Samba server для windows xp

ntlm auth = yes
server min protocol = NT1

( 6 оценок, среднее 4.83 из 5 )

С выходом самбы 4.2 поменялись настройки безопасности, которые идут по умолчанию из коробки. В частности, в дефолтной версии отключена поддержка старого протокола аутентификации для защиты от MTM-атак (человек по середине).
В результате этого старые ОС (Windows XP и похожего срока древности) не могут аутентифицироваться и работать с windows-шарами под samba. Тем не менее, кое-где ещё используются такие динозавры, поэтому нужно включить в самбе старый протокол и не бояться MTM.

Вот что пишут в apt-listchanges к пакету:

Suggested further improvements after patching:

It is recommended that administrators set these additional options,
if compatible with their network environment:

server signing = mandatory
ntlm auth = no

Without «server signing = mandatory», Man in the Middle attacks
are still possible against our file server and
classic/NT4-like/Samba3 Domain controller. (It is now enforced on
Samba’s AD DC.) Note that this has heavy impact on the file server
performance, so you need to decide between performance and
security. These Man in the Middle attacks for smb file servers are
well known for decades.

Without «ntlm auth = no», there may still be clients not using
NTLMv2, and these observed passwords may be brute-forced easily using
cloud-computing resources or rainbow tables.

Из некоторого анализа новых фич и изменённых настроек становится ясно, что включается поддержка нужного протокола одной строчкой global-секции:

        ntlm auth = no

которая позволяет аутентифицироваться и работать старым ОС, при этом понижая общую безопасность.

Samba Server Configuration — Simple

Note: There is another Network Share via Samba Tutorial at the following community wiki page: How to Create a Network Share Via Samba Via CLI (Command-line interface/Linux Terminal) — A Differing Procedure. That tutorial focuses on using the CLI and its procedure differs from the procedure documented in this wiki page.

Note: For Ubuntu 8.04 (Hardy) and later, shared directories are created directly from the directory. Browse to the location of the directory you would like to share, right-click the directory, and choose Sharing Options. Click the «Share this folder«.

The shares are defined in the background using the «net usershare» command and the definitions are saved in /var/lib/samba/usershares/ . Therefore, shares defined with this method are not visible in smb.conf.

This section should allow you to «quick start» SMB shares between Ubuntu and either Ubuntu or Windows servers. The GUI method is easier to work with because:

1. Shares are Public (browsable in Network Places)
2. A password is not set for shares (they can be mounted by anyone).

However, remember that this is less secure.

Be warned you are installing a service (server) and you may wish to install a Firewall management utility to help prevent undesired access. See also the manual configuration sections below to learn how to «hide» your shares from browsing and set a password for access.

Ubuntu Server

This section enables Ubuntu as a samba file server.

Sharing a directory

To share a directory you must have permission to access the directory. Go to your home directory ( Places → Home directory). Right click on the «Documents» directory and in the pop up menu select «Share Folder».

If samba is not installed, you will get a pop-up menu «Sharing services are not installed». Select «Install Windows networks support (SMB)» and deselect «Install Unix networks support (NFS)» → then click «Install services».

If you get an error message that the samba .deb could not be found, open a terminal and update apt-get.

sudo apt-get update

Try again and Ubuntu will download and install samba. Right click on the «Documents» directory and in the pop-up menu select «Share Folder». You will get a pop up menu «Share Folder». Select «Windows networks (SMB)» in the pull down menu and give your share a name in the «Name» box. Unselect the «Read only» check box if you want read/write access to the share. Click the «Share» button.

Windows XP Server

This section enables Windows XP as a samba file server.

Sharing a directory

1. On the Windows server, browse in explorer («My Computer») to the location of the directory you wish to share (C:\Documents and Settings for example). Next right click on the directory to share and select «Sharing and Security…». In the pop-up dialog box click the «Sharing» tab. Click the «Network Setup Wizard» to configure your network to allow shares. Work your way through the wizard. Note the default workgroup is MSHOME. You may change this value if you like but all your computers should be in the same workgroup. Eventually you will be given the option to «Turn on file and printer sharing». This is the option you want, continue with the network wizard. You will have to restart your computer for the settings to take effect -> Restart Windows.

