Samba quickstart – File Sharing Between Linux and Windows
Windows File Sharing is Insecure
All Microsoft Windows clients use Server Message Block (SMB) to share
files in a local network. SMB is used in most firms that have any
Windows computers, because it is easy to set up on Windows.
Linux is a popular choice for an SMB server, because it can
serve more clients with the same hardware.
SMB is inherently insecure. It does not encrypt
traffic, so it can only be used in a LAN, relying on the company
firewall. Its password encryption can be bypassed with widely available
programs, such as L0phtCrack. Sharing files on a Windows box
opens it to many exploits. Even though it is a lot harder
to break into Linux, Samba cannot make SMB secure.
If you are looking for a good way to share files, consider
some other options, such as lufs, afs or webdav.
(c) Tero Karvinen
Linux Samba Server Installation and Configuration
Install the Samba server and client, start the daemon, and make it start automatically:
yum -y install samba-client samba
/etc/init.d/smb start
chkconfig smb on
If you don’t have yum yet, see Yum automated software
installation or install the programs manually.
Make a hole in the firewall. Replace 10.0.0.1/255.255.255.0 with
your own ip-number and network mask. You can see your ip-number and mask with
ifconfig eth0|grep "inet addr"
iptables -I INPUT 1 -p tcp --source 10.0.0.1/255.255.255.0 --dport 137:139 -j ACCEPT
iptables -I INPUT 1 -p udp --source 10.0.0.1/255.255.255.0 --dport 137:139 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
Opening holes for these six ports in the firewall makes it possible to use
the server. It does not necessarily mean that you can browse other hosts from
your Linux server.
The firewall configuration tool provided with Red Hat, lokkit,
overwrites your hand-made rules if you run it, so don't use it.
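Added example, not code from the original howto: a small sh script that prints the rules above restricted to one source network and refuses input that would open the ports to any source. It also adds 445 tcp, which the browsing notes later on this page open for newer Windows clients; the function and argument names are mine.

```shell
#!/bin/sh
# Added example (not from the original howto): print the firewall rules the
# howto inserts by hand, restricted to one source network, and refuse inputs
# that would leave the SMB ports open to everyone. Nothing is applied; to use
# the output, run it as root, e.g.  smb_fw_rules 10.0.0.1 255.255.255.0 | sh

# valid_quad ADDR: succeed if ADDR is four decimal octets in 0..255
valid_quad() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# smb_fw_rules NETWORK MASK: iptables commands on stdout, exit status 1 on bad input
smb_fw_rules() {
    net="$1"; mask="$2"
    if ! valid_quad "$net" || ! valid_quad "$mask"; then
        echo "smb_fw_rules: bad address or mask: $net/$mask" >&2; return 1
    fi
    # A 0.0.0.0 mask matches every source, which defeats the point of the rule
    if [ "$mask" = "0.0.0.0" ]; then
        echo "smb_fw_rules: refusing a mask that allows any source" >&2; return 1
    fi
    src="$net/$mask"
    # 137-139 tcp/udp are the NetBIOS ports the howto opens; 445 tcp is the
    # direct SMB port newer Windows clients use (opened in the browsing notes)
    for spec in "tcp 137:139" "udp 137:139" "tcp 445"; do
        set -- $spec
        echo "iptables -I INPUT 1 -p $1 --source $src --dport $2 -j ACCEPT"
    done
    echo "iptables-save > /etc/sysconfig/iptables"
}

# When run directly with two arguments, print the rules for that network
if [ $# -eq 2 ]; then smb_fw_rules "$1" "$2"; fi
```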
Test first by accessing through the loopback adapter (bypassing the firewall), then
with your ip-number (through the holes in the firewall), and finally try a file
transfer. Use your own ip-number instead of 10.0.0.1.
smbclient -L localhost -U %
ifconfig eth0|grep "inet addr"
smbclient -L 10.0.0.1 -U %
If all went right, you should see something like
$ smbclient -L localhost -U %
added interface ip=10.0.0.1 bcast=10.0.0.255 nmask=255.255.255.0
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.7a-security-rollup-fix]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server)
ADMIN$ Disk IPC Service (Samba Server)
Server Comment
--------- -------
LOCALHOST Samba Server
Workgroup Master
--------- -------
MYGROUP LOCALHOST
Now you have Samba installed.
Sharing User Home Directories
Let's give some user permission to get to his home directory. We must add
that user to the Samba users and give him a new Samba password. Don't use your
Unix passwords here, or your Unix security might be lowered to Windows
level. Add users as root, replacing tero with the user you want to add.
smbadduser tero:tero
Samba 3 uses smbpasswd -a tero instead. Because sharing home directories is
enabled by default in /etc/samba/smb.conf, tero can access his home directory
right away.
smbclient //10.0.0.1/tero -U tero%password
smbclient works a lot like any text mode ftp client.
If you can see your files with ls, it's working:
added interface ip=10.3.91.185 bcast=10.3.255.255 nmask=255.255.0.0
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.7a-security-rollup-fix]
smb: \> ls
  .                                   D        0  Mon May 19 17:01:54 2003
  ..                                  D        0  Mon May 12 15:24:32 2003
  .kde                               DH        0  Fri Apr 18 14:43:03 2003
  .bash_logout                        H       24  Tue Feb 11 15:34:44 2003
  ...
Windows Client Configuration
Add your share to a Windows client. Open
Start Menu: Programs: Accessories: Command Prompt. Replace
10.0.0.1 with your Linux Samba server ip-number.
The star * in net use means use the first free drive letter. Type your password when asked.
net use * \\10.0.0.1\tero /USER:tero
You can see your mounted shares in Windows Explorer or with net use.
To unmount the directory, use /DELETE. Drives are automatically
mounted on login if they were mounted with the /PERSISTENT
option. For help, try net help use. There is a graphical interface to mount
remote shares too. In Windows Explorer, select Tools: Map Network Drive.
Todo and About this document
This howto was tested with Red Hat 9.0 (Shrike).
Notes on browsing Windows network with Linux
Linux as a client for Windows file shares, including iptables
configuration. This may require opening the upper ports for the local network, that is
1025-65535 tcp and 1025-65535 udp.
The following configuration allows browsing (smbtree) from a Linux workstation in Helia:
iptables -A INPUT -p tcp --dport 137:139 -j ACCEPT
iptables -A INPUT -p udp --dport 137:139 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p udp --dport 1025:65535 -j ACCEPT
In particular, smbtree does not work without opening the high unprivileged
udp ports. Because that is a big hole, it is often smart to use --source ip/mask to
limit the allowed ip-numbers.
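Added example, not from the original notes: a sh function that reads an iptables-save dump and reports INPUT ACCEPT rules on the Samba ports, or on a wide udp range, that carry no --source limit. The sample dump is constructed from the rules above with one restricted 445 rule and an unrelated ssh rule added; treating a udp range of 1000 or more ports as the high-port hole is my assumption.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an iptables-save dump
# and report INPUT ACCEPT rules on the Samba ports (137-139, 445) or on a wide
# udp range (the smbtree case) that have no source restriction.
# SAMPLE_RULES is a constructed dump: the unrestricted rules from the notes,
# plus one restricted 445 rule and one unrelated ssh rule.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m udp --dport 1025:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# audit_smb_rules < DUMP: print every unrestricted Samba rule; exit 1 if any
audit_smb_rules() {
    awk '
    /^-A INPUT / && /-j ACCEPT/ {
        proto = ""; src = 0; hit = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "-s" || $i == "--source" || $i == "--src") src = 1
            if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                # NetBIOS 137-139 or SMB 445 anywhere inside the port range
                if ((lo <= 139 && hi >= 137) || (lo <= 445 && hi >= 445)) hit = 1
                # Assumption: a udp range of 1000+ ports is the
                # "high unprivileged ports" hole the notes warn about
                if (proto == "udp" && hi - lo >= 1000) hit = 1
            }
        }
        if (hit && !src) { print "unrestricted: " $0; bad++ }
    }
    END { exit (bad > 0) }'
}

# Stand-alone run: audit the constructed sample and summarise the verdict
if printf '%s\n' "$SAMPLE_RULES" | audit_smb_rules; then
    echo "sample: no unrestricted Samba rules"
else
    echo "sample: unrestricted Samba rules found"
fi
```

On a real host run `iptables-save | audit_smb_rules` as root; a non-zero exit status means at least one rule should get a --source restriction.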
For graphical browsing or a "Network Neighbourhood", use Konqueror. Nautilus has not worked too well
in my testing.
Todo: Explain how smb.conf and /etc/init.d/smb start affect browsing from a Linux workstation.
Firewall update 2008-04-11
Leo Tilson sent an improved firewall configuration, which I have not tested yet. Leo says that opening source ports lets you avoid opening the high ports.
iptables -t filter -A INPUT -j ACCEPT -p udp --dport 137
iptables -t filter -A INPUT -j ACCEPT -p udp --dport 138
iptables -t filter -A INPUT -j ACCEPT -p tcp --dport 139
iptables -t filter -A INPUT -j ACCEPT -p tcp --dport 445
iptables -t filter -A INPUT -j ACCEPT -p udp --sport 137
iptables -t filter -A INPUT -j ACCEPT -p udp --sport 138
Copyright 2003-mm-dd, 2003-09-28, 2004-05-13 (browsing notes) Tero Karvinen. All rights reserved.