ext3+gnu_linux+samba = fast and reliable fileserver.
WARNING! Security problems: versions from 3.5.0 to 4.6.4 (the current release in May 2017) are affected and need to be patched!
patches are available from: https://www.samba.org/samba/patches/
Unfortunately EVEN Debian9 (!!!! GUYS FIX THAT FAST !!!!) is shipping an affected version?: 4.5.8-Debian https://packages.debian.org/en/stretch/samba
prior to running a debian8 fileserver, a small and medium sized company was running ubuntu server with smb as a virtualbox VM (1GB RAM is more than enough) on windows 7 professional.
both work flawlessly, fast and reliable, and we haven’t lost a single file (except when some ransomware decided to encrypt all network shares… but that is a different story and samba is not to blame) – while at the same time circumventing the maximum of 20 simultaneous connections that windows 7 comes with.
unfortunately – some software vendors explicitly demand a windows-share for their software to work properly. (i guess they do not want to do the double-testing)
With samba you can have as many connections as your server can handle.
Plus: it is pretty easy to get started.
setup and install
this is rather easy.
    hostnamectl; # tested with (but probably works the same across distros)
       Static hostname: debian
      Operating System: Debian GNU/Linux 9 (stretch)
                Kernel: Linux 4.9.0-3-amd64
          Architecture: x86-64

    # client version
    C:\Users>ver
    Microsoft Windows [Version 6.3.9600]

    su; # become root
    apt update; apt install -y samba; # debian/ubuntu
    yum install -y samba; # centos/redhat

    samba -b; # show build/version
    Samba version: 4.5.8-Debian
    Build environment:
    Paths:
       BINDIR: /usr/bin
       SBINDIR: /usr/sbin
       CONFIGFILE: /etc/samba/smb.conf
       NCALRPCDIR: /var/run/samba/ncalrpc
       LOGFILEBASE: /var/log/samba
       LMHOSTSFILE: /etc/samba/lmhosts
       DATADIR: /usr/share
       MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
       LOCKDIR: /var/run/samba
       STATEDIR: /var/lib/samba
       CACHEDIR: /var/cache/samba
       PIDDIR: /var/run/samba
       PRIVATE_DIR: /var/lib/samba/private
       CODEPAGEDIR: /usr/share/samba/codepages
       SETUPDIR: /usr/share/samba/setup
       WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
       WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
       NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

    # follow samba logs
    tail -f /var/log/samba/log.* &
creating a free for all shared folder: sharing files with everybody
If you would like to have a share where all users in your network can upload but also delete files – you can do it like this:
BE AWARE: this means – angry users might upload a virus.doc or delete the whole directory.
Always make daily backups and keep them a week or two!!!
(even if this share is meant for “temporary” files.)
HAHA! Yes for sure and in the end your life depends on those “temporary” files… “great”..
    # prepare storage dirs
    mkdir -p /home/shares/public
    chown -R root:users /home/shares/public/
    chmod -R ug+rwx,o+rx-w /home/shares/public/

    vim /etc/samba/smb.conf; # edit main config file and add those lines at the very end

    [public]
    # path must point at the directory prepared above
    path = /home/shares/public
    force group = users
    create mask = 0660
    directory mask = 0771
    browsable = yes
    writable = yes
    guest ok = yes

    :wq # save and quit
test the config for errors:
    testparm
    testparm -v; # show all settings
example output: testparm.verbose.all.settings.txt
if everything is fine restart samba service like this:
systemctl restart smbd.service; # activate config
accessing the share from windows
on your windows client hit Win+R -> RUN -> test to access the share:
with a config like this new folders and files are created (from a windows client) with those users and permissions:
    ll /home/shares/public/
    total 20K
    drwxrwxr-x 3 root   users 4.0K Aug 2 15:04 .
    drwxr-xr-x 4 root   root  4.0K Aug 2 15:01 ..
    drwxrwx--x 2 nobody users 4.0K Aug 2 15:04 test
    -rw-rw---- 1 nobody users    6 Aug 2 15:04 test2.txt
    -rw-rw---- 1 nobody users    4 Aug 2 15:03 test.txt
accessing the share from linux
is also doable.
    apt-get install cifs-utils; # install samba-client software
    mkdir /mnt/cifs; # create mountpoint
    mount -t cifs //172.20.0.5/public /mnt/cifs --verbose -o user=nobody;
    Password for nobody@//172.20.0.5/public: # simply hit enter (no password)
    mount.cifs kernel mount options: ip=172.20.0.5,unc=\\172.20.0.5\public,user=nobody,pass=********

    root@debian9:/home/user# ll /mnt/cifs/
    total 4.0K
    drwxrwxr-x+ 3 root   users    0 Aug 2 15:35 .
    drwxr-xr-x  3 root   root  4.0K Aug 2 16:25 ..
    drwxrwx--x+ 2 nobody users    0 Aug 2 15:35 secret
if you set:
browsable = no
you can still access the share but the folder itself is not visible when accessing the host via smb.
this can be useful to hide shares from the “normal” user – but it is not access control: the share is still reachable by name, so don’t expect super-hackers to not find and encrypt-for-ransom all your hidden files….
accessing user’s home directories with password protection/auth
    useradd tom -m -G users; # add new user to linux
    passwd tom; # define linux-login-password for user
    smbpasswd -a tom; # define smb-password for user you could use "tomtom"

    vim /etc/samba/smb.conf; # edit main config file and add those lines at the very end

    [homes]
    comment = Home Directories
    browseable = no
    valid users = %S
    writable = yes
    create mask = 0700
    directory mask = 0700

    :wq # save and quit vim

    systemctl restart smbd.service; # restart samba
works like a charm:
samba and security:
if you need to share files securely over internet or inside a LAN SFTP IS THE CHOICE!
It is basically FTP over SSH.
if you know SSH you will have a SFTP server in 10 minutes.
it is funny – that if you program a linux-clone for a windows-program/protocol… you end up implementing the same security problems. X-D
(okay … NFS security is not better)
Versions from 3.5.0 to 4.6.4 (the current release in May 2017) are affected.
patches are available from: https://www.samba.org/samba/patches/
Testing for wcry
start up a second debian linux, modify the host’s IP (172.20.0.5) to that of your samba-server and go:
    apt install nmap; # install nmap scanner
    wget https://raw.githubusercontent.com/Waffles-2/SambaCry/master/CVE-2017-7494.nse
    nmap -sC -p 445 --script CVE-2017-7494.nse 172.20.0.5

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-02 16:48 CEST
    Nmap scan report for 172.20.0.5
    Host is up (0.00065s latency).
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    MAC Address: 00:15:5D:00:07:13 (Microsoft)

    Host script results:
    | CVE-2017-7494:
    |   State is: POTENTIALLY VULNERABLE
    |   Samba-vuln-CVE-2017-7494
    |   Summary: Remote code execution from a writable share.
    |   Description: A Samba vulnerability (CVE-2017-7494) enables a malicious attacker with valid write access to a file share to upload and execute an arbitrary binary file which will run with Samba permissions.
    |   Affected Version: All versions of Samba from 3.5.0 onwards.
    |_  For more info: https://www.guardicore.com/2017/05/samba/

    Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds

    # IF YOU WANT TO SCAN AN ENTIRE NETWORK! (WARNING! THIS MIGHT CRASH THE SMB-SERVER!)
    nmap -sC -p 445 --script CVE-2017-7494.nse 172.20.0.0/24
In May 2017 it became known that security problems similar to those in Microsoft's software, which can be exploited in the form of WannaCry, also exist in a similar form in Samba.
This flaw, called SambaCry by analogy, makes it possible to execute injected malicious code on the affected Samba system.
The flaw affects all Samba versions from version 3.5.0 up to version 4.6.4, which was the current version in May 2017.
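The scan output above names write access to a share as the precondition, and the [public] share from this post grants that to guests. The following check is an added example, not part of the original post: it parses an smb.conf, lists shares that guests can write to, and reports whether `nt pipe support = no` (the workaround given in the Samba advisory for CVE-2017-7494) is set in [global]. The function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the [public] and [homes] shares from this post.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
[public]
   path = /home/shares/public
   writable = yes
   guest ok = yes
[homes]
   valid users = %S
   writable = yes
"""

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
# smb.conf synonyms, folded to one canonical name each
SYNONYMS = {"writeable": "writable", "write ok": "writable", "public": "guest ok"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names and values are lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            conf[section][SYNONYMS.get(key, key)] = value.strip().lower()
    return conf

def is_writable(share):
    """'read only = no' and 'writable = yes' both make a share writable."""
    if "read only" in share:
        return share["read only"] in FALSE
    return share.get("writable", "no") in TRUE

def audit(text):
    """Report guest-writable shares and whether 'nt pipe support = no' is set."""
    conf = parse_smb_conf(text)
    risky = sorted(name for name, share in conf.items() if name != "global"
                   and is_writable(share) and share.get("guest ok", "no") in TRUE)
    pipes_off = conf.get("global", {}).get("nt pipe support", "yes") in FALSE
    return {"guest_writable": risky, "nt_pipe_support_disabled": pipes_off}
```

Run `audit(open("/etc/samba/smb.conf").read())` on the server; per-share settings inherited from [global] are not resolved by this sketch, so `testparm -v` remains the authoritative view.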
Nowadays, the Samba Team needs a dollar instead of pizza 😉
-> Samba Team
c/o Software Freedom Conservancy, Inc.
137 Montague St Ste 380
Brooklyn, NY 11201-3548
Why do we need money?
You may be wondering why the Samba Team needs money. The main expenses that we have are travel expenses for team members to the major Samba related conferences and expenses for running the main samba.org site. We occasionally have other expenses (eg. small pieces of hardware and books) but that is less common.
A good example of our travel expenses is the CIFS conference in San Jose. We usually have between ten and fifteen team members attending each year and while most of them are covered by the company they work for, we do need to provide international travel and accommodation for some of them.