2. After rebooting, again open explorer («My Computer») and navigate to the directory you wish to share. Again right click on the directory and select «Sharing and Security…». In the pop-up dialog box click the «Sharing» tab. In the «Network sharing and security» box, tic (select with the mouse) the «Share this folder on the network» box. Give the directory a share name. This will give read only access to Ubuntu computers via samba. To allow read/write access tic (select with the mouse) the «Allow network users to change my files» box. Click the «Apply» button and close the dialog box.

Samba Server Configuration by GUI

There are a few graphical tools available that offer more flexibility than the «Sharing Options» in the Nautilus context menu.

A fairly comprehensive graphical Samba configuration tool is available for KDE, by installing the «kdenetwork-filesharing» package. After install, you can find it by launching the KDE Control Center. (Alt-F2 and then type kcontrol). Browse to Internet & Network > Samba.

For Gnome, the package system-config-samba is convenient. Once installed, launch System — Administration — Samba. (Shares created using the «Sharing options» context menu will not be visible in this tool.)

A less friendly but also graphical tool is Swat, a web-based interface.

Samba Server Configuration in terminal

Configuration is performed by reading and editing /etc/samba/smb.conf, the configuration file for the samba server.

The following tips show how to do some basic things without installing additional software, using the command line. It is not difficult, just be careful with typos.

First open a terminal: Applications > System Tools > Terminal and open the file smb.conf

sudo nano -w /etc/samba/smb.conf

How to Save: To save in nano use «CTRL-O», then «CTRL-X».

Tip: Replacing sudo nano with gksudo gedit gives you a nice graphical editor.

The file *smb.conf* is divided in several sections:

Global Settings
Debugging/Accounting
Authentication
Printing
File sharing
Misc
Share Definitions

Comments may start with either a # or a ;

Global Settings

Let’s start with Global Settings. Here you will see several lines, which you can also see in the graphical networktool like workgroup and wins server. If you changed everything to your liking already then you can skip this section, if not change to what you need. If you do not know what items mean, leave them be and read the relevant part in the real Samba-howto instead of randomly changing them. It will save you trouble-shooting later.

File Sharing (Basics)

The important part for us is File sharing. Samba shares are named in brackets, [ ], and configured by adding options in the lines that follow. Most options are boolean (yes / no).

We need to change:

[homes]
comment = Home Directories
browseable = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
  writable = no

This describes your /home directory. Usually you want to share this directory in a home environment, because these are the files you want to share. To do so, make the following changes:

[homes]
comment = Home Directories
browseable = yes

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = no

This finishes sharing your /home directory. The last thing we need to do is fixing a user.

Add users who can access your shares with the ‘smbpasswd’ command.

sudo  smbpasswd -a username

New SMB password:
Retype new SMB password:
Added user username.

sudo smbpasswd -e username
Enabled user username.

NOTE: the username used here should be a real user setup on your PC/Server. Reload Samba for every change to users/passwords or ‘smb.conf’

sudo /etc/init.d/samba reload

NOTE: If the above command doesn’t work for you, try:

sudo smbd reload

That’s the basis of Samba file-sharing. Please leave your comments about what else is needed here.

• — Can/should the SMB password be different from the user’s system password? MartinSpacek — 2007-11-19

File Sharing (Advanced)

We started with the base of Samba file-sharing. The above-mentioned items should be enough to get you started. Next we will add details that you might or might not need.

If you have more than one network card

If you have more than one network card (or interface) then you have to define where you want Samba to run. In smb.conf under the [global] section, add:

interfaces = 127.0.0.1, 192.168.0.31/24
bind interfaces only = yes

The first address (127.0.0.1), is a loopback network connection (it’s your own machine). The second address (192.168.0.31), is the address of the card you want Samba to run on, the second number (24) is the subnet default for a CLASS-C network. It may vary depending on your network.

With «bind interfaces only» you limit which interfaces on a machine will serve SMB requests.

You can limit which IP address can connect to your Samba server adding these lines:

hosts allow = 127.0.0.1, 192.168.0.31, 192.168.0.32
hosts deny = 0.0.0.0/0

The loopback address must be present in the first line. The second line deny access from all IP address not in the first line.

