Services/SMB

From popdata


  • Config file in /etc/samba/
  • To check syntax: testparm (pass a file name as an argument to test a file other than /etc/samba/smb.conf)
  • To reload after change: /etc/init.d/samba reload
  • To check status: /etc/init.d/samba status

smb.conf options

Some ideas about setting up Windows file sharing: http://www.samba.org/samba/docs/ (Using Samba, 2nd ed., O'Reilly; the official HOWTO)

File permissions

  • samba uses Unix FACLs (POSIX ACLs) if available to better mimic Windows permissions
  • samba file creation masks override unix "default" FACLs
  • Parameters can differ per machine: "include = /etc/samba/lib/smb.conf.%m", where %m is the client's NetBIOS name (ex: srtl1). This is similar to "log file = /var/log/samba/log.%m" for a per-machine log file.
    • For example, to give SRTL machines different file creation masks, create /etc/samba/lib/smb-srtl.conf and symlink srtl{1,2,3,4,5,6,7}.conf to it (the symlink names must match whatever the include pattern expands to for each machine)
  • use unix "chattr +a /data/*/.login/logins.txt" (append-only: records can be added but not altered or truncated)

Creation masks (http://www.samba.org/samba/docs/using_samba/ch08.html)

  • create mask / directory mask: [default 0744] bitwise "and" with the mode requested by the client on creation (bits cleared here can never be set)
  • force create mode / force directory mode: [default 0000] bitwise "or" with the mode requested by the client on creation (bits set here are always added)
  • inherit permissions: [default no] ignore mask/force and copy the permissions from the parent directory instead.

The following two are like the above, but apply to permission changes made after creation (e.g. from a Windows security dialog):

  • security mask / directory security mask: "and" with the requested mode
  • force security mode / force directory security mode: "or" with the requested mode
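The mask and force settings above combine as (requested AND mask) OR force. The following shell script is an added worked example, not code from the wiki or from the Samba project, that runs several settings through that formula so the interaction is visible; the requested modes 0666 and 0777 are the usual values a Windows client asks for and are assumptions here.

```shell
#!/bin/sh
# Added example, not from the wiki page: work out the Unix mode Samba
# applies, given the mode the client asked for and the share's mask settings.
# Per the Samba docs linked above, the effective mode is
#     (requested AND mask) OR force_mode
# with create mask / force create mode for new files,
# directory mask / force directory mode for new directories, and
# security mask / force security mode for chmod-style changes afterwards.
# Modes are octal strings such as 0744; results print as four octal digits.

effective_mode() {
    # $1 = mode requested by the client (assumed here: 0666 for files,
    #      0777 for directories, as Windows clients typically ask for)
    # $2 = create mask / directory mask / security mask
    # $3 = force create mode / force directory mode / force security mode
    requested=$(( 0$1 ))   # leading 0 makes the shell read the number as octal
    mask=$(( 0$2 ))
    force=$(( 0$3 ))
    printf '%04o\n' $(( (requested & mask) | force ))
}

# Report whether a mode leaves the object writable by "other" (world),
# which is usually the bit a share's masks exist to keep out.
world_writable() {
    mode=$(( 0$1 ))
    if [ $(( mode & 02 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Walk a few settings through the formula to show how mask and force interact.
show_outcome() {
    # $1 label  $2 requested  $3 mask  $4 force
    result=$(effective_mode "$2" "$3" "$4")
    printf '%-42s requested=%s mask=%s force=%s -> %s (world-writable: %s)\n' \
        "$1" "$2" "$3" "$4" "$result" "$(world_writable "$result")"
}

show_outcome "file, defaults (0744 / 0000)"          0666 0744 0000   # 0644
show_outcome "directory, directory mask 0755"        0777 0755 0000   # 0755
show_outcome "file, force create mode = 0660"        0666 0744 0660   # 0664: group write ORed back in
show_outcome "file, client asks for owner-only"      0600 0744 0644   # 0644: the client cannot undo a force
show_outcome "later chmod 777, security mask 0744"   0777 0744 0000   # 0744
show_outcome "MISCONFIGURED: force create mode 0666" 0666 0744 0666   # 0666: every new file world-writable
```

The last line is the case to check for when reviewing a share: a force mode sets bits unconditionally, so a force value with the world-write bit makes every new file world-writable regardless of how restrictive the mask is.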

Log options

  • http://www.samba.org/samba/docs/using_samba/ch12.html recommends log level <= 2 (connections logged, individual file accesses not) for performance.
  • increase the size/retention of logfiles for auditing
    • cron job to rename and compress log files
    • consider forwarding logs via syslog to another machine to reduce the performance cost on the file server
  • separate folders for different classes of machines (sre srtl rtl other) via "include ="

List SMB login/logout by user

  • Find all recent logfiles about external share connections for user UUU:
      cd /var/log/samba && find . -maxdepth 1 -mtime -1 -type f \( -not -name 'log.sre*' -a -not -name 'log.fast*' -a -not -name 'log\.10\.80\.50.*' \) -print0 | xargs -0 grep -ci UUU | grep -v ":0"
  • List the last 100 login and logout records in file FFF (files are named by the client's self-reported PC name):
      smblog.pl FFF | egrep 'Checking password|sam authentication for user|connect to service|closed connection to service' | tail -100
  • 2018-02-21 smb-grep.pl reformats the pairs of lines in /var/log/samba into single records, allowing searching
    • Ex: search for activity by testuser1 in February 2018 from SRE23:
      cd /var/log/samba; smb-grep.pl -Hn -e '^2018/02.*testuser1' /var/log/samba/log.10.80.50.123
    • Ex: search SMB access to Fraser from SRE VPN-connected machines:
      smb-grep.pl -Hn -e '2019/10/1.*pteckle' log.10.80.15.*
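smblog.pl and smb-grep.pl are the site's own tools and are not shown on this page. As an added example (not the wiki's or Samba's code), the following script does the same job in awk and grep: Samba writes each log record as a "[timestamp, level] source" header line followed by an indented message line, so a plain grep for a user or date sees only half of each record; joining the pairs first makes the searches above work on one line per record. The sample log is constructed for this example in the shape of a Samba 3 level-2 log; the exact header format varies between versions.

```shell
#!/bin/sh
# Added example, not from the wiki page: a stand-in for the site's own
# smblog.pl / smb-grep.pl. smb_join_pairs glues each header/message pair
# back into one "YYYY/MM/DD HH:MM:SS message" line; smb_session_records
# keeps only the authentication, connect and close records the wiki lists
# and filters them with an egrep pattern.

smb_join_pairs() {
    # Usage: smb_join_pairs LOGFILE...
    awk '
        /^\[/ {                              # header: keep the timestamp only
            ts = $0
            sub(/^\[/, "", ts); sub(/,.*$/, "", ts)
            sub(/\.[0-9]+$/, "", ts)         # drop microseconds when present
            next
        }
        /^[ \t]/ && ts != "" {               # indented message: emit joined record
            msg = $0; sub(/^[ \t]+/, "", msg)
            print ts " " msg
            ts = ""
        }
    ' "$@"
}

smb_session_records() {
    # Usage: smb_session_records LOGFILE [EGREP_PATTERN]
    # Patterns such as '^2018/02.*testuser1' or 'closed connection' work as
    # with smb-grep.pl above. Note that close records carry the machine and
    # share but not the user, so a per-user search will not list them.
    file=$1
    pattern=${2:-.}
    smb_join_pairs "$file" \
      | grep -E 'Checking password|sam authentication for user|connect to service|closed connection to service' \
      | grep -E -- "$pattern"
}

# Constructed sample log: one SRE client, two users, two shares, plus a
# level-3 per-file line that the session filter is expected to drop.
SMB_SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SMB_SAMPLE_LOG"' EXIT
cat > "$SMB_SAMPLE_LOG" <<'EOF'
[2018/02/21 09:10:11.123456,  2] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [POP]\[testuser1]@[SRE23] with the new password interface
[2018/02/21 09:10:11.234567,  2] auth/auth.c:268(check_ntlm_password)
  check_ntlm_password: sam authentication for user [testuser1] succeeded
[2018/02/21 09:10:12.000000,  2] smbd/service.c:1035(make_connection_snum)
  sre23 (10.80.50.123) connect to service sre initially as user testuser1 (uid=1001, gid=1001) (pid 4321)
[2018/02/21 09:10:12.500000,  3] smbd/dosmode.c:140(unix_mode)
  unix_mode(report.txt) returning 0644
[2018/02/21 10:05:45.000000,  2] smbd/service.c:1035(make_connection_snum)
  sre23 (10.80.50.123) connect to service data initially as user testuser2 (uid=1002, gid=1002) (pid 4399)
[2018/02/21 11:30:00.000000,  2] smbd/service.c:1244(close_cnum)
  sre23 (10.80.50.123) closed connection to service sre
[2018/02/21 11:31:00.000000,  2] smbd/service.c:1244(close_cnum)
  sre23 (10.80.50.123) closed connection to service data
EOF

# Usage mirroring the wiki's smb-grep.pl example: activity by testuser1 in February 2018
smb_session_records "$SMB_SAMPLE_LOG" '^2018/02.*testuser1'
```

Run against a real file, `smb_session_records /var/log/samba/log.10.80.50.123 '^2018/02.*testuser1'` gives the same three-record view as the smb-grep.pl example; to pair a user's connects with their closes, search by machine name or share instead, since the close records do not name the user.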

Misc options

  • "browseable = no" for SRT SRTL RTL to reduce exploration by users
  • more "hide files", e.g. .scripts .logins
  • restrict access from the wrong network with a per-share "hosts allow":
    • [sre] ... hosts allow = 10.80.50.128/25 (help*=10.80.50.181-...184; fast*=10.80.50.191-...197; sre*=10.80.50.201-...242)
    • [rtl] ... hosts allow = 10.80.52.128/25 (rtl*=10.80.52.201-...210)
    • [srtl] ... hosts allow = 10.80.54.128/25 (srtl*=10.80.54.201-...208)
  • "preexec" can run a command at each connection (ex: root preexec = /bin/echo %u at %m connected to //%L/%S on %T >>/tmp/smblogin)
    • prefix "root " to run the command as root instead of the connecting user
    • "preexec close = yes" so that a non-zero exit status from the preexec script closes the connection.
  • "postexec" runs a command after disconnecting
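The inline /bin/echo above works, but a client-chosen machine name (%m) goes into the record unfiltered and a failed write is silently ignored. The script below is an added example, not code from the wiki or from Samba, of a "root preexec" target that writes one fixed-format record per connection and returns non-zero when it cannot, so that with "preexec close = yes" a connection that cannot be audited is refused. The script path /usr/local/sbin/smb-connect-log.sh, the log file name and the server name popfs used in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: a script to hang off "root preexec"
# together with "preexec close = yes". The smb.conf lines would be
#     root preexec = /usr/local/sbin/smb-connect-log.sh %u %m %I %S %L
#     preexec close = yes
# (the script path and name are assumptions; %u %m %I %S %L are Samba's
# user, client NetBIOS name, client IP, share and server-name substitutions).
# Pair it with "chattr +a" on the log file: appends still work, truncation
# and in-place edits do not.

SMB_CONNECT_LOG=${SMB_CONNECT_LOG:-/var/log/samba/connections.log}

# Keep only characters safe for a one-line record; anything else (spaces,
# newlines, tabs, shell metacharacters) becomes '?', so a crafted client
# name cannot inject a second record or break the tab-separated layout.
smb_sanitize() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._$-' '?'
}

smb_connect_record() {
    # $1=%u user  $2=%m client name  $3=%I client IP  $4=%S share  $5=%L server
    # Returns 0 after appending a record, 1 if it could not be appended
    # (missing directory, full disk, immutable file, ...).
    stamp=$(date -u '+%Y/%m/%d %H:%M:%S')
    printf '%s\t%s\t%s\t%s\t//%s/%s\n' \
        "$stamp" "$(smb_sanitize "$1")" "$(smb_sanitize "$2")" \
        "$(smb_sanitize "$3")" "$(smb_sanitize "$5")" "$(smb_sanitize "$4")" \
        >> "$SMB_CONNECT_LOG" 2>/dev/null || return 1
}

# When smbd invokes the script with its five substituted arguments, record
# the connection and pass the status back so "preexec close" can act on it.
if [ "$#" -eq 5 ]; then
    smb_connect_record "$@"
    exit $?
fi
```

Each record is "timestamp, user, client name, client IP, //server/share" separated by tabs, which is easy to feed to cut or awk for the per-user listings described above.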

Other ways to set permissions

Logged in to srtl, in folder srtl\phda-03\SUBMIT\:

  • icacls testuser1-phda-03\* (display permissions)
  • icacls testuser1-phda-03\* /grant:r Everyone:(R) (replace Everyone's existing permissions with "read")
  • icacls testuser1-phda-03\* /remove Everyone (remove all permissions for Everyone)