Samba quickstart – File Sharing Between Linux and Windows

Windows File Sharing is Insecure

Windows clients share files on a local network with Server Message Block, SMB.
SMB is in use in most firms that have any Windows computers, because it is
trivial to switch on in Windows. Linux is a popular choice for an SMB server,
because with Samba it can serve more clients on the same hardware.

The SMB dialect used here (SMB1, also called CIFS) is inherently insecure. It
does not encrypt traffic, so anyone who can sniff the network reads the files
that pass by, and it can only be used on a LAN behind the company firewall.
The logon is an LM/NTLM challenge-response exchange that widely available
programs such as L0phtCrack crack from captured traffic. Sharing files from a
Windows box exposes it to many exploits. A Linux server is a lot harder to
break into, but Samba cannot make the SMB protocol itself secure.

If you are looking for a good way to share files, consider
some other options, such as lufs, AFS or WebDAV.

(c) Tero Karvinen

Linux Samba Server Installation and Configuration

Install the Samba server and client, start the daemon, and make it
start automatically on boot


yum -y install samba-client samba
/etc/init.d/smb start
chkconfig smb on

If you don’t have yum yet, see Yum automated software
installation,
or install the packages manually.

Make a hole in the firewall. Replace 10.0.0.1/255.255.255.0 with
your own IP address and network mask, so that only hosts on your own network
can reach the server. You can see your IP address and mask with
ifconfig eth0|grep "inet addr"


iptables -I INPUT 1 -p tcp --source 10.0.0.1/255.255.255.0 --dport 137:139 -j ACCEPT
iptables -I INPUT 1 -p udp --source 10.0.0.1/255.255.255.0 --dport 137:139 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

Opening these six ports (137, 138 and 139, both tcp and udp) in the firewall
lets clients on your network use the server. It does not necessarily mean that
you can browse other hosts from your Linux server; see the browsing notes at
the end of this page. Windows 2000 and later clients try port 445 (SMB directly
over tcp) first and fall back to 139, so you may want to open 445/tcp from the
same source network as well.

The firewall configuration tool shipped with Red Hat, lokkit,
overwrites your hand-made rules if you run it, so don’t use it.
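The rules above take the source network as a literal. As an added example (not part of the original howto), here is a small POSIX shell script that derives that network from the ifconfig line the text tells you to read and prints the source-restricted rules, with 445/tcp added for Windows 2000 and later clients. The sample ifconfig line is constructed from the address that appears in the smbclient output later on this page; the function names are mine. It only prints the commands, so it is safe to run as a normal user:

```sh
#!/bin/sh
# Added example (not part of the original howto): turn the address and mask
# that "ifconfig eth0 | grep 'inet addr'" prints into the --source network
# for the iptables rules above, and print the rules. Nothing is applied;
# review the output and pipe it into "sh" as root.

# Dotted-quad netmask -> prefix length (255.255.0.0 -> 16). Rejects masks
# whose set bits are not contiguous, which iptables would also refuse.
mask_to_prefix() {
    _bits=0; _ended=0
    _oldifs=$IFS; IFS=.
    for _octet in $1; do
        if [ "$_ended" = 1 ] && [ "$_octet" != 0 ]; then
            IFS=$_oldifs; echo "non-contiguous netmask: $1" >&2; return 1
        fi
        case $_octet in
            255) _bits=$((_bits + 8)) ;;
            254) _bits=$((_bits + 7)); _ended=1 ;;
            252) _bits=$((_bits + 6)); _ended=1 ;;
            248) _bits=$((_bits + 5)); _ended=1 ;;
            240) _bits=$((_bits + 4)); _ended=1 ;;
            224) _bits=$((_bits + 3)); _ended=1 ;;
            192) _bits=$((_bits + 2)); _ended=1 ;;
            128) _bits=$((_bits + 1)); _ended=1 ;;
            0)   _ended=1 ;;
            *)   IFS=$_oldifs; echo "bad netmask octet: $_octet" >&2; return 1 ;;
        esac
    done
    IFS=$_oldifs
    echo "$_bits"
}

# Address AND mask, octet by octet -> network address
# (10.3.91.185 255.255.0.0 -> 10.3.0.0).
network_address() {
    _oldifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$_oldifs
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# One "inet addr:... Mask:..." line from the 2003-era net-tools ifconfig -> CIDR.
cidr_from_ifconfig_line() {
    _ip=$(echo "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')
    _mask=$(echo "$1" | sed -n 's/.*Mask:\([0-9.]*\).*/\1/p')
    if [ -z "$_ip" ] || [ -z "$_mask" ]; then
        echo "no 'inet addr'/'Mask' in: $1" >&2; return 1
    fi
    _prefix=$(mask_to_prefix "$_mask") || return 1
    echo "$(network_address "$_ip" "$_mask")/$_prefix"
}

# Print the rules for one source network. 137-139 tcp/udp are the NetBIOS
# ports the howto opens; 445/tcp is added because Windows 2000 and later try
# it first and fall back to 139. Inserted at the top of INPUT, as in the howto.
samba_firewall_rules() {
    cat <<EOF
iptables -I INPUT 1 -p tcp --source $1 --dport 445 -j ACCEPT
iptables -I INPUT 1 -p udp --source $1 --dport 137:139 -j ACCEPT
iptables -I INPUT 1 -p tcp --source $1 --dport 137:139 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
EOF
}

# Constructed sample line, using the address seen in the howto's smbclient output.
SAMPLE_LINE='          inet addr:10.3.91.185  Bcast:10.3.255.255  Mask:255.255.0.0'

# Stand-alone usage; on the server replace SAMPLE_LINE with
#   "$(ifconfig eth0 | grep 'inet addr')"
samba_firewall_rules "$(cidr_from_ifconfig_line "$SAMPLE_LINE")"
```

The mask check matters in practice: a typo such as 255.0.255.0 would otherwise turn into a rule that admits far more than your LAN, and iptables rejects such masks anyway.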

Test first by accessing through the loopback interface (bypassing the firewall),
then with your own IP address (through the holes in the firewall), and finally
try a file transfer. Use your own IP address instead of 10.0.0.1. The -U %
means an anonymous connection with empty user name and password, so this listing
is also exactly what any host on the network sees without a Samba account.


smbclient -L localhost -U %
ifconfig eth0|grep "inet addr"
smbclient -L 10.0.0.1 -U %

If all went right, you should see something like


$ smbclient -L localhost -U %
added interface ip=10.0.0.1 bcast=10.0.0.255 nmask=255.255.255.0
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.7a-security-rollup-fix]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       IPC Service (Samba Server)
        ADMIN$         Disk      IPC Service (Samba Server)

        Server               Comment
        ---------            -------
        LOCALHOST            Samba Server

        Workgroup            Master
        ---------            -------
        MYGROUP              LOCALHOST

Now you have Samba installed.
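Because the -U % listing is what an unauthenticated host on your LAN gets, it is worth checking now and then that nothing but the defaults shows up in it. Added example (not the howto's own code): a shell function that pulls the share names out of smbclient -L output and reports anything beyond IPC$ and ADMIN$. The listing embedded below is constructed after the one above, with one extra disk share added so the check has something to find; the function names are mine.

```sh
#!/bin/sh
# Added example (not the howto's code): read an anonymous
# "smbclient -L host -U %" listing and report which shares an unauthenticated
# LAN host can see. Anything besides IPC$ (and ADMIN$ on Samba 2.2) is a
# share you exported, knowingly or not.

# Constructed sample listing, modelled on the howto's output plus one extra
# disk share ("public") so the check fires.
SAMPLE_LISTING='added interface ip=10.0.0.1 bcast=10.0.0.255 nmask=255.255.255.0
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.7a-security-rollup-fix]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       IPC Service (Samba Server)
        ADMIN$         Disk      IPC Service (Samba Server)
        public         Disk      Scratch area

        Server               Comment
        ---------            -------
        LOCALHOST            Samba Server

        Workgroup            Master
        ---------            -------
        MYGROUP              LOCALHOST'

# list_shares LISTING: one share name per line, taken from the rows between
# the "Sharename Type Comment" header and the blank line that ends the table.
list_shares() {
    echo "$1" | awk '
        /^[ \t]*Sharename[ \t]+Type/ { in_table = 1; next }
        in_table && /^[ \t]*-+[ \t]+-+/ { next }    # underline row
        in_table && NF == 0 { exit }               # table ends at blank line
        in_table { print $1 }
    '
}

# unexpected_shares LISTING: drop the shares Samba always advertises;
# whatever remains is exported to anonymous clients and should be there on purpose.
unexpected_shares() {
    list_shares "$1" | grep -v -e '^IPC\$$' -e '^ADMIN\$$' || true
}

# Stand-alone usage; on the server replace SAMPLE_LISTING with
#   "$(smbclient -L 10.0.0.1 -U % 2>/dev/null)"
echo "Shares visible to anonymous clients:"
list_shares "$SAMPLE_LISTING"
echo "Shares that are not Samba defaults:"
unexpected_shares "$SAMPLE_LISTING"
```

Note that [homes] shares do not appear in an anonymous listing (they are created per user at logon), so a clean result here says nothing about who may reach home directories; that is governed by smb.conf and the Samba password file, covered next.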

Sharing User Home Directories

Let’s give a user permission to reach his home directory. We must add
that user to the Samba users and give him a new Samba password. Samba keeps
its own password file (/etc/samba/smbpasswd) holding LM and NT hashes of the
password, and the LM hash in particular cracks quickly; don’t reuse your
Unix password here, or your Unix security is lowered to Windows level, because
whoever cracks the Samba hash then also has a Unix login. Add users as root,
replacing tero with the user you want to add.


smbadduser tero:tero

Samba 3 uses smbpasswd -a tero instead. Because sharing home directories (the
[homes] section) is enabled by default in /etc/samba/smb.conf, tero can access
his home directory right away.


smbclient //10.0.0.1/tero -U tero%password

smbclient works a lot like any text mode ftp client. Giving the password
after % on the command line is handy for testing, but it ends up in your shell
history and is visible to other local users in the process list; leave out
%password and smbclient prompts for it instead.
If you can see your files with ls, it’s working:

added interface ip=10.3.91.185 bcast=10.3.255.255 nmask=255.255.0.0
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.7a-security-rollup-fix]
smb: \> ls
  .                                   D        0  Mon May 19 17:01:54 2003
  ..                                  D        0  Mon May 12 15:24:32 2003
  .kde                               DH        0  Fri Apr 18 14:43:03 2003
  .bash_logout                        H       24  Tue Feb 11 15:34:44 2003
  ...
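Since [homes] comes enabled in the stock smb.conf, it pays to look at what else in that file limits who can reach those home directories. Added example (not from the howto or the Samba project): an smb.conf for the setup above with the restricting options set, a constructed stand-in for a stock file that lacks them, and a shell parser that audits either file for those options. The option names are real smb.conf parameters; the 10.0.0. network, the eth0 interface and the function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the howto): an smb.conf for the home-directory
# setup above with the options that limit exposure, plus a small parser to
# audit any smb.conf for them. Only constructed files are used here; on the
# server run: audit_smbconf /etc/samba/smb.conf

# [global]: Samba's own hash file (not the Unix one), and listening only on
# the LAN interface for LAN addresses (10.0.0. and eth0 are assumptions).
# [homes]: not advertised in browse lists, and only the owner of the home
# directory (%S = share name = user name) may connect to it.
hardened_conf() {
    cat <<'EOF'
[global]
   workgroup = MYGROUP
   server string = Samba Server
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   hosts allow = 10.0.0. 127.
   interfaces = eth0 127.0.0.1
   bind interfaces only = yes

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S
   create mask = 0600
   directory mask = 0700
EOF
}

# Constructed stand-in for a stock config: home directories shared, nothing
# restricting which hosts or which interface may reach them.
weak_conf() {
    cat <<'EOF'
[global]
   workgroup = MYGROUP
   security = user
   encrypt passwords = yes
;  hosts allow = 192.168.1. 127.

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
EOF
}

# smbconf_get FILE SECTION KEY: print the value, exit 1 if unset. Section and
# key names are case-insensitive, as in Samba; ';' and '#' start comments, so
# the commented-out hosts allow above does not count.
smbconf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[/, "", sec); gsub(/[]][ \t]*$/, "", sec); next }
        tolower(sec) == tolower(want_sec) && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want_key)) { print val; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_setting FILE SECTION KEY WANT: print a finding and fail if the
# (lower-cased) value differs from WANT.
check_setting() {
    _got=$(smbconf_get "$1" "$2" "$3") || _got="(unset)"
    if [ "$(echo "$_got" | tr 'A-Z' 'a-z')" != "$4" ]; then
        echo "[$2] $3 = $_got (want $4)"
        return 1
    fi
}

# audit_smbconf FILE: print findings, return their count (0 = clean).
audit_smbconf() {
    _n=0
    check_setting "$1" global "encrypt passwords" yes    || _n=$((_n + 1))
    check_setting "$1" global "security" user            || _n=$((_n + 1))
    check_setting "$1" global "bind interfaces only" yes || _n=$((_n + 1))
    check_setting "$1" homes "browseable" no             || _n=$((_n + 1))
    check_setting "$1" homes "valid users" '%s'          || _n=$((_n + 1))
    if ! smbconf_get "$1" global "hosts allow" >/dev/null; then
        echo "[global] hosts allow unset: every host the firewall passes may try to log in"
        _n=$((_n + 1))
    fi
    return $_n
}

# Stand-alone usage over the two constructed files.
for make in hardened_conf weak_conf; do
    f=$(mktemp); $make > "$f"
    echo "== $make"
    if audit_smbconf "$f"; then echo "no findings"; fi
    rm -f "$f"
done
```

hosts allow and the firewall rules overlap on purpose: the firewall is the outer fence, and hosts allow still holds if someone later runs lokkit or flushes iptables. After editing the real file, run testparm to have Samba itself check the syntax before restarting smb.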

Windows Client Configuration

Add your share on a Windows client. Open
Start Menu: Programs: Accessories: Command Prompt. Replace
10.0.0.1 with the IP address of your Linux Samba server.
The star * in net use
means use the first free drive letter. Type your password when asked.


net use * \\10.0.0.1\tero /USER:tero

You can see your mounted shares in Windows Explorer or with net use.
To unmount the drive, use /DELETE. Drives are automatically
mounted at login if they were mounted with the /PERSISTENT:YES option. For help,
try net help use. There is a graphical interface for mounting
remote shares too: in Windows
Explorer, select Tools: Map Network Drive.

Todo and About this document

This howto was tested with Red Hat 9.0 Shrike.

Notes on browsing Windows network with Linux

Linux as a client for Windows file shares, including iptables
configuration. This may require opening the upper ports for the local network, that is
1025–65535 tcp and 1025–65535 udp.

The following configuration allows browsing (smbtree) from a Linux workstation in Helia:

iptables -A INPUT -p tcp --dport 137:139 -j ACCEPT
iptables -A INPUT -p udp --dport 137:139 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p udp --dport 1025:65535 -j ACCEPT

In particular, smbtree does not work without opening the high unprivileged
udp ports. Because that is a big hole (and the rules above accept from any
address), it is usually wise to add --source ip/mask to
limit the allowed IP addresses.

For graphical browsing or a “Network Neighbourhood”, use Konqueror. Nautilus has not worked too well
in my testing.

Todo: Explain how smb.conf and /etc/init.d/smb start affect browsing from a Linux workstation.

Firewall update 2008-04-11

Leo Tilson sent an improved firewall configuration, which I have not tested yet. Leo says that opening the source ports lets you avoid opening the high ports.

# Inbound NetBIOS name service (137/udp), datagram service (138/udp),
# session service (139/tcp) and SMB directly over tcp (445)
iptables -t filter -A INPUT -j ACCEPT -p udp --dport 137
iptables -t filter -A INPUT -j ACCEPT -p udp --dport 138
iptables -t filter -A INPUT -j ACCEPT -p tcp --dport 139
iptables -t filter -A INPUT -j ACCEPT -p tcp --dport 445
# Replies to our own name queries and browse datagrams arrive from source
# port 137/138, so matching on --sport admits them without opening every
# high udp port
iptables -t filter -A INPUT -j ACCEPT -p udp --sport 137
iptables -t filter -A INPUT -j ACCEPT -p udp --sport 138

Copyright 2003-mm-dd, 2003-09-28, 2004-05-13 (browsing notes) Tero Karvinen. All rights reserved.
