The interwebz is thundering with doomsday predictions about the Samba CVE-2017-7494 exploit, and here I am, deciding that now is the best time to make a post on setting up Samba shares! xD
On a related note, if for some reason you can’t patch yet (the fix shipped in Samba 4.6.4, 4.5.10 and 4.4.14), there is a workaround with a real drawback: add the line nt pipe support = no to the [global] section of smb.conf. This blocks the named-pipe access the exploit relies on, but it also breaks some functionality for Windows clients, notably browsing the server’s share list. Keep in mind that the bug needs exactly what this post sets up, a share the attacker can write to, plus a guess at the server-side path of the uploaded file, so patching beats the workaround.
Back to the matter at hand. First, check whether Samba is already installed on the CentOS system.
Since it wasn’t installed on my machine, I installed it with yum install samba and then ran the previous command again to check the version.
Now, let’s start Samba and confirm that it is running.
Samba daemons
Samba’s functionality is split across three daemons:
smbd – file and print sharing and client authentication; listens on TCP ports 139 (NetBIOS session) and 445 (direct SMB)
nmbd – NetBIOS name service and browsing (UDP ports 137 and 138)
winbindd – Windows domain membership (maps domain users and groups to Unix identities)
Samba configuration
The Samba configuration file is /etc/samba/smb.conf. Here is how a fresh config file looks after installation.
For much more detailed information and examples, see the smb.conf.example file installed alongside it (/etc/samba/smb.conf.example on CentOS).
Create Samba share
In this example, let’s create a share that users can also write to. First, create the directory that you will share: mkdir -p /srv/samba/myshare. I placed a text file with some random stuff inside. Then I gave full access to the path and its subfolders with chmod -R 777 /srv/samba. Note that 777 makes the tree writable by every local account, not only by Samba clients; a tighter setup owns the directory by a dedicated group, sets mode 2770, and uses force group together with create mask and directory mask in the share definition so that files created over SMB stay group-owned.
Next, we need to create a Samba user, but this account is not the same as a user account on the system. Samba keeps its own password database, yet every Samba user must map to an existing Unix account, because that is the identity the kernel checks file permissions against. So we have to make a user account on the system before adding it to Samba.
Here I created a user just for Samba, with no login shell. Attempting to log in gives the user a message that the account is not available (this is what /sbin/nologin does). If you prefer that the user is disconnected with no message, you can specify /bin/false instead.
Then I gave the user account a description, which is stored in the comment (GECOS) field of /etc/passwd.
Then the user account gets a password. Note that SMB authentication uses the separate Samba password set in the next step; the Unix password only matters if the account can also log in locally.
Next, we create a Samba user from the previously created account (smbpasswd -a is the usual tool; see the man page links at the end).
To be safe, check that the Samba user was created (pdbedit -L lists the Samba password database).
We have the share location and the user, now we need to edit the smb.conf file with the relevant information.
I used comments for easier understanding, but you may want to keep the live file minimal. You can do that by keeping a fully commented copy for reference and generating the smb.conf that Samba actually reads from it with testparm -s, which checks the file for internal correctness and prints the parsed configuration with all comments (and default-valued settings) stripped.
We checked that our config file is valid, so now it’s time to test it. Restart Samba for the configuration to take effect with service smb restart (on systemd-based CentOS 7, systemctl restart smb nmb). And now let’s access the share! From another machine, I used smbclient -L to list the available services on the Samba server.
There is one last step that you need to accomplish if you have SELinux enabled. You have to label the directory you’re sharing with the samba_share_t type; otherwise smbd is denied access even though the Unix permissions allow it.
Now the /srv/samba directory and everything it contains is labeled correctly, and SELinux won’t interfere. View the security context of the path with ls -Z.
Changes made with chcon are temporary: they are lost on a filesystem relabel or when restorecon is run against the path. To make them permanent, record the type in the SELinux policy with semanage fcontext -a -t samba_share_t and a regular expression that covers the directory and everything below it.
Then apply them with restorecon -R -v /path.
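To tie the server-side steps together (directory and permissions, Unix and Samba accounts, the share stanza, testparm, SELinux labelling, reload), here is an added example script; it is not part of the original post. It assumes a share named myshare under /srv/samba/myshare, a Samba-only account smbuser in a group smbusers, and CentOS 7 with systemd; all of those are placeholders. It also swaps the post’s chmod -R 777 for a group-owned setgid directory and adds a small awk lint that refuses a writable share without valid users or with guest ok = yes.

```shell
#!/bin/bash
# Added example (not the original post's code): provision an authenticated,
# writable Samba share on CentOS 7 end to end. Share name, path, account and
# group are assumed values for the demo. Run as root with "apply" as the
# first argument to make changes; without it nothing on the system is touched.
set -e

SHARE_NAME="${SHARE_NAME:-myshare}"
SHARE_PATH="${SHARE_PATH:-/srv/samba/myshare}"
SMB_USER="${SMB_USER:-smbuser}"
SMB_GROUP="${SMB_GROUP:-smbusers}"

# Print the share stanza. A function so the text can be inspected and
# linted before anything is appended to /etc/samba/smb.conf.
render_share_config() {
  local name="$1" path="$2" user="$3" group="$4"
  cat <<EOF
[$name]
    comment = Writable share for $user
    path = $path
    browseable = yes
    read only = no
    guest ok = no
    valid users = $user @$group
    force group = $group
    create mask = 0660
    directory mask = 2770
EOF
}

# Lint a stanza file: every writable share must restrict "valid users" and
# must not set "guest ok = yes" (an anonymous writable share is the worst
# case for the CVE mentioned at the top). Exits 1 on any finding.
check_share_config() {
  awk '
    /^\[/                                   { sec = $0 }
    /^[ \t]*read only[ \t]*=[ \t]*no/       { w[sec] = 1 }
    /^[ \t]*writ[e]?able[ \t]*=[ \t]*yes/   { w[sec] = 1 }
    /^[ \t]*guest ok[ \t]*=[ \t]*yes/       { g[sec] = 1 }
    /^[ \t]*valid users[ \t]*=/             { v[sec] = 1 }
    END {
      bad = 0
      for (s in w) {
        if (s in g)    { print "finding: " s " is writable and allows guests" > "/dev/stderr"; bad = 1 }
        if (!(s in v)) { print "finding: " s " is writable without valid users" > "/dev/stderr"; bad = 1 }
      }
      exit bad
    }' "$1"
}

apply() {
  : "${SMB_PASSWORD:?export SMB_PASSWORD before running apply}"

  # 1. Group-owned setgid directory instead of chmod -R 777.
  groupadd -f "$SMB_GROUP"
  id "$SMB_USER" >/dev/null 2>&1 ||
    useradd -M -g "$SMB_GROUP" -s /sbin/nologin -c "Samba-only account" "$SMB_USER"
  mkdir -p "$SHARE_PATH"
  chown -R root:"$SMB_GROUP" "$SHARE_PATH"
  chmod 2770 "$SHARE_PATH"

  # 2. The Samba password lives in Samba's own passdb, separate from /etc/shadow.
  printf '%s\n%s\n' "$SMB_PASSWORD" "$SMB_PASSWORD" | smbpasswd -s -a "$SMB_USER"
  pdbedit -L | grep -q "^${SMB_USER}:"

  # 3. Lint the stanza, append it, then let testparm validate the whole file.
  local stanza
  stanza="$(mktemp)"
  render_share_config "$SHARE_NAME" "$SHARE_PATH" "$SMB_USER" "$SMB_GROUP" > "$stanza"
  check_share_config "$stanza"
  cat "$stanza" >> /etc/samba/smb.conf
  rm -f "$stanza"
  testparm -s /etc/samba/smb.conf > /dev/null

  # 4. SELinux: persistent file-context rule first, then apply it to the tree.
  semanage fcontext -a -t samba_share_t "${SHARE_PATH}(/.*)?" 2>/dev/null ||
    semanage fcontext -m -t samba_share_t "${SHARE_PATH}(/.*)?"
  restorecon -R -v "$SHARE_PATH"

  # 5. Pick up the new configuration.
  systemctl restart smb nmb
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Without the apply argument the script only defines its functions, so render_share_config and check_share_config can be exercised on a scratch file before anything is written to /etc/samba/smb.conf.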
Finally, to connect to a share, use the syntax smbclient //host/sharename -U username (in my example the share is literally named sharename, because laziness).
Useful smbclient commands once connected:
help – list the available commands
get – download a file
del – delete a file
put – upload a file
From a Windows system, you can open \\192.168.217.131\sharename (in Explorer or the Run dialog) to connect to the share, or use the net command:
net view \\192.168.217.131 – list the shares the server offers
net use Z: \\192.168.217.131\sharename /user:username – map the share to a drive letter
Other useful options
You can drill down into the smb.conf file and customize it to your liking. Here are a few options:
read list = user1, user2 – these users get read-only access on an otherwise writable share
write list = user1, user2 – these users get write access on an otherwise read-only share
hosts deny = ip (deny hosts is a synonym) – refuse connections from the listed IPs or networks; hosts allow takes precedence when a host matches both
hide unreadable = yes – don’t show users files they don’t have permission to read
browseable = no – don’t advertise the share in the browse list; it can still be opened by name, so this hides but does not restrict access
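The options above combined on one share, as an added example that is not the original post’s configuration; the share name, the groups and the 192.168.217.0/24 network are assumed for illustration. The share is read-only by default, writable for one group, reachable only from one subnet, and not advertised:

```ini
; Added example, not from the original post. Names, groups and the
; 192.168.217.0/24 network are placeholders.

[finance]
    comment = Read-only for the department, writable for editors only
    path = /srv/samba/finance
    ; not advertised in the browse list; clients must know the name
    browseable = no
    ; no anonymous access
    guest ok = no
    ; everyone in "valid users" gets read-only access ...
    read only = yes
    valid users = @finance, @finance-editors
    ; ... except members of this group, who may write
    write list = @finance-editors
    ; "hosts allow" wins over "hosts deny", so together they form an allow-list
    hosts allow = 192.168.217.0/24
    hosts deny = ALL
    ; don't list files the connecting user cannot read
    hide unreadable = yes
```

On a share that is writable by default the inverse works the same way: set read only = no and name the exceptions in read list. Run testparm -s after adding the stanza to confirm it parses.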
Key takeaways:
the share and server security modes (security = share / security = server) were removed in Samba 4, so don’t use them
specifying a share in the smb.conf file is not enough. Ensure that you have created the path and given it sufficient permissions (and no more than that)
Samba users need to already exist on the system
you can have both a well documented config file and a minimal one by generating the latter with testparm -s
if you use SELinux, don’t forget to label your share with samba_share_t (and make the label persistent with semanage fcontext)
Learn more:
smb.conf manpage – The configuration file for the Samba suite
smbpasswd man page – The Samba encrypted password file
pdbedit manpage – manage the SAM database (Database of Samba Users)
testparm manpage – check an smb.conf configuration file for internal correctness
smbclient manpage – ftp-like client to access SMB/CIFS resources on servers