Friday, February 22, 2008

Samba Security & Troubleshooting

Introduction
Configuring Samba for your office or home can provide many advantages. By encouraging users to store files on a central file server, you can simplify data backup and in some cases, software installation and maintenance.
Unfortunately, the initial configuration of Samba can be tricky. Many simple steps need to be executed in the correct order, and one small slip-up can have big repercussions. This chapter explores the ways in which you can recover from those mistakes that you couldn't avoid.
Testing The smb.conf file
Samba has a test utility called testparm that alerts you to errors in the smb.conf file. If you used SWAT to edit the file, you will usually pass the test successfully, as shown:

[root@bigboy tmp]# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
...
...
[root@bigboy tmp]#
A successful test only means that Samba will load the configuration file. There are other causes for Samba problems.
Note: You can use testparm to test a file that's different from the default /etc/samba/smb.conf configuration file. Simply provide the filename as the first argument like this:

[root@bigboy tmp]# testparm -s filename

Samba and Firewall Software
Firewall software installed both on your Windows PCs and on the Samba server itself may prevent Samba from functioning. Two popular firewall packages, iptables and ZoneAlarm, offer solutions.
Linux iptables
The Fedora installation process configures the iptables firewall package by default. You have two options when working with it. You can ensure that it is deactivated, which may be desirable on a secured network. Or, you can configure it to allow through such Microsoft protocols as NetBIOS (UDP ports 137 and 138, TCP port 139) and TCP port 445 for SMB file sharing without NetBIOS. Here is a sample script snippet:

#!/bin/bash

SAMBA_SERVER="192.168.1.100"    # Samba server address
NETWORK="192.168.1.0/24"        # Local area network
BROADCAST="192.168.1.255"       # Broadcast address of the /24 local area network above

# Loopback traffic is always allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# NetBIOS name and datagram services from the LAN to the server
iptables -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER \
    -m multiport --dports 137,138 -j ACCEPT
# NetBIOS session service and SMB over TCP from the LAN to the server
iptables -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport \
    --dports 139,445 -j ACCEPT
# NetBIOS name queries sent to the LAN broadcast address
iptables -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 \
    -j ACCEPT
# Everything else aimed at the Samba ports is dropped
iptables -A INPUT -p udp -d $SAMBA_SERVER -m multiport \
    --dports 137,138 -j DROP
iptables -A INPUT -p tcp -d $SAMBA_SERVER -m multiport \
    --dports 139,445 -j DROP
# Replies from the server to established LAN sessions
iptables -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
For more information, please refer to Chapter 14, "Linux Firewalls Using iptables".
Windows-based Zone Alarm
The default installation of Zone Alarm assumes that your PC is directly connected to the Internet. This means that the software will deny all inbound connections that attempt to connect with your PC. The NetBIOS traffic that Samba uses to communicate with the PCs on the network is therefore treated as hostile traffic.
The easiest way around this is to configure Zone Alarm to consider your home network a trusted network too. To do so, click on the Firewall tab and edit the settings for your home network; it will most likely have a 192.168.x.x/255.255.255.0 type entry. Make this network a trusted network instead of an Internet network, and ZoneAlarm should cease to interfere with Samba.
The Windows XP Built In Firewall
You may also need to disable the firewall feature of Windows XP. Follow these steps:
Bring up the Control Panel
Double-click on the Network Connections icon.
Right-click on your LAN connection icon and select Properties.
Click on the Advanced tab and then on the Windows Firewall Settings button.
Turn off the Internet Connection Firewall by clearing its check box. You may also leave the firewall on, but allow Windows file sharing traffic through this connection. This can be done by clicking on the Exceptions tab of the Windows Firewall dialog box and clicking on the File and Printer Sharing check box.
After you get Samba to work, you may want to experiment with the firewall software settings to optimize your security, keeping in mind that the clients must still be able to reach the Samba server.
Testing Basic Client / Server Network Connectivity
You can perform several tests to ensure that the Samba server and all its workstations can do basic communication with each other.
From the Samba Server
Ping the server's IP address and loopback address (127.0.0.1)
Ping the client's IP address
Ping the client using its DNS name
Telnet to all the IP addresses on the server on port 139
Next, from the Samba Client
Ping the client's IP address and loopback address (127.0.0.1)
Ping the server's IP address
Ping the server using its DNS name
Telnet to all the IP addresses on the server on port 139
If any of these tests fail, check your cabling, your routing, or the presence of a firewall running on either the server or the client.
Testing Samba Client / Server Connectivity
After configuring basic network connectivity, you need to go through a variety of tests to determine whether Samba has been configured correctly both on the server and client. As part of a thorough troubleshooting procedure:
1. Make sure your Samba server can see all the shares available on the network with the smbclient -L samba_server command. Press the Enter key when prompted for a password. Check your SWAT configuration for invalid hosts allow, hosts deny and invalid users entries.
Failure of this test may mean that Samba isn't running on the server at all and may need to be started.

[root@bigboy tmp]# smbclient -L bigboy
Password:
Anonymous login successful
Domain=[HOMENET] OS=[Unix] Server=[Samba 3.0.2-7.FC1]

Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)
Anonymous login successful
Domain=[HOMENET] OS=[Unix] Server=[Samba 3.0.2-7.FC1]

Server Comment
--------- -------
SILENT Samba Server

Workgroup Master
--------- -------
HOMENET BIGBOY
OTHERNET SILENT
[root@bigboy tmp]#
2. Use the nmblookup -B samba-server-IP-address __SAMBA__ command on the server to determine if the Samba software is running correctly. This should return the server's IP address if it is running correctly.

[root@bigboy tmp]# nmblookup -B 192.168.1.100 __SAMBA__
querying __SAMBA__ on 192.168.1.100
192.168.1.100 __SAMBA__<00>
[root@bigboy tmp]#
3. Use the nmblookup -B client-IP-address "*" command on the server to determine whether the client is accepting Samba queries. This should return the client's IP address if it is running correctly. If the test fails, check to see whether the client is running firewall software that could prevent communication. Another source of the problem could be that the "Client for Microsoft Windows" or "File and Printer Sharing for Microsoft Networks" settings on the client's NIC haven't been selected. You also could have entered an incorrect IP address.

[root@bigboy tmp]# nmblookup -B 192.168.1.103 "*"
querying * on 192.168.1.103
192.168.1.103 *<00>
[root@bigboy tmp]#
4. Use the nmblookup -d 2 "*" command on the server to tell it to broadcast a query message to the network. This should return answers from all locally connected clients and servers. Because this test sends out a broadcast request for information, it usually fails if either your client or server has an incorrect subnet mask configured on its NIC.

[root@bigboy tmp]# nmblookup -d 2 '*'
added interface ip=192.168.1.100 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=192.168.1.100 bcast=192.168.1.255 nmask=255.255.255.0
querying * on 192.168.1.255
Got a positive name query response from 192.168.1.100 ( 192.168.1.100 )
Got a positive name query response from 192.168.1.103 ( 192.168.1.103 )
Got a positive name query response from 192.168.1.100 ( 192.168.1.100 )
192.168.1.100 *<00>
192.168.1.103 *<00>
192.168.1.100 *<00>
[root@bigboy tmp]#
5. Use the smbclient //samba-server/tmp command to attempt a command-line login to the Samba server. When prompted for a password, use the Linux password of the account with which you logged in. You can test other accounts by adding the -U accountname option at the end of the command line. This should return a message that the login was successful. If you are doing this as user root, press the Enter key when prompted for a password.

[root@bigboy tmp]# smbclient //bigboy/TMP
Password:
Anonymous login successful
Domain=[HOMENET] OS=[Unix] Server=[Samba 3.0.2-7.FC1]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
[root@bigboy tmp]#
A message that warns of an invalid or bad network name could mean that the tmp service on the Samba server isn't correctly configured.
Messages related to bad passwords could mean that the user's account doesn't exist, that their smbpasswd wasn't created, or that the password entered is incorrect.
6. Log into the Windows workstation as a Samba user. (In the example below, the username is peter). Use the net view \\samba-server command to log into the Samba server from the command line and get a listing of your shares.
If it fails, then make sure your hosts allow, hosts deny and invalid users parameters are set correctly in your smb.conf file.
This test attempts to login using the username and password with which you logged into the PC. Make sure the corresponding Samba user has been created.
A "Network name not found" message usually points to an incorrect NetBIOS configuration on the client. Add the IP address of the Samba server to the WINS server settings, and enable Windows name resolution via DNS using the advanced TCP/IP settings menu on the PC. You can get to this menu using this method:
Click on the Network Connections icon in the Windows Control Panel.
Right-click on the network connection, and select Properties.
Click on the Internet Protocol (TCP/IP) menu option and then click on the Properties button.
Click on the Advanced button and then on the WINS tab.
You may also need to add the name of the Samba server to the PC's C:\WINDOWS\system32\drivers\etc\lmhosts file.
If you're successful, you should see:

C:\>net view \\bigboy
Shared resources at \\bigboy
Samba Server
Share name Type Used as Comment

------------------------------------------------
peter Disk Home Directories
The command completed successfully.
C:\>
If there is no user account, the test will fail and you will see:

C:\> net view \\bigboy
System error 5 has occurred.

Access is denied.
C:\>
7. Log into the Windows workstation as a Samba user. Try to map a drive letter to the user's default login directory on the Samba server. This is done with the net use x: \\samba-server\share command. Here we want user peter to have a DOS drive X: map to Peter's Linux home directory on the Samba server.

C:\>net use x: \\bigboy\peter
The command completed successfully.
C:\>
Make sure your password encryption is set correctly in the smb.conf file. As stated in Chapter 10, "Windows, Linux, and Samba", newer versions of Windows send encrypted passwords only. Make sure you have correctly configured the "encrypt passwords" option in the [global] section of smb.conf.
Failure could also mean that the server's smb.conf file hasn't been configured to automatically use the PC user's user name as the Samba login name. You can do this by setting the user=username option in the [tmp] section of the smb.conf file.
8. From the Samba server issue the nmblookup -M domain command to ensure that there is a master browser for the domain. Successful attempts should list the IP address of the master browser server. If not, you'll need to make sure that the preferred master parameter is set to yes in the [global] section of smb.conf.

[root@bigboy home]# nmblookup -M homenet
querying fedora on 192.168.1.255
192.168.1.100 homenet<1d>
[root@bigboy home]#
This may fail with some Windows NT clients if the Samba server has been configured not to use encrypted passwords. You will need to set the encrypt passwords option in the [global] section of the smb.conf file to yes. Remember that doing so may make logins from Windows 95/98/ME clients fail. As you can see, it is sometimes best to make all your clients run similar versions of the Windows operating system.
Once all this has tested positively, you should be able to see your domain under Windows' "My Network Places" located in file manager or in the Start Menu. You should also be able to browse through the shares as well.
Checking the Samba Logs
Samba stores all its log files in the /var/log/samba directory. If you find yourself having difficulties, try searching the nmbd.log and smbd.log files for clues.
Samba Network Troubleshooting
It is always a good idea to use such network troubleshooting tools as tcpdump to do detailed troubleshooting, especially if you're not sure whether there is any bidirectional connectivity between the Samba server and the workstation.
Basic Samba Security
You can restrict connections to your server on both a per-interface and a per-network basis in the [global] section of the smb.conf file. Always remember to include your loopback interface lo and the loopback interface's network 127.0.0.0/8 in your configuration.
This type of security is activated by:
Setting the bind interfaces only parameter to yes.
Configuring Samba to deny all connections by default and then allowing specified hosts through with the hosts allow and hosts deny settings. In this case the 192.168.1.0/24 network has been included as a valid network. You also can include the IP addresses of individual hosts in this list.
Specifying the interfaces on which Samba will be active. Interface eth0 is on the 192.168.1.0/24 network, so we have included it here.

[global]
...
bind interfaces only = Yes
hosts deny = ALL
hosts allow = 192.168.1.0/24 127.
interfaces = eth0 lo
...
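As an added example (not from the original chapter), the following POSIX shell script audits the [global] section of an smb.conf for the four settings just described, so a misconfigured or missing restriction is caught before the server is exposed. The function names, the temporary file paths and the two sample configurations it writes are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original chapter: audit the [global] section of an
# smb.conf for the restrictions described above. POSIX sh and awk only; samples constructed.
# Print key=value pairs from [global] only: keys lowercased, whitespace trimmed,
# comment lines (# or ;) and other sections skipped.
global_params() {
    awk '/^[ \t]*[#;]/ { next }
         /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[global\]/); next }
         insec && /=/ {
             key = tolower(substr($0, 1, index($0, "=") - 1))
             val = substr($0, index($0, "=") + 1)
             gsub(/^[ \t]+|[ \t]+$/, "", key)
             gsub(/^[ \t]+|[ \t]+$/, "", val)
             print key "=" val
         }' "$1"
}
# Value of one [global] parameter; empty when the parameter is unset.
param() {
    global_params "$1" | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print }'
}
# Exit 0 when every restriction is in place, 1 otherwise; findings go to stdout.
audit_smbconf() {
    f="$1"; rc=0
    case "$(param "$f" 'bind interfaces only' | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "FAIL: bind interfaces only is not yes"; rc=1 ;;
    esac
    case "$(param "$f" 'hosts deny' | tr 'a-z' 'A-Z')" in
        ALL) ;;
        *) echo "FAIL: hosts deny is not ALL, so there is no default deny"; rc=1 ;;
    esac
    case " $(param "$f" 'hosts allow') " in
        *" 127. "*|*" 127.0.0.0/8 "*) ;;
        *) echo "FAIL: hosts allow does not list the loopback network"; rc=1 ;;
    esac
    case " $(param "$f" 'interfaces') " in
        *" lo "*) ;;
        *) echo "FAIL: interfaces does not include lo"; rc=1 ;;
    esac
    return $rc
}
# Constructed samples: the weak file carries no restrictions at all.
WEAK_CONF="${TMPDIR:-/tmp}/smb-weak.$$.conf"
HARD_CONF="${TMPDIR:-/tmp}/smb-hard.$$.conf"
printf '[global]\n   workgroup = HOMENET\n[homes]\n   browseable = no\n' > "$WEAK_CONF"
printf '[global]\n   workgroup = HOMENET\n   bind interfaces only = Yes\n   hosts deny = ALL\n' > "$HARD_CONF"
printf '   hosts allow = 192.168.1.0/24 127.\n   interfaces = eth0 lo\n[homes]\n   browseable = no\n' >> "$HARD_CONF"
audit_smbconf "$HARD_CONF" && echo "hardened config: OK"
audit_smbconf "$WEAK_CONF" || echo "weak config: restrictions missing"
```

Point audit_smbconf at /etc/samba/smb.conf to check a live server; run testparm first, since the audit only reads the file and does not validate its syntax.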

Conclusion
By now you should have a fully functional Samba-based network that is suitable for the small office or home. If the network is located in the home, you may want to hide your server where it is less intrusive due to its physical presence or to the noise of its power supply fan or hard drive. A wireless network in some cases would be ideal. Chapter 13, "Linux Wireless Networking", discusses how to configure wireless NICs in Linux servers for this very reason.