Standard Reference Material

Mounting UVA's Home Directory Service

Quick Start Instructions for installing a SAMBA server

• Select any PC with 128Meg RAM or more and at least a 5 GB harddrive.
• Perform an installation of RH Linux and when asked to pick between
  • KDE Workstation
  • Gnome Workstation
  • Server
  • Custom
  Pick "Server". Then pick all the default settings. Use a swap partition twice as big as RAM memory. Let the disk be all one partition. Don't add any users during installation. Do not set up X-windows.
• Reboot
• Log in as root. Run ntsysv. Turn off sendmail, ipchains, iptables, ftp rsh, telnet. Turn on sshd and smb and swat. Exit.
• Type
  /etc/rc.d/init.d/xinetd restart
  to put the ntsysv changes into effect.
• Edit the file

  /etc/samba/smb.conf

  Find these lines and change them to suit your needs

     workgroup = mygroup
     netbios  name = myserver
  
     hosts allow = 128.143.XX.   
  ## where XX is your UVA subnet
  
     security = user
  
     encrypt passwords = yes
     smb passwd file = /etc/samba/smbpasswd
  
  [homes]
     comment = Home Directories
     browseable = no
     writable = yes
  
  [netlogon]
     comment = Network Logon Service
     path = /home/netlogon
     guest ok = no
     writable = no
  
  

• Add users
  • Add local users with useradd program
    
    For Example:

    useradd -g 100 -u 1378 -d /home2/rtg2t rtg2t
              
       -g 1-- is group users
       -u 1378 is my uid assigned me by UVA - this is useful so I can mount
          any data on any other UVA unix machines.  Validation is by uid.
          All my unix accounts at UVA have the same uid.
       -d is my home directory
    
       By default, I cannot login to a shell.  My password is undefined.
       If I was granted login access, type:
    
       passwd rtg2t
    
       to assign a password.
    
    

  • Add users as samba users and change their password with the single smbpasswd program. For Example:
    
    smbpasswd -a rtg2t

Windows XP Workstation Setup

• In the [netlogon] share (/home/netlogon) on the Samba server put a file called mapper.bat. It is a DOS file (not a unix file) and will contain commands to map drive letters for Windows machines like:

  net use h: \\myserver\homes 
  net use g: \\myserver\group
  net use f: \\myserver\apps
  

• When the Windows XP pc is set up, copy mapper.bat to c:\winnt.
• Put the Windows XP pc into the same workgroup as the Samba server and turn off the "Computer Browser" service so the Windows XP PC will not try to be the master browser for the workgroup.
• The first time a user logs into a Win XP PC, get them to reset their Windows password to match their samba password. Get them to click on start->run and type "\\myserver\netlogon\mapper" into the command window. It will map their drives and these drive letters will reattach when they login again. Also they can use "My Network Places" to view all the shares on "myserver". Click on the netlogon share and double click on the mapper.bat batch file.
• Complex User Setup
  
  Linux does not have access control lists (ACL's) on the default ext3 file system. H is a SAMBA scheme for mapping the same drive space to three different groups of users.

  
  1. create three different groups in unix (dev, doc, admin)
  
  2. add people to these groups on unix using the groupadd command
  
  3. create shares in /etc/samba/smb.conf
  
  [dev-G]
          comment = G Drive
          path = /group
          read only = no
          create mask = 0770
          directory mask = 0770
          status = No
          volume = G_drive
          browseable = no
          user = @dev
  
  [admin-G]
          comment = G Drive
          path = /group
          read only = yes
          create mask = 0550
          directory mask = 0550
          status = No
          volume = G_drive
          browseable = no
          user = @admin
  
  [doc-G]
          comment = G Drive
          path = /group/doc
          read only = yes
  
  In the netlogon share put this batch file:
  
  if exist admin/admin.bat do admin.bat
  if exist dev/dev.bat do dev.bat
  if exist doc/doc.bat do doc.bat
  
  

  The three directories dev, doc and admin have permission 550 and group ownship by the group. By default, a user is only in one of these groups and therefore only one of the batch files is detected by "if exist" and executed.

  dev.bat has one line
  
  net use g: \\server\dev-g
  
  doc.bat has one line
  
  net use g: \\server\doc-g
  
  admin.bat has one line
  
  net use g: \\server\admin-g
  
  

Adding Samba to IPTABLES

-A FW-IN -s 128.143.0.0/16 -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
-A FW-IN -s 128.143.0.0/16 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A FW-IN -s 128.143.0.0/16 -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT
-A FW-IN -s 128.143.0.0/16 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A FW-IN -s 128.143.0.0/16 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A FW-IN -s 128.143.0.0/16 -m state --state NEW -m udp -p udp --dport 139 -j ACCEPT
-A FW-IN -s 128.143.0.0/16 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A FW-IN -s 128.143.0.0/16 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT

Using Nagios to detect and report login failures

1. use level 2 debugging in the samba.conf file.  This turns on the log entry like

check_ntlm_password: Authentication for user [rtg2t] -> [rtg2t] FAILED with error
NT_STATUS_WRONG_PASSWORD

2. Write a crontab daemon that runs every 5-10 minutes that captures these entries to a log
file.  Nagios plugins are limited to how much grepping they can do in a shell
script.

#!/bin/bash
#
# look for large number of failed username attempts
#
#
grep FAILED /var/log/samba/user.log \ 
    grep _STATUS_WRONG_PASSWORD   > /var/log/samba/failed.log

3. Write your Nagios plugin to process this error file
Below are the shell script and a C program that can be compiled
to do the same thing

#!/bin/bash
#
count=`wc  /var/log/samba/failed.log  | cut -c 6-9`
who=`cut -f2 -d[  /var/log/samba/failed.log|sort|cut -f1 -d] | uniq
echo OK - ${count} login errors by ${who} ${whendate}

if [ $count -gt 10 ]
then
   retcode=1
fi

if [ $count -gt  29 ]
then
   date=`date +%Y.%m.%d.%H.%M`
   cp /var/log/samba/user.log /var/log/samba/failed.${date}.txt
   retcode=2
fi
exit ${retcode}
#
#Eof

======================================
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

#define MAXLINELEN (int)400

int  main( int argc, char *argv[])
{

char instr[MAXLINELEN], *pos1, *pos2, outstr[2000];
int i = 0, retcode=0, warnLevel, critLevel;
FILE *fp;

if (argc < 3)
{
   puts("usage: check_samba_log filename warnLevel CritLevel");
   exit( 3);
}

 warnLevel=atoi( argv[2]);
 critLevel=atoi( argv[3]);


fp = fopen( argv[1],"r");
if (fp == NULL)
{
    printf( "%s %s\n", argv[1], "file not found");
    exit( 1);
}
fgets( instr, 400, fp);


do
{
   if( strlen( instr) > 0)
   {
     pos1 = strstr( instr, "[");
     pos2 = strstr( instr, "]");
   }
   if( pos1 == NULL || pos2 == NULL)
   {
      i = i - 1;
   }
   else
   {
      *pos2 =  '\0';
      strcat( outstr, " ");
      strcat( outstr, pos1+1);
      fgets( instr, 400, fp);
   }
   i++;
} while (feof(fp)== 0);


printf( "OK %s %d\n", outstr, i);
fclose( fp);


if ( i >  warnLevel)
{
  retcode=1;
}

if ( i >  critLevel)
{
 retcode=2;
}

exit( retcode);

}  // main

4. Configure Nagios to email you when it flags a warning (retcode=1).  It
   would be nice if the samba error message included the IP address and the
   MAC address of the miscreant user.

Other Samba info