Private and public shares in same config

First you’ll want to set this up in the [global] section of your smb.conf

[global]
        security = user
        encrypt passwords = true
        map to guest = bad user
        guest account = nobody

security = user restricts logins to users on your server. encrypt passwords = true is necessary for most modern versions of Windows to login to your shares. map to guest = bad user will map login attempts with bad user names to the guest account you specify with guest account = nobody. That is, if you attempt to login to the share with a user name not set up with smbpasswd the you will be logged in as the user nobody.

Next the private share

[private]
        comment = Private Share
        path = /path/to/share/point
        browseable = no
        read only = no

If browseable is set to no the share will not show up on graphical browsers such a «My Network Places» on Windows or Places -> Network on Ubuntu.

path is the path to the directory that you want to share out. browseable = no will have the share not show up when users browse the network. read only = no will let you, as an authenticated user, write to the share.

Finally, the public share

[public]
        comment = Public Share
        path = /path/to/share/point
        read only = no
        guest only = yes
        guest ok = yes

Again, path is the path to the directory that you want to share out. read only = no will allow users to write to this share. guest only = yes and guest ok = yes will allow guest logins and also force users to login as guests. The user you specified with guest account in the [global] section must have write permissions on /path/to/share/point in order to write files to the share.

Note: When Windows attempts to access a SMB share it will use the current Windows user name and password. The map to guest = bad user trick above allows access to the public share only if you give Samba an incorrect user name. If you give it a valid user name, but a bad password, the login will fail and Windows will give you a password prompt when you try to access the share. If you have the same user name for your Windows machine and your Ubuntu machine, you could be unwittingly giving the Samba server a valid user name, but invalid password. To resolve this you will either have to change the Windows user name, or to remove that user name from the Samba password file with sudo smbpasswd -x [username].

Note: The above uses security = user. To access the private shares you will have to make sure the user exists in smbpasswd. These users must also already exist as normal users on your machine. You add users to smbpasswd simply by running sudo smbpasswd -a [username] and giving a password.

Setting permissions

To set permissions of newly created documents / files edit /etc/samba/smb.conf and in the [global] section add :

create mask = 0644
directory mask = 0755

---

CategoryNetworking

Okay, let’s move on with the Server management series. This time we’ll learn how to make a Windows XP server join a SAMBA domain name server.

Print these instructions out and post them on a wall or a bulletin board in your office. If you have a sizable park of Windows computers to manage, learn them by heart. They may be very useful to you in the near future.

These instructions work if you’re running a SAMBA domain server on Linux or any other UNIX, and your domain server is not using LDAP services to store SAM information, but the standard SAMBA TDB files.

Three steps are all that’s required, if you have a properly configured SAMBA server (regrettably, out of the scope of this 5-minute topic).

Add the machine account on the server

Okay, time to do this. As root, on the console, add a UNIX user account, with the following command:

[root@amauta2 ~]# /usr/sbin/useradd 'machinename$'

That should create a UNIX user account that, by default, has a disabled password. So it won’t be useable as an interactive shell or graphical login account. But, anyways, remember to replace machinename with the machine name you intend to set on the XP computer. Do note that the useradd command may be on a different directory than /usr/sbin on your computer.

Please note that the single quotes are relevant. Otherwise, they would be unprotected by the shell’s variable replacing tendency.

Now run the following command:

[root@amauta2 ~]# smbpasswd -ma 'machinename'

This command actually creates the machine account on the SAMBA server.

Disable RequireSignOrSeal

According to a contributor, you can skip this step if you’re using SAMBA 3 or higher. But if you aren’t, then it’s time to disable a setting that makes Windows XP complain when attempting to join a SAMBA domain. The famed RequireSignOrSeal.

Physically go to the Windows XP computer. Log on using an administrative account (Administrator comes to mind) on the local machine. Open the Registry editor (regedit.exe). Now open the key named:

My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

You’ll see, on the right pane, a key named requiresignorseal. Double-click it and set the value data to 0. If it doesn’t exist, create a key named requiresignorseal of type REG_DWORD and set it to 0.

Now, that machine is ready to join the SAMBA domain.

Configure the machine to join the domain

Open the Properties tab of My Computer. Click the Computer Name tab, and click the Change button.

The computer name should be the same as the name of the machine account you created in the first step. On the Member of: group, click Domain, and type the domain name you’ve configured in the SAMBA server.

