kkamagi's story

IT, information security, forensics, and everyday life

Cyber Security

Samba remote code execution vulnerability remediation - samba 4.6.4 install

까마기 2017. 5. 26. 14:55

CentOS 6 samba install


1. Reference URLs

: http://www.linuxfromscratch.org/blfs/view/cvs/basicnet/samba.html

: https://folgaizer.wordpress.com/2013/12/12/samba4-on-centos-6-4/

: http://nblog.syszone.co.kr/archives/6756  (CentOS 6 Samba AD integration)

: https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html  (official Samba documentation)


*** Prerequisites

python-devel (for CentOS 6 with Python 2.6)


2. samba 4.6.4 download location: https://www.samba.org/samba/history/samba-4.6.4.html


cd /usr/local/src

wget https://download.samba.org/pub/samba/stable/samba-4.6.4.tar.gz

tar xvfz samba-4.6.4.tar.gz 

cd samba-4.6.4

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-piddir=/run/samba --with-pammodulesdir=/lib/security --enable-fhs --without-ad-dc --without-systemd --enable-selftest && make


* Error 1

/usr/local/src/samba-4.6.4/source3/wscript:507: error: ACL support not found. Try installing libacl1-dev or libacl-devel.  Otherwise, use --without-acl-support to build without ACL support. ACL support is required to change permissions from Windows clients.


yum install libacl-devel -y


* Reset the configure state

make distclean


Re-run the build.


* Error 2

/usr/local/src/samba-4.6.4/source3/wscript:703: error: LDAP support not found. Try installing libldap2-dev or openldap-devel. Otherwise, use --without-ldap to build without LDAP support. LDAP support is required for the LDAP passdb backend, LDAP idmap backends and ADS. ADS support improves communication with Active Directory domain controllers



yum install openldap-devel -y

or

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-piddir=/run/samba --with-pammodulesdir=/lib/security --enable-fhs --without-ad-dc --without-systemd --enable-selftest --without-ldap && make


* Error 3


--enable-iprint=yes but cups support not sufficient

Active Directory support not available: LDAP support is not available.

/usr/local/src/samba-4.6.4/source3/wscript:813: error: Active Directory support not found. Use --without-ads for building without Active Directory support. ADS support improves communication with Active Directory domain controllers.


./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-piddir=/run/samba --with-pammodulesdir=/lib/security --enable-fhs --without-ad-dc --without-systemd --enable-selftest --without-ldap --without-ads && make


* Error 4
`PyCObject_Type' can not be used when making a shared object
task: cc_link pytalloc_util_4.o -> libpytalloc-util.so

-> Checked the Python version: 2.7.5
-> Confirmed that this server uses a Python built from source
-> Change to the Python 2.7.5 source directory
-> ./configure --enable-shared
-> make && make install
-> Rebuilding samba afterwards succeeds
Waf: Leaving directory `/usr/local/src/samba-4.6.4/bin'
'build' finished successfully (6m55.321s)

Back in the samba directory, run make install.

'install' finished successfully (1m17.615s)



(required by /usr/lib/samba/libsmbd-base-samba4.so)

smbd: /usr/lib64/libwbclient.so.0: no version information available (required by /usr/lib/libsamba-passdb.so.0)

smbd: /usr/lib64/libwbclient.so.0: no version information available (required by /usr/lib/samba/libauth-samba4.so)

smbd: /usr/lib64/libwbclient.so.0: no version information available (required by /usr/lib/samba/libgensec-samba4.so)


-> 

# yum install *samba4.so -y



If printers are used on the Linux host, build with the following configure options.


# yum install -y cups*

# ./configure --prefix=/usr/local/samba --with-smbmount --with-automount --with-cups


If it finishes without errors, configure has succeeded.


# make && make install



5. Copy and link the samba configuration file


# cd ../examples

# cp smb.conf.default /usr/local/samba/lib/smb.conf

# mv /etc/samba/smb.conf /etc/samba/smb.conf.old

# ln -s /usr/local/samba/lib/smb.conf /etc/samba/smb.conf



6. Edit the configuration file and test startup


# vi /etc/samba/smb.conf

--------------------------------------------------------------- These settings are for testing only!!

[global]

   workgroup = workgroup

   # security = share was removed in Samba 4.0; on 4.6.4 use security = user
   security = share

---------------------------------------------------------------

# /usr/local/samba/sbin/nmbd -D

# /usr/local/samba/sbin/smbd -D


If a library error occurs here, install the following package.


# yum install libwbclient.so.0



7. Copy the init script and test it


# cd ../packaging/RHEL/setup

# cp smb.init /etc/init.d/smb

# cp samba.pamd /etc/pam.d/samba


Overwrite both.


# service smb stop

# service smb start



===============================================================================================


CentOS 7 samba install


yum install samba samba-client samba-common

cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

vi /etc/samba/smb.conf



#############################
[pub]
path = /data/samba
read only = no
browsable = yes
guest ok = no
writable = yes
valid users = @smbgroup, smbuser

create mask = 0664
directory mask = 0775
force create mode = 0664
force directory mode = 0775
force group = smbgroup
##############################




groupadd smbgroup

useradd smbuser -G smbgroup

smbpasswd -a smbuser

mkdir -p /data/samba

chmod -R 0777 /data/samba

systemctl enable smb
systemctl enable nmb
systemctl restart smb
systemctl restart nmb

firewall-cmd --permanent --zone=public --add-service=samba

firewall-cmd --reload
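
Samba ignores parameter names it does not recognise, so a misspelled access-control line in a share such as [pub] silently leaves that share open to every authenticated user. The following added example (not part of the original post) audits share sections for that case; the function names audit_shares and sample_conf and the sample config are constructed for illustration.

```shell
# Added example: list shares that are writable but lack an effective "valid users" line.
audit_shares() {
    awk '
    function truthy(v) { return v == "yes" || v == "true" || v == "1" }
    function report() {
        if (sect == "" || sect == "global") return
        if (typo != "") print sect ": unknown parameter \"" typo "\" (ignored by smbd)"
        if (guest) print sect ": guest access enabled"
        else if (writable && !restricted) print sect ": writable without valid users"
    }
    /^[ \t]*([#;].*)?$/ { next }      # blank lines and comments
    /^[ \t]*\[/ {                     # section header starts a new share
        report()
        sect = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", sect)
        writable = guest = restricted = 0; typo = ""
        next
    }
    {
        eq = index($0, "="); if (!eq) next
        raw = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", raw)
        # Samba ignores case and spaces in parameter names, so normalise both
        key = tolower(raw); gsub(/[ \t]/, "", key)
        val = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "readonly") writable = !truthy(val)
        else if (key ~ /^(writable|writeable|writeok)$/) writable = truthy(val)
        else if (key == "guestok" || key == "public") guest = truthy(val)
        else if (key == "validusers") restricted = (val != "")
        else if (key ~ /^validuser/) typo = raw
    }
    END { report() }
    ' "$@"
}
# Constructed sample input, not taken from a real server.
sample_conf() {
cat <<'EOF'
[global]
[pub]
   read only = no
   guest ok = no
   valid user = @smbgroup, smbuser
[fixed]
   writable = yes
   Valid Users = @smbgroup, smbuser
[drop]
   read only = no
   guest ok = yes
EOF
}
sample_conf | audit_shares
```

On a real host, run it as audit_shares /etc/samba/smb.conf and compare the result with the output of testparm -s.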

