update 2019-02: everything was fine… until you decided to update because of the EternalBlue exploit and the push to retire SMB 1.0 that followed it (EternalBlue itself targets the SMB 1.0 implementation in Windows; Samba's code is not hit by it, but the scare got everybody updating and switching SMB 1.0 off), and now samba misbehaves on Debian and CentOS. (scroll down for details)

EternalBlue, sometimes stylized as ETERNALBLUE,[1] is an exploit developed by the U.S. National Security Agency (NSA) according to testimony by former NSA employees.[2] It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack on May 12, 2017.[1][3][4][5][6] The exploit was also used to help carry out the 2017 NotPetya cyberattack on June 27, 2017[7] and reported to be used as part of the Retefe banking trojan since at least September 5, 2017.[8]

as a rule of thumb: power down, snapshot, update, test… not working well? restore. Note down all test cases you have been running and repeat them after every update.

how to install and set up samba on CentOS:

tested on:

hostnamectl
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7

Kernel: Linux 3.10.0-693.21.1.el7.x86_64

yum info samba.x86_64
Version : 4.6.2
Release : 12.el7_4
Size : 1.8 M
Repo : installed
From repo : updates
Summary : Server and Client software to interoperate with Windows machines
URL : http://www.samba.org/
License : GPLv3+ and LGPLv3+
Description : Samba is the standard Windows interoperability suite of programs for Linux and
: Unix.
yum install samba samba-client samba-common; # install samba

# let samba through firewall
firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

# or if one has iptables
grep -i NETBIOS /etc/services 
netbios-ns      137/tcp                         # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp                         # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp                         # NETBIOS session service
netbios-ssn     139/udp

# allow tcp and udp on port 137, 138, 139 and 445
# (137/138 are used by nmbd over udp, 139 and 445 by smbd over tcp; opening both
#  protocols on all four ports, as below, is the broad version)
# no reload or restart of iptables is necessary
# consider restricting these rules to your LAN with e.g. -s 192.168.1.0/24 (example range):
# SMB should never be reachable from the internet

iptables -I INPUT -p tcp --dport 137 -m state --state NEW -j ACCEPT
iptables -I INPUT -p tcp --dport 138 -m state --state NEW -j ACCEPT
iptables -I INPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
iptables -I INPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT

iptables -I INPUT -p udp --dport 137 -m state --state NEW -j ACCEPT
iptables -I INPUT -p udp --dport 138 -m state --state NEW -j ACCEPT
iptables -I INPUT -p udp --dport 139 -m state --state NEW -j ACCEPT
iptables -I INPUT -p udp --dport 445 -m state --state NEW -j ACCEPT

# save those iptables settings
# (needs the iptables-services package on CentOS 7; if firewalld is running,
#  use the firewall-cmd lines above instead of mixing both)
service iptables save

# make service autostart
systemctl enable smb.service
systemctl enable nmb.service

# start service
systemctl start smb.service
systemctl start nmb.service

# add a general group, for group-based access
groupadd smbgrp

# add user
# add user to system
useradd -m user
# give user a systemwide password
passwd user
usermod -aG smbgrp user; # add user to the smbgrp group
smbpasswd -a user; # set smb password, and add user to samba (-a)

# add user's private share
# (root:smbgrp with 0770 means every member of smbgrp can use it on the
#  filesystem level; that matches the valid users = @smbgrp in the share below)
mkdir -p /srv/samba/user;
chmod -R 0770 /srv/samba/user;
chown -R root:smbgrp /srv/samba/user;
# label it so smbd may serve it; chcon does not survive a relabel (restorecon/fixfiles),
# for a permanent label record it with semanage fcontext as well
chcon -t samba_share_t /srv/samba/user;

vim /etc/samba/smb.conf

[global]
workgroup = WORKGROUP
netbios name = centos
security = user

[user]
comment = Secure File Server Share
path =  /srv/samba/user
valid users = @smbgrp
guest ok = no
writable = yes
browsable = yes

:wq # save and quit vim

testparm; # test samba config

# restart service
systemctl restart smb.service;
systemctl restart nmb.service;

now you can fire up your windows workstation, which needs to be in the same WORKGROUP as specified under [global] in smb.conf

let’s make this easier with a script

download here: add_new_samba_user_and_share.sh.txt

vim /scripts/add_new_samba_user_and_share.sh

#!/bin/bash
# add_new_samba_user_and_share.sh <username>
# creates a unix user, a samba password entry, a private directory
# and appends a matching [share] section to smb.conf
set -euo pipefail

if [ $# -ne 1 ]; then
    echo "usage: $0 <username>" >&2
    exit 1
fi

user="$1"
share_root="/srv/samba"

# only accept a plain login name: it ends up in a path and in smb.conf
case "$user" in
    [a-z_][a-z0-9_-]*) ;;
    *) echo "refusing odd username: $user" >&2; exit 1 ;;
esac

# don't append a second [user] section if the script is run twice
if grep -qx "\[$user\]" /etc/samba/smb.conf; then
    echo "share [$user] already exists in smb.conf" >&2
    exit 1
fi

id "$user" >/dev/null 2>&1 || useradd -m "$user"
passwd "$user"
usermod -aG smbgrp "$user"
smbpasswd -a "$user"; # set smb password, and add user to samba (-a)

# add user's private share: owned by the user, not by the shared group,
# so other smbgrp members have no filesystem-level access to it either
mkdir -p "$share_root/$user"
chown -R "$user:$user" "$share_root/$user"
chmod -R 0700 "$share_root/$user"
# -R so files already in there get the label too (chcon is not persistent across a relabel)
chcon -R -t samba_share_t "$share_root/$user"

cat >> /etc/samba/smb.conf <<EOF

[$user]
comment = Secure File Server Share of $user
path = $share_root/$user
valid users = $user
guest ok = no
writable = yes
browsable = yes
EOF

# test samba config; testparm exits non-zero on a broken config,
# so with set -e the restart below is skipped in that case
testparm -s >/dev/null

# restart service
systemctl restart smb.service
systemctl restart nmb.service

:wq # save and quit vim

chmod +x /scripts/*.sh; # make it executable and give it a practice run, e.g. /scripts/add_new_samba_user_and_share.sh testuser (testuser being just an example name)
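the script above appends to smb.conf blindly and trusts whatever is already in there. here is an added check, not from the original post, that reads a smb.conf and flags the things this page keeps running into: SMB 1.0 still negotiable (no server min protocol of SMB2 or higher in [global]; before Samba 4.11 the default minimum was NT1, which is SMB 1.0), guest shares, shares without valid users, and share sections without a path (the [test] share in the Debian section further down has none). it only needs awk and does not follow include = lines.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a smb.conf for the settings this
# page keeps tripping over. Prints one finding per line, exit status 1 if any were found.
#   GLOBAL: smb1-allowed     no "server min protocol" of SMB2 or higher in [global]
#                            (before Samba 4.11 the default min protocol was NT1 = SMB 1.0)
#   <share>: guest-ok        "guest ok = yes" on a file share
#   <share>: no-valid-users  share is not restricted with "valid users"
#   <share>: no-path         share section without a "path =" line
# [homes], [printers] and [print$] are skipped, they follow their own rules.
# Assumes a single-file smb.conf ("include =" / "config file =" are not followed).

audit_smbconf() {
    _findings=$(awk '
        function flush() {
            if (section == "") return
            if (lc == "global") {
                if (!minproto_ok) print "GLOBAL: smb1-allowed"
            } else if (lc != "homes" && lc != "printers" && lc != "print$") {
                if (guest)       print section ": guest-ok"
                if (!validusers) print section ": no-valid-users"
                if (!path)       print section ": no-path"
            }
        }
        /^[ \t]*[;#]/ { next }                               # comment line
        { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next }  # trim, skip blank lines
        /^\[.*\]$/ {                                         # section header
            flush()
            section = substr($0, 2, length($0) - 2)
            lc = tolower(section)
            if (lc == "global") saw_global = 1
            guest = 0; validusers = 0; path = 0
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]+$/, "", key)
            val = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (lc == "global") {
                if ((key == "server min protocol" || key == "min protocol") && val ~ /^smb[23]/)
                    minproto_ok = 1
            } else {
                if (key == "guest ok" && (val == "yes" || val == "true" || val == "1")) guest = 1
                if (key == "valid users" && val != "") validusers = 1
                if (key == "path" && val != "") path = 1
            }
        }
        END {
            flush()
            if (!saw_global) print "GLOBAL: smb1-allowed"
        }
    ' "$1")
    [ -n "$_findings" ] && printf '%s\n' "$_findings"
    [ -z "$_findings" ]
}

# usage: audit_smbconf /etc/samba/smb.conf
```

run it after every edit next to testparm (which checks syntax, not policy). to verify the protocol side from another box, smbclient -L //centos -m NT1 -N should fail once SMB 1.0 is switched off, and testparm -v | grep 'min protocol' shows the effective value including the compiled-in default.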

 

one share per project – project specific file server:

the idea is to have one shared folder per project, to collect everything concerning the project in one place, while allowing only the users in the project group to see, edit and create files.

if you already have a one-share-per-user file server (usually the user’s “home” directory), it makes sense to set up a second file server if users should reach their home directory AND the project directories at the same time: windows clients (tested up to win 7) can NOT connect to the same server/IP with two different user names at once (the client refuses with “multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed”).

it just does not work.

so better put home and projects on different file servers with different IPs (the client keys its credentials on the server name it connected to, so a second hostname or IP on the same box would also do).

# let's get started
# if not already
# create a user that is allowed to work on the project
useradd -m user
passwd user
smbpasswd -a user
# let's add a group that is called like the project
groupadd projectname
# let's add this user to the project group
usermod -aG projectname user
# let's create project folder
mkdir -p /srv/samba/projectname
# group gets read/write/traverse, nobody else gets anything
chmod -R 0770 /srv/samba/projectname
# setgid on the directory: sub-folders created later inherit the project group
chmod g+s /srv/samba/projectname
chown -R root:projectname /srv/samba/projectname
chcon -R -t samba_share_t /srv/samba/projectname

# this is what smb.conf looks like
cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = WORKGROUP
        netbios name = projects
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[projectname]
comment = project folder
path = /srv/samba/projectname
valid users = @projectname
guest ok = no
writable = yes
browsable = yes
; without these, a file created by one member belongs to that member's
; primary group and the other members can read but not edit it
force group = projectname
create mask = 0660
directory mask = 0770

# adjust to your setup, then :wq save and quit
# test config
testparm
# and restart
systemctl restart smb.service;systemctl restart nmb.service; # restart samba 

… if all goes well you should be able to connect to the project file server as user “user” and be allowed to access the share “projectname”.

if not, run this on the server while you try to connect from the client, to see whether it is a permissions problem or a technical one (smbd writes per-client logs to /var/log/samba/):

find /var/log/ -type f ! -name '*.gz' -exec tail -n0 -F {} +

SELinux trouble: visible folders – invisible files

it happened to me with the above-mentioned one-share-per-project file server that it would show folders but no files!? (I was able to see the files in the terminal on the server, but the windows 7 client could not “see” them)

# possible messy fix
# this is possibly not the most elegant solution...

# the problem:
# all folders look empty
# samba shows folders but not files
# first confirm it is SELinux: temporarily switch to permissive mode
setenforce 0
# and restart samba
systemctl restart smb.service;systemctl restart nmb.service; # restart samba
# are files visible in the smb client now?
# then it's a SELinux problem: typically the directories carry samba_share_t
# but the files inside do not (chcon without -R only labels the directory itself,
# and files copied in keep whatever label they had before)

# switching SELinux back on
setenforce 1

# try this fix: label the whole tree recursively with the type smbd may serve
chcon -R -t samba_share_t /srv/samba/
# (alternative: public_content_rw_t; smbd can read that too, but writing to it
#  additionally needs setsebool -P smbd_anon_write 1, so for a non-public share
#  samba_share_t is the better fit)
# chcon -R -t public_content_rw_t /srv/samba/

# and restart samba
systemctl restart smb.service;systemctl restart nmb.service; # restart samba
# are files visible in smb client?

# no? continue:

# either completely disable selinux
# (this removes the protection for the whole host, not just for samba;
#  last resort, not first)
vim /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled   # was: enforcing; takes effect after a reboot

# or let smbd read and write every file on the system regardless of its label
# (acceptable on a dedicated file server, far too broad on anything else)
setsebool -P samba_export_all_rw 1

# and restart samba
systemctl restart smb.service;systemctl restart nmb.service; # restart samba		
# are files visible in smb client?
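
all three fixes above either widen what smbd may touch or switch SELinux off. before doing that, it is worth seeing which files actually carry the wrong label and fixing those, persistently. the following is an added example, not from the original post; it assumes GNU find (its %Z format prints the SELinux context), the policycoreutils-python package for semanage, and the /srv/samba share root used on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): instead of turning SELinux off, find the
# files under a share that carry a label smbd is not allowed to serve, and relabel them
# in a way that survives a later relabel of the filesystem.
# Assumes GNU find (-printf %Z prints the SELinux context) and policycoreutils-python
# for semanage; /srv/samba is the share root used throughout this page.

SHARE_TYPE=samba_share_t

# Reads "context<TAB>path" lines on stdin (the format `find -printf '%Z\t%p\n'` emits)
# and prints every path whose type field differs from $SHARE_TYPE. Pure text
# processing, so it also works on a saved listing or on constructed input.
mislabeled() {
    awk -F '\t' -v want="$SHARE_TYPE" '
        NF >= 2 {
            split($1, ctx, ":")          # user:role:type:level
            if (ctx[3] != want) print $2
        }'
}

# Walks a real share tree. Prints mislabeled paths, exit status 1 if there are any.
check_share_labels() {
    _bad=$(find "$1" -printf '%Z\t%p\n' | mislabeled)
    [ -n "$_bad" ] && printf '%s\n' "$_bad"
    [ -z "$_bad" ]
}

# Persistent fix: store the rule in the local policy (chcon alone is undone by the
# next restorecon/fixfiles run), then apply it to what is already on disk.
relabel_share() {
    semanage fcontext -a -t "$SHARE_TYPE" "$1(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t "$SHARE_TYPE" "$1(/.*)?"
    restorecon -Rv "$1"
}

# What smbd was actually denied, straight from the audit log:
#   ausearch -m avc -c smbd -ts recent
# usage:
#   check_share_labels /srv/samba || relabel_share /srv/samba
```

the usual cause behind the empty folders shows up directly in the listing: the directory is samba_share_t because chcon was run on it, while the files inside still carry user_home_t or similar from wherever they were copied from. semanage fcontext records the rule, restorecon applies it, and a full relabel later keeps it; the ausearch line shows the exact denials while a client tries to list the share.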

additional stuff:

# list currently connected clients
smbstatus

# delete a samba user
pdbedit -x -u username

# info about samba

yum info samba
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.fra10.de.leaseweb.net
 * epel: mirror.23media.de
 * extras: centos.copahost.com
 * updates: ftp.rz.uni-frankfurt.de
Installed Packages
Name        : samba
Arch        : x86_64
Version     : 4.6.2
Release     : 12.el7_4
Size        : 1.8 M
Repo        : installed
From repo   : updates
Summary     : Server and Client software to interoperate with Windows machines
URL         : http://www.samba.org/
License     : GPLv3+ and LGPLv3+
Description : Samba is the standard Windows interoperability suite of programs for Linux and
            : Unix.

smbstatus --version
Version 4.6.2

problems & errors after updates on: Debian 8 (Jessie)

updates are beastly. Under Windows, but also under Linux.

Expect things to fail, have backups/snapshots and documented test-cases if you intend to upgrade in production systems.

for example: often it is better to reinstall from scratch than to do a “dist-upgrade” under Debian. Sounds stupid, but that is the way it is.

Massive changes due to security problems are happening under Windows, but also in Linux/Samba (SMB 1.0 no more, force everything to SMB 2.0), so the danger of things failing, getting slow or becoming incompatible is even greater.

Similar to the Word .doc formats, Microsoft keeps changing its SMB “standard”, which even gives Windows boxes problems talking to each other (because they do not speak the same dialect of SMB?).

smbstatus --version
Version 4.2.14-Debian

problem: the share named “data” can not be accessed, all the other shares behave normally.

install lnav to colorize log output: (better overview, spot errors faster)

apt update;
apt install lnav;

increase samba logging level:

# open up main samba config file
vim /etc/samba/smb.conf

[global]
log level = 3 passdb:5 auth:5
# log level = 3 = very detailed
# log level = 2, could be enough
:wq # save and quit
# restart samba
service smbd restart

try to connect to share

what I can see is:

pdb_getsampwnam (tdb) error fetching database

“I think you will find that you are trying to create a samba user and samba cannot find a Unix user with the same name.

To prove this, create the user first as a Unix user with adduser or whatever centos (useradd -m username) uses, then try again with pdbedit.” (src: lists.samba.org)

okay… yes, I do have a share “data” defined, but not a unix user with the same name. Why would I need this?

I just added the user:

useradd -m data
passwd data
smbpasswd -a data
service smbd restart

and the error went away.

but I still CAN NOT ACCESS the share! X-D

because there is another error:

SID "username" is not in a valid format

I had two options: either update samba only and test whether that fixes the problem, or reinstall.

option one is faster, so: power down, snapshot, power up, update:

# check what is installed
dpkg -l | grep samba
# try to update the samba packages only
# (quote the pattern: apt-get treats it as a regex, and an unquoted samba*
#  would be expanded by the shell against files in the current directory)
apt-get install --only-upgrade 'samba*'
# restart
sync; shutdown -r now

now the SID error message was gone, other messages appeared that were just informational.

… I still was not able to access the “data” share.

but I figured it out: the only thing that makes the data share different from all the other shares is that it comes last in smb.conf.

so I created another share “test” below “data”

vim /etc/samba/smb.conf

[test]
comment = "test"
browseable = yes
read only = no
valid users = this, that, default, user
create mask = 0755
; note: this section has no "path =" line, so smbd will not export the directory
; you might expect; give it a path before using the share for anything real
:wq # save quit
# restart
service smbd restart

… now it works X-D

I guess I will not update this thing in the next billion years. Rather reinstall it.

client used: Windows 7 64Bit

more links tips and tricks:

Samba share on CentOS7 – empty folders – can view directories but no files – what is SELinux context?

Access denied in Win7 to Samba server

 

admin