Click OK. A password prompt will surprise you. Enter the root user name and the root password of the SAMBA server, and hit OK. In the few moments after you’ve hit OK, Windows XP and SAMBA will be negotiating the process of joining the domain.

f everything went OK, you’ll see a Welcome to the XYZ domain popup. If something went wrong, you’ll have a hard time figuring out what went wrong; the first place to go is the SAMBA log file.

Conclusions

Okay, that’s it. You’ve successfully integrated one of the most pervasive unfree software packages to your trusty SAMBA server.

These instructions are bound to change in the future, as the SAMBA team continues to move aggresively towards LDAP. But, in the meantime, for small- to medium-sized businesses, the ideal SAMBA setup won’t be needing LDAP magic anytime.

In case you want more information on the subject, there’s always the Windows XP section of the SAMBA Client configuration HOWTO. That’s all for today. Happy hacking!

Setting Up A Samba Server with Windows XP Clients

First Setting up the Samba Server:

1) For setting up samba server configure smb.conf file which is usually found under /etc/samba/ directory.

Notes: After changing smb.conf always restart the samba server

Commands to be used:
./smbd stop
./smbd start

2) Changes to be done in the smb.conf file are
Notes:
a) Whenever you modify this file you should run the command «testparm» to check that you have not made any basic syntactic errors.
b) Read the smb.conf man page to understand the various parts of the file

In the Global section [global] the significant entries are:

[global]
logon drive = p: // Here you can set the drive letter
encrypt passwords = yes

/* To allow only specific hosts who can connect to server below entry is used make sure localhost is added */

hosts allow = IP-address, 127.0.0.1/255.255.255.0

logon home = \\netbiosname\%U // home directories will be mounted as the user logs on.

passwd program = /usr/bin/passwd %u

wins support = yes //Enable the windows support
dns proxy = no

netbios name = wealhtheow //Set the netbiosname

netbios aliases = rch01 //Set the alias, this is optional

unix password sync = No //Sync the unix passwords
(Samba (actually ‘smbd’) makes use of the file ‘smb.conf’ to know about its configuration. During installation of samba, smb.conf is created in the directory ‘/etc/samba’ by default. But in FreeBSD all the system configuration files are put in the directory /usr/local/etc/. There were two smb.conf files that were existing on this system and therefore a link was created from /etc/samba/smb.conf to the actual file used by FreeBSD which is /usr/local/etc/smb.conf. This was done to make sure that the Samba server uses the correct version of the configuration file. To resolve the passwords problem, the smb.conf file was modified to remove synchronization between the Samba and Unix passwords.)

logon path = \\rch01\profiles\%U // This will tell the server where to place the home directories

workgroup = rch.uky.edu // Workgroup to be used, all clients should have the same workgroup

os level = 64 // set the OS level

// Below entries are important in order to tell that Samba server is the domain controller
domain logons = yes
pam password change = yes
preferred master = yes
domain master = yes
local master = yes

In the [homes] section the following entries are important :

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
read only = no
create mode = 0600
directory mode = 0700

logon home = \\rch01\%U // This tells where is the home directory for the user

hide files = /*.pst/

In the [profiles] section the path variable tells where the profiles are to be placed and make sure the directories are created with right names

[profiles]
create mode = 0600
directory mode = 0700
path = /home/samba/profiles/
profile acls = yes
read only = no
writable = yes

Configuring the Windows XP Client:

Notes : Only Windows XP-Professional Edition can join the Domain, it does not work for WindowsXP-Home Edition.

STEPS:

1) Make sure that the workstation belonged to the same workgroup as the server and have a fixed IP address and hostname assigned.

2) Change the registry entry, run the command regedt32 and do the below
a) RequireSignOrSeal Registry hack

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
«RequireSignOrSeal»=dword:00000000

b) Use the Registry Editor and edit the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CompatibleRUPSecurity to have the DWORD value of 1

3) Use the Group Policy Editor (gpedit.msc) and enable «Computer Configuration\Administrative Templates\System\User Profiles\Do not check for user ownership of Roaming Profile Folders».

4) Go to MyComputer right click Properties. Go to Change and click on Domain and enter the domain-name you want to join. When joining the domain for the First time enter userid as root and give the samba password. Make sure there is an entry for the root in the smbpasswd (samba password) file.

5) Reboot and then the changes will be effective.