Paranoid Penguin - Samba Security, Part II
The last task we've got space for this month is setting up our user accounts, and there are four steps:
Create the accounts under Linux.
Assign those accounts Linux passwords.
Create Samba password database entries for each.
Have the users change their Samba passwords.
Step one is to use whatever method you usually use to create user accounts on your system—either by using your system administration GUI of choice (such as GNOME's Users and Groups applet) or via the commands useradd, userdel and so forth.
For example, to create Pepe's account, I could use the following command. Note the sudo, necessary for Ubuntu. On other distributions, su to root before executing these commands, and omit the sudo that each begins with here:
bash-$ sudo useradd -c "Pepe" -m -g users pepe
This creates the user account pepe with the comment Pepe, automatically creates a home directory (/home/pepe) and assigns it to the group users. To be extra paranoid, you could insert the string -s /bin/false after -g users, which will disable normal Linux logins for Pepe's account, making it useless for anything other than Samba access.
Step two is to set each user's Linux password, like this:
bash-$ sudo passwd pepe
Obviously, you need to communicate whatever password you set here to Pepe in a secure fashion, and Pepe will need to change this password to something you don't know. (But that part happens in step four.)
Step three is to use the smbpasswd command to create each user's Samba password database entry, like so:
bash-$ sudo smbpasswd -a pepe
You'll be prompted to set and confirm Pepe's Samba password, after which the new account will be added. It's probably a good idea to use the same initial password here that you used in step two.
Finally, you'll want Pepe to log in to the system (assuming you didn't set his shell to /bin/false) and issue the following command:
Pepe will be prompted for his old password, his new password and confirmation of his new password. Assuming all three of those are good, Samba will change both Pepe's Samba password and his Linux password accordingly. Note that this synchronization does not occur when you create a new Samba password entry as root, using the -a flag.
If Pepe has an invalid shell, such as /bin/false, you'll have to let him sit at your console while you type the command sudo smbpasswd pepe, and then turn your back while he changes his password. You'll then need to do the same thing with the command sudo passwd pepe, because Samba does not synchronize Linux/UNIX passwords if you execute smbpasswd as root.
Regenerating smb.conf in Debian/Ubuntu
What if, in the process of tinkering with your Samba configuration, you so completely lose track of what you've changed versus what you started with that you want to begin again with the default /etc/samba/smb.conf file? And, what if you failed to create a backup copy of smb.conf before you changed it?
You might think Swat could do this. Swat has default buttons next to each configuration option. Clicking a default button is supposed to replace your custom value with the value from the default smb.conf file included with Samba. However, in my own experience, the behavior of these buttons is erratic. Sometimes null values are (incorrectly) returned, and clicking the default button for every option is time consuming anyhow.
My advice is that if you're using Debian or one of its derivatives, such as Ubuntu, and you need a fresh smb.conf file, you should completely un-install the package samba-common, and then re-install it. (This also will result in things that depend on samba-common to be un-installed, so note which packages you'll need to re-install after you've restored samba-common.)
In between removing and re-installing samba-common, you may want to check /etc/samba to make sure smb.conf is truly gone, and delete it if it isn't.
We've specified our usage scenario, set up some basic global settings using Swat and started adding users. Next month, we'll create the actual shares, but if you can't wait until then, you'll have no problem figuring out how using Swat's ample documentation. The “Official Samba 3.2.x HOWTO and Reference Guide” (see Resources) also may help. Have fun, and be safe!
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- Stunnel Security for Oracle
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- SourceClear Open
- SUSE LLC's SUSE Manager
- Managing Linux Using Puppet
- My +1 Sword of Productivity
- Google's SwiftShader Released
- Parsing an RSS News Feed with a Bash Script
- Non-Linux FOSS: Caffeine!
- SuperTuxKart 0.9.2 Released