1
00:00:00,000 --> 00:00:17,879
Hey everyone and welcome back. Now in the previous nugget we had walked through the basic configurations

2
00:00:17,879 --> 00:00:23,400
of our SAMBA server. What I now want to do is to turn your attention to and look at a

3
00:00:23,400 --> 00:00:29,740
little bit more closely the process of working with passwords and authentication with respect

4
00:00:29,739 --> 00:00:35,359
to our SAMBA server. So with that said how about we dive in and let's get to it then

5
00:00:35,359 --> 00:00:39,960
shall we? Now the very first thing which I want to briefly talk about is the concept

6
00:00:39,960 --> 00:00:45,820
of hashing. Now if you don't know what hashing is all about a hash is a one-way function

7
00:00:45,820 --> 00:00:52,239
and it allows you to effectively encrypt your password. Now the key thing here is one-way.

8
00:00:52,239 --> 00:00:57,619
So when we talk about hashing a password we could have a password like say John and we

9
00:00:57,619 --> 00:01:04,219
run it through some type of one-way function and then it becomes all of this garbled indecipherable

10
00:01:04,219 --> 00:01:10,099
text but the key point here is that with respect to the one-way function is that when we run

11
00:01:10,099 --> 00:01:16,979
the password through that function we actually can reverse engineer that password i.e. you

12
00:01:16,979 --> 00:01:23,620
couldn't take this here i.e. the end product and run it through the function in reverse

13
00:01:23,620 --> 00:01:29,700
and be able to get the original passwords. Now this is done for purposes of security because

14
00:01:29,700 --> 00:01:35,500
servers who are storing all of people's passwords say for example if you go on to your Google

15
00:01:35,500 --> 00:01:41,540
account Google has to have a database of all of your password credentials so that you can

16
00:01:41,540 --> 00:01:46,500
log in but Google doesn't want to have a clear text database of all these passwords like

17
00:01:46,500 --> 00:01:53,900
John 1 and John 23 whatever it may be because in the event that Google's servers happen

18
00:01:53,900 --> 00:02:00,260
to be hacked then the hacker could see the clear text password as well as the username

19
00:02:00,260 --> 00:02:05,019
to which that corresponds to and then begin logging into that account or perhaps even

20
00:02:05,019 --> 00:02:11,259
trying that username password combination together on other sites maybe say banking websites.

21
00:02:11,259 --> 00:02:16,579
So we don't want to have this we want to have our passwords stored in an encrypted form

22
00:02:16,579 --> 00:02:21,259
but it's crucial that the encrypted passwords cannot actually be reversed so we've got all

23
00:02:21,259 --> 00:02:27,060
these encrypted passwords stored. If the same server was compromised and the attacker was

24
00:02:27,060 --> 00:02:32,579
able to see the end product of the encryption they should not be able to look at what encryption

25
00:02:32,579 --> 00:02:38,340
algorithm was used to reverse engineer and ultimately get the original password back

26
00:02:38,420 --> 00:02:43,900
which may be say for example John 1. So really this is very secure but it does actually

27
00:02:43,900 --> 00:02:49,180
present a little bit of problems when we have different hashing algorithms in play. Now

28
00:02:49,180 --> 00:02:55,900
with respect to our SAMBA passwords this is pretty much done the way Windows handles

29
00:02:55,900 --> 00:03:02,539
passwords so they are encrypted one particular way whereas on your regular Linux system the

30
00:03:02,579 --> 00:03:08,219
passwords are hashed in a different way. So what exactly is the relevance here? Well as we know

31
00:03:08,219 --> 00:03:14,060
hashes are one-way functions they cannot be reversed so you can't just take the hash of a

32
00:03:14,060 --> 00:03:20,180
Linux password reverse engineer it to get the original plain text password and then run it

33
00:03:20,180 --> 00:03:27,340
through another hash to get a SAMBA compatible hashed password that process is simply not

34
00:03:27,379 --> 00:03:33,500
possible. So when we want to have our password be authenticated by our SAMBA server we want to

35
00:03:33,500 --> 00:03:39,219
make sure that our password is hashed in the correct way. Now in order for us to generate a

36
00:03:39,219 --> 00:03:47,379
SAMBA password we can use a particular command called smbpasswd. So this command here is

37
00:03:47,379 --> 00:03:53,980
certainly a command that we want to be digging into so with that said how about we begin building

38
00:03:54,219 --> 00:03:59,699
some shares over the network that actually cannot be accessed by anyone we actually are going to

39
00:03:59,699 --> 00:04:05,620
require some type of specificity as to who can actually access the shares that we are well

40
00:04:05,620 --> 00:04:12,379
sharing out. So with that said what we'll do is we will go back in to our SAMBA configuration file

41
00:04:12,379 --> 00:04:20,060
because like I say right now if I go back notice when I go to my network here and I go into system

42
00:04:20,379 --> 00:04:26,740
and I double click the share of public blah there is no credentials at all required here to

