Lindqvist -- a blog about Linux and Science. Mostly.

Not much to say about this one -- samba/SMB is only one among several linux solutions for sharing files, and probably the easiest one for sharing directories with windows computers. Samba has also been around for about as long as linux, so it has a long and interesting history.

New major versions are always exciting though. Information about Samba 4 can be found here: http://wiki.samba.org/index.php/Samba4

I won't cover configuration here -- partly because I don't know much about it -- so see the link above. To get started you might want to look at this post though: http://verahill.blogspot.com.au/2012/12/300-briefly-sharing-folder-using-samba.html

I also wrote this a long time ago, but haven't checked it for accuracy:
http://verahill.blogspot.com.au/2012/03/building-and-installing-samba-from.html

These instructions will build Samba 4.0.0 with LDAP and Cluster support.
Compilation:

sudo apt-get install build-essential libacl1-dev libattr1-dev libaio-dev libpam0g-dev kfreebsd-headers-9.0-2 libtalloc-dev python-talloc-dev libtevent-dev valgrind libsasl2-dev python2.7-dev libgnutls-dev xsltproc libctdb-dev libldap2-dev libcups2-dev python-ldb-dev ldb-tools libldb-dev checkinstall
mkdir ~/tmp 
cd ~/tmp
wget http://www.samba.org/samba/ftp/stable/samba-4.0.0.tar.gz
tar xvf samba-4.0.0.tar.gz
cd samba-4.0.0/
./configure --prefix=$HOME/.smb4
time make
sudo checkinstall
dpkg -i samba_4.0.0-1_amd64.deb

And you're done.

Takes about 14 minutes to compile. When you run checkinstall and you're asked


Some of the files created by the installation are inside the home directory: /home

You probably don't want them to be included in the package.
Do you want me to list them?  [n]: n
Should I exclude them from the package? (Saying yes is a good idea)  [n]: n

Answer no, you DO want to include them. You're getting this warning because we set a --prefix and the files aren't going to the / structure like normal programs.

The samba daemon, smbd, is in ~/.smb4/sbin/ and the configuration files are in /etc/samba/.

Here's the structure of ~/.smb4:

~/.smb4/
|-- bin
|   |-- cifsdd
|   |-- dbwrap_tool
|   |-- eventlogadm
|   |-- gentest
|   |-- ldbadd
|   |-- ldbdel
|   |-- ldbedit
|   |-- ldbmodify
|   |-- ldbrename
|   |-- ldbsearch
|   |-- locktest
|   |-- masktest
|   |-- ndrdump
|   |-- net
|   |-- nmblookup
|   |-- nmblookup4
|   |-- ntlm_auth
|   |-- oLschema2ldif
|   |-- pdbedit
|   |-- pidl
|   |-- profiles
|   |-- regdiff
|   |-- regpatch
|   |-- regshell
|   |-- regtree
|   |-- rpcclient
|   |-- samba-tool
|   |-- sharesec
|   |-- smbcacls
|   |-- smbclient
|   |-- smbclient4
|   |-- smbcontrol
|   |-- smbcquotas
|   |-- smbget
|   |-- smbpasswd
|   |-- smbspool
|   |-- smbstatus
|   |-- smbta-util
|   |-- smbtorture
|   |-- smbtree
|   |-- testparm
|   `-- wbinfo
|-- etc
|-- include
|   |-- charset.h
|   |-- core
|   |-- credentials.h
|   |-- dcerpc.h
|   |-- dcerpc_server.h
|   |-- dlinklist.h
|   |-- domain_credentials.h
|   |-- gen_ndr
|   |-- gensec.h
|   |-- ldap-util.h
|   |-- ldap_errors.h
|   |-- ldap_message.h
|   |-- ldap_ndr.h
|   |-- ldb_wrap.h
|   |-- libsmbclient.h
|   |-- lookup_sid.h
|   |-- machine_sid.h
|   |-- ndr
|   |-- ndr.h
|   |-- netapi.h
|   |-- param.h
|   |-- passdb.h
|   |-- policy.h
|   |-- read_smb.h
|   |-- registry.h
|   |-- roles.h
|   |-- rpc_common.h
|   |-- samba
|   |-- samba_util.h
|   |-- share.h
|   |-- smb2.h
|   |-- smb2_constants.h
|   |-- smb2_create_blob.h
|   |-- smb2_signing.h
|   |-- smb_cli.h
|   |-- smb_cliraw.h
|   |-- smb_common.h
|   |-- smb_composite.h
|   |-- smb_constants.h
|   |-- smb_ldap.h
|   |-- smb_raw.h
|   |-- smb_raw_interfaces.h
|   |-- smb_raw_signing.h
|   |-- smb_raw_trans2.h
|   |-- smb_request.h
|   |-- smb_seal.h
|   |-- smb_share_modes.h
|   |-- smb_signing.h
|   |-- smb_unix_ext.h
|   |-- smb_util.h
|   |-- smbconf.h
|   |-- smbldap.h
|   |-- tdr.h
|   |-- torture.h
|   |-- tsocket.h
|   |-- tsocket_internal.h
|   |-- util
|   |-- util_ldb.h
|   `-- wbclient.h
|-- lib
|   |-- auth
|   |-- bind9
|   |-- gensec
|   |-- idmap
|   |-- ldb
|   |-- libdcerpc-atsvc.so -> libdcerpc-atsvc.so.0.0.1
|   |-- libdcerpc-atsvc.so.0 -> libdcerpc-atsvc.so.0.0.1
|   |-- libdcerpc-atsvc.so.0.0.1
|   |-- libdcerpc-binding.so -> libdcerpc-binding.so.0.0.1
|   |-- libdcerpc-binding.so.0 -> libdcerpc-binding.so.0.0.1
|   |-- libdcerpc-binding.so.0.0.1
|   |-- libdcerpc-samr.so -> libdcerpc-samr.so.0.0.1
|   |-- libdcerpc-samr.so.0 -> libdcerpc-samr.so.0.0.1
|   |-- libdcerpc-samr.so.0.0.1
|   |-- libdcerpc-server.so -> libdcerpc-server.so.0.0.1
|   |-- libdcerpc-server.so.0 -> libdcerpc-server.so.0.0.1
|   |-- libdcerpc-server.so.0.0.1
|   |-- libdcerpc.so -> libdcerpc.so.0.0.1
|   |-- libdcerpc.so.0 -> libdcerpc.so.0.0.1
|   |-- libdcerpc.so.0.0.1
|   |-- libgensec.so -> libgensec.so.0.0.1
|   |-- libgensec.so.0 -> libgensec.so.0.0.1
|   |-- libgensec.so.0.0.1
|   |-- libndr-krb5pac.so -> libndr-krb5pac.so.0.0.1
|   |-- libndr-krb5pac.so.0 -> libndr-krb5pac.so.0.0.1
|   |-- libndr-krb5pac.so.0.0.1
|   |-- libndr-nbt.so -> libndr-nbt.so.0.0.1
|   |-- libndr-nbt.so.0 -> libndr-nbt.so.0.0.1
|   |-- libndr-nbt.so.0.0.1
|   |-- libndr-standard.so -> libndr-standard.so.0.0.1
|   |-- libndr-standard.so.0 -> libndr-standard.so.0.0.1
|   |-- libndr-standard.so.0.0.1
|   |-- libndr.so -> libndr.so.0.0.1
|   |-- libndr.so.0 -> libndr.so.0.0.1
|   |-- libndr.so.0.0.1
|   |-- libnetapi.so -> libnetapi.so.0
|   |-- libnetapi.so.0
|   |-- libnss_winbind.so -> libnss_winbind.so.2
|   |-- libnss_winbind.so.2
|   |-- libnss_wins.so -> libnss_wins.so.2
|   |-- libnss_wins.so.2
|   |-- libpdb.so -> libpdb.so.0
|   |-- libpdb.so.0
|   |-- libregistry.so -> libregistry.so.0.0.1
|   |-- libregistry.so.0 -> libregistry.so.0.0.1
|   |-- libregistry.so.0.0.1
|   |-- libsamba-credentials.so -> libsamba-credentials.so.0.0.1
|   |-- libsamba-credentials.so.0 -> libsamba-credentials.so.0.0.1
|   |-- libsamba-credentials.so.0.0.1
|   |-- libsamba-hostconfig.so -> libsamba-hostconfig.so.0.0.1
|   |-- libsamba-hostconfig.so.0 -> libsamba-hostconfig.so.0.0.1
|   |-- libsamba-hostconfig.so.0.0.1
|   |-- libsamba-policy.so -> libsamba-policy.so.0.0.1
|   |-- libsamba-policy.so.0 -> libsamba-policy.so.0.0.1
|   |-- libsamba-policy.so.0.0.1
|   |-- libsamba-util.so -> libsamba-util.so.0.0.1
|   |-- libsamba-util.so.0 -> libsamba-util.so.0.0.1
|   |-- libsamba-util.so.0.0.1
|   |-- libsamdb.so -> libsamdb.so.0.0.1
|   |-- libsamdb.so.0 -> libsamdb.so.0.0.1
|   |-- libsamdb.so.0.0.1
|   |-- libsmbclient-raw.so -> libsmbclient-raw.so.0.0.1
|   |-- libsmbclient-raw.so.0 -> libsmbclient-raw.so.0.0.1
|   |-- libsmbclient-raw.so.0.0.1
|   |-- libsmbclient.so -> libsmbclient.so.0.2.0
|   |-- libsmbclient.so.0 -> libsmbclient.so.0.2.0
|   |-- libsmbclient.so.0.2.0
|   |-- libsmbconf.so -> libsmbconf.so.0
|   |-- libsmbconf.so.0
|   |-- libsmbldap.so -> libsmbldap.so.0
|   |-- libsmbldap.so.0
|   |-- libsmbsharemodes.so -> libsmbsharemodes.so.0
|   |-- libsmbsharemodes.so.0
|   |-- libtevent-util.so -> libtevent-util.so.0.0.1
|   |-- libtevent-util.so.0 -> libtevent-util.so.0.0.1
|   |-- libtevent-util.so.0.0.1
|   |-- libtorture.so -> libtorture.so.0.0.1
|   |-- libtorture.so.0 -> libtorture.so.0.0.1
|   |-- libtorture.so.0.0.1
|   |-- libwbclient.so -> libwbclient.so.0.11
|   |-- libwbclient.so.0 -> libwbclient.so.0.11
|   |-- libwbclient.so.0.11
|   |-- mit_samba.so
|   |-- nss_info
|   |-- pkgconfig
|   |-- private
|   |-- process_model
|   |-- python2.7
|   |-- security
|   |-- service
|   |-- vfs
|   `-- winbind_krb5_locator.so
|-- private
|-- sbin
|   |-- nmbd
|   |-- samba
|   |-- samba_dnsupdate
|   |-- samba_kcc
|   |-- samba_spnupdate
|   |-- samba_upgradedns
|   |-- samba_upgradeprovision
|   |-- smbd
|   |-- swat
|   `-- winbindd
|-- share
|   |-- codepages
|   |-- man
|   |-- perl5
|   |-- setup
|   `-- swat
`-- var
    |-- cache
    |-- lib
    |-- lock
    |-- locks
    `-- run

