SMB was Microsoft's weapon against Novell. The technical specification of SMB/CIFS is available from Microsoft (Common Internet File System (CIFS) File Access Protocol).
Samba is a Unix-based re-implementation of the SMB protocol. At a high level, the SMB protocol suite is relatively simple. It includes typical commands for file and print operations such as opening and closing a file, creating and deleting files and directories, reading and writing a file, etc. Each of these operations can be encoded into an SMB message and transmitted to and from a server. The original name SMB comes from their data format: these are versions of the standard DOS system-call data structures, or Server Message Blocks, redesigned for transmitting to another machine across a network.
Samba is a Linux reimplementation of the SMB protocol in which file and print sharing are implemented by smbd, one of the Samba daemons.
Here is a relevant quote from Sean A. Walberg's tutorial published at IBM developerWorks (Configure Samba, Apr 27, 2011):
Microsoft file sharing used network basic input/output system (NetBIOS) over TCP when it first moved into the IP world. This method encapsulated NetBIOS content inside a TCP session using TCP port 139. The NetBIOS protocol encompasses several features. TCP port 139 is used only for the session services, which are file transfer and message passing. The name lookup services are not handled on this port.
NetBIOS over TCP works, but there is overlap between the session and reliability features provided by NetBIOS and those provided by TCP. With some subtle changes, it became possible to run SMB/CIFS right on top of TCP. This method is known as direct hosting and is used to simplify the protocol. Direct hosting occurs on TCP port 445. When NetBIOS was eliminated from the protocol suite, Microsoft needed another way to handle name lookups. Domain Name System (DNS) was a natural choice, which is why DNS forms the basis of AD DS.
By default, Samba listens on ports 139 and 445. You can change this behavior with the smb ports global parameter. For example, smb ports = 445 tells Samba to listen only on port 445. You can have Samba listen on any port you want, although any client wanting to connect would have to be told to use the nonstandard port.
If you are unsure which ports Samba is listening on, you can use the netstat command to find out.
Here are key facts from "Samba: An Introduction":
Samba consists of two key programs, plus a bunch of other stuff that we'll get to later. The two key programs are smbd and nmbd. Their job is to implement the four basic modern-day CIFS services, which are:
- File & print services
- Authentication and Authorization
- Name resolution
- Service announcement (browsing)
File and print services are, of course, the cornerstone of the CIFS suite. These are provided by smbd, the SMB Daemon. Smbd also handles "share mode" and "user mode" authentication and authorization. That is, you can protect shared file and print services by requiring passwords. In share mode, the simplest and least recommended scheme, a password can be assigned to a shared directory or printer (simply called a "share"). This single password is then given to everyone who is allowed to use the share. With user mode authentication, each user has their own username and password and the System Administrator can grant or deny access on an individual basis.
The Windows NT Domain system provides a further level of authentication refinement for CIFS. The basic idea is that a user should only have to log in once to have access to all of the authorized services on the network. The NT Domain system handles this with an authentication server, called a Domain Controller. An NT Domain (which should not be confused with a Domain Name System (DNS) Domain) is basically a group of machines which share the same Domain Controller.
The NT Domain system deserves special mention because, until the release of Samba version 2, only Microsoft owned code to implement the NT Domain authentication protocols. With version 2, Samba introduced the first non-Microsoft-derived NT Domain authentication code. The eventual goal, of course, is to completely mimic a Windows NT Domain Controller.
The other two CIFS pieces, name resolution and browsing, are handled by nmbd. These two services basically involve the management and distribution of lists of NetBIOS names.
Name resolution takes two forms: broadcast and point-to-point. A machine may use either or both of these methods, depending upon its configuration. Broadcast resolution is the closest to the original NetBIOS mechanism. Basically, a client looking for a service named Trillian will call out "Yo! Trillian! Where are you?", and wait for the machine with that name to answer with an IP address. This can generate a bit of broadcast traffic (a lot of shouting in the streets), but it is restricted to the local LAN so it doesn't cause too much trouble.
The other type of name resolution involves the use of an NBNS (NetBIOS Name Service) server. (Microsoft called their NBNS implementation WINS, for Windows Internet Name Service, and that acronym is more commonly used today.) The NBNS works something like the wall of an old fashioned telephone booth. (Remember those?) Machines can leave their name and number (IP address) for others to see.
Hi, I'm node Voomba. Call me for a good time! 192.168.100.101
It works like this: The clients send their NetBIOS names & IP addresses to the NBNS server, which keeps the information in a simple database. When a client wants to talk to another client, it sends the other client's name to the NBNS server. If the name is on the list, the NBNS hands back an IP address. You've got the name, look up the number.
Clients on different subnets can all share the same NBNS server so, unlike broadcast, the point-to-point mechanism is not limited to the local LAN. In many ways the NBNS is similar to the DNS, but the NBNS name list is almost completely dynamic and there are few controls to ensure that only authorized clients can register names. Conflicts can, and do, occur fairly easily.
Finally, there's browsing. This is a whole 'nother kettle of worms, but Samba's nmbd handles it anyway. This is not the web browsing we know and love, but a browsable list of services (file and print shares) offered by the computers on a network.
On a LAN, the participating computers hold an election to decide which of them will become the Local Master Browser (LMB). The "winner" then identifies itself by claiming a special NetBIOS name (in addition to any other names it may have). The LMB's job is to keep a list of available services, and it is this list that appears when you click on the Windows "Network Neighborhood" icon.
In addition to LMBs, there are Domain Master Browsers (DMBs). DMBs coordinate browse lists across NT Domains, even on routed networks. Using the NBNS, an LMB will locate its DMB to exchange and combine browse lists. Thus, the browse list is propagated to all hosts in the NT Domain. Unfortunately, the synchronization times are spread apart a bit. It can take more than an hour for a change on a remote subnet to appear in the Network Neighborhood.
Samba comes with a variety of utilities. The most commonly used are:
- smbclient: A simple SMB client, with an interface similar to that of the FTP utility. It can be used from a Unix system to connect to a remote SMB share, transfer files, and send files to remote print shares (printers).
- nmblookup: A NetBIOS name service client. Nmblookup can be used to find NetBIOS names on a network, look up their IP addresses, and query a remote machine for the list of names the machine believes it owns.
- swat: The Samba Web Administration Tool. Swat allows you to configure Samba remotely, using a web browser.
There are more, of course, but describing them would require explaining even more bits and pieces of CIFS, SMB, and Samba. That's where things really get tedious, so we'll leave it alone for now.
SMB Filesystems for Linux
One of the cool things that you can do with a Windows box is use an SMB file share as if it were a hard disk on your own machine. The N: drive can look, smell, feel, and act like your own disk space, but it's really disk space on some other computer somewhere else on the network.
Linux systems can do this too, using the smbfs filesystem. Built from Samba code, smbfs (which stands for SMB Filesystem) allows Linux to map a remote SMB share into its directory structure. So, for example, the /mnt/zarquon directory might actually be an SMB share, yet you can read, write, edit, delete, and copy the files in that directory just as you would local files.
The smbfs is nifty, but it only works with Linux. In fact, it's not even part of the Samba suite. It is distributed with Samba as a courtesy and convenience. A more general solution is the new smbsh (SMB shell, which is still under development at the time of this writing). This is a cool gadget. It is run like a Unix shell, but it does some funky fiddling with calls to Unix libraries. By intercepting these calls, smbsh can make it look as though SMB shares are mounted. All of the read, write, etc. operations are available to the smbsh user. Another feature of smbsh is that it works on a per-user, per shell basis, while mounting a filesystem is a system-wide operation. This allows for much finer-grained access controls.
Setup and Management
Samba is configured using the smb.conf file. This is a simple text file designed to look a lot like those *.ini files used in Windows. The goal, of course, is to give network administrators familiar with Windows something comfortable to play with. Over time, though, the number of things that can be configured in Samba has grown, and the percentage of Network Admins willing to edit a Windows *.ini file has shrunk. For some people, that makes managing the smb.conf file a bit daunting.
Still, learning the ins and outs of smb.conf is a worth-while penance. Each of the smb.conf variables has a purpose, and a lot of fine tuning can be accomplished. The file structure contents are fully documented, so as to give administrators a running head start, and smb.conf can be manipulated using swat, which at least makes it nicer to look at.
The Present
Samba 2.0 was released in January 1999. One of the most significant and cool features of the 2.0 release was improved speed. Ziff-Davis Publishing used their Netbench software to benchmark Samba 2.0 on Linux against Windows NT4. They ran all of their tests on the same PC hardware, and their results showed Samba's throughput under load to be at least twice that of NT. Samba is shipped with all major Linux distributions, and Ziff-Davis tested three of those.
Another milestone was reached when Silicon Graphics (SGI) became the first commercial Unix vendor to support Samba. In their December 1998 press release, they claimed that their Origin series servers running Samba 2.0 were the most powerful line of file servers for Windows clients available. SGI now offers commercial support for Samba as do several other providers, many of which are listed on the Samba web site (see http://samba.org/). Traditional Internet support is, of course, still available via the comp.protocols.smb newsgroup and the email@example.com mailing list.
The Samba Team continues to work on new goodies. Current interests include NT ACLs (Access Control Lists), support for LDAP (the Lightweight Directory Access Protocol), NT Domain Control, and Microsoft's DFS (Distributed File System).
The SMB protocol over TCP/IP uses three ports:
In order to start Sessions or distribute Datagrams, an application must register its NetBIOS name using the Name service. NetBIOS names are 16 bytes in length and vary based on the particular implementation. Frequently, the 16th byte is used to designate a "type" similar to the use of ports in TCP/IP. In NBT, the name service operates on UDP port 137 (TCP port 137 can also be used, but it is rarely if ever used).
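To make the 16-byte layout concrete, the Python below is an added example (not part of the quoted material) that pads a name, applies the RFC 1001/1002 first-level encoding used on the wire, and parses a name query payload of the kind seen on UDP port 137. The function names, the short suffix table and the sample packet are constructed here, and an empty NetBIOS scope is assumed.

```python
"""Build and decode NetBIOS names as they appear in NBT name-service packets."""
import struct

# A few well-known values of the 16th (type) byte; illustrative, not exhaustive.
SUFFIXES = {
    0x00: "Workstation service",
    0x1B: "Domain master browser",
    0x1D: "Local master browser",
    0x20: "File server service",
}


def pad_name(name, suffix=0x00):
    """Return the 16-byte name: 15 bytes upper-cased and space-padded, then the type byte."""
    raw = name.upper().encode("ascii")
    if not 0 < len(raw) <= 15:
        raise ValueError("a NetBIOS name carries 1 to 15 characters before the type byte")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("the type byte must fit in one byte")
    return raw.ljust(15, b" ") + bytes([suffix])


def encode_first_level(name16):
    """Encode 16 bytes as 32 letters 'A'..'P': each nibble is added to ord('A')."""
    if len(name16) != 16:
        raise ValueError("expected exactly 16 bytes")
    out = bytearray()
    for byte in name16:
        out.append(0x41 + (byte >> 4))
        out.append(0x41 + (byte & 0x0F))
    return out.decode("ascii")


def decode_first_level(encoded):
    """Reverse encode_first_level and return (name, type_byte)."""
    if len(encoded) != 32 or any(not "A" <= ch <= "P" for ch in encoded):
        raise ValueError("expected 32 characters in the range A-P")
    raw = bytes(
        ((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
        for i in range(0, 32, 2)
    )
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15]


def describe(encoded):
    """Render an encoded name the way nmblookup prints it, e.g. BOB<00>."""
    name, suffix = decode_first_level(encoded)
    return f"{name}<{suffix:02x}> ({SUFFIXES.get(suffix, 'unknown type')})"


def build_name_query(name, suffix=0x00, txid=0x1234):
    """Constructed sample input: a broadcast name query for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)  # RD + broadcast, 1 question
    qname = b"\x20" + encode_first_level(pad_name(name, suffix)).encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", 0x0020, 0x0001)  # type NB, class IN


def parse_name_query(packet):
    """Return (name, type_byte, is_broadcast) from a name query payload."""
    if len(packet) < 12 + 34 + 4:
        raise ValueError("truncated name query")
    _txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question request")
    if packet[12] != 0x20 or packet[45] != 0x00:
        raise ValueError("unexpected name length or non-empty scope")
    name, suffix = decode_first_level(packet[13:45].decode("latin-1"))
    return name, suffix, bool(flags & 0x0010)


if __name__ == "__main__":
    wire = encode_first_level(pad_name("bob"))
    print(wire, "->", describe(wire))
    print(parse_name_query(build_name_query("trillian", 0x20)))
```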
The name service primitives offered by NetBIOS are:
The datagram service primitives offered by NetBIOS are:
The session service primitives offered by NetBIOS are:
In the original protocol used to implement NetBIOS services on PC-Network, to establish a session, the computer establishing the session sends an Open request which is responded to by an Open acknowledgment. The computer that started the session will then send a Session Request packet which will prompt either a Session Accept or Session Reject packet. Data is transmitted during an established session by data packets which are responded to with either acknowledgment packets (ACK) or negative acknowledgment packets (NACK). Since NetBIOS is handling the error recovery, NACK packets will prompt retransmission of the data packet. Sessions are closed by the non-initiating computer by sending a close request. The computer that started the session will reply with a close response which prompts the final session closed packet.
There are two main authentication models available.
The SMB model defines two levels of security:
Jun 01, 2017 | www.linuxandubuntu.com
If you are setting this up on an Ubuntu server you can use vim or nano to edit the smb.conf file; on Ubuntu desktop just use the default text editor. Note that all commands (Server or Desktop) must be run as root.
$ sudo nano /etc/samba/smb.conf
Then add the information below to the very end of the file:
[share]
comment = Ubuntu File Server Share
path = /srv/samba/share
browsable = yes
guest ok = yes
read only = no
create mask = 0755
- comment : is a short description of the share.
- path : the path of the directory to be shared. This example uses /srv/samba/share because, according to the Filesystem Hierarchy Standard (FHS), /srv is where site-specific data should be served. Technically Samba shares can be placed anywhere on the filesystem as long as the permissions are correct, but adhering to standards is recommended.
- browsable : enables Windows clients to browse the shared directory using Windows Explorer.
- guest ok : allows clients to connect to the share without supplying a password.
- read only : determines if the share is read only or if write privileges are granted. Write privileges are allowed only when the value is no, as is seen in this example. If the value is yes, then access to the share is read only.
- create mask : determines the permissions new files will have when created.
Now that Samba is configured, the directory /srv/samba/share needs to be created and the permissions need to be set. Create the directory and change permissions from the terminal:
sudo mkdir -p /srv/samba/share
sudo chown nobody:nogroup /srv/samba/share/
The -p switch tells mkdir to create the entire directory tree if it does not exist.
Finally, restart the samba services to enable the new configuration:
sudo systemctl restart smbd.service nmbd.service
From a Windows client, you should now be able to browse to the Ubuntu file server and see the shared directory. If your client doesn't show your share automatically, try to access your server by its IP address, e.g. \\192.168.1.1 or hostname in a Windows Explorer window. To check that everything is working try creating a directory from Windows.
To create additional shares simply create new [dir] sections in /etc/samba/smb.conf , and restart Samba. Just make sure that the directory you want to share actually exists and the permissions are correct.
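The share above is writable by anyone who can reach the server without a password, so a finished smb.conf is worth checking for that combination before the server goes on a wider network. The Python below is an added example, not code from the quoted tutorial: the function names and the sample configuration are constructed for illustration, and it handles only the `guest ok`/`public`, `read only`/`writable`/`writeable`/`write ok` and `hosts allow`/`allow hosts` spellings.

```python
"""Flag smb.conf shares that allow guest access, especially guest write access."""

TRUE_WORDS = {"yes", "true", "on", "1"}
# smb.conf synonyms mapped to (canonical name, inverted meaning?).
SYNONYMS = {
    "public": ("guest ok", False),
    "writable": ("read only", True),
    "writeable": ("read only", True),
    "write ok": ("read only", True),
    "allow hosts": ("hosts allow", False),
}
# Built-in defaults for the parameters this check looks at.
DEFAULTS = {"guest ok": "no", "read only": "yes", "hosts allow": ""}


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with canonical lower-case names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#;"):
            continue                          # blank line or comment
        line, pending = pending + stripped, ""
        if line.endswith("\\"):               # trailing backslash continues the line
            pending = line[:-1].rstrip() + " "
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue                          # malformed line; testparm reports these
        name, value = (part.strip() for part in line.split("=", 1))
        name = " ".join(name.lower().split())
        name, inverted = SYNONYMS.get(name, (name, False))
        if inverted:
            value = "no" if value.lower() in TRUE_WORDS else "yes"
        current[name] = value
    return sections


def is_true(value):
    return value.strip().lower() in TRUE_WORDS


def audit_shares(sections):
    """Return (section, finding) tuples: [global] first, then shares by name."""
    global_params = sections.get("global", {})
    findings = []
    if global_params.get("security", "").lower() == "share":
        findings.append(("global", "security = share: one password per share, no per-user accounts"))
    for share, params in sorted(sections.items()):
        if share == "global":
            continue
        # A share inherits what it does not set from [global], then the default.
        effective = {**DEFAULTS, **global_params, **params}
        guest = is_true(effective["guest ok"])
        writable = not is_true(effective["read only"])
        restricted = bool(effective["hosts allow"].strip())
        if guest and writable:
            findings.append((share, "guest-writable: no password needed to modify files"))
        elif guest:
            findings.append((share, "guest-readable: no password needed to read files"))
        if guest and not restricted:
            findings.append((share, "guest access with no hosts allow restriction"))
    return findings


# Constructed sample; [share] is the block from the tutorial above.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user

[share]
   comment = Ubuntu File Server Share
   path = /srv/samba/share
   browsable = yes
   guest ok = yes
   read only = no
   create mask = 0755

[docs]
   path = /srv/samba/docs
   public = yes
   hosts allow = 192.168.1. 127.

[staff]
   path = /srv/samba/staff
   writable = yes
   valid users = @staff
"""

if __name__ == "__main__":
    for share, finding in audit_shares(parse_smb_conf(SAMPLE_CONF)):
        print(f"[{share}] {finding}")
```

Running `testparm -s` first and feeding its normalized output to the check avoids most parsing surprises, since testparm already resolves typos and formatting.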
February 24, 2015 | ITworld
Security researchers are urging users to install new Samba security updates in order to address a critical vulnerability that allows attackers to execute arbitrary code with root privileges.
Samba is an implementation of the SMB/CIFS networking protocol that enables Unix-like systems, including Linux, BSD, Solaris and Mac OS X to share files and printers with Windows computers. It also allows such systems to be integrated into Microsoft Active Directory environments and even act as domain controllers.
The new vulnerability is located in the smbd file server and was discovered by Richard van Eeden of Microsoft Vulnerability Research.
Apr 11, 2012 | 05:07 PM |By Kelly Jackson Higgins
A dangerous vulnerability in a pervasive tool for running Linux systems in a Windows environment leaves the door open for an attacker to access these systems without requiring any authentication.
The open-source Samba group this week released an update to the Samba program to fix a bug that could allow an attacker to remotely acquire root access to the targeted server. The bug in Samba versions 3.6.3 and previous versions is a buffer overflow flaw in Samba's remote procedure call code. "As this does not require an authenticated connection it is the most serious vulnerability possible in a program, and users and vendors are encouraged to patch their Samba installations immediately," according to a newly issued advisory from Samba on the new CVE-2012-1182 vulnerability, which includes links to patches for the software.
Nicholas Percoco, senior vice president and head of Trustwave SpiderLabs, says the flaw affects anyone who has embedded Linux-based appliances that use Samba for file sharing, such as NASes, print servers, and printers. While these devices tend to run in an intranet rather than over the big Internet, the main risk would be from a sophisticated targeted attack or a malicious insider, he says.
"This is a very critical patch you should be applying ... if an attacker gets root access, it's game over from a security perspective," Percoco says. "You should not be running Samba [systems] on the Internet. That being said, it doesn't mean people aren't."
A proof-of-concept is circulating, and Percoco says the vulnerability is prime for abuse as a network worm as well as for a targeted attack. "It can also be the perfect storm for a Unix-based worm. This is something like the Nimda For Linux/Unix," he says.
Apr 27, 2011 | developerWorks
Troubleshooting Samba problems
Samba is not immune to problems. Sometimes, these problems are caused by the system administrator; sometimes they're caused by the user. Your job as the system administrator is to figure out where the problem lies, then how to solve it.
Testing the configuration file
If Samba won't start or you want to check your configuration file for correctness, then the testparm utility will help. This utility checks smb.conf for correctness. Listing 4 shows the result of testparm if there is an error.
Listing 4. Using testparm on an incorrect smb.conf file
# testparm
Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "hide dto files"
Ignoring unknown parameter "hide dto files"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
        workgroup = MYGROUP
        server string = Samba Server Version %v
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        cups options = raw
<< rest of the output omitted >>
The output of testparm starts with the location of the files. If you want to specify a different file, pass the name of the file on the command line, as in this example:
testparm is complaining about an invalid parameter called hide dto files. This parameter should really be hide dot files.
After processing the configuration file, you are given some information about the server's role and a condensed version of the configuration file. This version has the comments stripped out and is consistently formatted, so you will sometimes catch errors here that you missed while browsing smb.conf in a text editor.
You should run testparm on your configuration file after making changes. Samba ignores most typographical errors in the configuration files and doesn't always write messages to the console when starting up. It's likely that you won't catch these types of mistakes until something isn't working properly. Testparm alerts you to any typos in smb.conf.
testparm only shows you the configuration as entered in smb.conf. If you suspect that you are using a default value somewhere, you can use the -v option to force testparm also to show default values.
Another use of testparm is to limit the output to a single section or parameter. Listing 5 shows how to use testparm to see the value of the
Listing 5. Limiting testparm to a single parameter
# testparm -s --parameter-name "security mask"
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[public]"
Loaded services file OK.
0777
In Listing 5, the -s option keeps testparm from waiting for user input in between parsing smb.conf and displaying it to the screen. Using --parameter-name "security mask" asks for the value of security mask. The result is 0777, which is the default value. In this mode, it is not necessary to specify -v to show default values.
Connecting as a client
In lieu of going to a user's desktop and trying things out yourself, you can do a great deal of testing from the command line at your own desk. The first and easiest test is to make sure that you can connect to the Samba port. The easiest way to do this is with the telnet command, which is shown in Listing 6.
Listing 6. Testing connectivity with telnet
# telnet bob 139
Trying 192.168.1.134...
telnet: connect to address 192.168.1.134: Connection refused
In Listing 6, the root user is connecting to the server bob on port 139. You could also use port 445 to test for the direct-hosted SMB port. The result is Connection refused, which indicates either that the daemon isn't listening on that address or that a firewall is blocking the connection. Other results, such as No route to host or Connection timed out, can mean the same thing.
Clients generally connect to a server with a name, not an IP address. If you use telnet to connect to the server by name rather than IP address, pay special attention to the IP address returned. In the example above, the server (bob) was resolved to 192.168.1.134. Sometimes, you can have errors in your DNS records that result in the clients connecting to the wrong address.
If you are not using DNS for Windows name resolution, you can use the nmblookup command to perform a NetBIOS name lookup. Listing 7 shows a query for the bob server.
Listing 7. Performing a NetBIOS name query for bob
# nmblookup bob
querying bob on 192.168.1.255
192.168.1.138 bob<00>
According to Listing 7, the server bob is at 192.168.1.138, not 192.168.1.134, as you saw in Listing 6. This result points to a problem with DNS, especially if ports 139 and 445 are responsive on 192.168.1.138.
Another test is to see whether the configuration file denies access to a particular host. Testparm is used again in Listing 8.
Listing 8. Checking access with testparm
# testparm /etc/samba/smb.conf seanspc 192.168.1.147
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Deny connection from seanspc (192.168.1.147) to homes
Deny connection from seanspc (192.168.1.147) to printers
Deny connection from seanspc (192.168.1.147) to public
Firewalls or application?
There are many ways to block a connection to a host, but all the options can be grouped into two categories: network and application. If the connection is blocked at the network layer, either on a firewall or using a host-based firewall like iptables, you will see that the telnet connection shown in Listing 6 is refused or times out. This is because the packet never makes it to the Samba application.
If Samba is configured not to allow connections from a particular host, you will see that the telnet connection succeeds, but any client access is greeted with an error. This is because the application reads the packet, doesn't like the IP address or hostname, and sends an application-level error. Without accepting the packet at the application layer, Samba can't know whether the IP address is acceptable.
In Listing 8, three items are passed to
- The path to the Samba configuration file
- The NetBIOS name of the machine to test
- The IP address of the machine to test
The output from Listing 8 shows that the machine in question is denied access to all shares. When using testparm in this mode, the utility does not actually connect as that machine. Instead, testparm processes the configuration file to see whether the access would be allowed.
If all the tests up to now succeed, you can attempt to make a client connection using the smbclient utility. The first test is to attempt to browse the share list, which is shown in Listing 9.
Listing 9. Showing a machine's shares
[sean@bob source3]$ smbclient -L '\\bob'
Enter sean's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.5.6-69.fc13]
        Sharename Type Comment
        --------- ---- -------
        extdrive Disk Sean Walberg's iMac Disk
        timemachine Disk
        IPC$ IPC IPC Service (Samba Server Version 3.5.6-69.fc13)
        test Printer test
        Downstairs_Laser Printer HP 6L
        Cups-PDF Printer Cups-PDF
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.5.6-69.fc13]
        Server Comment
        --------- -------
        BOB Samba Server Version 3.5.6-69.fc13
        Workgroup Master
        --------- -------
        MYGROUP BOB
        WORK SWALBERG-XPLT
        WORKGROUP IMAC-1FC525
In Listing 9, the user is requesting a list of shares with the -L parameter on the server called bob. The server name is prefixed with two backslashes (\\), because it is a Universal Naming Convention (UNC) path. Be careful about your choice of single versus double quotation marks, as well. Single quotation marks interpolate and see the backslashes as escape characters.
If your server has more security set up, you may need to pass the name of the user or the domain with the
Finally, you can try to connect to a share by omitting the -L parameter and specifying a full UNC path to the share. Listing 10 shows the client connecting to a server using a different workgroup and user name.
Listing 10. Connecting to a share with a different user name and domain
[sean@bob source3]$ smbclient '\\swalberg-xplt\photos' -U swalberg -W WORK
Enter swalberg's password:
Domain=[WORK] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \> dir
  . D 0 Thu Jan 6 11:39:50 2011
  .. D 0 Thu Jan 6 11:39:50 2011
<< files omitted >>
  38156 blocks of size 4194304. 2938 blocks available
smb: \>>
If these tests pass, you can be reasonably certain that the problem is not with the Samba configuration but somewhere between the client and the server or something on the client itself. You look at the logs in the next section, which offer some clues as to where the problem lies.
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 04/0/2011
This tutorial explains the installation of a Samba fileserver on OpenSUSE 11.4 and how to configure it to share files over the SMB protocol as well as how to add users. Samba is configured as a standalone server, not as a domain controller. In the resulting setup, every user has his own home directory accessible via the SMB protocol and all users have a shared directory with read-/write access.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm using an OpenSUSE 11.4 system here with the hostname server1.example.com and the IP address 192.168.0.100.
2 Installing Samba
We need to install Samba in this chapter, but it conflicts with the package patterns-openSUSE-minimal_base. Therefore we must uninstall that package first. To do so, start YaST:
In YaST, go to Software > Software Management:
Type patterns-openSUSE-minimal_base in the Search field and press ENTER. The package should be listed as installed (i) in the main window. Mark the package and press the ENTER key until there's a minus (-) sign in front of the package (the minus stands for uninstall), then hit [Accept]:
As a replacement for the package, some other packages need to be installed. Accept the selection by hitting [OK]:
Leave YaST afterwards.
Now install the Samba packages:
yast -i cups-libs samba
Edit the smb.conf file:
Make sure you have the following lines in the [global] section:
security = user
passdb backend = tdbsam
This enables Linux system users to log in to the Samba server.
(If you get the message You do not have a valid vim binary package installed. Please install either "vim", "vim-enhanced" or "gvim"., please run
yast2 -i vim
to install vi and try again. )
Then create the system startup links for Samba and start it:
chkconfig -f --add smb
3 Adding Samba Shares
Now I will add a share that is accessible by all users.
Create the directory for sharing the files and change the group to the users group:
mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/
At the end of the file /etc/samba/smb.conf add the following lines:
[allusers]
comment = All Users
path = /home/shares/allusers
valid users = @users
force group = users
create mask = 0660
directory mask = 0771
writable = yes
If you want all users to be able to read and write to their home directories via Samba, add the following lines to /etc/samba/smb.conf (make sure you comment out or remove the other [homes] section in the smb.conf file!):
[homes]
comment = Home Directories
browseable = no
valid users = %S
writable = yes
create mask = 0700
directory mask = 0700
Now we restart Samba:
4 Adding And Managing Users
In this example, I will add a user named tom. You can add as many users as you need in the same way, just replace the username tom with the desired username in the commands.
useradd tom -m -G users
Set a password for tom in the Linux system user database. If the user tom should not be able to log in to the Linux system, skip this step.
-> Enter the password for the new user.
Now add the user to the Samba user database:
smbpasswd -a tom
-> Enter the password for the new user.
Now you should be able to log in from your Windows workstation with the file explorer (address is \\192.168.0.100 or \\192.168.0.100\tom for tom's home directory) using the username tom and the chosen password and store files on the Linux server either in tom's home directory or in the public shared directory.
smbtad is the data receiver of the SMB Traffic Analyzer project. With SMB Traffic Analyzer, statistics about the data flow on a Samba network can be created.
It's important to validate the contents of the smb.conf file using the testparm program. If testparm runs correctly, it will list the loaded services. If not, it will give an error message. Make sure it runs correctly and that the services look reasonable before proceeding. Enter the command:
root# testparm /etc/samba/smb.conf
July 13, 2004
paperdiesel
I set up a samba share on my fc2 laptop, and I can't seem to connect to it from Windows XP or another fc2 laptop. Here's my samba server config. Keep in mind that I want it simple, no hassle, guest access where anyone can read/write/delete, etc.
workgroup = boxes
netbios name = arsenal
hosts allow = 192.168.1. 192.168.2. 127.
security = share
[ paperarsenal ]
comment = whatever
path = /public
read only = no
writable = yes
guests ok = yes
browseable = yes
public = yes
May 1, 2001
elena s ackley elenas at unm.edu
hi,

i upgraded from 2.0.7 to 2.2 last night hoping to lose these getpeername errors that show up in my log.smbd.0.0.0.0 file (and now also /var/log/messages YIKES!). grepping on the time in my samba log files, i come up with at least three different cases for when this error occurs: a denied connection because the ip is not allowed; a bad user map (when 2.2 upgrade didn't restore smbuser); and a successful connection. the first kind happens A LOT, though i don't know why? perhaps the election process or some other such windows magic?

i also include my smb.conf (which i did restore with path corrections), perhaps with your experience you'll see something right away that escapes me. how can i get rid of these getpeername errors?

thanks!!
elena

[2001/05/01 02:08:25, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 02:08:25, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 02:08:25, 0] lib/access.c:check_access(324)
  Denied connection from (18.104.22.168)
[2001/05/01 02:08:25, 1] smbd/process.c:process_smb(824)
  Connection denied from 22.214.171.124
-----------
[2001/05/01 08:09:48, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 08:09:48, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 08:09:48, 1] smbd/password.c:pass_check_smb(526)
  Couldn't find user 'pboyd' in UNIX password database.
[2001/05/01 08:09:48, 1] smbd/reply.c:reply_sesssetup_and_X(975)
  Rejecting user 'pboyd': authentication failed
----------
[2001/05/01 07:32:17, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 07:32:17, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 07:32:17, 1] smbd/service.c:make_connection(638)
  conf2 (126.96.36.199) connect to service conf as user slullie (uid=526, gid=2\
40) (pid 30230)

/etc/samba/smb.conf:

# Samba config file created using SWAT
# from localhost.localdomain (127.0.0.1)
# Date: 2000/10/23 14:00:49

# Global parameters
[global]
        workgroup = bsvcs-grp
        netbios name = WhateverItTakes
        server string = UNM Business Services
        encrypt passwords = Yes
        update encrypted = Yes
        unix password sync = Yes
        passwd program = /usr/bin/passwd
        username map = /etc/samba/smbusers
        log file = /var/log/samba/log.%m.%I
        log level = 1
        max log size = 15
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        domain logons = Yes
        preferred master = No
        domain master = No
        dns proxy = No
        name resolve order = lmhosts hosts bcast
        invalid users = root bin daemon adm sync shutdown \
                halt mail news uucp operator gopher \
                nobody games ftp lp xfs named gdm \
                piranha postgres pvm squid default \
                autobot
        hosts allow = 129.24.176. 127.0.0.1 EXCEPT 129.24.180. 129.24.178. 129\
.24.177. 129.24.179. 129.24.181. 129.24.182 129.24.183
        directory mask = 0770
        create mask = 0770
        force create mode = 0770
        force directory mode = 0770

[homes]
        comment = Home Directories
        read only = No
        browseable = No
        directory mask = 0700
        create mask = 0700
        force create mode = 0700
        force directory mode = 0700

[support]
        path = /home/support
        comment = Tech Support
        writeable = yes
        valid users = @support
        force group = support

[business]
        path = /home/business
        comment = Business Services
        writeable = yes
        valid users = @business @support
        force group = business

[root at wit /etc]# testparm
Load smb config files from /etc/samba/smb.conf
INFO: Debug class all level = 1 (pid 30978 from pid 30978)
Loaded services file OK.
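The triage described in the message above (grepping on the timestamp to see what accompanies each getpeername error) can be automated. The following is an added example, not part of the original post or of Samba: the function names and category labels are this example's own, and the sample log is abridged from the excerpts in the message.

```python
import re
from collections import defaultdict

# Abridged from the log excerpts in the message above. Samba writes a
# bracketed header line, then the message text on the following line.
SAMPLE_LOG = """\
[2001/05/01 02:08:25, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 02:08:25, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 02:08:25, 0] lib/access.c:check_access(324)
  Denied connection from (18.104.22.168)
[2001/05/01 02:08:25, 1] smbd/process.c:process_smb(824)
  Connection denied from 22.214.171.124
[2001/05/01 08:09:48, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 08:09:48, 1] smbd/password.c:pass_check_smb(526)
  Couldn't find user 'pboyd' in UNIX password database.
[2001/05/01 08:09:48, 1] smbd/reply.c:reply_sesssetup_and_X(975)
  Rejecting user 'pboyd': authentication failed
[2001/05/01 07:32:17, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 07:32:17, 1] smbd/service.c:make_connection(638)
  conf2 (126.96.36.199) connect to service conf as user slullie
"""

HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")

def parse_entries(text):
    """Join each header line with the message line(s) that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "func": m["func"], "msg": ""}
            entries.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return entries

def classify(others):
    """Name the event that shares a timestamp with the getpeername error."""
    text = " | ".join(f'{e["func"]}: {e["msg"]}' for e in others)
    if "check_access: Denied connection" in text:
        return "denied-by-host-acl"
    if "authentication failed" in text:
        return "auth-failure"
    if "make_connection:" in text and " connect to service " in text:
        return "connected"
    return "unexplained"

def correlate_getpeername(text):
    """Map timestamp -> (number of getpeername failures, accompanying event)."""
    by_second = defaultdict(list)
    for entry in parse_entries(text):
        by_second[entry["ts"]].append(entry)
    report = {}
    for ts, group in by_second.items():
        failed = [e for e in group if e["msg"].startswith("getpeername failed")]
        if failed:
            others = [e for e in group if e not in failed]
            report[ts] = (len(failed), classify(others))
    return report

if __name__ == "__main__":
    for ts, (count, event) in sorted(correlate_getpeername(SAMPLE_LOG).items()):
        print(ts, count, event)
```

Entries from different smbd processes that land in the same second are grouped together, so per-client log files (as in the `log file = /var/log/samba/log.%m.%I` setting above) keep the attribution clean.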
This wasn't received as a question but I thought I might share one of my favorite little tricks (if I can call it that) when using Linux. In my work, I commonly need to transfer files from one home computer to another and I've found the quickest and easiest way to do this is to use Samba, or more specifically smbclient (which is sometimes a link to smbclient3). For me, typing a bit in a terminal is much easier than most other methods of transferring files locally.
In the past it could take a bit of effort to get Samba and the Samba tools to function properly, but today many distributions set it up to function almost out-of-the-box (albeit less securely). I've found that in most distributions all I need to do is set a password on my main work computer. This is easily done using the smbpasswd tool. As root (or for Ubuntu users, prefaced with sudo):
smbpasswd <username>, then type in the new password.
From then on, I can samba into my desktop and drop files as needed. If desired, one can list the IP addresses and hostnames for each machine in their /etc/hosts so that computer names can be used, but in my work, I'm installing new releases all the time. So, I just use my desktop's local IP address. So, say for example that I needed to transfer a couple of screenshots from my testing machine to my desktop, I merely samba into my desktop and drop the files into my home directory. To log in:
smbclient --user=s //192.168.0.100/s, then give the password.
Then to move those screenshots I use a simple command:
This will transfer all files with the .png extension. Notice how Samba can use wildcards to make operations so much easier. In fact, you can even use auto-completion many times - and I do. Retrieving files is just as easy. For example:
mget opensuse-112_d <enter>, will complete the filename opensuse-112_desktop.jpg and transfer a copy to the current machine.
Using mput instead of put verifies the transfer of each file before actually doing it.
This isn't even a drop in the bucket of the things one can do with smbclient or other Samba tools. A quick perusal of the man pages can give you an idea. At home behind my Internet firewall, smbclient saves me lots of effort.
(Updated August 17, 2005)
I. The NULL Session Concept: The Good?
II. The Bad and The Ugly.
III. Using the Information.
IV. How to disable NetBIOS NULL Sessions.
V. Further Defenses.
VI. References and Further reading.
Note: Follow the link below to download a script to disable NULL sessions: Download Disable NULL Sessions Script
I. The NULL Session Concept: The Good?
NULL sessions take advantage of "features" in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Using these NULL connections allows you to gather the following information from the host:
- List of users and groups
- List of machines
- List of shares
- User and host SIDs (Security Identifiers)
NULL sessions exist in Windows networking to allow:
- Trusted domains to enumerate resources
- Computers outside the domain to authenticate and enumerate users
- The SYSTEM account to authenticate and enumerate resources
NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003 will allow anonymous enumeration of shares, but not SAM accounts.
II. The Bad and the Ugly
The NULL session vulnerability is fairly widespread; however, the introduction of Windows XP and Windows 2003 has made it far less useful. For the most part, if the appropriate ports are accessible, a NULL session is possible.
Port  Protocol  Description
135   TCP       Location Service (RPC endpoint mapping)
135   UDP       Location Service (RPC endpoint mapping)
137   TCP       NETBIOS Name Service
137   UDP       NETBIOS Name Service
138   TCP       NETBIOS Datagram Service
138   UDP       NETBIOS Datagram Service
139   TCP       NETBIOS Session Service
139   UDP       NETBIOS Session Service
445   TCP       SMB/CIFS
Port 139 or 445 TCP is required to be open in order for a NULL session to be successful (it needs to connect to IPC$ first). The other ports may be required, depending on the configuration, for services such as name resolution. There are many tools available to exploit NULL sessions; here are some examples:
Enum ( http://www.bindview.com/Services/RAZOR/Utilities/Windows/enum_readme.cfm )
enum is truly one of the best tools for exploiting the NULL session vulnerability. It is the "Swiss army knife" of NULL session hacking, allowing you to exploit every aspect of this flaw. Its true power lies in the ability to enumerate users, and then try to brute force the password using a supplied password list. Sample output is below (I usually run with the -S and -U flags as shown below):
C:\tools>enum -SU <IP Address>
server: <IP Address>
setting up session... success.
getting user list (pass 1, index 0)... success, got 5.
Administrator Guest IUSR_CHANNEL IWAM_CHANNEL victim_user
enumerating shares (pass 1)... got 4 shares, 0 left:
IPC$ c ADMIN$ C$
cleaning up... success.
From the above output we can see that the machine has one additional user aside from the default accounts, called "victim_user", and that none of the default accounts have been renamed. This is another great usage of NULL sessions: if the user has been conscientious and renamed the administrator account, we can see what it has been changed to. The guest account exists as well, which comes by default in most versions of Windows, and should be left disabled. It appears as though this machine is also running the Microsoft IIS web server, judging from the IUSR_<machine name> account that exists. Moving on to the shares, we see all of the default hidden administrative shares (denoted by the "$" character), as well as an unhidden share called "c". The ability to view hidden shares on the host is yet another great feature of NULL sessions.
Hunt ( http://www.foundstone.com/resources/freetools/hunt.zip )
Part of the NT Forensic Toolkit from Foundstone, this tool makes it very easy to enumerate users and shares from a vulnerable Windows host, and is the most accurate in my experience. Some sample output is below:
C:\tools>hunt \\<IP Address>
share = IPC$ - Remote IPC
share = c -
share = ADMIN$ - Remote Admin
share = C$ - Default share
User = Administrator, , , Built-in account for administering the computer/domain
Admin is <NetBIOS Name>\Administrator
User = Guest, , , Built-in account for guest access to the computer/domain
User = IUSR_<NetBIOS Name>, Internet Guest Account, Built-in account for anonymous access to Internet Information Services, Built-in account for anonymous access to Internet Information Services
User = IWAM_<NetBIOS Name>, Internet Guest Account, Built-in account for anonymous access to Internet Information Services out of process applications, Built-in account for anonymous access to Internet Information Services out of process applications
User = victim_user Victim Name, ,
Above we see the same information as enum presents represented in a slightly different format.
winfo ( http://ntsecurity.nu/toolbox/winfo/ )
This command line tool queries the host for most of the information made available by a NULL session (Including any trust relationships) and displays it to the screen. Sample output is below:
C:\>winfo 188.8.131.52 -n
winfo 1.5 - copyright (c) 1999-2001, Arne Vidstrom
Trying to establish null session...
Null session established.
(This account is the built-in administrator account)
(This account is the built-in guest account)
WORKSTATION TRUST ACCOUNTS:
INTERDOMAIN TRUST ACCOUNTS:
SERVER TRUST ACCOUNTS:
The output above shows the listing of users, similar to the other tools. winfo is unique in that it will also show the trust relationships this machine may have with other machines. Finally, it will list the shares it has made available.
Dumpsec ( http://www.systemtools.com/cgi-bin/download.pl?DumpAcl )
Formerly Dumpacl, this tool is similar to winfo, but has a GUI interface.
You can use built-in tools to enumerate NULL sessions by executing the following command using the "net" utility that comes with Windows. Without NULL sessions, when we attempt to list the shares on a remote Windows computer we get the following error:
C:\tools>net view \\MY.SUB.NET.IP
System error 5 has occurred.
Access is denied.
By default we would not have permissions to list the shares. If we map the IPC$ share (Inter Process Communications) using our NULL username and password combinations we are successful:
C:\tools>net use \\MY.SUB.NET.IP\IPC$ "" /u:""
The command completed successfully.
Now we try to list the shares again with greater success:
C:\tools>net view \\MY.SUB.NET.IP
Shared resources at \\MY.SUB.NET.IP
Share name Type Used as Comment
The command completed successfully.
III. Using the Information
An attacker will use the information gained from NULL sessions and try to log on to the system, using various tools that will try different username and password combinations. Common attacks against University computers have shown that attackers will typically gain access to the system, install FTP servers, IRC bots, and DDoS tools, then copy the illegal (copyrighted and pirated) software up for distribution. The FTP server Serv-U FTP Server and the IRC bot iroffer are very common as well. This task is made easier by users who, when prompted for an administrator password when installing NT/2000/XP, leave it blank. Please set a password on every account on your machine, if not for the security of your machine, then for the security of all our machines.
A worm called "Zotob" that takes advantage of the MS05-039 vulnerability relies on NULL sessions to propagate. Follow the instructions in the next section to protect yourself (and of course apply all operating system patches).
IV. How to Disable NetBIOS NULL Sessions
Follow the link below to download a script to disable NULL sessions: Download Disable NULL sessions Script (Authored by Brown University Software Services)
Below are instructions on how to manually disable NetBIOS NULL sessions:
Windows XP Home Edition
Note: This also works in Windows 2000 and XP Professional.
1. Set the following registry key: HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous=2
2. Reboot to make the changes take effect.
Windows XP Professional Edition and Windows Server 2003
1. Go to Administrative Tools --> Local Security Policy --> Local Policies --> Security Options. Make sure the following two policies are enabled:
Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default)
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
This can also be accomplished using the following registry keys:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=1 (This disallows enumeration of shares)
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=1 (Default, not allowing enumeration of user accounts)
2. Reboot to make the changes take effect.
1. Go to --> Administrative Tools --> Local Security Settings --> Local Policies --> Security Options
2. Select "Additional restrictions of anonymous connections" in the Policy pane on the right
3. From the pull down menu labeled "Local policy setting", select: "No access without explicit anonymous permissions"
4. Click OK
5. The registry setting equivalent is: HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=2
6. Reboot to make the changes take effect.
Windows NT 4.0 (Service Pack 3 or later)
Set the following registry key: HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous=1
I am not certain how this works in the latest releases of Samba. Please email me with any feedback or experiences you could provide.
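A way to check hosts against the registry values listed in this section, as an added example that is not part of the original article or of the Brown University script. It reads saved `reg query` output for the Lsa key; the platform labels, function names and sample output are constructed for illustration, and a value that is absent is reported rather than assumed.

```python
import re

# Minimum values per platform, taken from section IV above. The platform
# labels ("nt4", "xp-pro", ...) are this example's own names.
BASELINE = {
    "nt4":     {"restrictanonymous": 1},
    "2000":    {"restrictanonymous": 2},
    "xp-home": {"restrictanonymous": 2},
    "xp-pro":  {"restrictanonymous": 1, "restrictanonymoussam": 1},
    "2003":    {"restrictanonymous": 1, "restrictanonymoussam": 1},
}

# One value line of `reg query` output: indented name, type, data.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>\S+)\s+REG_DWORD\s+(?P<data>0x[0-9A-Fa-f]+)\s*$")

def parse_dwords(reg_output):
    """Return {lower-cased value name: int} for every REG_DWORD line."""
    values = {}
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m["name"].lower()] = int(m["data"], 16)
    return values

def audit(platform, reg_output):
    """List settings that fall short of the baseline; [] means compliant."""
    values = parse_dwords(reg_output)
    findings = []
    for name, minimum in BASELINE[platform].items():
        actual = values.get(name)
        if actual is None:
            findings.append(f"{name}: not set (want >= {minimum})")
        elif actual < minimum:
            findings.append(f"{name}: {actual} (want >= {minimum})")
    return findings

# Constructed sample output for two hypothetical hosts.
XP_PRO_WEAK = """\
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa
    restrictanonymous    REG_DWORD    0x0
    restrictanonymoussam    REG_DWORD    0x1
    limitblankpassworduse    REG_DWORD    0x1
"""
W2K_HARDENED = """\
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa
    RestrictAnonymous    REG_DWORD    0x2
"""

if __name__ == "__main__":
    print("xp-pro:", audit("xp-pro", XP_PRO_WEAK) or "compliant")
    print("2000:  ", audit("2000", W2K_HARDENED) or "compliant")
```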
V. Further Defenses
While the above describes how to disable this vulnerability on the host, there are some things you can do on the network to help defend against NULL sessions:
- Blocking NetBIOS ports on your firewall or border router
- Blocking the Windows networking ports in Figure 1 will protect against NULL sessions (and other attacks that use NetBIOS)
- Remove the IPC$ share (net share IPC$ /delete)
Most intrusion detection systems come with signatures to detect NULL session activity, although when run on the "inside" of your network they will generate false positives if not configured correctly. Configuring the Snort ( www.snort.org ) NULL session detection rule ( http://www.snort.org/pub-bin/sigs.cgi?sid=530 ) to look at certain traffic proves to be very effective. For example, you may only want to look at NULL session attempts from the Internet to your internal network, and IDS rules should be configured accordingly.
All versions of Windows that are vulnerable to this attack provide some mechanism to set account policies. The Center for Internet Security has released benchmark standards for all Windows platforms that include recommended account policies (see http://www.cisecurity.org for more details and to download the benchmarks). They cover password expiration, password length, and account lockout policies, which should all be applied to your domain (or workstation if you are not part of a domain). These documents also outline some recommendations for audit policies, or logging of certain activity on your computer. You should enable logging of security events on your Windows servers and workstations for accounting purposes. Account and auditing policies should be tailored to each organization's needs. Having these in place will significantly decrease the risk of someone using NULL sessions to gain access to your machine.
VI. References and Further Reading
rr.sans.org/win/null.php - "NULL sessions In NT/2000" - Perhaps the best description of why NULL sessions exist, with general NULL session facts; includes a complete description of how NetBIOS NULL sessions are used in a Windows networking environment. By Joe Finamore.
www.giac.org/certified_professionals/practicals/gcih/0345.php - "Weak Passwords + NULL Session = Windows 2000 Exploit" - This paper outlines the dangers of NULL sessions and gives an example of an incident that uses this vulnerability. By Michael S. Kriss.
www.hsc.fr/ressources/presentations/null_sessions/msrpc_null_sessions.pdf - "MSRPC NULL sessions - exploitation and protection" – A new way to exploit NULL sessions using MSRPC and named pipes. Lets you do more than just view users and shares.
www.softheap.com/security/session-access.html - "How is information enumerated through NULL session access, Remote Procedure Calls and IPC$?"
www.sygate.com/alerts/Netbios_Null_Attack.htm - "NetBIOS NULL Session Attack in XP"
www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/windows_security_differences.asp - Important differences between Windows NT 4.0 and Windows XP Professional
secinf.net/info/nt/wardoc.txt - "The Windows NT WARDOC: A Study in Remote NT Penetration"
www.sans.org/top20/#w3 - SANS/FBI Top 20 List, Windows Remote Access Services
"Hacking Exposed" or "Hacking Windows 2000 Exposed", Scambray & McClure, Chapter 4: Enumeration
Authored by Paul Asadoorian, Brown University, June 17, 2002
Please send any questions/comments to Paul_Asadoorian@brown.edu
Revision 1.0: November 14, 2002 – Added a significant amount of content.
Revision 1.1 January 3, 2003 – Updated for Windows XP Home Edition
Revision 1.3 August 16, 2005 – Updated for Windows 2003, MS05-039 worm, general clean-up and fixed all broken links.
NetBIOS-free SMB protocol on port 445 in Windows 2000-XP
Jay Ts jay at toltec.metran.cx
Wed Aug 29 21:52:52 GMT 2001
Chris Hertel wrote:
> Yes, we know. Have known for over a year.
> I think it was Tridge who convinced Microsoft to use port 445.

Cool. So can I assume that it will be no problem to add support for it? And are plans for such in process?

- Jay Ts

------------------------------------------
> > Hi,
> >
> > Yesterday a friend forwarded to me this URL at Microsoft:
> >
> > http://support.microsoft.com/support/kb/articles/Q204/2/79.ASP
> >
> > It is about support in Windows 2000/XP for running SMB for
> > file and printer sharing over port 445, with no overhead of
> > NetBIOS.
> >
> > The question of course is, are the Samba Team aware of this,
> > and can it be supported in future versions of Samba?
> >
> > The webpage says it is possible to set up a Win 2000/XP network to
> > only use the new protocol, and shut out SMB/NetBIOS networking on
> > ports 137-139 entirely.
> >
> > - Jay Ts
(ReallyLinux.com) This article is for all of those readers asking for a very basic overview of networking Windows and Linux PCs. You may also benefit from my article: From Windows to Linux.
Can a Windows system and a Linux system talk together harmoniously? After all, there is a lot of work and personal data left on Windows PCs that many want to keep! So this question of networking the two systems is both reasonable and vital.
Therefore, basic Windows file sharing can be done with relative ease if your Linux flavor includes the Samba tools. Of course, it also requires a little work on the Windows PC since any good communication comes from two sides!
The goal then, regardless which Linux flavor you're using, is to:
- Ensure that Samba tools are included and available
- Configure the PC network cards and settings
- Configure the Windows PC to allow workgroup sharing
- Configure Samba tools to recognize the Windows PC
I include details for each of these steps in the article. Implementing the steps above is somewhat unique across every major flavor I've used. Some flavors will require you to select Samba tools at the very beginning of the installation process. Other flavors include the full Samba suite of tools as part of the package, ready to go. It depends so much on your flavor that I can't provide specific guidance without writing another fifty pages on the subject. I plan to release an in-depth Samba article here in the future.
However, what I can share with you now are the steps needed to implement Samba using Fedora as a tutorial or guide. These steps are for making a basic Windows XP Home Edition available to Linux.
My assumption is that before you begin, you've already familiarized yourself with the Post-Installation Configuration article, and that you have the two PCs connected properly with a network hub and cables.
|OSFaq.com: How to install a Linux File/Print Server on your Windows Network [with Samba]|
Samba (software) - Wikipedia, the free encyclopedia
Learn Linux, 302 (Mixed environments) Configure Samba -- a very good tutorial from IBM
NetBIOS - Wikipedia, the free encyclopedia
O'Reilly Samba Book, the second edition
SAMBA Developers Guide
Index of -samba-docs-man
Jelmer Vernooij - Publications
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: December 25, 1998