Samba fileserver06. Mar '17

Introduction

CIFS (common internet filesystem) is the official name of the fileserver protocol used by Windows filesharing subsystem. It's very similar to NFS (network filesystem) developed by Sun which is commonly found in UNIX-based systems. Samba software suite provides CIFS support for UNIX-like systems such as Linux and Mac OS X.

CIFS can make use of Kerberos protocol for authentication when used in conjunction with a domain controller software such as Active Directory or with another Samba instance configured to work as domain controller.

In this tutorial Samba fileserver setup on Ubuntu 16.04 and Fedora 25 is outlined.

Setting up anonymous shares

In this case no Kerberos or Active Directory is involved. The fileserver becomes local master for the Network Neighbourhood search and advertises WORKGROUP named workgroup, this is NetBIOS name lookup and it's pretty much specific to Windows only because modern name lookup is done with DNS. Share accesses are not authenticated (guest), file and directory creation modes are overridden and filesystem interactions on the server are mapped to local user nobody and group nogroup, note that on Fedora there is no group nogroup, use nobody instead.

First install software packages:

apt install samba # Debian/Ubuntu
dnf install samba # Fedora

Create configuration file /etc/samba/smb.conf:

[global]
workgroup = WORKGROUP
netbios name = CUBIETRUCK
server string = 1TB WD storage
map to guest = Bad User
guest account = nobody

[shared]
comment = Shared folder for anonymous users
path = /home/shared
guest ok = yes
writable = yes
force user = nobody
force group = nogroup
create mask = 0666
directory mask = 2777

Create the directory:

mkdir -p /home/shared
chmod 777 /home/shared
chcon -t samba_share_t /home/shared # Change SELinux policy on Fedora

Restart service:

systemctl restart smbd nmbd # Ubuntu, Debian
systemctl restart smb nmb # Fedora

Enable for next boot:

systemctl enable smbd nmbd # Ubuntu, Debian
systemctl enable smb nmb # Fedora

This should be suitable where the network is trusted and no access control is enforced, for example home network or small office.

Note that on Fedora firewalld will probably block all incoming traffic. In case you're running Samba on a workstation, open up Wired Settings -> Identity -> Firewall zone and select Trusted for interfaces you want to allow access to fileserver. Alternatively if there is only one network interface on the machine you could disable firewall altogether:

systemctl stop firewalld
systemctl disable firewalld

Fileserver as domain member

In this case users accessing the shares are identified by Kerberos credentials eg. when accessing from domain computers. If Kerberos credentials are not available fallback to NTLM is provided and username and password is prompted upon network share access.

First install software components:

apt install packagekit samba samba-vfs-modules krb5-user \
  realmd libnss-winbind libpam-winbind

Create /etc/realmd.conf, this will tell realmd to make use of winbind when joining the domain. Also it switches off fully qualified usernames (username@realm) and use the short ones instead (username), this of course assumes no local user accounts will be created:

[active-directory]
default-client = winbind

[users]
default-home=/home/%U

[office.lan]
default-shell=/bin/bash
fully-qualified-names=no

Join the machine to domain, this will do several things: create /etc/krb5.keytab, generate /etc/samba/smb.conf, reconfigure PAM modules, create machine account in the domain controller, create host principal in the domain controller and add DNS record for the fully qualified hostname:

realm join office.lan -U administrator

Reconfigure /etc/samba/smb.conf, keep netbios name, workgroup and realm as the ones generated by realm join:

[global]
# Server operates as domain member server
security = ads
netbios name = DEV
workgroup = OFFICE
realm = OFFICE.LAN
kerberos method = system keytab
winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes
winbind enum users  = yes
winbind enum groups = yes

# Bind nmbd, smbd services on certain interface, eg when others go to WAN
interfaces = ens3
bind interfaces only = yes

# How AD accounts are mapped to POSIX accounts on the fileserver
obey pam restrictions = yes
guest account = nobody
invalid users = root krbtgt guest
template homedir = /home/%U
template shell = /bin/bash
idmap config *:backend = rid
idmap config *:range = 1000000-16777216

[homes]
comment = Home Directories
valid users = %S
writable = yes

[shared]
comment = Shared folder for authenticated users
writable = yes
path = /shared

The winbind support in realmd is still a bit quirky, make sure name services are reconfigured so usernames and groups are looked up via winbind:

sed -i -e "s/^passwd:.*/passwd: compat winbind/" /etc/nsswitch.conf
sed -i -e "s/^group:.*/group: compat winbind/" /etc/nsswitch.conf
sed -i -e "s/^shadow:.*/shadow: compat/" /etc/nsswitch.conf

Also home directories need to be created on the fly. On Debian following file is missing completely and for Ubuntu a slightly incorrect version is supplied, but this file can easily be reset:

cat > /usr/share/pam-configs/mkhomedir << EOF
Name: Create home directory on login
Default: no
Priority: 0
Session-Type: Additional
Session:
        optional                    pam_mkhomedir.so
EOF

Ubuntu and Debian ship with following command, use spacebar to tick 'Create home directory on login' and press enter:

pam-auth-update

Restart services or just reboot the box. It is of course possible to add anonymous shares as shown in the previous example, and it is possible to create shares where authentication is required. In case of authenticated shares Samba will try to do it's best to map Windows permissions to POSIX permissions and ACL-s.

Once machine is up check that both commands list the users from AD:

wbinfo -u
getent passwd

Create shared directory and reset permissions:

mkdir -p /shared
chown administrator:"domain users" /shared
chmod 775 /shared/

Accessing shares

To list shares on command-line:

smbclient -L dev.office.lan -U guest%

To mount into local filesystem:

mkdir -p /mnt/shared
mount.cifs -o guest //dev.office.lan/shared/ /mnt/shared

To access shares on Ubuntu open file browser (nautilus), press Ctrl-L and insert smb://dev.office.lan:

img/cifs-fileshare-on-ubuntu.png

File shares on Ubuntu

To access shares on Windows open file explorer, press Ctrl-L and insert \dev.office.lan:

img/cifs-fileshare-on-windows.png

File shares on Windows

To use Kerberos single sign-on and prevent credential prompt from appearing every time you try to access shares either join the end user computer to domain or use following to authenticate on command line:

kinit username@OFFICE.LAN

Auditing

Depending on your organization's needs it might be that when files get overwritten or deleted it is necessary to have the logs about who did it and when. In the 'global' section of /etc/samba/smb.conf add following:

vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE

Also configure syslog to forward events to your SIEM.

Debugging

As usual stop the service and start it up in interactive mode with raised verbosity level.

For fileserver portion:

systemctl stop smbd
smbd -d3 -i

For user mapping:

systemctl stop winbind
winbindd -d3 -i
Kerberos NFS CIFS SMB Samba