43
00:04:26,740 --> 00:04:32,060
access this okay so let's try to lock a share down and see what happens then so what we'll do here

44
00:04:32,060 --> 00:04:41,060
so I will say sudo nano /etc/samba/smb.conf and I will go into the file so let's scroll all the

45
00:04:41,060 --> 00:04:46,579
way down to the very bottom here and create a new share once again so what I will do is call this

46
00:04:46,779 --> 00:04:54,699
another random share and I will say the comment will be testing some authentication stuff and the

47
00:04:54,699 --> 00:04:59,819
path this time I will actually make it a different name just so we can see that we don't actually

48
00:04:59,819 --> 00:05:06,019
have to have the name here match up so I'll just call this maybe say test one and now what I want

49
00:05:06,019 --> 00:05:13,180
to do is I want to specify the users who are able to access this particular share so what I will

50
00:05:13,220 --> 00:05:21,180
say is valid users and I'll make this equal to Trevor okay I will then say read only i.e. should

51
00:05:21,180 --> 00:05:28,620
this be writable I will say no so it's not read only it can be written to and I will create a mask

52
00:05:28,620 --> 00:05:36,300
so I will say 0777 very permissible masks I will also have the directory mask at the exact same

53
00:05:36,300 --> 00:05:41,819
all the sevens and now what I will do is I will save this and I'm going to have to create this

54
00:05:41,860 --> 00:05:48,420
directory here called test one so I will exit back out I will go to my root directory I will say

55
00:05:48,420 --> 00:05:55,219
sudo mkdir test one I will just make the permissions super relaxed once again so I will

56
00:05:55,219 --> 00:06:01,819
say all the sevens on test one so if I do an ls -l we can see here once again very relaxed

57
00:06:01,819 --> 00:06:09,019
permissions anyone who has access should be able to do anything so now if I go into my /etc/passwd

58
00:06:09,019 --> 00:06:14,500
file right now if I scroll on down we're not going to see any user here called Trevor I'm going to

59
00:06:14,500 --> 00:06:22,779
add Trevor we can see IPv0 after all let's go back and I will say sudo useradd -m Trevor and then

60
00:06:22,779 --> 00:06:29,379
I will say sudo passwd Trevor and I will type in the Unix password I'll just say Trevor one and

61
00:06:29,379 --> 00:06:37,099
I will confirm that as Trevor one so if I go back into the password file if I scroll on down at the

62
00:06:37,100 --> 00:06:42,660
very bottom we can now see we have a user called Trevor okay so if I go back out so let me clear

63
00:06:42,660 --> 00:06:49,820
the screen now what I'm going to say is sudo smbpasswd and then dash a and I'm going to add

64
00:06:49,820 --> 00:06:56,300
Trevor and I will just say the password can be hello and then hello again so now the user Trevor

65
00:06:56,300 --> 00:07:02,700
has an SMB password now what I'm going to do is I'm going to restart the server so I'll say

66
00:07:03,420 --> 00:07:12,139
systemctl restart smbd and I'll restart nmbd so I'll go to the network I will right click and refresh

67
00:07:12,139 --> 00:07:18,659
let me go in here we can see another random share with the description testing some authentication

68
00:07:18,659 --> 00:07:23,819
stuff if I click this it's going to prompt me to enter credentials now so I will say Trevor and

69
00:07:23,819 --> 00:07:30,539
then I will say Trevor one notice that this is not going to allow access however if I take the

70
00:07:30,540 --> 00:07:36,900
password hello this indeed now gets me access because I'm using the SMB based password not

71
00:07:36,900 --> 00:07:42,580
Trevor's Linux based password you see that so now what I want to do is I want to say new and I will

72
00:07:42,580 --> 00:07:49,020
create a folder I'll just say some new folders here and I'll double click and then I will say new

73
00:07:49,020 --> 00:07:55,660
text document and I'll just say my file if I open this up and I just say this was modified by

74
00:07:55,980 --> 00:08:03,180
Trevor so if I save this one thing to note here is that on my Windows system I actually don't have

75
00:08:03,180 --> 00:08:10,780
any users on this system called Trevor the actual authentication here was by virtue of that user

76
00:08:10,780 --> 00:08:17,100
existing on the Linux system and the fact that that user had an SMB password configured on that

77
00:08:17,100 --> 00:08:22,780
Linux system because of this even though via my Windows system there is no Trevor user present I

78
00:08:22,779 --> 00:08:29,019
could still log into that system access the share and make the necessary modifications as I see right

79
00:08:29,019 --> 00:08:36,539
here so if I go back to my Linux machine minimize this and if I do a cd into the root directory I go

80
00:08:36,539 --> 00:08:43,100
into the test one folder do an ls we can see the some new folders here we do an ls we can see my

81
00:08:43,100 --> 00:08:50,379
file and I can cat my file and we can see here indeed this was modified by Trevor now one thing I

