update 2019-02: everything was fine… until you decided to update because of the EternalBlue exploit. To be precise: EternalBlue (CVE-2017-0144) exploits Microsoft's own SMBv1 implementation in the Windows kernel; it does not affect open source SMB implementations such as Samba. Samba had its own remote code execution bug in 2017 (CVE-2017-7494), and since then distributions have been pushing Samba updates that retire SMB1 in general. After those updates, Samba now misbehaves on Debian and CentOS. (scroll down for details)
EternalBlue, sometimes stylized as ETERNALBLUE,[1] is an exploit developed by the U.S. National Security Agency (NSA) according to testimony by former NSA employees.[2] It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack on May 12, 2017.[1][3][4][5][6] The exploit was also used to help carry out the 2017 NotPetya cyberattack on June 27, 2017[7] and reported to be used as part of the Retefe banking trojan since at least September 5, 2017.[8]
as a rule of thumb: power down, snapshot, update, test… not working well? restore. Write down all the test cases you have been running and repeat the tests after every update.
how to install and set up Samba on CentOS:
tested on:

hostnamectl
   Operating System: CentOS Linux 7 (Core)
        CPE OS Name: cpe:/o:centos:centos:7
             Kernel: Linux 3.10.0-693.21.1.el7.x86_64

yum info samba.x86_64
Version     : 4.6.2
Release     : 12.el7_4
Size        : 1.8 M
Repo        : installed
From repo   : updates
Summary     : Server and Client software to interoperate with Windows machines
URL         : http://www.samba.org/
License     : GPLv3+ and LGPLv3+
Description : Samba is the standard Windows interoperability suite of programs for Linux and
            : Unix.
yum install samba samba-client samba-common; # install samba

# let samba through the firewall
# (a file server has no business being reachable from the internet: bind the LAN interface to
# this zone, or use a zone restricted to your LAN with --add-source)
firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

# or, if one has iptables
grep -i NETBIOS /etc/services
netbios-ns      137/tcp   # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp   # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp   # NETBIOS session service
netbios-ssn     139/udp

# allow 137/udp and 138/udp (NetBIOS name service and datagrams),
# 139/tcp (NetBIOS session) and 445/tcp (SMB directly over TCP)
# no reload or restart of iptables is necessary
iptables -I INPUT -p udp --dport 137 -m state --state NEW -j ACCEPT
iptables -I INPUT -p udp --dport 138 -m state --state NEW -j ACCEPT
iptables -I INPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
iptables -I INPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT
# save those iptables settings
service iptables save

# make the services autostart
systemctl enable smb.service
systemctl enable nmb.service
# start the services
systemctl start smb.service
systemctl start nmb.service

# add a general group, for group-based access
groupadd smbgrp

# add user
useradd -m user             # add user to the system
passwd user                 # give user a system-wide password
usermod -aG smbgrp user;    # add user to the samba group
smbpasswd -a user;          # set the smb password and add the user to samba (-a)

# add user's private share
mkdir -p /srv/samba/user;
chmod -R 0770 /srv/samba/user;
chown -R root:smbgrp /srv/samba/user;
chcon -R -t samba_share_t /srv/samba/user;   # -R: label the files too, not only the directory
# chcon does not survive a relabel (restorecon / touch /.autorelabel); make it persistent:
yum install policycoreutils-python;           # provides semanage
semanage fcontext -a -t samba_share_t "/srv/samba(/.*)?"; restorecon -Rv /srv/samba

vim /etc/samba/smb.conf
[global]
workgroup = WORKGROUP
netbios name = centos
security = user

[user]
comment = Secure File Server Share
path = /srv/samba/user
# @smbgrp = every member of the group may enter; for a really private share use "valid users = user"
# (smb.conf does not allow comments behind a value, only on their own line)
valid users = @smbgrp
guest ok = no
writable = yes
browsable = yes
:wq # save and quit vim

testparm; # test the samba config
# restart the services
systemctl restart smb.service; systemctl restart nmb.service;
now you can fire up your Windows workstation; it needs to be in the same WORKGROUP as specified under [global] in smb.conf
let’s make this easier by a script
download here: add_new_samba_user_and_share.sh.txt
vim /scripts/add_new_samba_user_and_share.sh
#!/bin/bash
# add_new_samba_user_and_share.sh <username>
if [ $# -eq 0 ]; then
    echo "please give a username. No arguments supplied."
    exit 1
fi
# accept only a plain Unix user name: everything else would be appended verbatim to smb.conf
case "$1" in
    ""|-*|*[!a-z0-9_-]*) echo "invalid username: $1"; exit 1 ;;
esac
useradd -m "$1"
passwd "$1"
usermod -aG smbgrp "$1"
smbpasswd -a "$1"; # set smb password
# add user's private share
mkdir -p "/srv/samba/$1";
chmod -R 0770 "/srv/samba/$1";
chown -R root:smbgrp "/srv/samba/$1";
chcon -R -t samba_share_t "/srv/samba/$1";
cat >> /etc/samba/smb.conf <<EOF

[$1]
comment = Secure File Server Share of $1
path = /srv/samba/$1
valid users = $1
guest ok = no
writable = yes
browsable = yes
EOF
testparm; # test samba config
# restart service
systemctl restart smb.service; systemctl restart nmb.service;
:wq # save and quit vim
chmod +x /scripts/*.sh; # make it executable, then give it a practice run
one share per project – project specific file server:
the idea is to have one shared folder per project, in order to collect all project-related data/info in one place, while at the same time allowing only users of the project group to see, edit and create files.
when you already have a one-share-per-user file server (usually the user's "home" directory), it makes sense to start a new file server if the user should be able to connect to the home directory AND project directories at the same time, because Windows clients (tested up to Windows 7) can NOT connect to the same server/IP with different user names/privileges/groups; Windows refuses the second connection with error 1219 ("Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed").
it just does not work.
so better put home and projects on different file servers with different IPs. (Windows keys the credentials per server name, so reaching one server under a second DNS name, or by IP for one share and by host name for the other, also gets around it, but a separate server is the cleaner setup.)
# let's get started
# if not already done: create a user that is allowed to work on the project
useradd -m user
passwd user
smbpasswd -a user
# let's add a group that is called like the project
groupadd projectname
# let's add this user to the project group
usermod -aG projectname user
# let's create the project folder
mkdir -p /srv/samba/projectname
# and give the group read and write permissions (0770: owner and group rwx, nobody else)
chmod -R 0770 /srv/samba/projectname
chown -R root:projectname /srv/samba/projectname
chcon -R -t samba_share_t /srv/samba/projectname   # -R, so that files get the label too
# this is what smb.conf looks like
cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
workgroup = WORKGROUP
netbios name = projects
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw

[projectname]
comment = project folder
path = /srv/samba/projectname
valid users = @projectname
guest ok = no
writable = yes
browsable = yes
# change yours
:wq # save and quit
# test config
testparm
# and restart
systemctl restart smb.service; systemctl restart nmb.service; # restart samba
… if all goes well you should be able to connect to the project file server as user "user" and be allowed to access the share "projectname".
if not, run this on your server while you try to connect from the client, to see whether it is a permissions or a technical problem (it tails every current log file under /var/log at once):
find /var/log -type f ! -name '*.gz' -exec tail -n0 -f {} +
SELinux trouble: visible folders – invisible files
it happened to me with the above mentioned one-share-per-project file server that it would show folders but no files!? (I was able to see the files in a terminal on the server, but the Windows 7 client could not "see" them)
# possible messy fix
# this is possibly not the most elegant solution...
# the problem:
# all folders are empty
# samba showing folders but not files

# first look at what SELinux actually denied smbd (needs auditd running):
ausearch -m AVC -c smbd -ts recent
# a typical cause: chcon without -R labelled the directory but not the files in it,
# or files moved in with mv kept their old label (e.g. user_home_t); check with
ls -lZ /srv/samba/projectname

# temporarily disable SELinux
setenforce 0
# and restart samba
systemctl restart smb.service; systemctl restart nmb.service; # restart samba
# are files visible in the smb client?
# then it's a SELinux problem
# switching SELinux back on
setenforce 1
# try this fix (recursive relabel)
chcon -R -t public_content_rw_t /srv/samba/
# and restart samba
systemctl restart smb.service; systemctl restart nmb.service; # restart samba
# are files visible in the smb client?
# no? continue:
# either completely disable selinux (last resort: every other daemon on the box loses its confinement too)
vim /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing -> disabled
# or
setsebool -P samba_export_all_rw 1
# (this lets smbd read and write files of ANY label on the machine, much broader than a correct label on /srv/samba)
# and restart samba
systemctl restart smb.service; systemctl restart nmb.service; # restart samba
# are files visible in the smb client?
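Before reaching for setenforce 0, it is worth reading the AVC denials themselves: they name the label smbd tripped over, which tells you whether a relabel or a boolean is the right fix. The following is an added example and not part of the original post: a small sh/awk filter that takes audit log lines (the three lines in sample_avc_lines are constructed for this demo, the shape is that of `ausearch -m AVC -c smbd` output) and prints, per smbd denial, the permission, the object, its label and the matching fix. The /srv/samba path in the hint is the one used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): turn SELinux AVC denials for
# smbd into a concrete hint.  Feed it real lines with:
#   ausearch -m AVC -c smbd -ts recent | samba_avc_hints

# Constructed audit.log excerpt for the demo: two smbd denials (a file with a
# home-directory label, a directory with the generic /srv label) and one
# unrelated httpd denial that must be ignored.
sample_avc_lines() {
    cat <<'EOF'
type=AVC msg=audit(1549900000.001:101): avc:  denied  { read } for  pid=2345 comm="smbd" name="report.docx" dev="dm-0" ino=67890 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1549900000.002:102): avc:  denied  { read } for  pid=2345 comm="smbd" name="projectname" dev="dm-0" ino=67891 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1549900000.003:103): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev="dm-0" ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# samba_avc_hints: reads audit lines on stdin, prints one hint per smbd denial.
samba_avc_hints() {
    awk '
    /type=AVC/ && /comm="smbd"/ {
        # "{ read }" -> read ; "tclass=file" -> file ; "tcontext=u:r:TYPE:s0" -> TYPE
        match($0, /[{] [^}]* [}]/);  perm   = substr($0, RSTART + 2, RLENGTH - 4)
        match($0, /tclass=[^ ]+/);   tclass = substr($0, RSTART + 7, RLENGTH - 7)
        match($0, /tcontext=[^ ]+/); tctx   = substr($0, RSTART + 9, RLENGTH - 9)
        split(tctx, ctx, ":");       ttype  = ctx[3]
        obj = "?"
        if (match($0, /(name|path)="[^"]*"/)) obj = substr($0, RSTART, RLENGTH)
        # samba_share_t / public_content(_rw)_t are the labels smbd may export;
        # anything else on a share is a labelling problem, not a Samba problem
        if (ttype == "samba_share_t" || ttype ~ /^public_content(_rw)?_t$/)
            hint = "label is exportable; check Unix permissions and the samba_export_all_* booleans"
        else
            hint = "not a share label: semanage fcontext -a -t samba_share_t \"/srv/samba(/.*)?\" && restorecon -Rv /srv/samba"
        print "smbd denied " perm " on " tclass " " obj " (label " ttype "): " hint
    }'
}

# stand-alone demo run
sample_avc_lines | samba_avc_hints
```

On a real host the first line of output is usually enough: a `user_home_t` or `var_t` label on something under the share means the files were never relabelled (chcon without -R, or a `mv` that kept the old context), and `restorecon -Rv` after a persistent `semanage fcontext` rule fixes it without touching enforcing mode.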
additional stuff:
# list currently connected clients
smbstatus
# delete a samba user
pdbedit -x -u username
# info about samba
yum info samba
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.fra10.de.leaseweb.net
 * epel: mirror.23media.de
 * extras: centos.copahost.com
 * updates: ftp.rz.uni-frankfurt.de
Installed Packages
Name        : samba
Arch        : x86_64
Version     : 4.6.2
Release     : 12.el7_4
Size        : 1.8 M
Repo        : installed
From repo   : updates
Summary     : Server and Client software to interoperate with Windows machines
URL         : http://www.samba.org/
License     : GPLv3+ and LGPLv3+
Description : Samba is the standard Windows interoperability suite of programs for Linux and
            : Unix.

[root@privat scripts]# smbstatus --version
Version 4.6.2
problems & errors after updates on: Debian 8 (Jessie)
updates are beastly. Under Windows, but also under Linux.
Expect things to fail; have backups/snapshots and documented test cases if you intend to upgrade production systems.
for example: often it is better to reinstall from scratch than to do a "dist-upgrade" under Debian. Sounds stupid, but that is the way it is.
Massive changes due to security problems are happening under Windows but also in Linux Samba (SMB 1.0 is being retired, everything is forced to SMB 2.0 or newer), so the danger of things failing, getting slow or becoming incompatible is even greater.
Similar to the Word .doc formats, Microsoft keeps revising its SMB "standard" (the dialects CIFS/SMB1, 2.0, 2.1, 3.0, 3.0.2, 3.1.1), which even gives Windows boxes problems talking to each other when they do not negotiate the same dialect of SMB.
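Whether a Samba box still talks SMB1, or hands out shares to guests, is decided by a handful of smb.conf lines, and after an update it pays to check them rather than trust the defaults. As an added example (not part of the original post or of Samba), here is a sh/awk audit that reads an smb.conf and reports the settings that matter for the project-share setup above: `server min protocol` missing or set to an SMB1 dialect, `map to guest` turning failed logins into anonymous sessions, shares with `guest ok = yes`, and writable shares without a `valid users` list. The two sample configs are constructed for the demo: the weak one is the project-share config from above with the defaults left alone, the hardened one the same shares with SMB1 refused and access tied to the group.

```shell
#!/bin/sh
# Added example (not from the original post): audit an smb.conf for SMB1 and
# guest/anonymous access.  Only file-server settings are checked.

# audit_smb_conf FILE: prints one finding per line, nothing when clean.
audit_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function get(s, k) { return ((s, k) in conf) ? conf[s, k] : "" }
    # Samba default is "read only = yes"; a share is writable only if it says so
    function writable(s,    w, ro) {
        w = get(s, "writable"); if (w == "") w = get(s, "writeable")
        ro = get(s, "read only")
        return (w == "yes" || w == "true" || ro == "no" || ro == "false")
    }
    BEGIN { sec = "global" }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }              # comments and blank lines
    /^[ \t]*\[/ {                                      # [section] header
        sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        if (sec != "global" && !(sec in seen)) { seen[sec] = 1; order[++n] = sec }
        next
    }
    index($0, "=") {                                   # key = value, case-insensitive
        k = tolower(trim(substr($0, 1, index($0, "=") - 1))); gsub(/[ \t]+/, " ", k)
        v = tolower(trim(substr($0, index($0, "=") + 1)))
        conf[sec, k] = v
        next
    }
    END {
        p = get("global", "server min protocol")
        if (p == "")
            print "global: server min protocol not set; Samba before 4.11 then accepts SMB1 (default LANMAN1)"
        else if (p ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
            print "global: server min protocol = " p " still accepts SMB1"
        m = get("global", "map to guest")
        if (m == "bad user" || m == "bad password")
            print "global: map to guest = " m " turns failed logins into anonymous sessions"
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (get(s, "guest ok") == "yes" || get(s, "public") == "yes")
                print s ": guest ok = yes (unauthenticated access)"
            if (writable(s) && get(s, "valid users") == "")
                print s ": writable with no valid users (every Samba account can write here)"
        }
    }' "$1"
}

# count_findings FILE: number of findings, for scripting
count_findings() { audit_smb_conf "$1" | awk 'END { print NR }'; }

# constructed: the project-share config from above with the defaults left alone
write_weak_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   netbios name = projects
   security = user
   map to guest = bad user

[projectname]
   comment = project folder
   path = /srv/samba/projectname
   guest ok = yes
   writable = yes
   browsable = yes

[dropbox]
   path = /srv/samba/dropbox
   read only = no
EOF
}

# constructed: same shares, SMB1 refused, guests refused, access tied to the group
write_hardened_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   netbios name = projects
   security = user
   server min protocol = SMB2_02
   map to guest = Never

[projectname]
   comment = project folder
   path = /srv/samba/projectname
   valid users = @projectname
   guest ok = no
   writable = yes
   browsable = yes

[dropbox]
   path = /srv/samba/dropbox
   valid users = @projectname
   read only = no
EOF
}

# stand-alone demo run
tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"; write_hardened_conf "$tmp/hardened.conf"
echo "== weak.conf";     audit_smb_conf "$tmp/weak.conf"
echo "== hardened.conf"; audit_smb_conf "$tmp/hardened.conf"
rm -rf "$tmp"
```

Run it against the live file with `audit_smb_conf /etc/samba/smb.conf` (or better, against `testparm -s` output, which shows what smbd actually parsed). The weak config yields five findings, the hardened one none; on Samba 4.11 and newer the first check is redundant because SMB2_02 became the default minimum there, but the explicit line still documents the intent.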
smbstatus --version
Version 4.2.14-Debian
problems: the share with the name "data" can not be accessed; all the other shares behave normally.
install lnav to colorize log output: (better overview, spot errors faster)
apt update; apt install lnav;
increase samba logging level:
# open up the main samba config file
vim /etc/samba/smb.conf
[global]
log level = 3 passdb:5 auth:5
# log level = 3 is already very detailed (10 is the maximum), 2 could be enough;
# "passdb:5 auth:5" raises only the password database and authentication classes
:wq # save and quit
# restart samba
service smbd restart
try to connect to share
what i can see is:
pdb_getsampwnam (tdb) error fetching database
"I think you will find that you are trying to create a samba user and samba cannot find a Unix user with the same name.
To prove this, create the user first as a Unix user with adduser or whatever centos (useradd -m username) uses, then try again with pdbedit." (src: lists.samba.org)
okay… yes, I do have a share "data" defined, but not a Unix user with the same name. Why would I need this?
I just added the user:
useradd -m data
passwd data
smbpasswd -a data
service smbd restart
and the error went away.
but I still CANNOT ACCESS the share! X-D
because there is another error:
SID "username" is not in a valid format
I had two options: either update Samba only and test whether it fixes the problem, or reinstall.
option one is faster, so: power down, snapshot, power up, update:
# check what is installed
dpkg -l | grep samba
# try to update only samba (quote the glob so the shell does not expand it against files in the current directory)
apt-get install --only-upgrade 'samba*'
# restart
sync; shutdown -r now;
now the SID error message was gone; other messages appeared that were just informational.
… I still was not able to access the "data" share.
but I figured it out: the only thing that makes the data share different from all the other shares is that it comes last in the smb.conf.
so I created another share "test" below "data"
vim /etc/samba/smb.conf
[test]
comment = "test"
browseable = yes
read only = no
valid users = this, that, default, user
create mask = 0755
:wq # save, quit
# restart
service smbd restart
… now it works X-D
i guess i will not update this thing in the next billion years. rather reinstall it.
client used: Windows 7 64Bit