
Samba SMB CIFS Server

See also

Notes

RHEL6 does not support SMB2 and later protocol versions.

Configuration

rlimit_max (1024) below minimum Windows limit (16384)

/etc/security/limits.d/30-samba.conf

root               -       nofile          16385

The default is max open files = 16385

See https://www.tecmint.com/install-samba-on-rhel-8-for-file-sharing-on-windows/

/etc/samba/smb.conf

[global]
        workgroup = WORKGROUP
        server string = Samba
        netbios name = SAMBA
        client ipc min protocol = SMB3
        client min protocol = SMB3
        server min protocol = SMB2
        disable netbios = Yes
        disable spoolss = Yes
        domain master = No      
        load printers = No
        local master = No
        log file = /var/log/samba/log.%m
 
        # Size in KB
        max log size = 200000
 
        name resolve order = host
        printcap name = /dev/null
        security = USER
        smb ports = 445
        idmap config * : backend = tdb
        passdb backend = tdbsam
        cups options = raw
        printing = bsd
        #log level = 3
        #restrict anonymous = 2
        #nt pipe support = no
        #interfaces = eth* lo
        #bind interfaces only = yes
        #fstype = Samba
        host msdfs = no
        server services = -s3fs, -rpc, -nbt, -wrepl, -ldap, -cldap, -kdc, -drepl, -winbindd, -ntp_signd, -kcc, -dnsupdate, -dns
 
[public]
        comment = Public
        read only = Yes
        path = /data/shared/public
 
[shared]
        #guest ok = Yes
        #browseable = No
        comment = Shared
        path = /mnt/shared
        read only = No
        #force user = jean
        valid users = jean
        write list = jean
 
#[IPC$]
#        hosts allow = 192.168.115.0/24 127.0.0.1
#        hosts deny = 0.0.0.0/0

There is no need to restart the service; changes are picked up automatically. To check:

testparm

To test the connection

smbclient -N -L 127.0.0.1
smbclient -N //127.0.0.1/shared
smbclient -U user%password //127.0.0.1/shared

If needed, modify /etc/sysconfig/iptables or firewalld

#iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT

Example:

/etc/samba/smb.conf

[partage]
   comment = Commentaires...
   path = /var/www
   force user = web
   #valid users = web
   browseable = yes
   writable = yes

Validate the configuration

testparm

Reload the configuration without restarting

smbcontrol all reload-config

Restart the service

systemctl restart smb

Including a configuration file

This looks like a good idea but is not, because there is no automatic reload.

/etc/samba/smb.conf

[global]
        path = /dev/null
 
[includes]
        available = No
        include = /etc/samba/smb.d/shared.conf

/etc/samba/smb.d/shared.conf

[shared]
        comment = Shared
        path = /mnt/shared
        read only = No

Authentication / accounts

How it is configured

testparm -sv /dev/null | grep auth

Authorize a user / set the password

#pdbedit -a utilisateur
smbpasswd -a utilisateur

Delete an account (rolls back the previous step)

smbpasswd -x supervision

List all accounts

pdbedit -L

Check whether the user pirate exists

pdbedit -u pirate

Disable printing

/etc/samba/smb.conf

[global]
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

Source: http://mugurel.sumanariu.ro/linux/linux-how-to-disable-printing-in-samba/

Debug

/etc/samba/smb.conf

[global]
   log level = 3

No need to restart the service; the reload is automatic.

Notes

smbstatus

Problems

Receiving SMB: Server stopped responding - Call returned zero bytes (EOF) opening remote

smb: \> get plop
Receiving SMB: Server stopped responding
Call returned zero bytes (EOF) opening remote file \plop

Solution

The problem was caused by the /var partition being full.

Connection problem from Windows: error NT_STATUS_WRONG_PASSWORD

Solution 1 (insecure)

/etc/samba/smb.conf

[global]
ntlm auth = yes
#client ntlmv2 auth = yes

Example configuration

Installation on RedHat / CentOS

cp -p /etc/samba/smb.conf /etc/samba/smb.conf.bak
egrep -v '^$|^#|^;' /etc/samba/smb.conf.bak > /etc/samba/smb.conf

/etc/samba/smb.conf

[global]
   workgroup = WORKGROUP
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
 
[tmp]
   path = /tmp
   comment = TEMP
   browseable = yes
   read only = no
   create mask = 0660
   directory mask = 0770
   guest ok = yes
 
[partage]
   comment = Partage
   path = /data/
   force user = utilisateur1
   #public = yes
   valid users = @groupe1, jean
   write list = @groupe1, jean
   browseable = yes
   writable = yes
   read only = no
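
Added example (not part of the original page): a shell/awk check that reads smb.conf-format text and flags `ntlm auth = yes` from "Solution 1 (insecure)", an SMB1 minimum server protocol, and guest access such as the [tmp] share above. The function names and the sample file are assumptions made for this illustration; only explicit per-section settings are examined.

```shell
# Added example: flag weak settings in smb.conf-format text read from stdin.
# On a real host: testparm -s 2>/dev/null | audit_smb_conf
audit_smb_conf() {
    awk '
    # Samba ignores case and spaces in parameter names, so normalise both.
    function norm(s) { s = tolower(s); gsub(/[ \t]/, "", s); return s }
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function flag(why) { printf "[%s] %s = %s : %s\n", sect, name, val, why }
    /^[ \t]*[#;]/ || /^[ \t\r]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ { sect = trim($0); sect = substr(sect, 2, length(sect) - 2)
                  order[++n] = sect; next }
    {
        eq = index($0, "="); if (eq == 0) next
        name = trim(substr($0, 1, eq - 1)); key = norm(name)
        val = trim(substr($0, eq + 1)); v = tolower(val)
        yes = (v == "yes" || v == "true" || v == "1")
        no  = (v == "no" || v == "false" || v == "0")
        if (key == "ntlmauth" && (yes || v == "ntlmv1-permitted")) flag("NTLMv1 accepted")
        if (key == "serverminprotocol" && v ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
            flag("SMB1 dialects accepted")
        if (key == "maptoguest" && v != "never") flag("some failed logins become guest")
        if (key == "guestok" || key == "public") guest[sect] = yes
        # "writable", "writeable" and "write ok" are inverted synonyms of "read only".
        if (key == "readonly") rw[sect] = no
        if (key == "writable" || key == "writeable" || key == "writeok") rw[sect] = yes
    }
    END {   # guest access is judged per share, once all its parameters are known
        for (i = 1; i <= n; i++) { s = order[i]
            if (guest[s] && rw[s]) printf "[%s] guest ok + writable : unauthenticated write\n", s
            else if (guest[s])     printf "[%s] guest ok : unauthenticated read\n", s
        }
    }'
}
# Constructed sample, assembled from settings that appear on this page.
sample_conf() {
    cat <<'EOF'
[global]
   ntlm auth = yes
   server min protocol = SMB2
   map to guest = bad user
[tmp]
   read only = no
   guest ok = yes
[partage]
   writable = yes
EOF
}

sample_conf | audit_smb_conf
```

On the sample it reports the two [global] lines and the [tmp] share; [partage] is writable but requires authentication, so it is not listed.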

Other

For containers

/usr/sbin/smbd -F -S
tech/serveur_samba_smb_cifs.txt · Last modified: by Jean-Baptiste
