Samba
Status
As of 28 Nov 2004, samba works fine on clitunno but spello
fails as a client (works as a server) -- it can't change the timestamp
on a samba shared file.
The whole samba setup is not done properly, although Spello works for Clit, which is what matters.
Summary
- Samba is used to connect Win boxes to Linux, or the Linux
boxes to Nicco.
- It is also a backup for the default NFS
connections between the Linux boxes.
- I'm not sure if Samba is quite as fast as NFS -- I'm
getting close to a gig/sec transfer rates on NFS.
- Nicco can be mounted from the desktop of both Gubbio and
Cyberspace, in both steen and root.
- Nicco can also be mounted from the command line, with
"mount nicco" and "umount nicco"
- This can also be done remotely through ssh as user steen (!)
- Gubbio has been defined as a samba server, and I can
connect to it from Spello and cyberspace, giving me access for instance
to the giant drive and the Windows D drive.
- Note that Gubbio's smb.conf can easily be expanded to allow
a couple of other hosts, simply by creating a user for someone else and
then defining the appropriate resources for that person in the mnt
directory.
- Once I got it working on gubbio, I duplicated the solution
on Cyberspace.
- Looks good! The gory details are below.
- See the log in /var/log/samba/log.smbd
Commands
- just restart samba (or /etc/init.d/samba restart)
- just stop samba
- just start samba
- smbpasswd -a steen (create a new samba user and set his password)
- smbclient -L <host>
- ps auxww | grep mbd (Is samba running?)
- pico /etc/samba/smb.conf
- http://localhost:901 (or give system
name for remote systems -- SWAT)
- testparm (verifies that your smb.conf files are ok)
- smbstatus (finds locked files)
- /usr/bin/smbclient \\\\cyberspace\\steen (Mount a share on gubbio)
- nmblookup -B SPELLO __SAMBA__ (check server)
- nmblookup -d 2 '*' (available servers)
- nmblookup -M sunrise (master browser)
- mount /mnt/gubbio -o debug=10 (debug mode)
- smbtree
- tail -f /var/log/samba/log.smbd (watch shares being mounted on host)
- rpcclient
- smbcacls
To accomplish
- Reconcile vmware samba and spello samba -- cf.
/etc/vmware/vmnet1/smb/smb.conf
- Samba is working fine -- the only thing I can't do is mount
WinGubbio on Spello!
- Tighten up security -- possibly with ipfilters -- samba is
insecure (but see below!)
- On 13 August 2002, I commented out the following services
from /etc/inetd.conf:
* Samba smbd
* Samba nmbd
* Samba swat
It's started by /etc/rc.config and having it in inetd just
generates lots of error messages in xconsole. Note that you should
leave it in /etc/rc.config and leave it commented out in inetd.conf to
avoid these error messages.
If you want to use SWAT again, uncomment it from inetd -- I wasn't
using it, so no point in exposing the port. (Note that I enabled SWAT
on Spello with the adminmenu -- cf Debian.)
Guides
Intruders
- See all incoming requests at file:/var/log/samba/log.nmbd
(user root)
- Gustavo at 218.66.146.70 (November 2002) is the Asia
Pacific Network Information Centre
- Alevrius at 212.171.59.58 (November 2002) is Telecom Italia
<ripe-staff@telecomitalia.it>
- file:/var/log/samba/log.localhost (browse as root) contains
loads of intruders
Tweaks
In the boot log up to 30 June 2002, I got the error message
"smbfs: Unrecognized mount option noexec." In fstab, I have
"noauto,username=xxx,password=xxx,user,uid=500 0 0" -- nothing about
noexec. Someone suggested that "user" implies noexec, and smbmount
doesn't understand "user" either. I try removing it, but get "only root
can mount" and reinstate it.
Proposed default configuration: http://www.tldp.org/HOWTO/SMB-HOWTO-6.html
9 January 2006 update
Connecting from XP in VMware to spello works -- just use the
IP number and not the name. The connecting machine's IP number is that
of clitunno, not the IP address shown within VMware! The connection log is in /var/log/samba/log.smbd:
[2006/01/10 00:17:51, 1] smbd/service.c:make_connection_snum(642)
xp-pro (128.97.221.35) connect to service spello initially as user xxxx (uid=xxx, gid=xxx) (pid 32247)
14 February 2004 update
On clitunno (AMD64), running SuSE 9.0, the parameter "noauto"
is not permitted. Otherwise no problems.
24 October 2003 update
After the update to samba 3.0.0final-1, I set gubbio up as a
server. I started by copying spello:/etc/samba to gubbio, and
then adding a new section -- let's say it's called rain, like this:
[rain]
path = /mnt/vj
read only = No
create mask = 0750
hosts allow = 128.97.184.151, 128.97.184.97
browseable = Yes
Now, to mount this "share", you have to do this in /etc/fstab:
//gubbio/other /mntpnt smbfs auto 0 0
and it mounts gubbio:/mnt/vj. It's not allowing truncated IP addresses,
which in this case is fine. I set this up so that Tim and I have a way
to
13 March 2003 update
After switching gubbio, spello, and sigillo to Debian, and
installing Debian from scratch on derekito, I could still run samba
from cyberspace.
I copied over the /etc/samba/smb.conf file from cyberspace,
which is a working samba server, tested against XP. I also copied over
the smbpasswd file -- to use smbpasswd (the executable), you need a
file by this name in /etc/samba. I then issued
smbpasswd kfa
and gave the pw; this worked fine. I then issued
adduser steen
so that my current setup can be used to test this. For the moment, I
even kept the steen password from the old smbpasswd file on
cyberspace; this turned out to work fine. I then issued
md /home/kfa/mnt
since this is the share that is currently exported (see
/etc/samba/smb.conf). This may already work -- just issue
just restart samba
and try it out. Success -- this works. There's obviously lots of room
for tweaking, but samba is working great on Debian. This is the
unstable release of samba, close to 3.0.
23 November 2002 troubleshooting
At this point, the VMware samba server is working fine for the
guest OS. The Spello samba server gets started with the following
messages (from file:/var/log/samba/log.smbd
-- access as root):
[2002/11/23 14:00:28, 0] smbd/server.c:main(698)
smbd version 2.2.3a-6 for Debian started.
Copyright Andrew Tridgell and the Samba Team 1992-2002
[2002/11/23 14:00:28, 1] lib/debug.c:debug_message(250)
INFO: Debug class all level = 3 (pid 3551 from pid 3551)
[2002/11/23 14:00:28.887866, 2, pid=3551, effective(0, 0), real(0, 0)]
param/loadparm.c:do_section(2965)
Processing section "[homes]"
[2002/11/23 14:00:28.888055, 2, pid=3551, effective(0, 0), real(0, 0)]
param/loadparm.c:do_section(2965)
Processing section "[printers]"
[2002/11/23 14:00:28.888194, 2, pid=3551, effective(0, 0), real(0, 0)]
param/loadparm.c:do_section(2965)
Processing section "[print$]"
[2002/11/23 14:00:28.888343, 3, pid=3551, effective(0, 0), real(0, 0)]
param/loadparm.c:lp_add_ipc(1945)
adding IPC service IPC$
[2002/11/23 14:00:28.888412, 3, pid=3551, effective(0, 0), real(0, 0)]
param/loadparm.c:lp_add_ipc(1945)
adding IPC service ADMIN$
[2002/11/23 14:00:28.897308, 3, pid=3551, effective(0, 0), real(0, 0)]
param/loadparm.c:lp_add_printer(1979)
adding printer service Brother_HL-1450
[2002/11/23 14:00:28.897465, 3, pid=3551, effective(0, 0), real(0, 0)]
param/loadparm.c:lp_add_printer(1979)
adding printer service MFC_8300
[2002/11/23 14:00:28.897544, 3, pid=3551, effective(0, 0), real(0, 0)]
param/loadparm.c:lp_add_printer(1979)
adding printer service S9000
[2002/11/23 14:00:28.898066, 2, pid=3551, effective(0, 0), real(0, 0)]
lib/interface.c:add_interface(81)
added interface ip=128.97.184.152 bcast=128.97.184.255
nmask=255.255.255.0
[2002/11/23 14:00:28.898162, 2, pid=3551, effective(0, 0), real(0, 0)]
lib/interface.c:add_interface(81)
added interface ip=192.168.120.1 bcast=192.168.120.255
nmask=255.255.255.0
[2002/11/23 14:00:28.898201, 2, pid=3551, effective(0, 0), real(0, 0)]
lib/interface.c:add_interface(81)
added interface ip=192.168.222.1 bcast=192.168.222.255
nmask=255.255.255.0
[2002/11/23 14:00:28.898238, 2, pid=3551, effective(0, 0), real(0, 0)]
lib/interface.c:add_interface(81)
added interface ip=172.16.61.1 bcast=172.16.61.255
nmask=255.255.255.0
[2002/11/23 14:00:28.913209, 3, pid=3551, effective(0, 0), real(0, 0)]
smbd/server.c:main(740)
loaded services
[2002/11/23 14:00:28.913310, 3, pid=3551, effective(0, 0), real(0, 0)]
smbd/server.c:main(755)
Becoming a daemon.
[2002/11/23 14:00:28.915410, 3, pid=3552, effective(0, 0), real(0, 0)]
lib/util_sock.c:open_socket_in(798)
bind succeeded on port 139
[2002/11/23 14:00:28.915668, 2, pid=3552, effective(0, 0), real(0, 0)]
smbd/server.c:open_sockets(198)
waiting for a connection
All I want to do is export the printer, but when I issue
cupsaddsmb -a, I can't get past the prompt that a password is needed to
access localhost. I decided to upgrade to Samba 2.999+3.0.alpha20-3 for
Debian, but this made no difference for mounting the printer. I have no
idea where this password is set.
22 November 2002 troubleshooting
I started http://steen1.sscnet.ucla.edu:901 on gubbio and
http://cyberspace.ucla.edu:901 and set OS level to 20 instead of 2 --
this was some lingering mistake, but I suspect it didn't matter. What
did matter was that the Samba server was said to be running, but really
needed to be restarted in the Status panel. When I clicked restart
samba I saw a connection establish itself -- in the case of cyberspace,
"25288 smbd 0.0.0.0 Fri Nov 22 02:06:00 2002." If I then clicked
restart nmbd, the connection vanished! Even though Samba was still
listed as running. So it seems nmbd must be started first and smbd last
for the system to work. I then got a response on gubbio to the request
smbclient -L cyberspace (after entering the steen password):
gubbio:~ # smbclient -L cyberspace
INFO: Debug class all level = 3 (pid 25281 from pid 25281)
added interface ip=128.97.184.97 bcast=128.97.184.255 nmask=255.255.255.0
Password:
Domain=[SUNRISE] OS=[Unix] Server=[Samba 2.2.1a]

        Sharename      Type      Comment
        ---------      ----      -------
        homes          Disk
        dvd            Disk      Linux DVD
        IPC$           IPC       IPC Service (Samba 2.2.1a)
        ADMIN$         Disk      IPC Service (Samba 2.2.1a)
        MFC_8300       Printer
        S9000          Printer

        Server               Comment
        ---------            -------
        CYBERSPACE           Samba 2.2.1a
        MUTT                 Samba 2.2.1a

        Workgroup            Master
        ---------            -------
        SUNRISE              MUTT
Note that for the first time, you're seeing two printers! This
may well mean that you would see the local printer if it was plugged in
-- and if Spello was running. On cyberspace, I got this:
cyberspace:~ # smbclient -L gubbio
INFO: Debug class all level = 3 (pid 7065 from pid 7065)
added interface ip=128.97.184.95 bcast=128.97.184.255 nmask=255.255.255.0
Password:
session setup failed: ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree Connect or Session Setup are invalid.)
No idea why the password fails. I added a line to cyberspace's
fstab and tried to mount gubbio, but got this:
7075: tree connect failed: ERRSRV - ERRaccess (The requester
does not have the necessary access rights within the specified context
for the requested function. The context is defined by the TID or the
UID.)
So even though both gubbio and cyberspace are now running
servers, some obscure security system is thwarting me. As usual... You
might want to just figure this out -- see Samba
instructions. The good news: printers are starting to show up.
Notably, they're showing up as available from the cyberspace samba
server.
I followed the instructions -- extremely elegant! Everything
worked. And I finally discovered what had messed up my previous
arrangement: the name change from christine to spello. I now set
passwords with smbpasswd -a steen -- you should actually change the
samba name here, but for the moment this is fine. I deleted the field
that allows non-encrypted passwords in Win98 (see below), and changed
the Netname from christine to spello. I also renamed it spello under
the Control Panel | Network | Identification.
I created identical files on gubbio and cyberspace, building
up from the simple lessons in the Samba
instructions, and I'm now comfortable and happy with Samba -- or
should I say, confident that it's well designed! Wow, what a help that
explanation was. I walked through the simple instructions and scales
fell from my eyes. I'll now reboot and see if I can make the printers
available to Spellowin.
21 November 2002 attempt to fix Samba
After trying to make smb work on Spello, I messed up the
configuration on cyberspace and gubbio too, so now nothing is working
-- except (strangely) the Samba client on Spello, which hooks up fine
to merton (the clients on cyberspace and gubbio may also be working,
but the servers aren't).
I turned on SWAT, the samba manager, on gubbio, and it's
already running on Spello and cyberspace. The one on spello doesn't
seem to actually be finding the samba server -- it says it's not
running, but it is. Anyway, I did this on gubbio:
- Edited /etc/inetd.conf, uncommenting this line: swat stream
tcp nowait.400 root /usr/sbin/swat swat
- Issued /etc/init.d/inetd reload
- nmap localhost shows it's running: 901/tcp open samba-swat
- Access it with http://localhost:901
- I had no luck configuring this on Spello, and even the
gubbio and cyberspace samba links have stopped working after I started
messing with them again -- I don't know what I did that changed the
working setup.
19 November 2002 attempt to add Spello to gubbio (unsuccessful)
To make sure that Spello's Samba server is really providing
access, I tried to set up a client on gubbio. I added this line to /etc/fstab:
//spello/steen /home/steen/mnt/Spello smbfs
noauto,username=steen,password=xxxx,user,uid=500 0 0
I did mount -a and then mount /home/steen/mnt/Spello but got
permission errors. I then ran smbclient -L like this:
steen@gubbio:/mnt> smbclient -L spello
added interface ip=128.97.184.97 bcast=128.97.184.255 nmask=255.255.255.0
Got a positive name query response from 128.97.184.152 ( 128.97.184.152 )
Password:
Domain=[SUNRISE] OS=[Unix] Server=[Samba 2.2.3a-6 for Debian]

        Sharename      Type      Comment
        ---------      ----      -------
        homes          Disk
        IPC$           IPC       IPC Service (Samba 2.2.3a-6 for Debian)
        ADMIN$         Disk      IPC Service (Samba 2.2.3a-6 for Debian)
        steen          Disk      Home directory of steen

        Server               Comment
        ---------            -------
        CYBERSPACE           Samba 2.2.1a
        SPELLO               Samba 2.2.3a-6 for Debian

        Workgroup            Master
        ---------            -------
        SUNRISE              CYBERSPACE
So -- useful information, but I didn't make spello mount on gubbio, and
didn't pursue it as it really has no functional significance. What
would matter is mounting spello on spellowin -- mounting spello on
gubbio was just an exercise to prepare for that. Unfortunately, it
failed.
September 2002 attempt to add merton (successful)
On 9 September I tried to add merton as a samba server to
gubbio.
I added 128.97.42.11 merton to /etc/samba/lmhosts and to
/etc/hosts -- both of these are just for ease of reference I believe.
I'm not sure what the different machines do:
nicco.sscnet.ucla.edu : 128.97.42.4
weber.sscnet.ucla.edu : 128.97.42.3
merton.sscnet.ucla.edu : 128.97.42.11
Merton is my web server and nicco is storage. Weber may be a
backup to Merton -- I don't know.
I added this line to /etc/fstab:
//merton/steen /home/steen/mnt/merton smbfs
noauto,username=steen,password=x,user,uid=500 0 0
I then issued mount -a
I created the directory ~/mnt/merton (as user steen)
I tried mount merton but got a password error, so I wrote
Julie Chen.
Network
Entries in gubbio and cyberspace /etc/samba/lmhosts (more or
less)
127.0.0.1 localhost
128.97.42.4 nicco
128.97.184.152 gubbio
128.97.184.96 blue
128.97.184.150 bighoss
128.97.184.151 tibook
Entries in /etc/hosts
127.0.0.1 localhost
128.97.184.95 cyberspace.ucla.edu cyberspace
128.97.184.96 blue
128.97.184.97 gubbio
128.97.184.150 bighoss
128.97.184.151 tibook
128.97.184.152 spello
128.97.183.169 mojave
Entries in /etc/samba/smb.conf
path = /home/%u/mnt/
read only = No
create mask = 0755
hosts allow = Spello, gubbio, blue, tibook, bighoss
Problems?
On 5 May, when I ran /etc/Suseconfig, I got this result:
setting /usr/bin/ncpmount to root.root 4755
setting /usr/bin/ncpumount to root.root 4755
Did this reset the suids I had created for Samba, or just
repeat what I had done below? Mounting nicco still works fine from
steen. Or is ncpmount Novell?
Win98
Printer
- The printer in 334 Kinsey is IP# 128.97.183.177. Protocol:
raw. Raw setting port #9100. SNMP Community name "public". Device index
"1" Name HPLaserJet5M_copy_1.
Installing the client on Linux
- The mount command is simple:
mount -t smbfs -o username=steen,password=x
//nicco/steen /home/steen/nicco
- I tried it on 12 Mar 02 from gubbio at 128.97.184.97
and it couldn't find nicco -- but neither could Windows. I told Julie
Chen, who couldn't help.
- On 16 March 2002, I made some progress, mainly getting the
verbose output:
- I checked the files on Cyberspace under /etc/samba/ --
- one file is called lmhosts. It appears to serve the
function of allowing IP numbers to be mapped to names -- a samba
equivalent of a domain name server. There's an equivalent file in
Windows, called c:\windows\lmhosts, which "contains the mappings of IP
addresses to NT computernames # (NetBIOS) names" (from the file itself).
- the other file is smb.conf -- the main samba
configuration file.
- When I try just mount //nicco/steen /mnt/nicco from
Cyberspace, I get "special device //nicco/steen does not exist"
- When I try mount -t smbfs //nicco/steen /mnt/nicco I
get "919: Connection to nicco failed"
- I then make some changes to the /etc/samba/smb.conf
file on Cyberspace (see the file) -- the most useful part is changing
the log level to 3, which is the verbose mode.
- This guides me to make changes to lmhosts
- It turns out you can give the command nslookup from the
Linux prompt!
- weber is my default server, 128.97.42.3
- nicco is its neighbor, 128.97.42.4
- I add nicco to /etc/samba/lmhosts and get a rich
message:
- mount -t smbfs //nicco/steen/ /mnt/nicco/ -o username=steen,password=******
INFO: Debug class all level = 3 (pid 990 from pid 990)
opts: rw
opts: username=steen
opts: password=********
mount.smbfs started (version 2.2.1a)
added interface ip=128.97.184.97 bcast=128.97.184.255 nmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name nicco<0x20>
Connecting to 128.97.42.4 at port 139
990: tree connect failed: ERRSRV - ERRinvnetname (Invalid network name in tree connect.)
SMB connection failed
- I wrote and asked Julie Chen why I'm getting "Invalid
network name in tree connect".
- On 17 March 2002 Samba works! On both Gubbio and
Cyberspace. Julie Chen may have fixed it.
- To mount from the command line, I had to start the
program by typing smbmount. Then I gave the command as above, and it
works! I added it to fstab, as below, and can mount it from the desktop!
- Add to fstab:
//nicco/steen /home/steen/nicco smbfs
username=steen,password=x,user,uid=500 0 0
- To allow user steen to mount and unmount, smbmnt and
smbumount (notice the u) have to be made suid. To set the suid bit on
/usr/bin/smbmnt,
chmod 4755 smbmnt
chmod 4755 smbumount
- You can list all the suid binaries on your system with
for i in `find / -perm +6000 -type f`; do ls -aFl $i >> suids; done
- However, /mnt/nicco does not have user access, only
root. I moved the mount point to /home/steen/nicco and it works fine,
though it's perhaps a tad awkward. In time you can figure out how to
allow steen to mount on /mnt/nicco.
- I turn off debugging level 3 (verbose mode) in
/etc/samba/smb.conf
- The "find / -name *smb* -mount -print | less" command on
gubbio found lots of samba related files:
/etc/samba/smb.conf
/sbin/mount.smbfs
/usr/bin/smbcacls
/usr/bin/smbclient
/usr/bin/smbcontrol
/usr/bin/smbmnt
/usr/bin/smbmount
/usr/bin/smbpasswd
/usr/bin/smbspool
/usr/bin/smbtar
/usr/bin/smbumount
/lib/modules/2.4.10-4GB/kernel/fs/smbfs
/lib/modules/2.4.10-4GB/kernel/fs/smbfs/smbfs.o
/usr/share/doc/packages/samba/README.pam_smbpass
/usr/src/linux-2.4.10.SuSE/Documentation/filesystems/smbfs.txt
/usr/src/linux-2.4.10.SuSE/Documentation/i2c/smbus-protocol
/usr/src/linux-2.4.10.SuSE/fs/smbfs
- Use the ldd command to see the dependent libraries, and
make sure they are all there:
ldd samba
<list output here>
- See if the Samba Web Administration Tool (SWAT) is present
in the /etc/services and /etc/inetd.conf configuration files. SWAT runs
as a daemon under inetd and provides a forms-based editor in your web
browser for creating and modifying SMB configuration files. Not sure
how SuSE may implement this feature.
This setup was first run on gubbio and then duplicated on
Cyberspace. Both work great!
I had to turn off encrypted passwords in /etc/samba/smb.conf
Added this to /etc/samba/lmhosts:
127.0.0.1 localhost
128.97.42.4 nicco
128.97.184.95 Cyberspace
128.97.184.152 spello
I believe I also -- and perhaps more significantly -- added
this list to /etc/hosts:
127.0.0.1 localhost
128.97.184.97 gubbio
128.97.184.95 Cyberspace
128.97.184.152 spello
128.97.183.169 mojave
Note that there is a "hosts.allow" and "hosts.deny" -- see man
tcpd(8) and hosts_access(5).
Added steen=steen to smbusers -- likely unnecessary.
How to start the daemons manually:
/etc/init.d/smb start
/etc/init.d/smb stop
(Has to be done by root). In SuSE, "The services can be
started manually with rcsmb start, and with rcsmb stop the services can
be stopped."
Added the samba server start command to /etc/inetd.conf
# SAMBA NetBIOS services (for PC file and print sharing)
netbios-ssn stream tcp nowait root /usr/sbin/smbd smbd
netbios-ns dgram udp wait root /usr/sbin/nmbd nmbd
(cf. http://www.tldp.org/HOWTO/SMB-HOWTO-5.html)
Restart the inetd daemon with this command:
kill -HUP `cat /var/run/inetd.pid`
Finally, all you need to do to have SuSE start samba on bootup
is to say "yes" to the last parameter in /etc/rc.config -- it used to
say "no":
# start samba? ("yes" or "no")
# Windows 95 / NT - File- and Printservices
#
START_SMB="yes"
I found that out from SuSE's help page on Samba.
The pom.gr guide says you can enable SWAT, the samba configuration
client, in /etc/inetd.conf
I did so, and gained access to the Samba Web Administration
Tool at http://localhost:901/ -- they ask for root and password.
I defined the shares to access as /home/<username>/mnt,
as the home directory is really cluttered and the resources are really
on the other drives. I finally made it all work, with full access to
the other drives and only from Cyberspace and Spello, with the
following /etc/samba/smb.conf file:
# Samba config file created using SWAT
# from localhost (127.0.0.1)
# Date: 2002/04/28 03:00:15
# Global parameters
[global]
workgroup = SUNRISE
map to guest = Bad User
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
character set = ISO8859-1
logon home = \\%L\profiles\%U
domain logons = Yes
os level = 2
domain master = True
kernel oplocks = No
printing = lprng
[homes]
path = /home/%u/mnt/
read only = No
create mask = 0755
hosts allow = Spello, Cyberspace
Note that this configuration file can easily be expanded to
allow a couple of other hosts, simply by creating a user for someone
else and then defining the appropriate resources for that person in the
mnt directory. Looks good!
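One way to check a file like this before exposing the server, as an added example that is not part of these notes: the Python below parses the smb.conf format and flags the settings this page runs into (a share with no hosts allow, encrypted passwords turned off, map to guest, guest shares, a create mask that leaves new files world-writable). The sample config is constructed from the [global], [homes] and [rain] sections above plus a deliberately weak [scratch] share that is not on the page.

```python
"""Audit an smb.conf for the weak settings this page keeps tripping over.

Added example, not part of the original notes.  It parses the ini-style
smb.conf format (sections in [brackets], "key = value" lines, '#' or ';'
comments) and reports what a reviewer would flag before exposing the
server: no "hosts allow" on a share, plaintext passwords, guest mapping,
unauthenticated shares, and create masks that make new files
world-writable.  SAMPLE_SMB_CONF is constructed from the page's own
[global], [homes] and [rain] sections plus a deliberately weak [scratch].
"""
import re
from typing import Dict, List, Optional

SAMPLE_SMB_CONF = """\
# Samba config file created using SWAT (sample constructed for this example)
[global]
        workgroup = SUNRISE
        map to guest = Bad User
        encrypt passwords = No
        os level = 2
        domain master = True
[homes]
        path = /home/%u/mnt/
        read only = No
        create mask = 0755
        hosts allow = Spello, Cyberspace
[rain]
        path = /mnt/vj
        read only = No
        create mask = 0750
        hosts allow = 128.97.184.151, 128.97.184.97
        browseable = Yes
[scratch]
        path = /tmp/scratch
        guest ok = Yes
        read only = No
        create mask = 0777
"""

SECTION = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} with section and key names normalised."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # stray text outside any section
        key, _, value = line.partition("=")
        # smb.conf keys are case-insensitive and ignore extra whitespace
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    g = sections.get("global", {})

    enc = g.get("encrypt passwords")
    if enc is None:
        findings.append("[global] encrypt passwords not set: default depends on Samba version")
    elif not is_yes(enc):
        findings.append("[global] encrypt passwords = %s: passwords cross the wire in clear" % enc)

    guest_map = g.get("map to guest", "Never")
    if guest_map.lower() != "never":
        findings.append("[global] map to guest = %s: failed logins become the guest account" % guest_map)

    global_allow = g.get("hosts allow")
    for name, share in sections.items():
        if name == "global":
            continue
        # a share inherits a global "hosts allow"; with neither it answers anyone
        if not share.get("hosts allow", global_allow):
            findings.append("[%s] no hosts allow: reachable from any address" % name)
        if is_yes(share.get("guest ok", "no")):
            findings.append("[%s] guest ok = yes: unauthenticated access" % name)
        writable = (not is_yes(share.get("read only", "yes"))
                    or is_yes(share.get("writable", "no"))
                    or is_yes(share.get("writeable", "no")))
        if writable:
            mask = share.get("create mask", "0744")   # Samba's documented default
            try:
                bits = int(mask, 8)
            except ValueError:
                findings.append("[%s] unparsable create mask %r" % (name, mask))
                continue
            if bits & 0o002:
                findings.append("[%s] create mask %s: new files world-writable" % (name, mask))
    return findings


if __name__ == "__main__":
    for line in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(line)
```

Run it against the real file with `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the [rain] and [homes] sections above pass cleanly because both carry a hosts allow and a mask without the world-write bit.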
I altered /etc/fstab to reflect the new mount points, taking
care to have all the mount points owned by steen and not by root.
In /etc/inetd.conf I also disabled finger, login, talk, and
ntalk -- talk is a chat protocol, cf.
http://unixhelp.ed.ac.uk/CGI/man-cgi?talk
# Shell, login, exec and talk are BSD protocols.
# The option "-h" permits ``.rhosts'' files for the superuser. Please look at
# man-page of rlogind and rshd to see more configuration possibilities about
# .rhosts files.
# shell stream tcp nowait root /usr/sbin/tcpd in.rshd -L
# shell stream tcp nowait root /usr/sbin/tcpd in.rshd -aL
#
# If you want rlogind not to "keep-alives" (e.g. if it runs over a ISDN
# uplink), add "-n". See 'man rlogind' for more details.
login stream tcp6 nowait root /usr/sbin/tcpd in.rlogind
# login stream tcp nowait root /usr/sbin/tcpd in.rlogind -a
# exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
talk dgram udp wait root /usr/sbin/tcpd in.talkd
ntalk dgram udp wait root /usr/sbin/tcpd in.talkd
So these three got commented out in the working version.
Trying to mount gubbio on cyberspace
cyberspace was unable to mount gubbio.
I added this line to cyberspace's /etc/fstab:
//gubbio/steen /home/steen/mnt/gubbio smbfs
noauto,username=steen,password=xxxxx,user,uid=500 0 0
I try mount gubbio and get this:
23147: tree connect failed: ERRSRV - ERRaccess (The
requester does not have the necessary access rights within the
specified context for the requested function. The context is defined by
the TID or the UID.)
SMB connection failed
In gubbio's error log at /var/log/samba/log.smbd I get this:
passdb/pampass.c:smb_pam_passcheck(830)
smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User
steen.password_xxxx !
In /etc/pam.d/samba I commented out the auth and account
requirements:
#%PAM-1.0
#auth required pam_unix.so
#account required pam_unix.so
I try mount gubbio again and get the same rejection.
In /var/log/samba/log.smbd I get this:
[2002/06/03 00:06:11, 0] lib/access.c:check_access(322)
Denied connection from cyberspace.ucla.edu (128.97.184.95)
The lib/access.c makes no sense -- the only place there is a
lib/access.c file is here:
locate lib/access.c
/home/steen/mnt/giant/cvs/lm_sensors2/lib/access.c
/home/steen/mnt/giant/src/packages/SOURCES/lm_sensors-2.6.3/lib/access.c
Somehow I've switched on a security apparatus I don't
understand and cannot get around.
I also tried using NFS by adding this line to cyberspace's
/etc/fstab:
gubbio:/ /home/steen/mnt/gubbio nfs noauto,user,rw 0 0
I then tried mount gubbio and got this:
mount: RPC: Unable to receive; errno = Connection refused
The security is a big hassle -- you need to learn how to
master it. There's really no hurry; this is the sort of thing you can
work on at your leisure.
Information tools:
- smbclient -L gubbio
- smbclient -L cyberspace
- testparm (verifies that your smb.conf files are ok)
- smbstatus
The Pam disaster: trying to make Samba more secure
4 June 2002
Here is the tale of a disastrous attempt to secure Samba. I
found a guide at http://www.plasma.kth.se/sambafaq/sambafaq-1.html
and detailed security
instructions for samba that I followed. In brief, I added this to
/etc/pam.d/samba
#%PAM-1.0
#auth required pam_unix.so
#account required pam_unix.so
auth required /lib/security/pam_pwdb.so nullok sh
account required /lib/security/pam_pwdb.so
I then added legal users to my /etc/passwd account, like this:
[root@gubbio] /# useradd steen
I got the message back that "user steen exists", and
/etc/passwd has this
line:
steen:x:500:100:Francis F. Steen:/home/steen:/bin/bash
Now, I could do
passwd steen
to change the unix password for this user, but I don't. It may
be better to have a different user on gubbio, but for the moment I'll
keep the same.
To generate a smbpasswd file from the /etc/passwd file, use
the following commands:
[root@gubbio] /# cat /etc/passwd | mksmbpasswd.sh > /etc/smbpasswd
But here I got, "bash: mksmbpasswd.sh: command not found" --
these are Red Hat instructions. Or not:
gubbio:/etc # locate mksmbpasswd
/usr/share/samba/scripts/mksmbpasswd.sh
So I try again,
cat /etc/passwd | /usr/share/samba/scripts/mksmbpasswd.sh > /etc/smbpasswd
This goes through!
Finally, the last step we must perform is to create the Samba
user account in our /etc/smbpasswd file before we are able to use it.
To create the Samba user account, use the following commands:
[root@gubbio] /# smbpasswd -a steen
I got:
gubbio:/etc # smbpasswd -a steen
New SMB password:
Retype new SMB password:
Added user steen.
I used the same password; this is also something that could be
changed.
Don't forget to change the permission of your new smbpasswd
file to be readable and writable only by the super-user root, and
nothing for group and other:
chmod 600 /etc/smbpasswd
After all that, when I do
cyberspace:/home/steen/mnt # mount gubbio
I get exactly the same error message:
9829: tree connect failed: ERRSRV - ERRaccess (The requester does not have
the necessary access rights within the specified context for the requested
function. The context is defined by the TID or the UID.)
SMB connection failed
In /var/log/samba/log.smbd I get this:
[2002/06/03 00:18:15, 0] lib/access.c:check_access(322)
Denied connection from cyberspace.ucla.edu (128.97.184.95)
[2002/06/03 16:59:08, 0] lib/util_sock.c:open_socket_in(820)
bind failed on port 139 socket_addr=0.0.0.0 (Address already in use)
[2002/06/03 18:02:30, 0] lib/access.c:check_access(322)
Denied connection from cyberspace.ucla.edu (128.97.184.95)
[2002/06/03 18:04:57, 0] lib/access.c:check_access(322)
Denied connection from cyberspace.ucla.edu (128.97.184.95)
[2002/06/03 18:13:20, 0] passdb/pampass.c:smb_pam_passcheck(830)
smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User root !
This is where I added all the PAM stuff -- I then got this:
[2002/06/03 20:07:55, 0] lib/util_sock.c:open_socket_in(820)
bind failed on port 139 socket_addr=0.0.0.0 (Address already in use)
[2002/06/03 20:08:26, 0] lib/access.c:check_access(322)
Denied connection from cyberspace.ucla.edu (128.97.184.95)
Now, the "bind failed on port 139 socket_addr=0.0.0.0 (Address
already in use)" error may be due to my starting Samba in too many
places at once -- from inetd and the command line. So I shut down the
command-line version:
gubbio:/etc # rcsamba stop
Shutting down SAMBA nmbd : done
Shutting down SAMBA smbd : Warning: smbd not running ! done
So this suggests some confusion: is it already running in the
background, through inetd, ready to spring into action when demanded?
Yes, in fact no doubt, that's how inetd works!
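Reading log.smbd by eye works for a handful of lines, but the denials and PAM rejections above are easier to reason about when counted per source. The Python below is an added example, not part of the original notes: it parses the Samba 2.2 header/message line pairs, classifies the events seen on this page, and separates denials from your own hosts (a hosts allow mistake) from ones arriving from anywhere else. The sample log is constructed from lines quoted on this page plus one made-up outside address (203.0.113.9, a documentation range) and a filled-in uid/gid that the page redacts.

```python
"""Summarise the security-relevant events in a Samba 2.2-style log.smbd.

Added example, not part of the original notes.  smbd writes each event as a
header "[date time, level] file.c:function(line)" followed by an indented
message line; this pairs the two, classifies the events this page keeps
running into (hosts-allow denials, PAM rejections, successful connects),
counts them per source, and separates denials from known hosts (your own
misconfiguration) from ones nobody on the LAN should be producing.
SAMPLE_LOG is constructed from lines quoted on the page plus one made-up
outside address (203.0.113.9, a documentation range).
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Set

SAMPLE_LOG = """\
[2002/06/03 00:18:15, 0] lib/access.c:check_access(322)
  Denied connection from cyberspace.ucla.edu (128.97.184.95)
[2002/06/03 16:59:08, 0] lib/util_sock.c:open_socket_in(820)
  bind failed on port 139 socket_addr=0.0.0.0 (Address already in use)
[2002/06/03 18:02:30, 0] lib/access.c:check_access(322)
  Denied connection from cyberspace.ucla.edu (128.97.184.95)
[2002/06/03 18:13:20, 0] passdb/pampass.c:smb_pam_passcheck(830)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User root !
[2002/06/03 20:21:57, 0] passdb/pampass.c:smb_pam_passcheck(830)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User steen !
[2002/06/04 02:11:03, 0] lib/access.c:check_access(322)
  Denied connection from 203.0.113.9 (203.0.113.9)
[2006/01/10 00:17:51, 1] smbd/service.c:make_connection_snum(642)
  xp-pro (128.97.221.35) connect to service spello initially as user steen (uid=500, gid=100) (pid 32247)
"""

# header also tolerates the longer "[..., level, pid=N, effective(..), real(..)]" form
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?, (\d+)[^\]]*\] (\S+)$")
DENIED = re.compile(r"^Denied connection from (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
PAM_REJECT = re.compile(r"Rejecting User (\S+) !")
CONNECT = re.compile(
    r"^(\S+) \((\d+\.\d+\.\d+\.\d+)\) connect to service (\S+) initially as user (\S+)")


class Event(NamedTuple):
    kind: str      # "denied", "auth_fail", "connect" or "other"
    stamp: str
    source: str    # client IP for denied/connect, user name for auth_fail
    detail: str


def classify(stamp: str, location: str, msg: str) -> Event:
    d = DENIED.match(msg)
    if d:
        return Event("denied", stamp, d.group(2), d.group(1))
    p = PAM_REJECT.search(msg)
    if p:
        return Event("auth_fail", stamp, p.group(1), location)
    c = CONNECT.match(msg)
    if c:
        return Event("connect", stamp, c.group(2),
                     "%s -> %s as %s" % (c.group(1), c.group(3), c.group(4)))
    return Event("other", stamp, "", msg)


def parse_log(text: str) -> List[Event]:
    """Pair each header line with the message line that follows it."""
    events: List[Event] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i].strip())
        if not m or i + 1 >= len(lines):
            i += 1                          # continuation or truncated tail
            continue
        events.append(classify(m.group(1), m.group(3), lines[i + 1].strip()))
        i += 2
    return events


def summarise(events: Iterable[Event]) -> Dict[str, Counter]:
    """Counts per source for each event kind worth watching."""
    out: Dict[str, Counter] = {k: Counter() for k in ("denied", "auth_fail", "connect")}
    for e in events:
        if e.kind in out:
            out[e.kind][e.source] += 1
    return out


def outside_denials(events: Iterable[Event], known_hosts: Set[str]) -> Set[str]:
    """Addresses denied by hosts allow that are not machines you administer."""
    return {e.source for e in events if e.kind == "denied" and e.source not in known_hosts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for kind, counts in summarise(evs).items():
        print(kind, dict(counts))
    print("outside:", outside_denials(evs, {"128.97.184.95", "128.97.184.97", "128.97.184.152"}))
```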
To be on the safe side I made sure inetd is reading the most
recent values:
gubbio:/etc # ps -ax | grep inetd
659 ? S 0:00 /usr/sbin/inetd
3599 ttyp7 S 0:00 grep inetd
gubbio:/etc # kill -HUP 659
I tried to connect once more.
cyberspace:/home/steen/mnt # mount gubbio
Now I got a different error message, so something is happening!
10109: session setup failed: ERRSRV - ERRbadpw (Bad password -
name/password pair in a Tree Connect or Session Setup are invalid.)
SMB connection failed
Mystifying, however, since I just set up exactly the password
I've also included in /etc/fstab on cyberspace.
In /var/log/samba/log.smbd I get this:
[2002/06/03 20:21:57, 0] passdb/pampass.c:smb_pam_auth(541)
smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user steen
[2002/06/03 20:21:57, 0] passdb/pampass.c:smb_pam_passcheck(830)
smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User steen !
Now, unknown error is not exactly the ideal error message.
Here is SuSE's PAM documentation. Interestingly, it was
installed in February and March of 2002, so that means PAM was not
installed with the original installation. Perhaps you should get rid of
it for now?
file://localhost/usr/share/doc/packages/pam/html/index.html
The Linux-PAM System Administrators' Guide
file://localhost/usr/share/doc/packages/pam/html/pam.html
If you are running Linux as a single user system, or in an
environment where all the users are trusted, then there is no real
advantage for using PAM.
I tried to get rid of the whole thing in packager -- found
that it had indeed been built in February and installed in March of
2002 -- and got this:
Dependency Problem:
libpam.so.0 is needed by sh-utils-2.0-106
libpam.so.0 is needed by mc-4.5.54-92
libpam.so.0 is needed by kdebase-2.2.1-36
libpam.so.0 is needed by rsh-server-0.17-86
libpam.so.0 is needed by samba-client-2.2.1a-32
libpam.so.0 is needed by sendmail-8.11.6-29
libpam.so.0 is needed by xf86_3x-3.3.6-228
libpam.so.0 is needed by xlock-4.17.2-27
libpam.so.0 is needed by gdm-2.2.4.1-25
libpam.so.0 is needed by xscreensaver-3.33-31
libpam.so.0 is needed by shadow-20000902-144
libpam.so.0 is needed by cyrus-sasl-1.5.24-157
libpam.so.0 is needed by gubbio-1.3.22.1i-105
libpam.so.0 is needed by openldap2-client-2.0.12-28
libpam.so.0 is needed by ppp-2.4.1-95
libpam.so.0 is needed by ncpfs-2.2.0.18-133
libpam.so.0 is needed by openssh-2.9.9p2-98
libpam.so.0 is needed by samba-2.2.1a-75
libpam.so.0 is needed by xf86-4.2.0-64
libpam.so.0 is needed by pine-4.33-224
libpam.so.0 is needed by sudo-1.6.3p7-83
libpam_misc.so.0 is needed by rsh-server-0.17-86
libpam_misc.so.0 is needed by xf86_3x-3.3.6-228
libpam_misc.so.0 is needed by gdm-2.2.4.1-25
libpam_misc.so.0 is needed by shadow-20000902-144
I unchecked "check dependencies" and the whole rpm uninstalled
-- the little bugger! It said /lib/security and /etc/pam.d were not
empty and couldn't be deleted. I did a quick
gubbio:/etc # rm -r pam.d
gubbio:/lib # rm -r security
Whew! Well, that definitely changed things. I now tried,
cyberspace:/home/steen/mnt # mount gubbio
Invalid packet length! (90724 bytes).
10406: session request to MUTT failed (code 0)
Invalid packet length! (90724 bytes).
10406: session request to *SMBSERVER failed (code 0)
SMB connection failed
This could just be my multiple sessions problem.
I'll try going back down to init 1 and see if things get
cleaned up.
Now, this turned to a near touch with OS death: having erased
pam, I couldn't log in! I scrambled for a couple of hours with floppies
and CDs, until I suddenly realized that my /dev/hdc7 partition was still
accessible from Lilo, and should be working fine! For the details of
this elegant solution, see crash recovery.