CVE-2022-27239: Linux CIFS Utils and Samba - Free Knowledge Base

Samba was developed by a team by using “network analysis” or “protocol analysis” to create file and print services to Microsoft Windows clients and servers. Samba is free open source software. Samba makes possible interoperability between Linux/Unix servers and Windows-based clients and servers. Samba originally worked with SMB (Server Message Block) to communicate with Windows machines. Today CIFS (Common Internet File System) is used instead. As a footnote, Samba dates back to 1992!

Server Message Block (SMB) protocol, also called the Session Message Block, NetBIOS or LanManager protocol.

Contents

• 1 What are the differences between CIFS and SAMBA?
• 2 The cifs utils Package
• 3 Mounting Windows shares on your Linux system
  • 3.1 command line mount
  • 3.2 fstab persistent mount
  • 3.3 Slightly improved security with credentials=filename
  • 3.4 SMB protocol versions
  • 3.5 No dialect specified on mount
  • 3.6 all mounted files and directories owned by root
  • 3.7 gvfs
• 4 Share a Linux drive with Windows over the network
• 5 Samba Command Line Utilities
  • 5.1 smbclient
• 6 Accessing Windows Shares: Discussion
  • 6.1 Gigolo
  • 6.2 GVFS / SMB Paths
  • 6.3 AutoFS can be used to replace Gigolo
  • 6.4 mount via a shell script
• 7 resources

What are the differences between CIFS and SAMBA?

Today Samba implements the CIFS network protocol to work with changes Microsoft has made in their Windows networking platform. CIFS is the extension of the SMB protocol. The in-kernel CIFS filesystem is generally the preferred method for mounting SMB/CIFS shares on Linux.

The original protocol for sharing files, disks, directories, and printers across a network of Microsoft machines was by use of Server Message Block. There are underlying protocols involved with SMB with some examples being: “NetBIOS over NetBEUI” and “NetBIOS over TCP/IP” Samba traditionally required “NetBIOS over TCP/IP” and didn’t support “NetBIOS over NetBEUI.” This is fine as NetBEUI is not Internet routable and is not a currently support protocol, even by Microsoft. WINS is for resolving a NetBIOS name to an IP address, however, modern implementations avoid NetBIOS usage though Internal DNS.

CIFS pretty much takes care of all connectivity on a network for your *nix machines and Microsoft Windows. However, Samba does still support SMB and an example where this is useful may be if sharing with older Windows operating systems still using NetBIOS that will want to connect to the Samba server via port 137, 138, 139. The modern CIFS protocol is strictly port 445. This is ‘smbfs’ versus the modern ‘cifs’ in Linux.

Microsoft is the industry bully, trying to lay claim to protocols and technologies developed by others. Microsoft tried to claim SMB as their own by calling it Microsoft Networking. The company was a force behind the renaming of SMB (Server Message Block) to CIFS (Common Internet File System.)

Irony and Confusion:

Samba is a result of reverse engineering the proprietary SMB protocol created at IBM and adopted by Microsoft. CIFS (Common Internet File Share or System) is an offspring rebranded version of SMB protocol created by Microsoft and although Microsoft proposed it and marketed it as a standard it never made it. Today, truthfully CIFS is not the network storage protocol used by Microsoft Windows, and many other clients. The protocol used to share files over a LAN by the majority of personal computers is called SMB.

Then there is SMB2 which is not CIFS. Microsoft has released details about implementation that enables third party servers and clients. Now in Windows 10 and Windows Server 2016 there is the SMB3 (3.1) protocol.

CIFS is OUT:

The CIFS implementation of SMB is rarely used these days. Most modern storage systems no longer use CIFS, they use SMB 2 or SMB 3. In the Windows world, SMB 2 has been the standard as of Windows Vista (2006) and SMB 3 is part of Windows 8 and Windows Server 2012. Like CIFS, Samba implements the SMB protocol which is what allows Windows clients to transparently access Linux directories. Samba allows for a Linux server to act as a Domain Controller. By doing so, user credentials on the Windows domain can be used instead of needing to be recreated and then manually kept in sync on the Linux server.

