ext3+gnu_linux+samba = fast and reliable fileserver.

WARNING! Security problems: versions from 3.5.0 to 4.6.4 (current in May 2017) are affected and need to be patched!

patches are available from: https://www.samba.org/samba/patches/

Unfortunately EVEN Debian9 (!!!! GUYS FIX THAT FAST !!!!) is shipping an affected version?: 4.5.8-Debian https://packages.debian.org/en/stretch/samba

prior to running a debian8 fileserver, a small and medium sized company was running ubuntu server with smb as a virtualbox VM (1GB RAM is more than enough) on windows 7 professional.

both work flawlessly, fast and reliable, and we haven’t lost a single file (except when some ransomware decided to encrypt all network shares…. but that is a different story and samba is not to blame) – while at the same time circumventing the maximum of 20 simultaneous connections that windows 7 comes with.

unfortunately – some software vendors explicitly demand a windows-share for their software to work properly. (i guess they do not want to do the double-testing)

With samba you can have as many connections as your server can handle.

Plus: it is pretty easy to get started.

setup and install

this is rather easy.


hostnamectl; # tested with (but probably works the same across distros)
   Static hostname: debian
  Operating System: Debian GNU/Linux 9 (stretch)
            Kernel: Linux 4.9.0-3-amd64
      Architecture: x86-64

# client version
C:\Users>ver
Microsoft Windows [Version 6.3.9600]

su; # become root
apt update;
apt install -y samba; # debian/ubuntu
yum install -y samba; # centos/redhat

samba -b; # show build/version
Samba version: 4.5.8-Debian
Build environment:
Paths:
   BINDIR: /usr/bin
   SBINDIR: /usr/sbin
   CONFIGFILE: /etc/samba/smb.conf
   NCALRPCDIR: /var/run/samba/ncalrpc
   LOGFILEBASE: /var/log/samba
   LMHOSTSFILE: /etc/samba/lmhosts
   DATADIR: /usr/share
   MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
   LOCKDIR: /var/run/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PIDDIR: /var/run/samba
   PRIVATE_DIR: /var/lib/samba/private
   CODEPAGEDIR: /usr/share/samba/codepages
   SETUPDIR: /usr/share/samba/setup
   WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
   WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

# follow samba logs
tail -f /var/log/samba/log.* &

creating a free for all shared folder: sharing files with everybody

If you would like to have a share where all users in your network can upload but also delete files – you can do it like this:

BE AWARE: this means – angry users might upload a virus.doc or delete the whole directory.

Always make daily backups and keep them a week or two!!!

(even if this share is meant for „temporary“ files.)

HAHA! Yes for sure and in the end your life depends on those „temporary“ files… „great“..

# prepare storage dirs
mkdir -p /home/shares/public
chown -R root:users /home/shares/public/
chmod -R ug+rwx,o+rx-w /home/shares/public/

vim /etc/samba/smb.conf; # edit main config file and add those lines at the very end

[public]
   path = /home/shares/public/
   force group = users
   create mask = 0660
   directory mask = 0771
   browsable = yes
   writable = yes
   guest ok = yes

:wq # save and quit

test the config for errors:

testparm
testparm -v; # show all settings

example output: testparm.verbose.all.settings.txt

if everything is fine restart samba service like this:

systemctl restart smbd.service; # activate config

accessing the share from windows

on your windows client hit Win+R -> RUN -> test to access the share:

with a config like this new folders and files are created (from a windows client) with those users and permissions:

ll /home/shares/public/
total 20K
drwxrwxr-x 3 root   users 4.0K Aug  2 15:04 .
drwxr-xr-x 4 root   root  4.0K Aug  2 15:01 ..
drwxrwx--x 2 nobody users 4.0K Aug  2 15:04 test
-rw-rw---- 1 nobody users    6 Aug  2 15:04 test2.txt
-rw-rw---- 1 nobody users    4 Aug  2 15:03 test.txt

accessing the share from linux

is also doable.

apt-get install cifs-utils; # install samba-client software

mkdir /mnt/cifs; # create mountpoint

mount -t cifs //172.20.0.5/public /mnt/cifs --verbose -o user=nobody;

Password for nobody@//172.20.0.5/public: # simply hit enter (no password)

mount.cifs kernel mount options: ip=172.20.0.5,unc=\\172.20.0.5\public,user=nobody,pass=********

root@debian9:/home/user# ll /mnt/cifs/
total 4.0K
drwxrwxr-x+ 3 root   users    0 Aug  2 15:35 .
drwxr-xr-x  3 root   root  4.0K Aug  2 16:25 ..
drwxrwx--x+ 2 nobody users    0 Aug  2 15:35 secret

hidden share:

if you set:

browsable = no

you can still access the share but the folder itself is not visible when accessing the host via smb.

this can be useful to hide shares from the „normal“ user – but don’t expect super-hackers to not find and encrypt-for-ransom all your hidden files….

accessing user’s home directories with password protection/auth

useradd tom -m -G users; # add new user to linux
passwd tom; # define linux-login-password for user

smbpasswd -a tom; # define smb-password for user you could use "tomtom"

vim /etc/samba/smb.conf; # edit main config file and add those lines at the very end

[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   writable = yes
   create mask = 0700
   directory mask = 0700

:wq # save and quit vim

systemctl restart smbd.service; # restart samba

 

works like a charm:

manpages:

testparm.man.txt

samba.man.txt

samba and security:

if you need to share files securely over internet or inside a LAN SFTP IS THE CHOICE!

It is basically FTP over SSH.

if you know SSH you will have a SFTP server in 10 minutes.

http://dwaves.de/2017/05/10/linux-sftp-ssh-how-to-limit-users-to-their-home-directories/

FileZilla or MobaXTerm can do SFTP – allowing you to access linux files and folders with a windows client.

it is funny – that if you program a linux-clone for a windows-program/protocol… you end up implementing the same security problems. X-D

(okay … NFS security is not better)

https://www.samba.org/samba/security/CVE-2017-7494.html

https://wiki.illumos.org/display/illumos/WannaCry+-+SambaCry+CVE-2017-7494

Versions from 3.5.0 to 4.6.4 (current in May 2017) are affected.

patches are available from:

https://www.samba.org/samba/patches/

Testing for wcry

start up a second debian linux, modify the host’s IP (172.20.0.5) to that of your samba-server and go:

apt install nmap; # install nmap scanner
wget https://raw.githubusercontent.com/Waffles-2/SambaCry/master/CVE-2017-7494.nse

nmap -sC -p 445 --script CVE-2017-7494.nse 172.20.0.5

Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-02 16:48 CEST
Nmap scan report for 172.20.0.5
Host is up (0.00065s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:15:5D:00:07:13 (Microsoft)

Host script results:
| CVE-2017-7494:
|   State is: POTENTIALLY VULNERABLE
|   Samba-vuln-CVE-2017-7494
|   Summary: Remote code execution from a writable share.
|   Description: A Samba vulnerability (CVE-2017-7494) enables a malicious attacker with valid write access to a file share to upload and execute an arbitrary binary file which will run with Samba permissions.
|   Affected Version: All versions of Samba from 3.5.0 onwards.
|_  For more info: https://www.guardicore.com/2017/05/samba/

Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds

# IF YOU WANT TO SCAN AN ENTIRE NETWORK! (WARNING! THIS MIGHT CRASH THE SMB-SERVER!)
nmap -sC -p 445 --script CVE-2017-7494.nse 172.20.0.0/24
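
Added example (not part of the original post or of Samba itself): the scan above flags the server because a writable share is reachable. The shell function below reads an smb.conf, lists which shares are writable by guests or by authenticated users, and reports whether the "nt pipe support = no" workaround from the Samba advisory for CVE-2017-7494 is set in [global]. The function names, output labels and the sample config (modelled on the [public] and [homes] sections above) are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: audit smb.conf for writable shares and the CVE-2017-7494 workaround.
# Assumes [global] comes before the share sections; include files are not followed.
audit_smb_conf() {   # usage: audit_smb_conf /etc/samba/smb.conf
  awk '
    function trim(s)   { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function truthy(v) { v = tolower(v); return (v=="yes" || v=="true" || v=="on" || v=="1") }
    function report() {
      if (sect == "") return
      if (sect == "global") { g_guest = guest; g_write = writable; return }
      if (guest && writable) print "GUEST-WRITABLE " sect
      else if (writable)     print "AUTH-WRITABLE " sect
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    /^[ \t]*\[/ {                                  # new section: report the previous one
      report()
      sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
      sect = tolower(trim(sect))
      guest = g_guest; writable = g_write          # shares inherit [global] settings
      next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      # normalise case and spacing of the parameter name
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
      val = trim(substr($0, eq + 1))
      if (key == "guestok" || key == "public") guest = truthy(val)
      if (key == "writable" || key == "writeable" || key == "writeok") writable = truthy(val)
      if (key == "readonly") writable = !truthy(val)
      if (sect == "global" && key == "ntpipesupport") pipes_off = !truthy(val)
    }
    END {
      report()
      state = pipes_off ? "WORKAROUND-SET" : "WORKAROUND-MISSING"
      print state " nt pipe support"
    }
  ' "$1"
}
# Constructed sample input: the [public] and [homes] shares from this page.
sample_conf() {
  cat <<'EOF'
[global]
[public]
   writable = yes
   guest ok = yes
[homes]
   writable = yes
EOF
}
```

Run it against the live config with: audit_smb_conf /etc/samba/smb.conf. The advisory notes that "nt pipe support = no" can disable some functionality Windows clients expect, so treat it as a stopgap until the patched packages are installed.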

In May 2017 it became known that security problems similar to those in Microsoft's software, which can be exploited in the form of WannaCry, also exist in a similar form in Samba.

[11]With this bug, which is called SambaCry by analogy, it is possible to execute injected malicious code on the affected Samba system.

The bug affects all Samba versions from version 3.5.0 up to version 4.6.4, which was current in May 2017.

[12]This bug is critical above all for NAS systems, which are usually based on Samba. D

links:

RedHat security dashboard – https://access.redhat.com/security/security-updates/#/cve?q=&p=1&sort=cve_publicDate%20desc&rows=10&documentKind=Cve&cve_threatSeverity=Critical

https://www.howtoforge.com/tutorial/debian-samba-server/

https://www.heise.de/security/meldung/SambaCry-Gefaehrliche-Sicherheitsluecke-in-Samba-finden-und-patchen-3726053.html

Donations

Nowadays, the Samba Team needs a dollar instead of pizza 😉

-> Samba Team
c/o Software Freedom Conservancy, Inc.
137 Montague St Ste 380
Brooklyn, NY 11201-3548

Why do we need money?

You may be wondering why the Samba Team needs money. The main expenses that we have are travel expenses for team members to the major Samba related conferences and expenses for running the main samba.org site. We occasionally have other expenses (eg. small pieces of hardware and books) but that is less common.

A good example of our travel expenses is the CIFS conference in San Jose. We usually have between ten and fifteen team members attending each year and while most of them are covered by the company they work for, we do need to provide international travel and accommodation for some of them.

admin