The Kluge of Samba for Win2K security

Luis shows you how to make better use of Samba beyond SMB shares in your Windows 2000/AD domain.

The Kluge of Samba
Samba is not just a dance of African origin, but a suite of software programs originally developed by Andrew Tridgell that implements the Server Message Block (SMB) protocol to network dissimilar operating systems (OSes), such as Red Hat Linux and Windows 2000 servers, so they can share resources. Samba (a variant of SMB), now open source and still managed by Mr. Tridgell, provides its clients with shared file and print services. For example, Windows hosts can access shared directories and devices on Linux hosts, and vice versa. Although Samba was originally created for sharing resources between OS-agnostic hosts, security was not its primary objective. Find out how to make both Linux and Windows 2003 servers tango together with security steps for Samba. You'll want to read along if you have a heterogeneous environment or require harmony between Linux, Samba, and Windows 2000 security in the near future. I'll address security tips and setup instructions (GUI- and command line-based) to assist you with Samba/SMB server configuration and security. In this mini series, I'll also show you how to make better use of Samba beyond SMB shares in your Windows 2000/Active Directory (AD) domain.

When was the last time you checked your file and print sharing security?

Security steps
Over the next few weeks, I'll look at the security concerns of integrating Samba for directory and device sharing, and the non-traditional critical roles that Samba can play in a Win2K/AD domain. We begin by focusing on basic security first and then work our way through advanced security tips for Samba, SMB shares, and beyond. If you are experiencing issues trying to set up SMB shares, Medina's Quick Setup instructions (see below) will guide you through the necessary steps to set up Samba. The Native Command Reference List section will provide you with basic Samba commands (and daemons), which are also used to test SMB connectivity in the Testing Win2K and Samba (Linux) section. Now, let's examine your Samba server configuration using the Samba Web Administration Tool (SWAT) program.

For a new Samba implementation, consider creating a dedicated file system exclusively for sharing files between assigned groups in your company. Avoid using a central repository location or well-known directories, even for assigned groups, since this location will eventually become a directory with information not always qualified for sharing among peers.

Basic security and global variables:

  1. Edit the /etc/services file and add "swat <non-default port>/tcp" (default is 901).
  2. Edit the /etc/xinetd.d/swat file and modify these fields:
    1. Port - Set to the non-default port you specified in the /etc/services file.
    2. Only_from - Confirm it is set to 127.0.0.1 (localhost) to restrict SWAT use to the console only and avoid sending the clear-text password to another host.
    3. Disable - Set to "no" so that you can start the SWAT service.
  3. Create an lmhosts file in the /etc/samba/ directory and enter the IP addresses of the hosts that are permitted to connect to the Samba server; for example:
    192.168.0.2 winclient windows
    192.168.0.3 linserver samba
    192.168.0.4 winclient2 windows2
  4. At a minimum, use User security and avoid using Share or Server security.
  5. Encrypt passwords.
  6. Restrict hosts to SMB shares based on the global variable "hosts allow".
  7. As always, don't use the guest account.
  8. Set the appropriate log level for your organization.

Medina's quick setup
We'll focus on setting up Samba and the Samba Web Administration Tool (SWAT) using the KDE Desktop Environment. To check whether your server already has the samba, samba-client, and samba-swat packages installed, go to System Settings > Packages and make sure that Windows File Server is selected (2/2) in Package Management. You'll need CD-ROM #2 of your Red Hat Linux 8.0 (Psyche) distribution to install samba and samba-client if Windows File Server is not checked. A quick way to verify which version of the Samba packages is installed on your Red Hat Linux 8.0 server is to:

  1. Go to Run Command… and bring up a console by running the "konsole" command.
  2. Enter "rpm -q samba"; the package manager should return "samba-2.2.5-10".
  3. Ditto for "rpm -q samba-client" and "rpm -q samba-swat".

If CD-ROM #2 is not available, ftp to either ftp.redhat.com or ftp.findrpm.net and navigate your way (using case-sensitive names) to download the above RPMs from this directory path: "cd /linux/redhat/8.0/en/os/i386/RedHat/RPMS/". To install the downloaded packages, simply right-click on each package and then select Install Packages, or in a "konsole" window, enter "rpm -i <package name>*" (rpm's install option is -i, or --install in long form):

For example:
  rpm -i samba*
  rpm -i samba-client*
  rpm -i samba-swat*
(Note that the shell glob "samba*" also matches the samba-client and samba-swat package files if they sit in the same directory, so the first command may already install all three.)

Once you have verified that the (above) packages exist, follow these 12 steps to 1) set up Samba, 2) set up a basic SMB share, and 3) test connectivity between Samba (Linux) and Win2K servers. The objective here is to establish security once SMB connectivity is working, in a staging environment.

  1. Edit the /etc/services file and add "swat <non-default port>/tcp" (default is 901).
  2. Edit the /etc/xinetd.d/swat file and modify these fields:
    1. Port - Set to the non-default port you specified in the /etc/services file.
    2. Only_from - Confirm it is set to 127.0.0.1 (localhost) to restrict SWAT use to the console only and avoid sending the clear-text password to another host.
    3. Disable - Set to "no" so that you can start the SWAT service.
  3. Create an lmhosts file in the /etc/samba/ directory and enter the appropriate IP address and hostname of the Samba server and Win2K hosts; for example:
    192.168.0.5 winclient windows
    192.168.0.6 linserver samba
  4. Run "service xinetd restart" to reload the /etc/services file and refresh xinetd. Or, if you prefer, run "ps -ef | grep xinetd" and then "kill -1 <Process ID of xinetd>".
  5. Launch the Konqueror browser locally to http://localhost:<non-default port>; for example: http://localhost:1000.
  6. Enter the Username and Password to connect to the "SWAT at localhost" site.
  7. Congratulations! You should now see a "Welcome to SWAT!" message.
  8. Click on the GLOBALS icon, define the following fields, and then commit the changes:
    In Base Options:
    • Workgroup - Enter the exact name of your workgroup, e.g., netgroup.
    • NetBIOS Name - Enter the exact name of your Samba host, e.g., linserver.
    In Security Options:
    • Encrypt Passwords - Select Yes. If not selected, you will get a message to the effect of "account not authorized…" on the Win2K host.
    In WINS Options:
    • WINS Server - Leave blank (do not enter an IP address).
    • WINS Support - Select Yes. (Remember to commit changes.)
  9. Click on the SHARES icon and type a name in the Create Share field, e.g., "tmp", which we'll use as a temporary share.
  10. Click on Create Share to define the Share Parameters (e.g., path = /tmp).
  11. Click on Commit Changes to create the basic "tmp" share.
  12. Click on the STATUS icon and start the "smbd" and "nmbd" services.
      If nmbd does not want to start, run "testparm" in a konsole window to test the parameter values set in the smb.conf file, and then:
    1. Check that your lmhosts file is located in the /etc/samba directory.
    2. Verify that the correct IP address is associated with the hostname in the lmhosts file.
    3. Verify that the hostname of the Samba server reflects the lmhosts entry.

Now you are ready to begin testing connectivity between your Samba server and SMB clients. Read the section "Testing Win2K and Samba (Linux)" to find out how to test SMB from Windows 2000 hosts beginning with Linux Samba server.

Native Command/Service reference list

Native Command List
  • smbpasswd - allows SMB clients such as Linux or Windows 2000 hosts to modify the Samba password used for SMB shares
  • smbstatus - shows session information for connected clients
  • nmblookup - allows Linux to perform queries using NetBIOS
  • testparm - checks the smb.conf file for proper flag/parameter syntax
  • testprns - checks printer names used by Samba
  • smbclient - allows Linux users to access SMB shares on Windows 2000 servers
  • smbd - the daemon (or service, in the Microsoft world) that provides SMB clients access to shared directories and devices on a Linux server, such as Red Hat 8.0
  • nmbd - the daemon that provides browsing through NetBIOS

These are just some of the commands and tools that make up the Samba suite.

Testing Win2K and Samba (Linux)
Okay, if you have made it this far, you are definitely on a roll and on the way to establishing SMB connectivity: your Windows 2000 hosts and Linux server are either already communicating via the NetBIOS protocol, or will be by the time you are done with this section.

If you recall, in Medina's Quick Setup section, we created a temporary share called "tmp" with the path /tmp. Let's begin testing SMB on the Linux server and work our way to the Windows 2000 hosts:

Testing from Red Hat Linux 8.0 Server (in konsole mode) running Samba version 2.2.5:

  1. To test the configuration values defined in your /etc/samba/smb.conf file, use the command:
    testparm (if there are no configuration issues, you will see "Loaded services file OK".)
  2. To verify that your Samba server is available and hosting a list of SMB shares, type the command (the parameter is case-sensitive):
    smbclient -L <Samba hostname/IP address>, e.g., smbclient -L linserver or smbclient -L 192.168.0.3.
    (Confirm that the Sharename, Server, and Workgroup reflect your setup.)
  3. To check that your Samba server is doing proper WINS resolution, type the command:
    nmblookup <hostname/NetBIOS name>, e.g., nmblookup linserver. You should see output similar to this displayed on your screen:
    querying linserver on 192.168.0.255
    192.168.0.3 linserver<00>
  4. To check if SMB clients are connected, use the command: smbstatus

Testing from Windows 2000 host:

  1. To avoid "System error 51 has occurred, the remote computer is not available", enable Client for Microsoft Networks in the General tab of your Local Area Connection Properties.
  2. Enable "NetBIOS over TCP/IP" and LMHOSTS lookup.
  3. Create an lmhosts file in the ../drivers/etc folder and enter the IP address and hostname of the Win2K host and Samba server; for example:
    192.168.0.2     winclient windows
    192.168.0.3     linserver samba
  4. Purge and reload updates to lmhosts by using the command (case-sensitive):
    nbtstat -R
  5. To check if NetBIOS is properly registering the Samba server, enter the command:
    nbtstat -a <hostname/NetBIOS name>
    For example, nbtstat -a linserver shows:
    Node IpAddress: [192.168.0.2] Scope Id: []

               NetBIOS Remote Machine Name Table

           Name                      Type              Status
        ----------------------------------------------------------
        LINSERVER                  <00> UNIQUE       Registered
        LINSERVER                  <03> UNIQUE       Registered
        LINSERVER                  <20> UNIQUE       Registered
        _MSBROWSE__.               <01>  GROUP       Registered
        NETGROUP                   <00> GROUP        Registered
        NETGROUP                   <1D> UNIQUE       Registered
        NETGROUP                   <1E> GROUP        Registered

  6. Verify that your host is resolving names using NetBIOS (139) and not just broadcasts by using the command:
    nbtstat -r
  7. Check active connections by using the command:
    netstat -na
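As an added example (not the article's code), the following script reads the nbtstat -a name table from step 5 (embedded here as a constructed sample) and checks the names a Win2K client relies on: the server's <00> workstation name, its <20> file-server name (the one SMB clients connect to), and the workgroup's <00> group name; the workgroup's <1D> entry shows the host is the local master browser. The LINSERVER/NETGROUP names are the article's; the function names are this example's own.

```python
import re
# Constructed sample: the nbtstat -a output shown in step 5 above.
NBTSTAT_OUTPUT = """\
Node IpAddress: [192.168.0.2] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name                      Type              Status
    ----------------------------------------------------------
    LINSERVER                  <00> UNIQUE       Registered
    LINSERVER                  <03> UNIQUE       Registered
    LINSERVER                  <20> UNIQUE       Registered
    _MSBROWSE__.               <01>  GROUP       Registered
    NETGROUP                   <00> GROUP        Registered
    NETGROUP                   <1D> UNIQUE       Registered
    NETGROUP                   <1E> GROUP        Registered
"""

# One table row: name, two-hex-digit suffix, UNIQUE/GROUP, status.
ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

def parse_name_table(text):
    """Return {(name, SUFFIX): (type, status)} from nbtstat -a output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            table[(name, suffix.upper())] = (kind, status)
    return table

EXPECTED = (("00", "UNIQUE", "workstation"), ("20", "UNIQUE", "file server"))

def check_samba_registration(table, server, workgroup):
    """List problems with the names the client relies on; empty list means all registered."""
    problems = []
    for suffix, kind, role in EXPECTED:
        entry = table.get((server, suffix))
        if entry is None:
            problems.append("%s<%s> (%s) not registered" % (server, suffix, role))
        elif entry != (kind, "Registered"):
            problems.append("%s<%s> (%s) is %s %s" % ((server, suffix, role) + entry))
    if table.get((workgroup, "00")) != ("GROUP", "Registered"):
        problems.append("%s<00> workgroup name not registered" % workgroup)
    return problems

def is_master_browser(table, workgroup):
    """<1D> UNIQUE on the workgroup name marks the local master browser."""
    return table.get((workgroup, "1D")) == ("UNIQUE", "Registered")
```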

Basic sample SMB.CONF

# Samba config file created using SWAT
# from localhost (127.0.0.1)
# Date:  <original date>

# Global parameters
[global]
 workgroup = NETGROUP
 netbios name = LINSERVER
 wins support = Yes

[tmp]
 path = /tmp
 username = <unique account>
 guest ok = no

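The following added example (not code from the article or the Samba project) audits an smb.conf against the Basic security checklist from the Security steps section, serving both that list and the sample above: a weak configuration (the sample plus Share-level security and a guest share) is checked beside a hardened one. Both configs are constructed; absent keys are assumed to take Samba 2.2's defaults (security = user, encrypt passwords = no, guest ok = no, no hosts allow restriction), and "valid users" is the real Samba parameter used here in place of the sample's "username".

```python
# Constructed configs (not from the article): WEAK is its sample with share-level
# security and a guest share; HARDENED applies the checklist with its lmhosts hosts.
WEAK_SMB_CONF = """\
[global]
 security = share
[tmp]
 path = /tmp
 guest ok = yes
"""

HARDENED_SMB_CONF = """\
[global]
 security = user
 encrypt passwords = Yes
 hosts allow = 127.0.0.1 192.168.0.2 192.168.0.4
[tmp]
 path = /tmp
 valid users = <unique account>
 guest ok = no
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}} with lower-cased keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit(conf):
    """One finding per checklist item violated; absent keys fall back to Samba 2.2 defaults."""
    g, findings = conf.get("global", {}), []
    if g.get("security", "user").lower() != "user":               # default: user
        findings.append("security = %s (use user, not share or server)" % g["security"])
    if g.get("encrypt passwords", "no").lower() != "yes":          # 2.2.x default: no
        findings.append("encrypt passwords is off")
    if "hosts allow" not in g:                                     # default: every host
        findings.append("hosts allow unset: any host may connect")
    for name, share in conf.items():                               # default: guest ok = no
        if name != "global" and share.get("guest ok", g.get("guest ok", "no")).lower() == "yes":
            findings.append("[%s] guest ok = yes" % name)
    return findings
```

Run it against the real /etc/samba/smb.conf with open() before committing changes in SWAT; testparm still validates syntax, but it does not flag these policy choices.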

Medina's network diagram

Samba software links

  1. Samba GUI Manager Page: http://us2.samba.org/samba/GUI/.
  2. SMB/CIFS Clients: http://us2.samba.org/samba/Linux_CIFS_client.html.
  3. Samba Web Administration Tool (SWAT): http://rpmfind.net/linux/rpm2html/search.php?query=swat.

For more information

Luis Medina is the author of "The Weakest Link Series," which offers network managers an opportunity to identify ongoing network security issues. Luis also answers security questions in our Ask-the-Expert section. Submit a security question to Luis or view his previously answered Ask-the-Expert questions.

You can find over 100 security tips to protect your enterprise network today in my new security book titled "The Weakest Security Link Series," 1st edition 2003 by Luis F. Medina, available now at Barnes and Noble (www.bn.com) and at www.amazon.com; or visit my Web site for more information at www.medinasystems.com.
Copyright 2003 Luis F. Medina.

This was first published in March 2003