The cifs utils Package

The cifs-utils package is available for modern Linux kernels as the protocol is supported directly in the kernel. The cifs-utils package is not part of Samba, although they were originally included with it. Today you do not need to install Samba to have cifs-utils. Install the cifs-utils package for connectivity to Microsoft Networks. Samba is not deprecated. Samba provides both cifs and smb support, and comes with many additional tools. For basic connectivity to a modern Microsoft Windows Network, Samba is simply no longer necessary.

This documentation is largely Linux centric and cifs-utils is a package for Linux systems. Under distributions such as Debian and Ubuntu you can check to see if you have cifs-utils installed and what version it is by typing the command: (as root or sudo)

apt-cache policy cifs-utils

To install cifs-utils on a modern debian or ubuntu system

apt-get install cifs-utils

To install cifs-utils on an old legacy system

apt-get install smbfs

To install cifs-utils on Redhat / Fedora / CentOS

yum install cifs-utils

Or to install everything, for cifs / smb on RH

yum install samba-client samba-common cifs-utils

Mounting Windows shares on your Linux system

You can mount a share with a console command to make a temporary mount until the next reboot, or you can add an entry into fstab to make a persistent mount.

You have to create an empty directory for the mount point. This should be done in /mnt for all mount points you create.

command line mount

Quick basic examples of command line mounts

mount -t cifs -o username=USERNAME,password=PASSWD //192.168.1.88/shares /mnt/share mount -t cifs //192.168.1.102/share_name /media/my_share -o username=theuser,password=thepass,iocharset=utf8,file_mode=0777,dir_mode=0777

Another example for a modern NAS

sudo mount -t cifs -o user=nicolep,uid=1001 //apollo/documents /mnt/documents

She will be prompted for a password when she executes this command for sudo, and again for the SMB account password for her account nicolep. Also, the uid is set matching her local account in /etc/passwd so that the mounted share does not appear with all files and directories as owner root, thus they would have not been writable to her.

error: mount.cifs: bad UNC (/apollo/documents) <- if you are getting this error make sure you have two forward slashes on the path //apollo

Unmount when done

sudo umount //apollo/nicolep

fstab persistent mount

Quick basic example of a cfis mount entry in fstab to connect to shares on a Windows file server or NAS device. A discussion of windows network share integration for linux points out the flaws in this approach.

There are more than one ways to do this. This example uses cifs to permanently mount the shares so that they will be available after reboot. If the system complains add the ‘noauto’ parameter.

• First edit your /etc/hosts file and add the hostname and IP address of the windows share or file server
• Next create mount points in /mnt for each windows share
• Make sure you have cifs installed
• Edit /etc/fstab and add a line for each windows share, see examples:

//apollo/public/ /mnt/public cifs username=nicolep,password=mythtv,iocharset=utf8,sec=ntlm 0 0 //apollo/media/ /mnt/media cifs username=nicolep,password=mythtv,iocharset=utf8,sec=ntlm 0 0 //apollo/video/ /mnt/video cifs username=nicolep,password=mythtv,iocharset=utf8,sec=ntlm 0 0

• mount the shares

mount -a

• This provides read-only access to the network shares.

KERNEL CHANGE BREAKS CIFS.

Somewhere between kernel 4.10.0-38 4.15.0-20 a change was made that COULD PREVENT your cifs shares from mounting. Kernels at and before 4.10 used SMB (Server Message Block) version 1.0 as the default if not specified. Most folks did not specify it so it defaulted to 1.0 and worked. Microsoft ditched 1.0 in Windows 10 and dropped support. Linux kernel developers decided to change the kernel code to no longer default to SMB 1.0 and now default to a newer version. For people that are using legacy networks or NAS devices, it breaks the mounting example from above.

Solution: Specify the SMB version.

The solution is to tell mount.cifs to use the SMB2, SMB2.1 or SMB3.0 protocol using the “vers” parameter. in Linux CIFS Utils and Samba Specify 1.0, 2.0, 2.1, or 3.0.

