Author Topic: How To - Samba Shares  (Read 1559 times)

lwfitz

  • DEFCON 1
  • Posts: 1761
  • sudo rm -rf /
How To - Samba Shares
« on: May 29, 2013, 03:52:56 AM »
Many argue that there are better ways to share files/folders between Linux and Windows machines than to use Samba, but it works for me so I thought I'd share here, and maybe I can answer someone's questions.

We need to start by installing Samba

Code: [Select]
sudo apt-get install samba
First let's look at how smb.conf is set up

Code: [Select]
[global]
This starts the server settings section

Code: [Select]
workgroup = YOUR_WORKGROUP
The option workgroup specifies the workgroup your server will appear to be in when queried by clients. It's important to have the same workgroup name on both clients and servers.

Code: [Select]
server string = Samba Shares
The option server string specifies the string that you wish to show to your users in the printer comment box in print manager, or to the IPC connection in the net view command under Windows machines.

Code: [Select]
encrypt passwords = True
The option encrypt passwords, if set to True, instructs Samba to use encrypted passwords instead of plain text passwords when negotiating with the client. A sniffer program will not be able to detect your password when it is encrypted. This option always must be set to True for security reasons.

Code: [Select]
security = domain
With the option security set to security = domain, the Samba server has a domain security trust account (a machine account) and causes all authentication requests to be passed through to the domain controllers. In other words, this configuration makes the Samba server a domain member server, even when it is in fact acting as a domain controller. All machines that participate in domain security must have a machine account in the security database.

Code: [Select]
smb passwd file = /etc/smbpasswd
The option smb passwd file specifies the path to the encrypted smbpasswd file. The smbpasswd file is a copy of the /etc/passwd file of the Linux system containing valid usernames and passwords of clients allowed to connect to the Samba server. The Samba software reads this file, smbpasswd, when a connection is requested.

Code: [Select]
log file = /var/log/samba/log.%m
The option log file specifies the locations and names of Samba log files. With the name extension %m, it allows you to have separate log files for each user or machine that logs on your Samba server i.e. log.machine1.

Code: [Select]
socket options = IPTOS_LOWDELAY TCP_NODELAY
The option socket options specifies parameters that you can include in your Samba configuration to tune and improve your Samba server for optimal performance. By default we chose to tune the connection for a local network, and improve the performance of the Samba server for transferring files.

Code: [Select]
domain master = Yes
The option domain master specifies to set nmbd, the Samba server daemon, as a domain master browser for its given workgroup. This option usually must be set to Yes only on one Samba server for all other Samba servers on the same network and workgroup.

Code: [Select]
local master = Yes
The option local master allows nmbd, the Samba server daemon, to try to become a local master browser on a subnet. Like the above, usually this option must be set to Yes only on one Samba server that acts as a local master on a subnet for all the other Samba servers on your network.

Code: [Select]
preferred master = Yes
The option preferred master specifies and controls if nmbd, the Samba server daemon, is a preferred master browser for its workgroup. Once again, this must usually be set to Yes on one server for all the others on your network.

Quick note

You only want to use

Code: [Select]
domain master = Yes
local master = Yes
preferred master = Yes

on one machine, so on all other machines you will want to have

Code: [Select]
domain master = no
local master = no
preferred master = no


Code: [Select]
os level = 65
The option os level specifies by its value whether nmbd, the Samba server daemon, has a chance of becoming a local master browser for the Workgroup in the local broadcast area. The number 65 will win against any NT Server. If you have an NT Server on your network, and want to set your Linux Samba server to be a local master browser for the Workgroup in the local broadcast area then you must set the os level option to 65. Also, this option must be set only on one Linux Samba server, and must be disabled on all other Linux Samba servers you may have on your network.

Code: [Select]
dns proxy = No
The option dns proxy, if set to Yes, specifies that nmbd, the Samba server daemon, when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client. Since we have not configured the Samba server to act as a WINS server, we don't need to set this option to Yes. Also, setting this option to Yes will degrade your Samba performance.

Code: [Select]
name resolve order = lmhosts host bcast
The option name resolve order specifies what naming services to use in order to resolve host names to IP addresses, and in what order. The parameters we chose cause the local lmhosts file of samba to be examined first, followed by the rest.

Code: [Select]
bind interfaces only = True
The option bind interfaces only if set to True, allows you to limit what interfaces will serve smb requests. This is a security feature. The configuration option interfaces = eth0 192.168.1.1 below completes this option.

Code: [Select]
interfaces = eth0 192.168.0.1
The option interfaces allows you to override the default network interface list that Samba will use for browsing, name registration and other NBT traffic. By default, Samba will query the kernel for the list of all active interfaces and use any interface, except 127.0.0.1, that is broadcast capable. With this option, Samba will only listen on interface eth0 on the IP address 192.168.0.1. This is a security feature, and completes the above configuration option bind interfaces only = True.
Basically you want the interface you are connected through (eth0,eth1,wlan0,wlan1.... etc) and your router's password.

Code: [Select]
hosts deny = ALL
The option hosts deny specifies the list of hosts that are not permitted access to Samba services unless the specific services have their own lists to override this one. For simplicity, we deny access to all hosts by default, and allow specific hosts in the hosts allow = option below.

Code: [Select]
hosts allow = 192.168.1.4 127.0.0.1
The option hosts allow specifies which hosts are permitted to access a Samba service. By default, we allow hosts from IP class C 192.168.1.4 and our localhost 127.0.0.1 to access the Samba server. Note that the localhost must always be set or you will receive some error messages.

Code: [Select]
debug level = 1
The option debug level allows the logging level to be specified in the smb.conf file. If you set the debug level higher than 2 then you may suffer a large drop in performance. This is because the server flushes the log file after each operation, which can be very expensive.

Code: [Select]
create mask = 0644
The option create mask specifies and sets the necessary permissions according to the mapping from DOS modes to UNIX permissions. With this option set to 0644, all files copied or created from a Windows system to the Unix system will have a permission of 0644 by default.

Code: [Select]
directory mask = 0755
The option directory mask specifies and sets the octal modes, which are used when converting DOS modes to UNIX modes when creating UNIX directories. With this option set to 0755, all directories copied or created from a Windows system to the Unix system will have a permission of 0755 by default.

Code: [Select]
level2 oplocks = True
The option level2 oplocks, if set to True, will increase the performance for many accesses of files that are not commonly written, such as .EXE application files.

Code: [Select]
read raw = no
The option read raw controls whether or not the server will support the raw read SMB requests when transferring data to clients. Note that memory mapping is not used by the read raw operation. Thus, you may find memory mapping is more effective if you disable read raw using read raw = no, like we do.

Code: [Select]
write cache size = 262144
The option write cache size allows Samba to improve performance on systems where the disk subsystem is a bottleneck. The value of this option is specified in bytes, and a size of 262,144 represents a 256k cache size per file.

I'm not totally sure why, and when I find an answer I'll update this, but the following lines are needed to keep samba shares working after a reboot

Code: [Select]
client lanman auth = yes
client ntlmv2 auth = no


Just like when editing any config file, it's a good idea to have a backup, so

Code: [Select]
sudo cp /etc/samba/smb.conf /etc/samba/backup_smb.conf
will create a backup of the original /etc/samba/smb.conf file

Now we need to edit /etc/samba/smb.conf

Code: [Select]
sudo medit /etc/samba/smb.conf
The default samba config is a bit complicated for what we are doing here, so highlight everything and click delete  ;D

Now we create a new config.

A basic Samba configuration can be as little as

Code: [Select]
[global]
    ; General server settings
    netbios name = YOUR_HOSTNAME
    server string =Samba file server
    workgroup = YOUR_WORKGROUP

[homes]
    comment = Home Directories
    path = /home
    read only = no 
    available = yes
    browseable = yes
    writable = yes
    guest ok = no
    public = no
    printable = no
    locking = no
    strict locking = no


Mine looks like this

Code: [Select]
[global]
      workgroup = HOME
      server string = Samba Shares
      encrypt passwords = True
      security = domain
      smb passwd file = /etc/smbpasswd
      log file = /var/log/samba/log.%m
      socket options = IPTOS_LOWDELAY TCP_NODELAY
      domain master = Yes
      local master = Yes
      preferred master = Yes
      os level = 65
      dns proxy = No
      name resolve order = lmhosts host bcast
      bind interfaces only = True
      interfaces = eth0 192.168.1.1
      hosts deny = ALL
      hosts allow = 192.168.1.4 127.0.0.1
      debug level = 1
      create mask = 0644
      directory mask = 0755
      level2 oplocks = True
      read raw = no
      write cache size = 262144

[homes]
comment = Home Directories
path = /home/luke
read only = no
available = yes
browseable = yes
writable = yes
guest ok = yes
public = yes
printable = no
locking = no
strict locking = no

[backup]
comment = Backup Directories
path = /media/storage
read only = no
available = yes
browseable = yes
writable = yes
guest ok = yes
public = yes
printable = no
locking = no
strict locking = no


Now we have to create a samba password for all users who will login

For example, to create mine in a terminal I ran

Code: [Select]
sudo smbpasswd -a luke
I then entered my password and was then asked for the samba password I wanted to use for myself

Code: [Select]
luke@VSIDO-FX:~$ sudo smbpasswd -a luke
[sudo] password for luke:
New SMB password:
Retype new SMB password:

To test whether your samba shares are working correctly you can run

Code: [Select]
smbtree
and if everything is working correctly you should get an output similar to this

Code: [Select]
luke@VSIDO-FX:~$ smbtree
Enter luke's password:
HOME
\\VSIDO-FX        Samba Shares
\\VSIDO-FX\IPC$            IPC Service (Samba Shares)
\\VSIDO-FX\backup          backup Directories
\\VSIDO-FX\home            Home Directories
\\LUKE-PHENOM-PC
\\LUKE-PHENOM-PC\Users         
\\LUKE-PHENOM-PC\Storage       
\\LUKE-PHENOM-PC\J$              Default share
\\LUKE-PHENOM-PC\IPC$            Remote IPC
\\LUKE-PHENOM-PC\F$              Default share
\\LUKE-PHENOM-PC\D$              Default share
\\LUKE-PHENOM-PC\crystal       
\\LUKE-PHENOM-PC\C$              Default share
\\LUKE-PHENOM-PC\ADMIN$          Remote Admin
luke@VSIDO-FX:~$


If there is an issue with your configuration you will get a warning when you run smbtree, but I will note that this command doesn't always work as it should. It's nice to know it, but I have had times where I ran it on a known working network and didn't get any output, so if there's no output don't get discouraged.

Also, to make any changes you have made to your smb.conf active you will need to restart samba by running

Code: [Select]
sudo service smbd restart
Code: [Select]
sudo service nmbd restart

Now accessing your samba shares in Windows is easy. If using Vista/7/8, just open Explorer and on the left side click on Network. Find the machine you want to access and click on it. Enter your login info and you're good to go.
If using XP, open the start menu and select My Network Places. Any shared folders available on the network will be visible in the My Network Places window.

When accessing shared files with Linux there are many different ways, but personally I prefer using Thunar

Code: [Select]
sudo apt-get install thunar  gvfs-backends libbluetooth3
Once done, just run thunar and click browse-network over on the left side

Please feel free to correct me if you find a mistake or to make a suggestion.

Parts of this HowTo were pulled from http://www.tldp.org and if you want to read more then check it out here: http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/soft-fileshrng.html
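
Added example, not part of lwfitz's post and not Samba's own tooling: a short Python check that parses an smb.conf and flags two things from the how-to above that deserve a second look before copying it, namely the client lanman auth = yes / client ntlmv2 auth = no pair (which lets the Samba client tools send the older LANMAN and NTLM responses instead of NTLMv2) and shares that are both guest-accessible and writable. The sample config is constructed from lines quoted in the post; the [docs] share and the function names are made up for illustration.

```python
TRUE = {"yes", "true", "1"}
# Constructed sample built from settings quoted in the post; [docs] is hypothetical.
SAMPLE = """\
[global]
    client lanman auth = yes
    client ntlmv2 auth = no
[homes]
    read only = no
    guest ok = yes
[backup]
    writable = yes
    public = yes
[docs]
    read only = no
    guest ok = no
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names are lower-cased and space-normalised."""
    conf, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return conf

def flag(section, names, default):
    """Boolean value of the first synonym present in the section, else the default."""
    for name in names:
        if name in section:
            return section[name].lower() in TRUE
    return default

def audit(text):
    """Return (section, parameter) pairs that deserve a second look."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    found = []
    if flag(g, ["client lanman auth"], False):      # LANMAN responses enabled
        found.append(("global", "client lanman auth"))
    if not flag(g, ["client ntlmv2 auth"], True):   # NTLMv2 responses disabled
        found.append(("global", "client ntlmv2 auth"))
    for name, share in conf.items():
        guest = flag(share, ["guest ok", "public"], False)   # "public" is a synonym
        read_only = flag(share, ["read only"], True)
        writable = flag(share, ["writable", "writeable", "write ok"], not read_only)
        if name != "global" and guest and writable:
            found.append((name, "guest ok"))
    return found
```

Calling audit(SAMPLE) reports both [global] lines plus the [homes] and [backup] shares, and leaves [docs] alone because guests are not allowed there.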

VastOne

  •      v-ger
  • Posts: 4129
Re: How To - Samba Shares
« Reply #1 on: May 29, 2013, 03:57:25 AM »
Wow!  EPIC How To

That is really impressive lwfitz... the community is grateful!

One question, are you sure samba is there in VSIDO by default?  I was never aware of implementing it

I dev VSIDO

lwfitz

  • DEFCON 1
  • Posts: 1761
  • sudo rm -rf /
Re: How To - Samba Shares
« Reply #2 on: May 29, 2013, 04:12:34 AM »
Thanks VastOne, I figured it was time to actually give back  ;D
I'm pretty sure. If memory serves me correctly all I had to do was install gvfs-backends and libbluetooth3 for shares to work in Thunar, but just to be sure I will update my laptop with the newest ISO and then I will update as necessary.

Edit:

Yep you're right...... Guess I did install Samba. Thanks for pointing that out