{{tag>FS Windows Réseau}}
= Samba SMB CIFS client
See also
* [[Serveur Samba SMB CIFS|Samba SMB CIFS server]]
* CIFS Unix Extensions / Services for Unix (SFU)
See:
* rclone
* curl smb / smbs
== Install
apt-get install cifs-utils smbclient
== Example
''auth.cfg''
username=jean
password=P@ssw0rd
domain=D$
smbclient -A auth.cfg //192.168.1.12/D$/ -c ls
=== List shares
Anonymously
smbclient -N -L 127.0.0.1
With an account
smbclient -U utilisateur%mdp -L 127.0.0.1
Or (debug)
smbtree -N -d3
=== Connect
==== smbclient
smbclient -U utilisateur%mdp '\\127.0.0.1\partage'
==== gvfs-mount
gvfs-mount smb://server/share
==== libpam-mount
apt-get install libpam-mount
''/etc/security/pam_mount.conf.xml''
== Security / Hardening / pentest
See nmap, smbmap, rpcclient, nbtscan, enum4linux
* https://www.infosecademy.com/nmap-smb-scripts-enumeration/
To test
nmap -A 127.0.0.1
nmap --script smb-os-discovery.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1
nmap --script smb-enum-shares.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 127.0.0.1
nmap --script smb-enum-users.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 127.0.0.1
Disable less secure legacy dialects
''/etc/modprobe.d/cifs.conf''
options cifs disable_legacy_dialects=1
echo 1 > /sys/module/cifs/parameters/disable_legacy_dialects
# Y or 1 stands for enabled
# N or 0 stands for disabled
== Other clients
Display CIFS statistics in megabytes per second, at 1-second intervals, 3 times (sysstat)
cifsiostat -m 1 3
=== Userland
Equivalent:
mount.cifs -o credentials=/home/share/.auth.cfg,uid=1000,forceuid,gid=1000,forcegid,file_mode=0777,dir_mode=0777,noperm,port=1446,vers=2.0 //127.0.0.1/share /mnt/share/
#sudo apt-get install fusesmb
sudo apt-get install smbnetfs
mkdir -p ~/.smb
cp /etc/smbnetfs.conf ~/.smb/
chmod 600 ~/.smb/smbnetfs.conf
cp /etc/samba/smb.conf ~/.smb/
mkdir -p Network
smbnetfs Network
cd Network/127.0.0.1:1446/
cd Network/share:'domain\user1':'P@ssw0rd'@127.0.0.1:1446/Install
''~/.smb/smbnetfs.conf''
log_file "/tmp/smbnetfs.log"
show_$_shares "true"
show_hidden_hosts "true"
auth "guest" ""
include "smbnetfs.auth"
''~/.smb/smbnetfs.auth''
auth "smb-sh" "DOMAIN/user1" "P@ssw0rd"
auth "127.0.0.1" "DOMAIN/user1" "P@ssw0rd"
auth "127.0.0.1:1446" "DOMAIN/user1" "P@ssw0rd"
chmod 600 ~/.smb/smbnetfs.auth
== Caching with cachefilesd / FS-Cache
See:
* https://lars.timmann.de/wiki/index.php?title=Cachefilesd
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_file_systems/getting-started-with-fs-cache_managing-file-systems
* https://www.kernel.org/doc/html/latest/filesystems/caching/cachefiles.html
* https://serverfault.com/questions/602203/cachefilesd-cachefiles-everything-seems-to-be-set-up-still-not-working
== Other
findmnt -n -s -t cifs
mkdir /mnt/nompartage
''/etc/fstab''
//ouindoze/nompartage /mnt/nompartage cifs credentials=/home/jean/.smbcredentials,rw,auto,user,nounix,noserverino,iocharset=utf8,file_mode=0777,dir_mode=0777 0 0
//public/plop /mnt/espace_build_ovs/ cifs _netdev,rw,uid=15041,forceuid,gid=15141,forcegid,file_mode=0777,dir_mode=0777,noperm,credentials=/etc/.cifs_public_plop 0 0
mount -t cifs //mystorage/data2 -o username=user1,password=myPassword,rw,bg,vers=3,proto=tcp,hard,intr,rsize=32768,wsize=32768,forcedirectio,llock /data2
''/etc/modprobe.d/cifs.conf''
# Disable caching and CIFS oplocks for stable NTFS network shares
options cifs enable_oplocks=0
install cifs /sbin/modprobe --ignore-install cifs $CMDLINE_OPTS && echo 0 > /proc/fs/cifs/LinuxExtensionsEnabled && echo 0 > /proc/fs/cifs/LookupCacheEnabled
remove cifs /sbin/modprobe -r cifs
Files containing the credentials in clear text (to keep them out of the fstab)
''/etc/.cifs_public_plop''
#domain=domain
username=utilisateur
password=motdepasse
''/home/jean/.smbcredentials''
username=utilisateur
password=motdepasse
You can optionally add: \\
''domain=MONDOMAINE''
Or put it after the "username", as in: \\
''username=utilisateur@MONDOMAINE''
or \\
''username=MONDOMAINE\utilisateur''
chmod 600 /home/jean/.smbcredentials /etc/.cifs_public_plop
Then
mount /mnt/nompartage
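An added example (not part of the original page): a shell function that audits fstab-style CIFS entries for the points covered above, namely passwords given inline instead of in a credentials file, credentials files not restricted with chmod 600, legacy dialects and weak ''sec='' values. The function names and sample entries are constructed, and treating ''vers=1.0'' and ''vers=2.0'' as the dialects refused by ''disable_legacy_dialects=1'' is an assumption based on the cifs module's description of that parameter.

```shell
# Added example, not from the original page. Names and sample data are constructed.
# Prints one finding per line for every cifs entry of the fstab-style file $1.
audit_cifs_fstab() {
    while read -r src mnt type opts _rest; do
        case "$src" in ''|'#'*) continue ;; esac
        [ "$type" = "cifs" ] || continue
        cred=""
        for opt in $(printf '%s' "$opts" | tr ',' ' '); do
            case "$opt" in
                password=*|pass=*)
                    echo "$mnt: inline password, move it to a credentials file" ;;
                vers=1.0|vers=2.0)   # assumed set refused by disable_legacy_dialects=1
                    echo "$mnt: legacy dialect $opt" ;;
                sec=ntlm|sec=ntlmi|sec=lanman)
                    echo "$mnt: weak authentication $opt" ;;
                credentials=*|cred=*)
                    cred="${opt#*=}" ;;
            esac
        done
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred not found"
        elif [ "$(ls -ld "$cred" | cut -c5-10)" != "------" ]; then
            # characters 5-10 of the mode string are the group and other bits
            echo "$mnt: credentials file $cred not restricted to owner (chmod 600)"
        fi
    done < "$1"
}

# Constructed sample: entries modelled on the mount lines shown on this page.
audit_demo() {
    tmp="$(mktemp -d)"
    printf 'username=utilisateur\npassword=motdepasse\n' > "$tmp/good.cred"
    printf 'username=utilisateur\npassword=motdepasse\n' > "$tmp/open.cred"
    chmod 600 "$tmp/good.cred"; chmod 644 "$tmp/open.cred"
    cat > "$tmp/fstab" <<EOF
# constructed sample entries
//srv/a /mnt/a cifs credentials=$tmp/good.cred,rw,vers=3.0 0 0
//srv/b /mnt/b cifs credentials=$tmp/open.cred,rw,vers=2.0 0 0
//srv/c /mnt/c cifs username=user1,password=myPassword,sec=ntlm 0 0
/dev/sda1 / ext4 defaults 0 1
EOF
    audit_cifs_fstab "$tmp/fstab"
    rm -rf "$tmp"
}
audit_demo
```

Run it against the real file with ''audit_cifs_fstab /etc/fstab''; no output means none of these checks matched.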
== Problems
=== Unmount / release CIFS partitions in error (or not)
# mount |grep /mnt/shared
systemd-1 on /mnt/shared type autofs (rw,relatime,fd=28,pgrp=1,timeout=10,minproto=5,maxproto=5,direct,pipe_ino=38828)
sudo umount -a -t cifs -l
sudo umount -a -t autofs -l
=== Err NT_STATUS_LOGON_FAILURE (with authfile only)
See https://bugzilla.redhat.com/show_bug.cgi?id=78846
# smbclient -A /etc/.creds //server-smb/partage1/
session setup failed: NT_STATUS_LOGON_FAILURE
# rpcclient vmx-gspl -d 1 -A /etc/.creds -c "getdriverdir \"Windows NT x86\""
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
# smbclient -U jean -W DOMAIN //server-smb/partage1/
Enter jean's password:
Domain=[ACME] OS=[Unix] Server=[Samba 3.6.6]
smb: \>
=== Err NT_STATUS_CONNECTION_DISCONNECTED
$ smbclient -U user%'P@ssw0rd' -p 1445 //127.0.0.1/E
WARNING: The "syslog" option is deprecated
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
==== Solution
Add the ''-m SMB3'' option
smbclient -U user%'P@ssw0rd' -p 1445 //127.0.0.1/E -m SMB3
=== Problem: long connection time - NTLMSSP
plop@portable:~$ smbclient -U user%'P@ssw0rd' -p 1445 //127.0.0.1/D -m SMB3 -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
WARNING: The "syslog" option is deprecated
added interface wlan0 ip=2a01:cb04:bae:2600:9aea:4ae:b4b3:15a2 bcast= netmask=ffff:ffff:ffff:ffff::
added interface docker0 ip=172.17.42.1 bcast=172.17.255.255 netmask=255.255.0.0
added interface wlan0 ip=192.168.1.12 bcast=192.168.1.255 netmask=255.255.255.0
Client started (version 4.5.16-Debian).
Connecting to 127.0.0.1 at port 1445
Doing spnego session setup (blob length=398)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Domain=[PLOP] OS=[] Server=[]
smb: \>
Where there are three blank lines, it took several seconds. \\
In this case the domain controller is not reachable and we are using a local account.
==== Solution
Specify the domain "." \\
The dot denotes a local account (outside the domain) \\
You can use the ''-W'' option
smbclient -U user%'P@ssw0rd' -p 1445 //127.0.0.1/D -m SMB3 -W .
==== Solution
Update smbclient and its dependencies
# apt-get install smbclient
The following extra packages will be installed:
libldb1 libsmbclient samba-common samba-libs
=== Problem: CIFS VFS: cifs_mount failed w/return code = -61 - NT_STATUS_PATH_NOT_COVERED
Error
# dmesg
[1231082.766925] CIFS VFS: cifs_mount failed w/return code = -61
Diagnosis
# smbclient -U jean -W ACME \\partages\images
smb: \> cd REP\
Connection to pc1111 failed (Error NT_STATUS_BAD_NETWORK_NAME)
Unable to follow dfs referral [\pc1111\REP$]
cd \REP\: NT_STATUS_PATH_NOT_COVERED
# ping pc1111
ping: unknown host pc1111
==== Solution
Edit ''/etc/hosts'' or ''/etc/resolv.conf'' so that pc1111 resolves
=== Problem: error(22): Invalid argument
# mount -t cifs -o rw,uid=1000,forceuid,gid=1000,forceuid,file_mode=0777,dir_mode=0777,noperm,credentials=/root/.fichier_mdp //server/partage /mnt/nompartage
mount error(22): Invalid argument
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
# dmesg -T |tail
[Wed Dec 23 11:31:16 2020] CIFS: Attempting to mount //server/partage
[Wed Dec 23 11:31:16 2020] CIFS: VFS: cifs_mount failed w/return code = -22
==== Solution
Specify the desired version
Example: ''vers=2.0''
mount -t cifs -o rw,uid=1000,forceuid,gid=1000,forcegid,file_mode=0777,dir_mode=0777,noperm,vers=2.0,credentials=/root/.fichier_mdp //server/partage /mnt/nompartage
=== Err NT_STATUS_LOGON_FAILURE
$ smbclient -U user1%'BasP@ssw0rd' '\\localhost\shared'
session setup failed: NT_STATUS_LOGON_FAILURE
$ smbclient -U user1%'P@ssw0rd' '\\localhost\shared'
Domain=[localhost] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
==== Solution
The share pointed to a non-existent folder.
== Notes
Example mount options
on /data/users_homedirs type cifs (rw,relatime,sec=ntlm,unc=\\serveur\Home$,username=utilisateur,domain=ACME,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.1.20,file_mode=0755,dir_mode=0755,nounix,rsize=61440,wsize=65536,actimeo=1)