For the following full line example a linux desktop is connecting to an older NAS device. It is necessary to specify SMB version 1.0. Example:

//apollo/video/ /mnt/video cifs defaults,vers=1.0,domain=workgroup,username=nicolep,password=mythtv,iocharset=utf8,sec=ntlm 0 0

To quickly unmount all your cifs mounts (if the network file server goes down or NAS is offline your system can hang unless you release the mounts)

sudo umount -a -t cifs -l

Slightly improved security with credentials=filename

You can now Substitute your Windows username and password in the fstab command by specifying “credentials.” Then file permissions can be used to restrict read access to the still plain text passwords in the credentials file. using credentials=filename specifies a file that contains a username and/or password. This is preferred over having passwords in plaintext in a shared file, such as /etc/fstab. Be sure to protect any credentials by saving the file (as root) to /root/, and chmod 600.

cd echo username=mywindowsusername > /root/.smbpasswd echo password=mywindowspassword >> /root/.smbpasswd chmod 600 /root/.smbpasswd

Then in fstab

credentials=/root/.smbpasswd

An example of the fstab entry:

//apollo/video/ /mnt/video cifs defaults,vers=1.0,domain=workgroup,credentials=/root/.smbpasswd,iocharset=utf8,sec=ntlm 0 0

This is only the basic level of security that standard file ownership and permissions provide. It is not possible to encrypt the username or password. smbclient needs access to the plaintext password in order to mount the share. Although the SMB/CIFS session is typically negotiated without sending the unencrypted password across the network, the client still needs access to the plaintext password in order to properly encrypt it during the authentication phase.

SMB protocol versions

• updated info for 2019

According to the Samba Official Wiki the Linux cifs kernel client has been included in the kernel since kernel version 2.5.42. SMB3 is the now the default dialect (SMB3.02/SMB3/SMB2.1 dialects are requested by default). CIFS protocol (and other old dialects) can be selected (by specifying “vers=1.0” or “vers=2.02” in the mount options. The newest, most secure dialect, SMB3.11 can also be requested (vers=3.1.1). If you want to try current SMB3 support on an older kernel, full backports of all SMB3/CIFS fixes to earlier kernel versions.

SMB versions:

• 1.0 - The classic CIFS/SMBv1 protocol.
• 2.0 - The SMBv2.002 protocol. This was initially introduced in Windows Vista Service Pack 1, and Windows Server 2008. Note that the initial release version of Windows Vista spoke a slightly different dialect (2.000) that is not supported.
• 2.1 - The SMBv2.1 protocol that was introduced in Microsoft Windows 7 and Windows Server 2008R2.
• 3.0 - The SMBv3.0 protocol that was introduced in Microsoft Windows 8 and Windows Server 2012.
• 3.11 - latest

Specify with “vers=” and consider that the Linux kernel does not fully support all of the features in these new SMB versions.

No dialect specified on mount

When attempting to ‘mount -a’ against your /etc/fstab you see a system generated error

mount error(22): Invalid argument Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Further analysis by looking at kern.log

tail -f /var/log/kern.log

Reveals the following error message

kernel: [86079.045389] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount. kernel: [86079.065167] CIFS VFS: Unable to select appropriate authentication method! kernel: [86079.065176] CIFS VFS: Send error in SessSetup = -22 kernel: [86079.065219] CIFS VFS: cifs_mount failed w/return code = -22

You can always specify a version of SMB

//apollo/video/ /mnt/video cifs defaults,vers=1.0,domain=workgroup,username=nicolep,password=mythtv,iocharset=utf8,sec=ntlm 0 0

In this example it is specified that the oldest version, SMB 1.0, is specified because the file server is old and runs 1.0.

Most NAS devices as of 2020 support SMB 1 through SMB 3.

• SMB 1, SMB 2, SMB 2.1, SMB 3

We can use a more simplified format that avoids certain parameters being incompatible with the kernel’s preferred SMB version.

//apollo/home /mnt/nicolep cifs defaults,domain=workgroup,username=nicolep,password=mythtv,uid=1002

Note that we specified the uid of the user, which is the uid in /etc/passwd. Without specification of the uid the file system will seem “read only” to the user as owner and group on the mount point will be root when the uid is not specified.

