Samba fileserver06. Mar '17
CIFS (common internet filesystem) is the official name of the fileserver protocol used by Windows filesharing subsystem. It's very similar to NFS (network filesystem) developed by Sun which is commonly found in UNIX-based systems. Samba software suite provides CIFS support for UNIX-like systems such as Linux and Mac OS X.
CIFS can make use of Kerberos protocol for authentication when used in conjunction with a domain controller software such as Active Directory or with another Samba instance configured to work as domain controller.
In this tutorial Samba fileserver setup on Ubuntu 16.04 and Fedora 25 is outlined.
Fileserver as domain member
In this case users accessing the shares are identified by Kerberos credentials eg. when accessing from domain computers. If Kerberos credentials are not available fallback to NTLM is provided and username and password is prompted upon network share access.
First install software components:
apt install packagekit samba samba-vfs-modules krb5-user \ realmd libnss-winbind libpam-winbind
Create /etc/realmd.conf, this will tell realmd to make use of winbind when joining the domain. Also it switches off fully qualified usernames (username@realm) and use the short ones instead (username), this of course assumes no local user accounts will be created:
[active-directory] default-client = winbind [users] default-home=/home/%U [office.lan] default-shell=/bin/bash fully-qualified-names=no
Join the machine to domain, this will do several things: create /etc/krb5.keytab, generate /etc/samba/smb.conf, reconfigure PAM modules, create machine account in the domain controller, create host principal in the domain controller and add DNS record for the fully qualified hostname:
realm join office.lan -U administrator
Reconfigure /etc/samba/smb.conf, keep netbios name, workgroup and realm as the ones generated by realm join:
[global] # Server operates as domain member server security = ads netbios name = DEV workgroup = OFFICE realm = OFFICE.LAN kerberos method = system keytab winbind trusted domains only = no winbind use default domain = yes winbind refresh tickets = yes winbind enum users = yes winbind enum groups = yes # Bind nmbd, smbd services on certain interface, eg when others go to WAN interfaces = ens3 bind interfaces only = yes # How AD accounts are mapped to POSIX accounts on the fileserver obey pam restrictions = yes guest account = nobody invalid users = root krbtgt guest template homedir = /home/%U template shell = /bin/bash idmap config *:backend = rid idmap config *:range = 1000000-16777216 [homes] comment = Home Directories valid users = %S writable = yes [shared] comment = Shared folder for authenticated users writable = yes path = /shared
The winbind support in realmd is still a bit quirky, make sure name services are reconfigured so usernames and groups are looked up via winbind:
sed -i -e "s/^passwd:.*/passwd: compat winbind/" /etc/nsswitch.conf sed -i -e "s/^group:.*/group: compat winbind/" /etc/nsswitch.conf sed -i -e "s/^shadow:.*/shadow: compat/" /etc/nsswitch.conf
Also home directories need to be created on the fly. On Debian following file is missing completely and for Ubuntu a slightly incorrect version is supplied, but this file can easily be reset:
cat > /usr/share/pam-configs/mkhomedir << EOF Name: Create home directory on login Default: no Priority: 0 Session-Type: Additional Session: optional pam_mkhomedir.so EOF
Ubuntu and Debian ship with following command, use spacebar to tick 'Create home directory on login' and press enter:
Restart services or just reboot the box. It is of course possible to add anonymous shares as shown in the previous example, and it is possible to create shares where authentication is required. In case of authenticated shares Samba will try to do it's best to map Windows permissions to POSIX permissions and ACL-s.
Once machine is up check that both commands list the users from AD:
wbinfo -u getent passwd
Create shared directory and reset permissions:
mkdir -p /shared chown administrator:"domain users" /shared chmod 775 /shared/
Depending on your organization's needs it might be that when files get overwritten or deleted it is necessary to have the logs about who did it and when. In the 'global' section of /etc/samba/smb.conf add following:
vfs objects = full_audit full_audit:prefix = %u|%I|%m|%S full_audit:success = rename unlink rmdir pwrite full_audit:failure = none full_audit:facility = local7 full_audit:priority = NOTICE
Also configure syslog to forward events to your SIEM.
As usual stop the service and start it up in interactive mode with raised verbosity level.
For fileserver portion:
systemctl stop smbd smbd -d3 -i
For user mapping:
systemctl stop winbind winbindd -d3 -i