U gawler-zintis      > can write
smbclient //sa/kaapvaal -U sarmation-zintis   X

smbclient //sa/laurasia -U sarmation-zintis  > can write  
smbclient //sa/laurasia -U kaapvaal-zintis   > can write
smbclient //sa/laurasia -U sarmation-zintis  > can write
smbclient //sa/laurasia -U kaapvaal-zintis   > can write
smbclient //sa/laurasia -U gawler-zintis     > can write

smbclient //sa/gondwana -U gawler-zintis
smbclient //sa/gondwana -U zintis
smbclient //sa/gondwana -U kaapvaal-zintis
smbclient //sa/gondwana -U sarmation-zintis
smbclient //sa/gawler -U gawler-zintis
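The parameter list in section 19 and the 15-attempt matrix above are two views of the same thing: the effective access Samba computes from invalid users, valid users, read list, write list, read only / writeable and guest ok. As an added example (my code, not the notes' and not Samba's own logic) the script below applies the precedence documented in smb.conf(5) to a constructed smb.conf fragment and predicts the matrix, so smbclient is then used to confirm rather than discover. The share names follow the notes but every setting, path and the @craton group are made up; one thing it encodes that the list above glosses over is that valid users restricts who may connect at all, and that write list grants write access even when read only = yes. It also flags the weak combination a reviewer looks for first, guest ok = yes on a writeable share, and computes the mode a new file gets from create mask and force create mode.

```python
"""Predict per-user access to Samba shares from smb.conf parameters (added example)."""
import configparser

# Constructed smb.conf fragment: share names from the notes, settings made up.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SAMBA
    security = user

[gawler]
    path = /supercontinents/cratons/gawler
    valid users = gawler-zintis sarmation-zintis @craton
    read only = yes
    write list = gawler-zintis
    create mask = 0640
    force create mode = 0020

[gondwana]
    path = /supercontinents/gondwana
    guest ok = yes
    writeable = yes
    invalid users = root
"""

TRUE_WORDS = {"yes", "true", "1"}


def load_shares(text):
    """Parse smb.conf text into {share: {param: value}}, dropping [global]."""
    cp = configparser.ConfigParser(interpolation=None)  # smb.conf %-macros are not INI interpolation
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s != "global"}


def _names(share, key):
    """Split a Samba user list (space or comma separated)."""
    return share.get(key, "").replace(",", " ").split()


def _matches(entries, user, groups):
    """Plain entries are user names; @name, +name and &name denote groups."""
    for entry in entries:
        if entry[:1] in "@+&":
            if entry[1:] in groups:
                return True
        elif entry == user:
            return True
    return False


def _is_writeable(share):
    """'read only' defaults to yes; writeable/writable/write ok are its inverse synonyms."""
    for key in ("writeable", "writable", "write ok"):
        if key in share:
            return share[key].lower() in TRUE_WORDS
    return share.get("read only", "yes").lower() not in TRUE_WORDS


def effective_access(shares, share_name, user, groups=frozenset()):
    """Return 'none', 'read' or 'write' for user on the named share."""
    share = shares[share_name]
    if _matches(_names(share, "invalid users"), user, groups):
        return "none"                      # invalid users always wins
    valid = _names(share, "valid users")
    if valid and not _matches(valid, user, groups):
        return "none"                      # a non-empty valid users list is a whitelist
    if _matches(_names(share, "write list"), user, groups):
        return "write"                     # overrides read only = yes
    if _matches(_names(share, "read list"), user, groups):
        return "read"                      # overrides read only = no
    return "write" if _is_writeable(share) else "read"


def effective_mode(requested, share):
    """Mode of a newly created file: (requested & create mask) | force create mode."""
    mask = int(share.get("create mask", "0744"), 8)
    force = int(share.get("force create mode", "0"), 8)
    return (requested & mask) | force


def weak_shares(shares):
    """Shares writeable without a password: guest ok (or public) together with write access."""
    return sorted(name for name, s in shares.items()
                  if s.get("guest ok", s.get("public", "no")).lower() in TRUE_WORDS
                  and _is_writeable(s))


def access_matrix(shares, users, groups_of=None):
    """{(share, user): access} for every combination, like the smbclient matrix above."""
    groups_of = groups_of or {}
    return {(name, u): effective_access(shares, name, u, groups_of.get(u, frozenset()))
            for name in shares for u in users}


SHARES = load_shares(SAMPLE_SMB_CONF)

if __name__ == "__main__":
    users = ["gawler-zintis", "sarmation-zintis", "kaapvaal-zintis", "zintis"]
    for (share, user), access in sorted(access_matrix(SHARES, users).items()):
        print(f"{share:10} {user:18} {access}")
    print("weak shares:", weak_shares(SHARES))
```

A real smb.conf also layers global defaults and the [homes] special section on top of this, and Samba lets the last of several inverse synonyms win, so treat the prediction as the expected result to check with smbclient and testparm, not as a replacement for them.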

21 Linux umasks

Best explained with a graphic.

21.1 Home