Virtualbox – samba share from linux guest

vboxsf sharing from virtualbox host to guest is way too SLOWWWWW.

Might as well get samba running in the linux guest and share it to the host instead.

To do that, you need to:

1. Configure virtualbox to use NAT.

2. Add a second ethernet connection and choose “host only”. To have a host-only adapter appear in the dropdown, you have to create one in the virtualbox menu, not the vm menu. The guest vm should now have 2 ethernet cables.

3. Boot up the vm. It should now have 2 eth interfaces, as in this ifconfig output:


eth1 Link encap:Ethernet HWaddr 08:00:27:2E:6C:AC
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe2e:6cac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10383 errors:0 dropped:0 overruns:0 frame:0
TX packets:6942 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13362425 (12.7 MiB) TX bytes:476652 (465.4 KiB)

eth2 Link encap:Ethernet HWaddr 08:00:27:FD:D4:82
inet addr:192.168.56.101 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fefd:d482/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:249923 errors:0 dropped:0 overruns:0 frame:0
TX packets:162555 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:41877967 (39.9 MiB) TX bytes:132228351 (126.1 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2792 errors:0 dropped:0 overruns:0 frame:0
TX packets:2792 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7643866 (7.2 MiB) TX bytes:7643866 (7.2 MiB)

The host can now connect to the guest samba share using 192.168.56.101 (the host-only address, eth2 above).

Installing SVN on a samba shared drive in mac

1. Configure the samba share in linux. It needs to have the “delete readonly = yes” line; if not, you will get permission errors on .svn/entries when checking out projects in mac. So we need something like this:

[homes]
        comment = LAM IT Home Directories
        browseable = no
        writable = yes
        # creation mode depends on you really
        force create mode = 0660
        force directory mode = 0770
        # add new option to fix samba share on mac
        delete readonly = yes

Restart the samba server.

2. Download the mac svn client from http://scplugin.tigris.org and install it (you might want to read the installation instructions). This is the best free mac svn client, I think.

3. In mac, go->connect and type in the samba server address, ie something like smb://xxx

4. In finder, you should now be able to right click on any folder and check out (finder->more->subversion->checkout).

That’s it.

Setting Up A Secure Linux Authentication Server Quickly (LDAP + TLS + SAMBA)

Just like microsoft active directory, having a centralised authentication server in linux is important especially when you have more than one server or service to manage. Just imagine each service (ssh, samba, httpd…etc) has its own user database… Sooner or later, you will find managing users very difficult. A simple task like deleting a user could be daunting. Ideally, we want to have a common authenticating mechanism for all services and machines in the network. Most importantly, we need to do it securely.

Unfortunately, doing it in linux is far from easy. That is why the task is usually left to the enterprise experts. Linux traditionally uses NIS, but there is a strong preference for LDAP over NIS nowadays because LDAP has better support for encryption, ie the wrong party cannot decipher or decrypt the data sent over the network.

There are a few LDAP implementations available in the market, but I still find good LDAP documentation lacking in general. The steep learning curve and complicated command line syntax scare people away. Very often, sys admins have to search high and low to find the right answers. There have been good attempts recently to make everything more user friendly though – check out the Redhat Directory Server (thank you redhat). Something else worth mentioning is another integrated solution – FreeIPA. If you are using Centos, the Directory Server package (centos-ds) is available in the c5-testing repository.

The openldap project is a stable LDAP implementation that has been around for a while. I have been using it and like it very much. I know how intimidating LDAP can be for beginners and therefore I wanted to write a tutorial on it. The recent low-key business period gave me a good chance to come up with something. The objective of this tutorial is to set up an openLDAP authentication server as quickly as possible. I will not go into the details of how LDAP works but will provide the relevant configuration parameters. If you are interested in the details, I have provided some good links at the end of the tutorial. This tutorial does assume that you know a bit of linux, are comfortable with the command line and have basic networking concepts. I am using Centos but the process should be similar across other linux distros. If you have a firewall and selinux turned on, I suggest turning them off during the setup and turning them back on later once you have everything working. If you follow the instructions correctly, you should have a secure authentication server within a short time. Enough of the story, let us start.

Scenario

Imagine we have 2 servers, athena.dev and argos.dev. athena.dev is the client and is to authenticate against the LDAP server (argos.dev) via TLS for both ssh and samba (which allows sharing to windows). Both machines are running Centos 5.3. We are going to add a new LDAP user “bernard” from athena.dev. If everything is successful, we should be able to ssh into athena.dev as bernard and access bernard’s home directory from windows as well.

Before we start, make sure that athena.dev and argos.dev resolve to unique IPs. Ideally, you should have a DNS server sitting somewhere in the network. If you find it too complicated to set one up now, just add the IPs to your /etc/hosts file on both machines, ie something like

192.168.1.100 athena.dev
192.168.1.101 argos.dev

Ping the domain and make sure it works.

1. Setup Server (argos.dev)
* As a root user, install from the centos base repo:

yum install openldap-servers openldap-clients nss_ldap

* Edit your /etc/openldap/slapd.conf so that it looks like this

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSCACertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateKeyFile /etc/pki/tls/certs/ldap.pem
TLSClientVerify demand
database        bdb
suffix          "dc=argos,dc=dev"
rootdn          "cn=Manager,dc=argos,dc=dev"
rootpw  {SSHA}3+F6jATchWGLKNtxtc7SlnfVa2NetAWJ
directory       /var/lib/ldap/

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq

* If you are using your own domain name, then your machine's hostname must be a FQDN.
* Update the rootpw field in /etc/openldap/slapd.conf. Paste the {SSHA} hashed passwd from the command below (never put the clear-text password there):

slappasswd
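To see what slappasswd actually produces, here is an added example (not from the tutorial) that builds and verifies an OpenLDAP {SSHA} value the same way: base64 of SHA-1(password + salt) followed by the salt. The rootpw value shown in the slapd.conf above decodes to 24 bytes, ie a 20-byte digest plus a 4-byte salt, which is what ssha_decode splits out.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt).

    slappasswd picks a short random salt, so hashing the same password twice
    gives two different strings. The salt is stored in the clear at the end
    of the value; its job is to defeat precomputed tables, not to be secret."""
    if salt is None:
        salt = os.urandom(4)          # same salt length slappasswd uses by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_decode(stored):
    """Split a stored {SSHA} value into its 20-byte SHA-1 digest and trailing salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]         # a SHA-1 digest is always 20 bytes


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value, the way slapd checks a
    bind against rootpw: recover the salt, re-hash, compare in constant time."""
    digest, salt = ssha_decode(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = ssha_hash("example-only")     # constructed password, not the one from the page
    print(h, ssha_verify("example-only", h))
```

Because the salt is random, you cannot compare two slappasswd outputs to check they are the same password; verify against the hash instead.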

* Use the sample ldap database

cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG

* The next task is to create a quick self-signed certificate.

cd /etc/pki/tls/certs/
make ldap.pem
chown ldap:ldap ldap.pem

(Enter defaults for all questions except the common name/hostname. You need to use a FQDN, ie argos.dev in this case.)

* We need to extract just the certificate part of ldap.pem for the clients. ldap.pem also contains the private key, and that part must stay on the server:

grep -A 100 CERTIFICATE ldap.pem > client.pem

2. Setup Client (athena.dev)

* As a root user, install the required packages. You will need the rpmforge repo for smbldap-tools.

yum install openldap-clients nss_ldap samba smbldap-tools --enablerepo=rpmforge

* In command line, configure the authentication settings

authconfig-tui
// check "use LDAP" and "USE LDAP AUTHENTICATION", then "NEXT"
// check "Use TLS". For server, "ldap://argos.dev/", BASE DN: dc=argos,dc=dev

(The authconfig-tui command actually does a few more things in the backend, like configuring nsswitch.conf and the pam settings, but we will skip them for now to avoid confusion.)

* Copy the client certificate over to athena.dev

scp root@argos.dev:/etc/pki/tls/certs/client.pem /etc/openldap/cacerts

* Edit your /etc/ldap.conf file. Towards the end of the file, it should look something like this:

uri ldap://argos.dev/
tls_cacert /etc/openldap/cacerts/client.pem
ssl start_tls

* Edit /etc/openldap/ldap.conf. Your file should be something like this:

URI ldap://argos.dev/
BASE dc=argos,dc=dev
TLS_CACERT /etc/openldap/cacerts/client.pem

* We now need to copy the samba LDAP schema over to argos.dev (slapd.conf above includes it, so slapd will not start without it)

scp /usr/share/doc/samba-3.0.33/LDAP/samba.schema root@argos.dev:/etc/openldap/schema

* In argos.dev, start ldap if not already done and turn it on by default

service ldap start
chkconfig ldap on

* Back to athena.dev. Next configure /etc/smbldap-tools/smbldap_bind.conf. You can copy and paste this whole lot:

slaveDN="cn=Manager,dc=argos,dc=dev"
slavePw="your_password"
masterDN="cn=Manager,dc=argos,dc=dev"
masterPw="your_password"

* configure /etc/smbldap-tools/smbldap.conf. You can copy and paste this whole lot:

sambaDomain="PDC-SRV"
slaveLDAP="argos.dev"
slavePort="389"
masterLDAP="argos.dev"
masterPort="389"
ldapTLS="1"
ldapSSL="0"
verify="require"
cafile="/etc/openldap/cacerts/client.pem"
suffix="dc=argos,dc=dev"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="999999"
userSmbHome=""
userProfile=""
userHomeDrive="H:"
userScript="%U.bat"
mailDomain="argos.dev"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

(Tip: I modified these files from the originals. You might want to make a backup first.)

* Do a quick test and check that ldap is working correctly. If it is not working, look at the troubleshoot section near the end of the tutorial.

ldapsearch -x
// You should see an empty db. It shouldn't throw any error.

* If everything looks OK, let us populate the LDAP db using the magic of smbldap-tools

smbldap-populate
// this command will prompt you to enter the root password.

* Now let us add a user called bernard from athena.dev

// add one test user called bernard
smbldap-useradd -a -m bernard
smbldap-passwd bernard
// This is enough to get things working. If interested, you can add more user details using smbldap-userinfo

* configure /etc/samba/smb.conf to something like this. I modified the file from /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smb.conf

[global]
   workgroup = IDEALX-NT
   netbios name = PDC-SRV
   security = user
   enable privileges = yes
   server string = Samba Server %v
   encrypt passwords = Yes
   passdb backend = ldapsam:ldap://argos.dev/
   ldap admin dn = cn=Manager,dc=argos,dc=dev
   ldap ssl = start_tls
   ldap suffix = dc=argos,dc=dev
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers

[homes]
   comment = LAM IT Home Directories
   force create mode = 0660 
   force directory mode = 0770
   writable = yes

* restart samba

service smb restart

Time to check your work

If you have been following everything correctly so far, you should have implemented a secure, centrally authenticated system in your network. Congratulations! Time to do some checking:

* In athena.dev, try to login

ssh bernard@localhost

* bernard doesn't exist locally on athena.dev, so the login should authenticate against argos.dev, the ldap server. You can check this using tcpdump. Open up a new terminal and run

tcpdump -i eth0 port ldap -v -X

* You should see the data packets exchange between athena.dev and argos.dev. You shouldn’t be able to decipher anything because it has been encrypted with TLS.
* In windows, try mapping it to the samba share, ie \\athena.dev\homes. You should be in bernard’s home directory after logging in.
* In athena.dev, see the user information using

smbldap-usershow bernard
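tcpdump shows you one connection at a time, but this tutorial has three separate client paths to the LDAP server: nss_ldap/pam_ldap (ssh logins, /etc/ldap.conf), smbldap-tools (binds as Manager, smbldap.conf) and smbd's ldapsam backend (smb.conf). Below is an added checker, not part of the tutorial, that reads those three files and reports any path that would still bind in clear text or skip certificate verification. The sample configs are constructed from the values used above.

```python
# Constructed samples mirroring the three client-side files edited on athena.dev.
LDAP_CONF = "uri ldap://argos.dev/\nbase dc=argos,dc=dev\ntls_cacert /etc/openldap/cacerts/client.pem\nssl start_tls\n"
SMBLDAP_CONF = 'masterLDAP="argos.dev"\nldapTLS="1"\nldapSSL="0"\nverify="require"\ncafile="/etc/openldap/cacerts/client.pem"\n'
SMB_CONF = "[global]\n   passdb backend = ldapsam:ldap://argos.dev/\n   ldap admin dn = cn=Manager,dc=argos,dc=dev\n   ldap ssl = start_tls\n"


def parse_kv(text, sep):
    """Parse key/value lines into a dict with lowercased keys. sep is ' ' for
    ldap.conf ('key value') and '=' for smbldap.conf (key="value") and smb.conf
    ('key = value'). Blank lines, comments and [section] headers are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition(sep)
        conf[key.strip().lower()] = value.strip().strip('"')
    return conf


def check_client_tls(ldap_conf, smbldap_conf, smb_conf):
    """Return a list of findings; an empty list means every LDAP path uses TLS
    (or ldaps) and verifies the server certificate against the copied client.pem."""
    findings = []
    nss = parse_kv(ldap_conf, " ")          # nss_ldap / pam_ldap: ssh logins
    if nss.get("ssl") not in ("start_tls", "on"):
        findings.append("/etc/ldap.conf: 'ssl start_tls' missing, ssh logins send passwords in clear text")
    if not nss.get("tls_cacert"):
        findings.append("/etc/ldap.conf: tls_cacert missing, server certificate cannot be verified")
    tools = parse_kv(smbldap_conf, "=")     # smbldap-useradd/-passwd: bind as Manager
    if tools.get("ldaptls") != "1" and tools.get("ldapssl") != "1":
        findings.append("smbldap.conf: neither ldapTLS nor ldapSSL is 1, Manager password goes in clear text")
    if tools.get("verify") != "require":
        findings.append("smbldap.conf: verify is not 'require', certificate is not checked against cafile")
    if not tools.get("cafile"):
        findings.append("smbldap.conf: cafile missing")
    smb = parse_kv(smb_conf, "=")           # smbd ldapsam backend: ldap admin dn bind
    if smb.get("ldap ssl") not in ("start_tls", "start tls") and \
            not smb.get("passdb backend", "").startswith("ldapsam:ldaps://"):
        findings.append("smb.conf: 'ldap ssl = start_tls' missing and passdb backend is not ldaps://")
    return findings


if __name__ == "__main__":
    print(check_client_tls(LDAP_CONF, SMBLDAP_CONF, SMB_CONF) or "all three LDAP paths are TLS-protected")
```

On a real client, read the three files from disk and pass their contents in; an empty result plus the tcpdump check above covers both the configuration and the wire.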

Troubleshooting and Tips

* Use “tcpdump” to check if your passwd is truly encrypted.
* In argos.dev, you can call the ldap daemon directly to provide more debugging information.

service ldap stop
/usr/sbin/slapd -h ldap:/// -u ldap -d9

* “testparm” is good for debugging the samba config
* To check the samba connection from the command line on athena.dev,

smbclient -L localhost -U user

* Finally, don’t forget to look at the logs, ie /var/log/secure, /var/log/messages, /var/log/samba

* ldap uses port 389 and ldaps uses 636. I used TLS over port 389. You can choose to use ldaps instead, in which case you need to add “ssl on” in /etc/ldap.conf. You can also use the firewall to block port 389 or 636, whichever you are not using. “netstat” is a good command to check whether the correct ports are open or not.

* Other than smbldap-populate, you can use openldap's built-in migration scripts to populate the ldap database quickly, ie the scripts in /usr/share/openldap/migration. Personally, I don’t really like them because they bring in a lot of junk (you can configure them, of course).

* TLS encrypts the passwd on the network. If you like, you can install kerberos as well. There are other benefits to using kerberos.

* If you are using a firewall, remember to turn it back on and open port 389. Port 22 should be open by default.

What’s Next

* You might have noticed that smbldap-useradd tries to create a user dir, ie /home/bernard, on the local machine. This directory will not be accessible from other machines. If this is not desirable, what we need is a global user directory accessible from any machine. To do that, we can change the userHome directive in /etc/smbldap-tools/smbldap.conf to “/home/data/%U”, then NFS share /home/data on the network. If you have selinux or a firewall turned on, you need to make changes to the booleans and ports.

* There are many good ldap management consoles out there. Something with a GUI is a good start. I tried phpldapadmin before; not bad.

* If you are using a web-based management console, add ssl to apache so that we encrypt the console as well.

* If you have password protection for certain web dirs, try to get apache to authenticate against ldap as well. It is not hard. You just need to install the apache ldap module.

Good LDAP + Samba Resource:

I might have left out some details in this tutorial. These resources might help.

* http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
* http://www.openldap.org/doc/admin24/index.html
* http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/
* http://download.gna.org/smbldap-tools/docs/smbldap-tools/
* http://www.nomis52.net/?section=docs&page=samldap

Conclusion

It is definitely confidence boosting to be able to set up a secure ldap server. As a caution, the settings I use here are very generic and suit just this tutorial. If you are doing a live deployment, you will have to tweak the parameters for your own needs. I recommend doing more reading even after getting this working for the first time.

I spent quite a bit of time writing this tutorial. If you do find it useful, please leave a comment and tell the whole world about it!!!

Peace out,

Bernard Peh
18 Sept 2009

mounting samba share and finding samba ip in linux

Following the samba/nfs post from earlier – https://www.azhowto.com/2009/08/07/mounting-file-systems-and-autofs-tips/ – what if we do not know the ip address of the samba server?

If you just have the samba server name, say ri-fnp, smbclient can find it easily for you. Just do

smbclient //ri-fnp/backup -U user -W MYDOMAIN

If you want to mount it, you will need to know the ip address. “findsmb” is useful here:

findsmb

If the hostname does not appear, you need to do an nmblookup, ie

nmblookup ri-fnp

This usually works. Say it resolves to 10.2.115.11; now mount it as you would in fstab

//10.2.115.11/backup /mnt cifs domain=MYDOMAIN,user=xxx,password=xxx 0 0

or if you don’t require it to be persistent, just mount it once in command line

mount -t cifs -o domain=MYDOMAIN,user=xxx,password=xxx //10.2.115.11/backup /mnt

----
As a side note, you don’t need to connect to the samba server via ip. If in your smb.conf you have

netbios name = MY-UBUNTU

under the [global] tag, you can connect via smb://MY-UBUNTU

One quick way to configure a share dir for personal use is:

[projects]
        comment = harley-ubuntu
        path = /home/spdev/projects
        writeable = yes
;       browseable = yes
        valid users = myuser