Never Ending Security

How To Setup Samba on Linux


Samba is used by sysadmins to overcome the problem of interoperability in a mixed environment where you have both Linux and Windows. It gives Windows and Linux systems a common sharing space.

In this tutorial we will go through a setup that configures Samba (on Linux) as a primary domain controller. A primary domain controller is a service used for centralized administration of users, groups or any other objects in the network.

Host Name

Make sure you’ve set up the appropriate hostname and a static IP address. If you are using an internal IP address and would like to access the server from the internet, set up appropriate NAT rules on your firewall.

# vi /etc/sysconfig/network 
HOSTNAME=samba.n0where.net

Make sure the appropriate static IP address is set in the ifcfg-eth0 file.

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPADDR=192.168.1.5
NETMASK=255.255.255.0

Also, assign the gateway and DNS servers accordingly in your /etc/sysconfig/network and /etc/resolv.conf files.

Verify that your /etc/hosts file has an entry similar to the following.

# vi /etc/hosts
192.168.1.5 samba.n0where.net   samba

Also, make sure the NTP service is set up and running properly on this server.

Install

On CentOS, the samba packages are not installed by default with the minimal installation type.

First, install the following dependent packages.

# yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5 git-core openldap-devel 

Next, download the samba source as shown below.

# git clone git://git.samba.org/samba.git sambaserver

The files will be downloaded to sambaserver directory. Install the samba server as shown below.

cd sambaserver

./configure  --enable-debug --enable-selftest

make

make install

Samba will be installed in the default location /usr/local/samba/bin. You’ll see several samba client utilities installed under this directory.

# cd /usr/local/samba/bin/ 

# ls 
cifsdd       ldbsearch   ntdbrestore    regshell    smbcquotas  tdbbackup 
dbwrap_tool  locktest    ntdbtool       regtree     smbget      tdbdump 
eventlogadm  masktest    ntlm_auth      rpcclient   smbpasswd   tdbrestore 
gentest      ndrdump     oLschema2ldif  samba-tool  smbspool    tdbtool 
ldbadd       net         pdbedit        sharesec    smbstatus   testparm 
ldbdel       nmblookup   pidl           smbcacls    smbtar      wbinfo 
ldbedit      nmblookup4  profiles       smbclient   smbta-util 
ldbmodify    ntdbbackup  regdiff        smbclient4  smbtorture 
ldbrename    ntdbdump    regpatch       smbcontrol  smbtree 

Domain Provision

To start the domain provision, execute samba-tool as shown below. It will pick up the default hostname and domain name from the configuration files.

# /usr/local/samba/bin/samba-tool domain provision 
Realm [N0WHERE.NET]: 
 Domain [N0WHERE]: 
 Server Role (dc, member, standalone) [dc]: 
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: 
 DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]: 8.8.8.8 
Administrator password: 
Retype password: 
...
...
Adding DNS accounts 
Creating CN=MicrosoftDNS,CN=System,DC=n0where,DC=net 
Creating DomainDnsZones and ForestDnsZones partitions 
Populating DomainDnsZones and ForestDnsZones partitions 
Setting up sam.ldb rootDSE marking as synchronized 
Fixing provision GUIDs 
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf 
Once the above files are installed, your Samba4 server will be ready to use 
Server Role:           active directory domain controller 
Hostname:              samba 
NetBIOS Domain:        N0WHERE 
DNS Domain:            n0where.net 
DOMAIN SID:            S-1-5-21-2869186506-3515775153-2841826798 

Start Service

Start the samba service, as shown below.

/usr/local/samba/sbin/samba 

Add the following entry to rc.local file to make sure samba service starts automatically during system startup.

# echo /usr/local/samba/sbin/samba >> /etc/rc.d/rc.local 

# cat /etc/rc.d/rc.local 
touch /var/lock/subsys/local 
/usr/local/samba/sbin/samba 

Check Version

You can verify the samba version using samba or smbclient command as shown below.

# /usr/local/samba/sbin/samba -V 
Version 4.2.0pre1-GIT-913b2a1 

# /usr/local/samba/bin/smbclient -V 
Version 4.2.0pre1-GIT-913b2a1 

The following command will display all Samba shares that are currently available.

# /usr/local/samba/bin/smbclient -L localhost -U% 
Domain=[N0WHERE] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-913b2a1] 

    Sharename       Type      Comment 
    ---------       ----      ------- 
    netlogon        Disk      
    sysvol          Disk      
    IPC$            IPC       IPC Service (Samba 4.2.0pre1-GIT-913b2a1) 
Domain=[N0WHERE] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-913b2a1] 

    Server               Comment 
    ---------            ------- 

    Workgroup            Master 
    ---------            ------- 

Verify that you are able to login using the administrator username and password.

# /usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator -c 'ls' 
Enter administrator's password: 
Domain=[N0WHERE] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-913b2a1] 
  .   D        0  Fri Nov 7 15:06:15 2014 
  ..  D        0  Fri Nov 7 15:06:28 2014 
57901 blocks of size 8388608. 54372 blocks available 

Verify Domains

Now let us check if the domain is functioning as expected. Check the SRV and A record as shown below.

# host -t SRV _ldap._tcp.n0where.net 
_ldap._tcp.n0where.net has SRV record 0 100 389 samba.n0where.net. 

# host -t SRV _kerberos._udp.n0where.net 
_kerberos._udp.n0where.net has SRV record 0 100 88 samba.n0where.net. 

# host -t A samba.n0where.net 
samba.n0where.net has address 192.168.1.5

Use the samba-tool command to verify the realm name as shown below.

# /usr/local/samba/bin/samba-tool testparm --suppress-prompt | grep realm 
    realm = N0WHERE.NET 

Configure Kerberos

Copy the sample krb5.conf file to the /etc directory.

cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf 

Set default_realm to your domain name. In this case, we’ll set it to n0where.net.

# cat /etc/krb5.conf 
[libdefaults] 
    default_realm = N0WHERE.NET 
    dns_lookup_realm = false 
    dns_lookup_kdc = true 

Use the kinit command to make sure Kerberos is set up properly, as shown below.

# kinit administrator@N0WHERE.NET 
Password for administrator@N0WHERE.NET: 
Warning: Your password will expire in 41 days on Fri Apr  4 15:06:25 2014 

Finally, you can use Windows remote administrator tool to connect to the Samba server and use it as a domain controller.

If you face any issues during the above process, make sure you bring the system up-to-date by updating all packages. You can also disable SELinux temporarily, and review the audit.log for any SELinux related error messages. Also, make sure your IPTables rules are not blocking the ports that are required by Samba to communicate between the servers.

Setup And Configuring Linux Samba (SMB) For Linux To Windows File Sharing


Resource sharing, like file systems and printers, in Microsoft Windows systems, is accomplished using a protocol called the Server Message Block or SMB. For working with such shared resources over a network consisting of Windows systems, an RHEL system must support SMB. The technology used for this is called SAMBA. This provides integration between the Windows and Linux systems. In addition, this is used to provide folder sharing between Linux systems. There are two parts to SAMBA, a Samba Server and a Samba Client.

When an RHEL system accesses resources on a Windows system, it does so using the Samba Client. An RHEL system, by default, has the Samba Client installed.

When an RHEL system serves resources to a Windows system, it uses the package Samba Server or simply Samba. This is not installed by default and has to be exclusively set up.

INSTALLING SAMBA ON LINUX REDHAT/CENTOS

To check whether Samba is already installed on your RHEL, Fedora or CentOS system, use the following command:

$ rpm -q samba

The result could be – “package samba is not installed,” or something like “samba-3.5.4-68.el6_0.1.x86_64” showing the version of Samba present on the system.

To install Samba, you will need to become root with the following command (give the root password, when prompted):

$ su -

Then use Yum to install the Linux Samba package:

# yum install samba

This will install the samba package and its dependency package, samba-common.

Before you begin to use or configure Samba, the Linux Firewall (iptables) has to be configured to allow Samba traffic. From the command line, this is achieved with the following commands:

# firewall-cmd --permanent --add-service=samba
# firewall-cmd --reload

CONFIGURING LINUX SAMBA

The Samba configuration is meant to join an RHEL, Fedora or CentOS system to a Windows Workgroup and to set up a directory on the RHEL system as a shared resource that can be accessed by authenticated Windows users.

To start with, you must gain root privileges with (give the root password, when prompted):

$ su -

Edit the Samba configuration file:

# vi /etc/samba/smb.conf

THE SMB.CONF [GLOBAL] SECTION

An smb.conf file is divided into several sections. The [global] section, which is the first section, has settings that apply to the entire Samba configuration. However, settings in the other sections of the configuration file may override the global settings.

To begin with, set the workgroup, which by default is set as “MYGROUP”:

workgroup = MYGROUP

Since most Windows networks are named WORKGROUP by default, the setting has to be changed to:

workgroup = workgroup

CONFIGURE THE SHARED RESOURCE

In the next step, a shared resource that will be accessible from the other systems on the Windows network has to be configured. This section has to be given a name by which it will be referred to when shared. For our example, let’s assume you would like to share a directory on your Linux system located at /data/network-applications. You’ll need to name the section [NetApps], as shown below in our smb.conf file:

[NetApps]
path = /data/network-applications
writeable = yes
browseable = yes
valid users = administrator

When a Windows user browses to the Linux Server, they’ll see a network share labeled “NetApps”.

This concludes the changes to the Samba configuration file.
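
A check for the share definition above, as an added example that is not part of the original tutorial: it parses smb.conf text and flags shares that allow guest access or are writable without a valid users list. The [Scratch] share and the function names are constructed for illustration; the name normalization and the synonyms (public, writable, write ok, read only) follow smb.conf(5).

```python
import re

# Constructed sample: the tutorial's [NetApps] share plus a hypothetical [Scratch] share.
SAMPLE = """\
[global]
    workgroup = WORKGROUP
[NetApps]
    path = /data/network-applications
    writeable = yes
    valid users = administrator
; hypothetical share written with synonym spellings, not part of the tutorial
[Scratch]
    Read Only = No
    public = yes
"""
TRUE = {"yes", "true", "1"}  # boolean spellings documented in smb.conf(5)
ALIASES = {"public": "guestok", "writable": "writeable", "writeok": "writeable"}
SPECIAL = {"global", "homes", "printers"}  # not ordinary file shares

def norm(name):  # Samba ignores case and whitespace in section and parameter names
    key = re.sub(r"\s+", "", name).lower()
    return ALIASES.get(key, key)

def parse(text):
    sections, current = {}, None
    for raw in re.sub(r"\\\n", "", text).splitlines():  # join "\" continuation lines
        line = raw.strip()
        if not line or line[0] in "#;":                  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if norm(key) == "readonly":                  # inverted synonym of "writeable"
                key, value = "writeable", "no" if value.lower() in TRUE else "yes"
            current[norm(key)] = value
    return sections

def audit(text):
    sections, report = parse(text), {}
    for name in sections.keys() - SPECIAL:
        eff = {**sections.get("global", {}), **sections[name]}  # [global] sets defaults
        on = lambda key: eff.get(key, "no").lower() in TRUE
        report[name] = []
        if on("guestok"):
            report[name].append("guest access allowed")
        if on("writeable") and not eff.get("validusers"):
            report[name].append("writable without a 'valid users' list")
    return report
```

Run against the sample, the [NetApps] share from the tutorial produces no findings, while [Scratch] is flagged on both counts even though it never uses the words "guest ok" or "writeable".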

CREATE A SAMBA USER

Any user wanting to access any Samba shared resource must be configured as a Samba user and assigned a password. This is achieved using the smbpasswd command as the root user. Since you have defined “administrator” as the user who is entitled to access the “/data/network-applications” directory of the RHEL system, you have to add “administrator” as a Samba user.

You must gain root privileges with the following command (give the root password, when prompted):

$ su -

Add “administrator” as a Windows user:

# smbpasswd -a administrator

The system will respond with

New SMB password: <Enter password>
Retype new SMB password: <Retype password>

This will result in the following message:

Added user administrator

It will also be necessary to add the same account as a regular Linux user, using the same password we used for the Samba user:

# adduser administrator
# passwd administrator
Changing password for user administrator
New UNIX password: ********
Retype new UNIX password: ********
passwd: all authentication tokens updated successfully.

Now it is time to test the samba configuration file for any errors. For this you can use the command line tool “testparm” as root:

# testparm
Load smb config files from /etc/samba/smb.conf
Rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[NetApps]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

If you would like to ensure that Windows users are automatically authenticated to your Samba share, without being prompted for a username/password, all that’s needed is to create the Samba user and password so that they exactly match your Windows clients’ usernames and passwords. When a Windows system accesses a Samba share, it will automatically try to log in using the same credentials as the user logged into the Windows system.

STARTING SAMBA AND NETBIOS NAME SERVICE ON RHEL

The Samba and NetBIOS Name Service (NMB) services have to be enabled and then started for them to take effect:

# systemctl enable smb.service
# systemctl start smb.service
# systemctl enable nmb.service
# systemctl start nmb.service

In case the services were already running, you may have to restart them again:

# systemctl restart smb.service
# systemctl restart nmb.service

If you are not using the systemctl command, you can alternatively start Samba the more classic way:

[root@gateway] service smb start
Starting SMB services:  [OK]

To configure your Linux system to automatically start the Samba service upon boot up, the above command will need to be inserted in the /etc/rc.local file. For more information about this, you can read our popular Linux Init Process & Different run levels article.

ACCESSING THE SAMBA SHARES FROM WINDOWS

Now that you have configured the Samba resources and the services are running, they can be tested for sharing from a Windows system. For this, open the Windows Explorer and navigate to the Network page. Windows should show the RHEL system. If you double-click on the RHEL icon, you will be prompted for the username and password. The username to be entered now is “administrator” with the password that was assigned.

Again, if you are logged on to your Windows workstation using the same account and password as that of the Samba service (e.g. Administrator), you will not be prompted for any authentication, as the Windows operating system will automatically authenticate to the RHEL Samba service using these credentials.

ACCESSING WINDOWS SHARES FROM RHEL WORKSTATION OR SERVER

To access Windows shares from your RHEL system, the package samba-client may have to be installed, unless it is installed by default. For this you must gain root privileges with (give the root password, when prompted):

$ su -

Install samba-client using the following command:

# yum install samba-client

To see any shared resource on the Windows system and to access it, you can go to Places > Network. Clicking on the Windows Network icon will open up the list of workgroups available for access.

Linux network troubleshooting (Red Hat) & Network file-sharing services (NFS, CIFS & Samba)


Network Configuration and troubleshooting for Linux (Red Hat) can be found here:
http://www.forbidden-access.org/network-configuration-and-troubleshooting

And how to access network file-sharing services like NFS, CIFS & Samba can be found here:
http://www.forbidden-access.org/network-file-sharing-services