Another note: we put the username and password in fstab in an insecure way. An evolution offering slightly better security is available using a so-called credentials file.

all mounted files and directories owned by root

Yes by default all the files and directories will be owned by the uid of the process or by root. You can force it otherwise.

sudo id user_name

If, for example, the user id is 1000 then you can use the following…

uid=1000(user_name) gid=1000(user_name) groups=…

Make the following entry in your /etc/fstab file :

//server_name/share_name /mount_path cifs defaults,uid=1000,gid=1000 0 0

Now when the share is mounted all files and folders will appear as the user with uid 1000. This is fine if you are the only user of the system. On a multiuser system this is problematic as other users will still be denied. Another option is to use dir_mode / file_mode to give everyone access:

dir_mode=0777,file_mode=0666

which will look like:

//server_name/share_name /mount_path cifs defaults,dir_mode=0777,file_mode=0666 0 0

gvfs

GVFS is discussed in Windows network share integration for linux as well as being compared to creating static mounts in fstab.

Gigolo is a popular front-end to easily manage connections to local and remote filesystems using GIO/GVfs. GVfs is a Virtual File System. GVFS is the virtual filesystem for the GNOME desktop, which allows users easy access to remote data such as accessing windows network shares on demand from your linux workstation. A cause of confusion is the fact that the file system abstraction used by the Linux kernel is also called the virtual file system (VFS) layer. The GVfs model differs from GnomeVFS, which it replaces, in that file systems must be mounted before they are used. There is a master daemon (gvfsd) that handles coordinating mounts, and then each mount is (typically) in its own daemon process (although mounts can share daemon process). GVfs comes with a set of back-ends, including trash support, SFTP, FTP, WebDAV, SMB, and local data via Udev integration, OBEX, MTP and others.

GVfs also contains modules for GIO that implement volume monitors and the GNOME URI scheme handler configuration.

The question, “how do I do a share a Linux drive with Windows over the network?” is answered with CIFS/SMB.

You can use Samba Utils (debian/ubuntu)

sudo apt-get install system-config-samba

Or you can manually edit the samba config files

vi /etc/samba/smb.conf

See: Example Mythbuntu SMB Shares

Restart samba after modifying workgroup and shares

service smbd restart service nmbd restart

If an error indicates smbd does not exist then you may need to install samba, even though a config file exists ( /etc/samba/smb.conf ) the samba package can be absent on Ubuntu / Mint.

apt install samba

Samba Command Line Utilities

Command that returns IP addresses of all Samba servers in one’s own broadcast domain:

nmblookup __SAMBA__

Command that returns a list of all NetBIOS names and their aliases of all Samba servers in the neighbourhood (it does a ‘node status query’):

nmblookup -S __SAMBA__

List of all IP adresses of SMB servers (that is, Linux+Unix/Samba or Windows) in the neighbourhood:

nmblookup ‘*’

List all NetBIOS names and their aliases of all SMB servers (Linux+Unix/Samba or Windows):

nmblookup -S ‘*’

For a specific workgroup, get a list of Netbios names

nmblookup -S WORKGROUP

smbclient

To connect to a Windows computer from Unix

smbclient //nicolep/C$ -U username -W workgroup

or

smbclient //nicolep/C -U Administrator -W workgroup

Windows Instant Messaging Pop-Up (like net send in windows)

smbclient -I ip-address -M netbios-name-of-recipient

Accessing Windows Shares: Discussion

What are the various methods you can access these kinds of network shares? As of 2019: most people use the nemo file manager or something like it that can make temporary mounts to network shares. There are disadvantages. Not all file managers do this. Not all software is compatible. The mapping is not persistent.

Lets look at the three ways we can gain access to a shared folder or NAS resource.

1. Using the Nemo File Manager a network resource is browsed and a share temporarily mounted: nemo /run/user/$USER/gvfs
2. Using the traditional (old fashioned) persistent network mount with mount and fstab
3. Using Gigolo to Mount Remote shares.
4. Using the mount command in a script (which prompts user for password when executed)

****Gigolo****

RECOMMENDED - As a means to mount NAS and network shares without having to edit fstab or hard coding passwords. More reliable than file manager tools like the one in Nautilus.

Gigolo is a facilitator to access and mount remote shares. It uses the same base samba client packages as other methods. “It mounts what it is told to."

sudo apt-get install gigolo sudo apt-get install gvfs-fuse

When you open up gigolo click on the Network tab on the side panel and it will eventually show you all your workgroups and all the hosts.

The remote share should be displayed in the right panel of gigolo and double clicking the share will open a file manager.

