Samba quickstart - File Sharing Between Linux and Windows

Windows File Sharing is Insecure

All M$ Windows clients use Server Message Block, SMB, to share files in a local network. SMB is used in most firms that have any Windows computers, because it is easy to install on Windows. Linux is a popular choice for an SMB server, because it can serve more clients with the same hardware.

SMB is inherently insecure. It does not encrypt traffic, so it can only be used in a LAN, relying on the company firewall. Password encryption can be bypassed with widely available programs, such as L0phtCrack. Sharing files on a Windows box opens it to many exploits. Even though it is a lot harder to crack into a Linux box, Samba cannot make SMB secure.

If you are looking for a good way to share files, consider some other options, such as lufs, afs or webdav.

(c) Tero Karvinen

Linux Samba Server Installation and Configuration

Install Samba server and client, start daemon, make it start automatically

yum -y install samba-client samba
/etc/init.d/smb start
chkconfig smb on

If you don't have yum yet, see Yum automated software installation or install the programs manually.

Make a hole in the firewall. Replace with your own ip-number and network mask. You can see your ip-number and mask with ifconfig eth0|grep "inet addr"

iptables -I INPUT 1 -p tcp --source --dport 137:139 -j ACCEPT
iptables -I INPUT 1 -p udp --source --dport 137:139 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

Opening holes for these six ports in the firewall makes it possible to use the server. It does not necessarily mean that you can browse other hosts from your linux server.

The firewall configuration tool provided with Red Hat, lokkit, overwrites your hand-made rules if you run it, so don't use it.

Test first by accessing through the loopback adapter (bypassing the firewall), then with your ip-number (through the holes in the firewall), and finally try file transfer. Use your own ip-number instead of

smbclient -L localhost -U %
ifconfig eth0|grep "inet addr"
smbclient -L -U %

If all went right, you should see something like

$ smbclient -L localhost -U %
added interface ip= bcast= nmask=
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.7a-security-rollup-fix]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       IPC Service (Samba Server)
        ADMIN$         Disk      IPC Service (Samba Server)

        Server               Comment
        ---------            -------
        LOCALHOST            Samba Server

        Workgroup            Master
        ---------            -------

Now you have Samba installed.

Sharing User Home Directories

Let's give a user permission to access his homedir. We must add that user to the Samba users and give him a new Samba password. Don't use your unix passwords here, or your unix security might be lowered to Windows level. Add users as root, replacing tero with the user you want to add.

smbadduser tero:tero

Samba 3 uses smbpasswd -a tero. Because sharing home directories is enabled by default in /etc/samba/smb.conf, tero can access his homedir right away.

smbclient // -U tero%password

smbclient works a lot like any text mode ftp client. If you can see your files with ls, it's working:

added interface ip= bcast= nmask=
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.7a-security-rollup-fix]
smb: \> ls
. D 0 Mon May 19 17:01:54 2003
.. D 0 Mon May 12 15:24:32 2003
.kde DH 0 Fri Apr 18 14:43:03 2003
.bash_logout H 24 Tue Feb 11 15:34:44 2003

Windows Client Configuration

Add your share to a Windows client. Open Start Menu: Programs: Accessories: Command Prompt. Replace with your linux samba server ip-number. The star * in net use means use the first free drive letter. Type your password when asked.

net use * \\\tero /USER:tero

You can see your mounted shares in Windows Explorer or with net use. To unmount the directory, use /DELETE. Drives are automatically mounted on login if they were mounted with /PERSISTENT option. For help, try net help use. There is a graphical interface to mount remote shares too. In Windows Explorer, select Tools: Map Network Drive.

Todo and About this document

This howto was tested with Red Hat 9.0 Shrike.

Notes on browsing Windows network with Linux

Linux as a client for Windows fileshares, including iptables configuration. Maybe this requires opening upper ports for local network, that is 1025 tcp - 65535 tcp and 1025 udp - 65535 udp.

The following configuration allows browsing (smbtree) from a Linux workstation in Helia:

iptables -A INPUT -p tcp --dport 137:139 -j ACCEPT
iptables -A INPUT -p udp --dport 137:139 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p udp --dport 1025:65535 -j ACCEPT

In particular, smbtree does not work without opening the high unprivileged udp ports. Because that is a big hole, it is often smart to use --source ip/mask to limit allowed ip-numbers.

For graphical browsing or a "Network Neighbourhood", use konqueror. Nautilus has not worked too well in my testing.
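
The advice to limit these rules with --source can be checked mechanically. The script below is an added example, not part of the original howto: it reads iptables-save output and lists INPUT ACCEPT rules on the ports this page opens that have no source restriction. The sample ruleset and the 192.0.2.0/24 network are constructed for illustration.

```sh
#!/bin/sh
# Added example: list INPUT ACCEPT rules on SMB-related ports that lack a
# source restriction. Input is iptables-save output on stdin.
# Limitation: rules written with "-m multiport" or "! -s" are not analysed.

# Ports opened on this page: 137-139, 445 and the high UDP range.
SMB_PORTS_RE='--(dport|sport) (137|138|139|445|137:139|1025:65535)( |$)'

audit_smb_rules() {
    # Keep INPUT ACCEPT rules on SMB ports, then drop those with -s/--source.
    grep -E -- '^-A INPUT ' |
    grep -E -- ' -j ACCEPT( |$)' |
    grep -E -- "$SMB_PORTS_RE" |
    grep -Ev -- '(^| )(-s|--source) [0-9]'
}

count_open_rules() {
    # Number of unrestricted SMB rules found on stdin.
    audit_smb_rules | wc -l | tr -d ' '
}

# Constructed sample ruleset in iptables-save format.
# 192.0.2.0/24 is a documentation range standing in for your own LAN.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m udp --dport 1025:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Prints the two unrestricted rules (tcp 445 and udp 1025:65535).
sample_rules | audit_smb_rules
```

On a live server, run it as root with iptables-save piped into audit_smb_rules; every line it prints is a rule that accepts SMB-related traffic from any address.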

Todo: Explain how smb.conf and /etc/init.d/smb start affect browsing from a Linux workstation.

Firewall update 2008-04-11

Leo Tilson sent an improved firewall configuration, which I have not tested yet. Leo says that opening source ports lets you avoid opening high ports.

iptables -t filter -A INPUT -j ACCEPT -p udp --dport 137
iptables -t filter -A INPUT -j ACCEPT -p udp --dport 138
iptables -t filter -A INPUT -j ACCEPT -p tcp --dport 139
iptables -t filter -A INPUT -j ACCEPT -p tcp --dport 445

iptables -t filter -A INPUT -j ACCEPT -p udp --sport 137
iptables -t filter -A INPUT -j ACCEPT -p udp --sport 138