EDIT:
There are plenty of reasons to use chroots, but security is not one of them.

For a practical how-to see e.g
http://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

For a bit of yelling, see
http://yarchive.net/comp/linux/chroot.html

chroot will improve your security by creating an obstacle which may filter out some would-be crackers, but it will not make it secure by any standard. (in spite of what I may have written elsewhere on this blog).

Original post:
I've been using chroot to compile and test stuff so much lately that I figure it was time to automate the process.

Before creating your chroot you'll need a few packages:

sudo apt-get install debootstrap coreutils x11-xserver-utils

The scripts

makechroot.sh

mkdir $HOME/tmp/jail/$1 -p
sudo debootstrap --arch amd64 testing $HOME/tmp/jail/$1 http://ftp.au.debian.org/debian/
sudo cp setupchroot.sh $HOME/tmp/jail/$1/

setupchroot.sh

rm /etc/apt/sources.list
echo 'deb  http://ftp.au.debian.org/debian/ wheezy main contrib non-free' >> /etc/apt/sources.list
apt-get update
apt-get install locales sudo vim
echo 'export LC_ALL="C"'>>/etc/bash.bashrc
echo 'export LANG="C"'>>/etc/bash.bashrc
echo 'export DISPLAY=:0.0' >> /etc/bash.bashrc
echo '127.0.0.1 beryllium >> /etc/hosts'
source /etc/bash.bashrc
adduser sandbox
usermod -g sudo sandbox
echo 'Defaults !tty_tickets' >> /etc/sudoers

launchchroot.sh

xhost +
sudo mount -o bind /proc $1/proc
sudo cp /etc/resolv.conf $1/etc/resolv.conf
sudo chroot $HOME/tmp/jail/$1

How to use
To set up the chroot:

sh makechroot.sh mynewchroot
sudo chroot mynewchroot
root@beryllium:/# sh setupchroot.sh

To use the chroot:

sh launchchroot.sh mynewchroot

Once you're done with the chroot and logged out, do

sudo umount $HOME/tmp/jail/mynewchroot/proc

to unmount the /proc -- you can now delete, copy etc. the directory structure of you chroot.

Pages

12 January 2013

317. Compiling samba 4.0.0 on Debian Testing/Wheezy

11 January 2013

316. Briefly: Automated chroot/sandbox creation

315. Briefly: Compile firefox 18 on debian testing/wheezy

Contributors

Statcounter