Introduction

CIFS (common internet filesystem) is the official name of the fileserver protocol used by Windows filesharing subsystem. It's very similar to NFS (network filesystem) developed by Sun which is commonly found in UNIX-based systems. Samba software suite provides CIFS support for UNIX-like systems such as Linux and Mac OS X.

CIFS can make use of Kerberos protocol for authentication when used in conjunction with a domain controller software such as Active Directory or with another Samba instance configured to work as domain controller.

In this tutorial Samba fileserver setup on Ubuntu 16.04 is outlined.

Setting up anonymous shares

In this case no Kerberos or Active Directory is involved. The fileserver becomes local master for the Network Neighbourhood search and advertises WORKGROUP named workgroup, this is NetBIOS name lookup and it's pretty much specific to Windows only because modern name lookup is done with DNS. Share accesses are not authenticated (guest), file and directory creation modes are overridden and filesystem interactions on the server are mapped to local user nobody and group nogroup.

First install software packages:

apt install samba

Create configuration file /etc/samba/smb.conf:

[global]
security = share
workgroup = WORKGROUP
netbios name = TURRIS
server string = Omnia Turris router
guest account = nobody

[ssd]
comment = Intel 240G SSD
path = /mnt/ssd/
guest ok = yes
writable = yes
force user = nobody
force group = nogroup
create mask = 0666
directory mask = 2777

Restart service:

systemctl restart samba

This should be suitable where the network is trusted and no access control is enforced, for example home network or small office.

To list shares on command-line:

smbclient -L turris -U guest%

To mount into local filesystem:

mkdir -p /mnt/ssd
mount.cifs -o guest //turris/ssd/ /mnt/ssd

Fileserver as domain member

In this case users accessing the shares are identified by Kerberos credentials eg. when accessing from domain computers. If Kerberos credentials are not available fallback to NTLM is provided and username and password is prompted upon network share access.

First install software components:

apt install packagekit samba samba-vfs-modules krb5-user \
  realmd libnss-winbind libpam-winbind

Create /etc/realmd.conf, this will tell realmd to make use of winbind when joining the domain. Also it switches off fully qualified usernames (username@realm) and use the short ones instead (username), this of course assumes no local user accounts will be created:

[active-directory]
default-client = winbind

[users]
default-home=/home/%U

[office.lan]
default-shell=/bin/bash
fully-qualified-names=no

Join the machine to domain, this will do several things: create /etc/krb5.keytab, generate /etc/samba/smb.conf, reconfigure PAM modules, create machine account in the domain controller, create host principal in the domain controller and add DNS record for the fully qualified hostname:

realm join office.lan -U administrator

Reconfigure /etc/samba/smb.conf, keep netbios name, workgroup and realm as the ones generated by realm join:

[global]
# Server operates as domain member server
security = ads
netbios name = DEV
workgroup = OFFICE
realm = OFFICE.LAN
kerberos method = system keytab
winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes
winbind enum users  = yes
winbind enum groups = yes

# Bind nmbd, smbd services on certain interface, eg when others go to WAN
interfaces = ens3
bind interfaces only = yes

# How AD accounts are mapped to POSIX accounts on the fileserver
obey pam restrictions = yes
guest account = nobody
invalid users = root krbtgt guest
template homedir = /home/%U
template shell = /bin/bash
idmap config *:backend = rid
idmap config *:range = 1000000-16777216

[homes]
comment = Home Directories
valid users = %S
writable = yes

[shared]
comment = Shared folder for authenticated users
writable = yes
path = /shared

The winbind support in realmd is still a bit quirky, make sure name services are reconfigured so usernames and groups are looked up via winbind:

sed -i -e "s/^passwd:.*/passwd: compat winbind/" /etc/nsswitch.conf
sed -i -e "s/^group:.*/group: compat winbind/" /etc/nsswitch.conf
sed -i -e "s/^shadow:.*/shadow: compat/" /etc/nsswitch.conf

Also home directories need to be created on the fly. On Debian following file is missing completely and for Ubuntu a slightly incorrect version is supplied, but this file can easily be reset:

cat > /usr/share/pam-configs/mkhomedir << EOF
Name: Create home directory on login
Default: no
Priority: 0
Session-Type: Additional
Session:
        optional                    pam_mkhomedir.so
EOF

Ubuntu and Debian ship with following command, use spacebar to tick 'Create home directory on login' and press enter:

pam-auth-update

Restart services or just reboot the box. It is of course possible to add anonymous shares as shown in the previous example, and it is possible to create shares where authentication is required. In case of authenticated shares Samba will try to do it's best to map Windows permissions to POSIX permissions and ACL-s.

Once machine is up check that both commands list the users from AD:

wbinfo -u
getent passwd

Create shared directory and reset permissions:

mkdir -p /shared
chown administrator:"domain users" /shared
chmod 775 /shared/

Auditing

Depending on your organization's needs it might be that when files get overwritten or deleted it is necessary to have the logs about who did it and when. In the 'global' section of /etc/samba/smb.conf add following:

vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE

Also configure syslog to forward events to your SIEM.

Debugging

As usual stop the service and start it up in interactive mode with raised verbosity level.

For fileserver portion:

systemctl stop smbd
smbd -d3 -i

For user mapping:

systemctl stop winbind
winbindd -d3 -i