WannaCry prevention notes

Few useful PowerShell commands:

Set-SmbServerConfiguration -EnableSMB1Protocol $false - disables smb1

Win7 and earlier: PS v2

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

or to do it via the registry:
To enable or disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

To check SMB version:

PS C:\> Get-SmbConnection

ServerName ShareName UserName Credential Dialect NumOpens
---------- --------- -------- ---------- ------- --------
smb media domain\administrator domain\Administrator 3.00 2

Microsoft source: here


Linux Samba
To disable samba 1 add the following line to the [global] section of the /etc/samba/smb.conf

min protocol = SMB2

then restart the samba service

LINUX – Samba and Windows

I often find myself connecting to shares from  Windows to Linux and vice versa and I keep forgetting the commands – so here it is:

Connecting to a Windows share from Linux:

  • install winbind, cifs-utils and smbclient packages
  • change nsswitch.conf file (add/change this line: hosts: files wins dns ), then restart network
  • to see what shares are available on Windows box:
root@server1# smbclient -L //10.0.0.243 -U username
Enter username's password:
Domain=[contoso] OS=[Windows Server 2008 R2 Datacenter 7601 Service Pack 1] Server=[Windows Server 2008 R2 Datacenter 6.1]

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
share Disk
  • Mount the Windows share from console
mount -t cifs //10.0.0.243/share test -o username=linuxacademy,password=123456,rw,nounix,file_mode=0777
  • Mount the Windows share via fstab

>pre># stuff to put in the /etc/fstab file
# remote windows file share
//10.0.0.251/share /mnt/test cifs credentials=/root/.smbcredentials,rw,nounix,file_mode=0777,dir_mode=0777 0 0

and create the .smbcredentials file under root:

username=windows_username
password=windows_password

Connecting to a Linux share from Windows (configuring samba):

  • Install samba and samba-common
  • Configure /etc/samba/smb.conf file – add or uncomment and modify this section:
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[share]
   comment = Defalt Share
   path = /share/
   force user = samba
   force group = samba
   read only = no
   hosts allow =

Restart samba: service smbd restart

  • create samba username that matches windows account password:
root@server1:/# smbpasswd -a windows_username
New SMB password:
Retype new SMB password:
Added user windows_username.

Windows 10 and problems accessing smb shares

Last night I had to do some testing under Windows 10 and to my surprise I was unable to access smb network share.

I have done some investigation and it would appear that Windows 10 will try to negotiate SMB3_11, which Samba 4.1.1  doesn’t yet support except in the current 4.3 release candidate.

To fix this I disabled SMB 3 and enabled v1:

To disable SMBv2 and SMBv3 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi 
sc.exe config mrxsmb20 start= disabled
To enable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi 
sc.exe config mrxsmb10 start= auto

After restarting Win10 instance I was back in action.
See more here

Debian – Setting up Samba Standalone Server

Installation:

open terminal and install samba package and dependencies:

$sudo apt-get install libcupsys2 samba samba-common

The config:

open: /etc/samba/smb.conf

remove the content and paste this:

[global]
workgroup = WORKGROUP
netbios name = debianserver
server string = %h server (Samba %v)
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

[Shared]
  comment = Shared Drive
  path = /home/shared/
  valid users = @users
  force group = users
  create mask = 0660
  directory mask = 0771
  writable = yes

[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   writable = yes
   create mask = 0700
   directory mask = 0700

 

Add users:

useradd user1 -m -G users

Set a password for tom in the Linux system user database. If the user user1 should not be able to log in to the Linux system, skip this step.

passwd user1

-> Enter the password for the new user.

Now add the user to the Samba user database:

smbpasswd -a user1

-> Enter the password for the new user.

Now from Windows workstation browse the debian server, i.e.: \\10.0.0.10\ or \\10.0.0.10\user1

And restart samba service:

service samba restart

Job done.

 

Reference links:

http://www.howtoforge.com/debian-wheezy-standalone-server-with-tdbsam-backend

http://www.debianhelp.co.uk/samba.htm