You can Set gigolo to start at login

mkdir /home/user-name/.config/autostart

• Menu > System Tools > System Settings > Startup Programs > Add > Command = gigolo

See more info at: https://forums.linuxmint.com/viewtopic.php?f=42&t=52144

Gigolo is a graphical frontend for the userspace virtual filesystem GIO/GVfs, which handles remote files. Gnome is not required however it requires GTK2 (2.12 or newer), DBus, and GLib (2.16 or newer).

Gigolo doesn’t just handle cifs sharing between a windows network and your linux desktop, it also facilitates other protocol connections or transfers from computer to computer including ssh / scp file copy without having to use the command terminal such as described Remote File Copy from the Linux Command Prompt, imagine doing it all from the GUI?

PROBLEMS - The problem with Gigolo is that it mounts shares using smb paths. Linux application support for smb paths is mostly broken. For this reason we are left with the problem of either exposing our password in the fstab file or using gigolo aka smb paths to access network shares and find a lot of applications can’t reach the files. Gigolo uses gvfs-mount as in ( gvfs-mount smb:// ) which results in unwieldy mount points. You will get a mount point that looks like ) /run/user/your-user-name/gvfs/smb-share:server=host_name,share=share_name ) and there’s not a damn thing you can do about it.

GVFS / SMB Paths

A gigolo mounted path uses the GVFS based SMB share format, like:

* smb://workgroup;[email protected]/share on 92.168.100.110

Boy is that ugly with spaces and special characters. An ugly path like that is just asking for trouble! Programs, such as USB Image Writer (a common utility available with Linux Mint / Ubuntu) will not work with smb paths. Try to read an ISO image from a network share, even after making a symlink to de-ugly the path, and the USB Image Writer application fails.

As explained elsewhere on this page, the traditional way to mount Windows (or Samba) shares involves hardcoding the credentials in fstab as plain text.

AutoFS can be used to replace Gigolo

AutoFS is a utility that allows a user to automatically connect to, mount, and use a samba share when the desired mount point is accessed and disconnects when not in use. It offers some distinct advantages over other methods. Unlike the standard fstab method there is no delay in booting the machine if the target server is not present and because of the way it designed there is no delay if the server goes down before you logoff the client.

See HowTo: Auto Mounting Samba Shares Using AutoFS for details.

The autofs filesystem module is only one part of an autofs system. There also needs to be a user-space program which looks up names and mounts filesystems. This will often be the “automount” program, though other tools including systemd can make use of autofs. Then autofs is a Linux kernel module with provides the autofs ilesystem type. Auto-mounts are mounted only as they are accessed, and are unmounted after a period of inactivity. Because of this, automounting NFS/Samba shares conserves bandwidth and offers better overall performance compared to static mounts via fstab.

1. automount is the program used to configure a mount point for autofs. When autofs is started, an automount daemon is spawned for each map.
2. Auto-mount or auto-mounting refers to the process of automatically mounting filesystems.
3. autofs is the program that controls the operation of the automount daemons.

Install the autofs package either by clicking here or entering the following in a terminal window:

sudo apt install autofs

To configure autofs you will need to edit configuration files. The master configuration file for autofs is /etc/auto.master by default.

When specifying a CIFS share in a map file, specify -fstype=cifs and precede the share location with a colon (:).

mntpoint -fstype=cifs ://example.com/shrname

Example: Mount read-write, specifying a user and group to own the files:

mntpoint -fstype=cifs,rw,uid=myuserid,gid=mygrpid ://example.com/shrname

Example: Mount read-write, specifying a username and password to use to connect to the share:

mntpoint -fstype=cifs,rw,username=myuser,password=mypass ://example.com/shrname

mount via a shell script

A method of using the mount command in a shell script which will prompt the user for passwords. Doing this in a startup script will require some method of timeout as it could hold up system loading final.

Better to have a command to launch script when shares are needed

Based on executing the mount command in this fashion

sudo mount -t cifs -o username=nicolep //servername/public /mnt/public

resources

Ubuntu users may wish to read [https://wiki.ubuntu.com/MountWindowsSharesPermanently MountWindowsSharesPermanently] on the Ubuntu Wiki. It is a guide to how to mount CIFS shares permanently.

• Smbclient notes
• Example of cfis fstab