Samba

Last modified by Sebastian Marsching on 2022/03/27 15:23

Kerberos Authentication

See Kerberos.

Using Samba in a Windows Environment

This section was originally written on 2014-04-11 and has not been updated since, so the information presented here might be outdated.

This is a preliminary document on how to integrate Samba into a Windows environment. It assumes that the file shares provided by Samba are not accessed through other channels: no users can log into the Linux box, and the files are not shared by other means (NFS, AFP, etc.). In the configuration examples, my.windows.domain is the Active Directory domain Samba is joined to, MYWINDOWS is the short (NetBIOS) domain name and MY.WINDOWS.DOMAIN is the corresponding Kerberos realm.

smb.conf

[global]
# Enable owning group to change permissions.
# Unfortunately, it is unclear, whether this applies to all files, or only
# those specifically set to be owned by a group in the Windows ACL editor.
#acl group control = yes
# Map "rwx" to "Full Control" in Windows ACL editor.
# We do not want this, if we are using the extended ACL support, because
# "Full Control" in windows means more than "rwx" in Linux.
acl map full control = no
# Configure the client side to use NTLMv2 only.
# This might cause problems with older servers; however, for security reasons
# it should be activated whenever possible. Note that this option only governs
# connections Samba makes as a client (smbclient, winbind, net). The server
# side is controlled by "lanman auth" and "ntlm auth", which should both be
# set to "no" so that LM and NTLMv1 responses are rejected.
client ntlmv2 auth = yes
# Mark files whose names start with a dot as hidden.
# In Windows, hidden is a separate attribute, thus to be more like Windows,
# we disable this feature. Such files can still be hidden by setting the
# corresponding attribute.
hide dot files = no
# UID and GID ranges winbind uses for mapping AD users and groups.
# The specific numbers are not really important. However, we have to ensure
# that these ranges do not collide with any local users or groups. Newer
# Samba versions replace these two options with the idmap config syntax,
# i.e. "idmap config * : backend = tdb" and "idmap config * : range = 10000-20000".
idmap gid = 10000 - 20000
idmap uid = 10000 - 20000
# Copy the ACLs from parent directories to newly created sub-directories.
# This option also uses 0777 permissions for newly created directories to
# ensure that the inherited ACLs are effective. When using the advanced ACL
# support (acl_xattr), this option should probably not be activated, because
# for Windows ACLs the inheritance flags stored with the ACL determine which
# entries are applied to newly created sub-directories.
#inherit acls = yes
# Enable kernel oplocks.
# We want to disable this option, because enabling it implicitly sets
# level2 oplocks = no. As file access is only performed through SMB, it is
# safe to let Samba handle the locking itself and thus profit from level 2
# oplocks.
kernel oplocks = no
# Allow nmbd to become a local master browser on the subnet.
# If working in a Windows environment, we want to disable this, because
# the Active Directory domain controllers should act as master browsers.
local master = no
# Path to the log file.
# We just copied that from the default configuration for Ubuntu.
log file = /var/log/samba/log.%m
# Store Windows ACL inherit flag in extended attribute.
# We want to enable this, in order to have full Windows ACL support.
map acl inherit = yes
# Map Windows archive flag to permission bit.
# We want to deactivate this feature, because we are using xattr for this.
map archive = no
# Map Windows hidden flag to permission bit.
# Same as for map archive.
map hidden = no
# Map Windows read only flag to inverse write permission bits.
# Same as for map archive.
map read only = no
# Map Windows system file flag to permission bit.
# Same as for map archive.
map system = no
# Require a minimum SMB protocol version.
# As we do not support old auth mechanisms for security reasons, we also
# drop the pre-NT1 dialects (CORE, COREPLUS, LANMAN1, LANMAN2). NT1 is SMB1;
# on a current Samba the default minimum is SMB2_02, and NT1 should only be
# allowed if SMB1-only clients really have to be served. Newer versions also
# distinguish "server min protocol" (for which "min protocol" is a synonym)
# from "client min protocol".
min protocol = NT1
# Active Directory domain.
# This should be set to the FQDN of the Active Directory domain, and - at the
# same time - is used as the Kerberos realm (conventionally written in upper
# case, e.g. MY.WINDOWS.DOMAIN).
realm = my.windows.domain
# Kill old sessions when a request for a new session is received from the same IP.
# By activating this option, we ensure that all locks associated with an old
# session are released when a new session is established. This has
# undesirable effects if multiple clients share the same IP address (e.g.
# because NAT is in use), but in the LAN it is usually safe to assume that
# every client contacts the server with its own IP address.
reset on zero vc = yes
# Control level of anonymous access.
# We want to set this the most restrictive (do not accept any anonymous
# connections) for security considerations.
restrict anonymous = 2
# Security mode.
# For Active Directory integration, we set this to "ads".
security = ads
# Configure signing support in the SMB server.
# With "auto", signing is offered to clients that support it but not required,
# so old clients without signing support can still connect. For enhanced
# security it should be set to "mandatory", which protects against SMB relay
# and in-flight tampering. (Signing for connections Samba initiates itself is
# configured separately with "client signing".)
server signing = auto
# Descriptive server name.
# If this option is empty, Windows clients will just display the hostname,
# which is okay for most purposes.
server string =
# Store Windows attributes (hidden, archive, system, read-only) using xattr.
# We want to activate this option, because it is much better than the old
# options, which tried to map these attributes to permissions.
store dos attributes = yes
# Strictly check byte-range locks.
# By default, this option is set to auto, which means Samba only checks
# for locks on files which are not oplocked by the client. For oplocked
# files, it omits these checks for performance reasons. However, if you do
# not want to rely on a correct client implementation, you should set this
# option to "yes".
#strict locking = yes
# Do a sync to disk each time it is requested by a client.
# By default, older Samba versions do not perform a sync when a client
# requests one, because a lot of badly written clients request a sync when
# they really just want to flush their buffers, and honouring each request
# slows down SMB access considerably. The problem with skipping the sync is
# that, if the Linux system Samba runs on crashes before the data has been
# written to disk, the data is lost. This is very bad if a client relied on
# the data having been written because it sent the sync request (e.g. it
# could corrupt database files stored on an SMB share).
# Therefore, if we want to be really safe, we have to enable this option.
# (Since Samba 4.7, "yes" is the default.)
strict sync = yes
# Control which messages are written to syslog.
# We set this to 0, so that messages will only be written to the Samba
# logfiles. We copied that from the default configuration for Ubuntu.
# Newer versions deprecate this option in favour of "logging" (see "Fixing
# the smbclient syslog warning" below).
syslog = 0
# Configure the home directory set for users added by winbind.
# As we do not allow login of Windows users except through Samba, this
# option does not really matter. However, it is still nice to have it set
# to something sensible.
template homedir = /home/winbind/%D/%U
# Configure the shell set for users added by winbind.
# Users added by winbind should not be able to log into the Linux machine,
# thus we set the shell to "/bin/false".
template shell = /bin/false
# Enable the CIFS UNIX extensions.
# This option enables features interesting for UNIX clients, like support
# for symlinks, etc. However, it might be problematic if the UNIX permissions
# are exposed in a way that is not consistent with the permissions Windows
# clients see through the extended ACL support. By default, the UNIX
# extensions are enabled.
#unix extensions = no
# Use the sendfile() system call under specific circumstances.
# If this option is enabled, Samba can speed things up by using this special
# system call to send data from files which are oplocked. However, we
# should be sure about the implications this option has before enabling it,
# as it is disabled by default.
#use sendfile = yes
# Configure VFS modules which should be enabled.
# We want to add the "acl_xattr" module, which brings full support for
# Windows ACLs to Samba. The full Windows ACL is stored in the extended file
# attribute security.NTACL (so the file system must support extended
# attributes); the POSIX permissions of the file are only kept as a
# best-effort approximation of it.
# We also might want to enable one of streams_depot and streams_xattr.
# These modules enable the use of alternate data streams, a feature of NTFS
# which allows saving different, independent data streams for a single file.
# The streams_xattr module is easier to use, because it just saves the
# alternate data streams in extended attributes. However, this might not
# work for large data streams, because xattr is not designed to keep huge
# amounts of data. In this case, streams_depot might be preferred, which
# stores the alternate data streams in separate files in a directory
# configured using the streams_depot:directory option.
vfs objects = acl_xattr streams_xattr
# Enable user / group enumeration for winbind.
# These options should not be activated if a large number of users or groups
# exist in Active Directory, because they will cause performance issues.
winbind enum groups = yes
winbind enum users = yes
# Set number of levels to resolve for nested groups.
# In contrast to UNIX, in Windows groups can be members of groups. In order
# to map these kinds of groups to UNIX groups, winbind has to resolve them
# to the actual users being part of the group. This option sets the maximum
# number of steps winbind will use to resolve groups. Setting this number
# too large will cause bad performance; setting it too low will cause groups
# nested over multiple levels not to be resolved correctly.
winbind expand groups = 2
# List of WINS servers.
# This option should refer to the WINS servers run for the Active Directory
# domain. Most likely, the domain controllers will also act as WINS servers.
wins server = 192.168.0.32 192.168.0.36
# Workgroup / domain name.
# This should be set to the short name of the Active Directory domain
# (the same you see as a prefix to full usernames, preceding the backslash).
workgroup = MYWINDOWS

# Directory for streams_depot VFS module.
# If the streams_depot module is activated in the vfs objects option,
# you have to configure the directory which stores the files with the
# alternate data streams.
#streams_depot:directory = /home/samba/.streams_depot

# This is a sample share configuration, which might be used to store
# roaming profiles.
[Profile]
# Configure offline caching policy.
# For a share storing roaming profiles, you have to disable this explicitly,
# otherwise you might experience data loss for the profiles.
# Believe me, I learned the hard way. :-)
csc policy = disable
# Path to the directory that is shared
path = /home/samba/Profile
# Users which may connect to this share.
# Use a plus sign followed by a group name to allow access for all members
# of a group. File permissions are still checked, thus a user who does not
# have permission to access a specific file or directory will still be
# denied access.
valid users = "+MYWINDOWS\\Domain Users"
# Enable write access.
# By default, only read access is allowed.
writeable = yes

Setup

Aside from adjusting the Samba configuration file, a few more steps must be taken care of:

  1. Kerberos support has to be installed and the default Kerberos realm should be set to match the ADS realm. Usually, the Kerberos realm is the ADS domain name in capital letters (e.g. MY.WINDOWS.DOMAIN).
  2. The Linux box has to be joined to the ADS domain: net ads join -U Administrator
  3. /etc/nsswitch.conf has to be changed to include the winbind service for user and group resolution.
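The three steps above as one script, added here as an example rather than taken from the original page. The Debian/Ubuntu package and service names, the paths and the use of DNS SRV lookups for the KDCs are assumptions; the realm and domain names are the placeholders used throughout this page. The helper that edits nsswitch.conf is idempotent, so the script can be re-run safely, and the join is only performed when the script is invoked with the argument "join".

```shell
#!/bin/sh
# Added example (not from the original page): scripted version of the three
# setup steps. Assumptions: Debian/Ubuntu (packages krb5-user, winbind,
# libnss-winbind), systemd service names, and DCs reachable via DNS SRV records.
set -eu

REALM="MY.WINDOWS.DOMAIN"          # placeholder from the page
DOMAIN="my.windows.domain"         # placeholder from the page
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"

# Step 1: minimal krb5.conf. dns_lookup_kdc lets the Kerberos library find
# the KDCs (the domain controllers) via the _kerberos._tcp SRV records that
# Active Directory publishes, so no explicit [realms] block is needed.
write_krb5_conf() {
    # $1: path to write
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# Step 3: append "winbind" to the passwd and group lines of nsswitch.conf.
# Idempotent: a line that already lists winbind is left unchanged, and
# other lines (hosts, shadow, ...) are not touched.
add_winbind_to_nsswitch() {
    # $1: path to nsswitch.conf
    tmp="$1.tmp.$$"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            passwd:*winbind*|group:*winbind*) printf '%s\n' "$line" ;;
            passwd:*|group:*)                 printf '%s winbind\n' "$line" ;;
            *)                                printf '%s\n' "$line" ;;
        esac
    done < "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Number of passwd/group lines that resolve through winbind (2 when done).
winbind_nss_lines() {
    grep -Ec '^(passwd|group):.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Step 2 plus verification; only run when invoked as "setup.sh join".
if [ "${1:-}" = "join" ]; then
    # apt-get install -y krb5-user winbind libnss-winbind   (once, as root)
    write_krb5_conf "$KRB5_CONF"
    testparm -s >/dev/null                  # refuse to continue on a broken smb.conf
    net ads join -U Administrator           # creates the machine account in AD
    add_winbind_to_nsswitch "$NSSWITCH"
    systemctl restart winbind smbd nmbd     # "service ... restart" on pre-systemd Ubuntu
    wbinfo -t                               # machine account trust secret works
    wbinfo -u | head                        # users are enumerated (winbind enum users)
    getent group "MYWINDOWS\\Domain Users"  # NSS resolution goes through winbind
fi
```

The verification commands at the end are the checks worth keeping around: wbinfo -t proves the machine account password established by the join is valid, and getent resolving a domain group proves both winbind and the nsswitch.conf change are in effect, which is what the valid users line of the Profile share above depends on.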

smbclient timeout for IPv6 enabled servers

When using smbclient with Windows Server 2012 R2, I came across a funny problem. If the Windows server has both an IPv4 and an IPv6 address registered in DNS, smbclient -L connects to this server successfully, but then gets stuck for a very long time. After enabling debugging, it becomes clear that the first connection on port 445 is successful, but later smbclient tries to connect to port 139. This is the port used for NetBIOS over TCP, and NetBIOS over IPv6 is clearly not supported by the Windows server. This actually makes sense, because NetBIOS should only be used by old clients, which certainly do not support IPv6.

Unfortunately, working around this issue is not that simple: For quite some time, using the -I option with smbclient and explicitly specifying the IPv4 address of the server worked, but with recent versions of smbclient that results in an NT_STATUS_LOGON_FAILURE error. Setting disable netbios = yes in smb.conf unfortunately does not help either.

The only solution I found was blocking outgoing connections to TCP port 139 over IPv6 using ip6tables:

ip6tables -A OUTPUT -p tcp --destination-port 139 -j REJECT

With this workaround, smbclient will still report an error (after first connecting successfully), but at least it will report this error quickly instead of waiting for a long time.
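A slightly narrower version of that workaround, added here as an example (not from the original page): it rejects port 139 only for the IPv6 addresses of the named servers instead of all IPv6 destinations, adds each rule only if it is not already present, and answers with a TCP reset so smbclient sees a clean refusal immediately. GNU ip6tables with -C support and glibc getent are assumed; the IP6TABLES variable is a hook so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original page): per-server, idempotent variant
# of the ip6tables workaround. Assumptions: GNU ip6tables (-C support) and
# glibc getent for AAAA resolution.
set -eu
IP6TABLES="${IP6TABLES:-ip6tables}"

# Rule arguments for one server address (everything after -A/-C/-D).
# tcp-reset makes the client fail at once instead of retrying on ICMP errors.
reject_rule_args() {
    # $1: IPv6 address of the Windows server
    printf '%s' "OUTPUT -p tcp -d $1 --dport 139 -j REJECT --reject-with tcp-reset"
}

# Insert the rule unless it is already present.
# Returns 0 when the rule was added, 2 when it was already there.
ensure_reject_rule() {
    args=$(reject_rule_args "$1")
    # shellcheck disable=SC2086  # word splitting of $args is intended
    if "$IP6TABLES" -C $args 2>/dev/null; then
        return 2
    fi
    "$IP6TABLES" -A $args
}

# AAAA addresses of a server name. IPv4-mapped entries (::ffff:a.b.c.d) are
# dropped because they are not IPv6 connections; empty output means the host
# has no IPv6 address and the workaround is not needed for it.
server_ipv6_addrs() {
    getent ahostsv6 "$1" | awk '$1 ~ /:/ && $1 !~ /^::ffff:/ {print $1}' | sort -u
}

# Usage: fix-smb139.sh dc1.my.windows.domain fileserver.my.windows.domain
if [ $# -gt 0 ]; then
    for host in "$@"; do
        for addr in $(server_ipv6_addrs "$host"); do
            if ensure_reject_rule "$addr"; then
                echo "added port 139 reject for $host ($addr)"
            else
                echo "port 139 reject for $host ($addr) already present"
            fi
        done
    done
fi
```

Like the blanket rule, this only changes the failure mode: smbclient still reports the port 139 error after the successful port 445 connection, but without the long wait. The rules live in the running kernel only, so persist them (e.g. with iptables-persistent) if the workaround has to survive a reboot.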

Fixing the smbclient syslog warning

If the syslog option is present in smb.conf, recent versions of smbclient will issue the following warning:

WARNING: The "syslog" option is deprecated

Unfortunately, the default configuration in Ubuntu 14.04 LTS still uses this option. This can easily be fixed by removing the syslog and syslog only options and adding the following option instead:

logging = syslog@0 file