82
00:08:50,379 --> 00:08:58,379
will say is that it might be strange or confusing to have users on a Windows system that don't actually

83
00:08:58,379 --> 00:09:04,620
exist on the Linux system and vice versa being able to tie everything together can be a little bit

84
00:09:04,620 --> 00:09:11,500
awkward for example in my case to access this particular share from the Windows system I had

85
00:09:11,500 --> 00:09:17,820
to enter in a username which doesn't exist on my local Windows system and I suppose I could just

86
00:09:17,900 --> 00:09:23,820
have these credentials pass to me by someone on the network just saying hey use the username Trevor

87
00:09:23,820 --> 00:09:29,820
but this can be clunky it can be difficult to manage moving forward so what I can actually do

88
00:09:29,820 --> 00:09:36,540
is I can actually map accounts for users that don't actually exist on my Linux system that means I

89
00:09:36,540 --> 00:09:43,020
can tie the Windows user names to valid accounts on the SAMBA system so let me show you how I could

90
00:09:43,019 --> 00:09:48,539
actually feasibly do this if I go into the etc directory and then go into SAMBA once again we're

91
00:09:48,539 --> 00:09:53,899
going to go into that smb.conf configuration file that's going to help us out so much if I scroll

92
00:09:53,899 --> 00:09:59,579
on down what I'm going to do is under the global settings which we can see right here I'm going to

93
00:09:59,579 --> 00:10:07,500
add the keyword username space map and what I'm going to do is I'm going to point to a particular

94
00:10:07,500 --> 00:10:12,299
configuration file now this configuration file doesn't actually exist so I'll just specify the

95
00:10:12,299 --> 00:10:17,500
path right now and then I will create it and I'll just call this maybe my mapper okay because I'm

96
00:10:17,500 --> 00:10:24,059
going to map Windows names to my local names okay okay so like I say this file doesn't actually

97
00:10:24,059 --> 00:10:30,139
exist right here so what I want to do is I want to create it so I'll save this for now and I will go

98
00:10:30,139 --> 00:10:37,019
in and within this directory I will say sudo nano and I'll create this file called my mapper now all

99
00:10:37,100 --> 00:10:45,340
I'm going to do here is a type of key value formatting i.e. on the left will be what I want to

100
00:10:45,340 --> 00:10:51,899
specify so let's maybe just call this linux underscore user and I will make that equal to

101
00:10:51,899 --> 00:11:00,059
the value trevor so that means that the user on Windows could just specify linux underscore user

102
00:11:00,059 --> 00:11:06,779
and under the hood the SAMBA server is going to interpret that as the user trevor and as we know

103
00:11:07,100 --> 00:11:13,659
the user trevor has been granted access to that latest share so when the Windows user enters in

104
00:11:13,659 --> 00:11:19,659
the generic linux user credential it will map to this and they still will get access now this can

105
00:11:19,659 --> 00:11:25,740
also be very useful let's maybe say we create another user let's maybe say gai magovern and that

106
00:11:25,740 --> 00:11:33,259
is on my windows account I can map that to ipv0 which is what is on the linux system when I'm on

107
00:11:33,259 --> 00:11:40,220
my windows system if I just type in gai magovern it's going to map to ipv0 and if ipv0 exists within

108
00:11:40,220 --> 00:11:45,580
the SAMBA configurations and the permissions of who is allowed to access a particular share

109
00:11:45,580 --> 00:11:51,340
then gai magovern still will get access and what we can also do by the way is we can actually just

110
00:11:51,340 --> 00:12:00,220
add in email addresses so I could say gai magovern at CBTN blah blah dot com I can make that map to

111
00:12:00,220 --> 00:12:07,980
ipv0 or make it map to john whatever it may be meaning that on my windows machine I could actually

112
00:12:07,980 --> 00:12:15,340
use this email address and have it correlate to this username on the local linux system but for

113
00:12:15,340 --> 00:12:20,379
now what I'll do is I'll exit out so that is how we can neatly map different usernames together

114
00:12:20,379 --> 00:12:26,620
but what I now want to show you is how we can actually query the smb server for particular

115
00:12:26,620 --> 00:12:31,980
information using the smbclient command so let's say we were on a machine and this doesn't

116
00:12:31,980 --> 00:12:37,100
have to be on the local server like I am right now this could be a separate linux machine say for

117
00:12:37,100 --> 00:12:45,580
example I could just say sudo smbclient and I could say dash U for trevor and I can say dash L

118
00:12:45,580 --> 00:12:51,820
to list the information relating to the shares that are available to trevor on the server and this

119
00:12:51,820 --> 00:13:00,780
is the server ip address 192.168.0.44 if I hit enter it's going to ask me for trevor's password so I

120
00:13:00,780 --> 00:13:07,580
will just say hello and hit enter and we can actually see here the shares which are available

121
00:13:07,580 --> 00:13:14,379
right now so we can see here say for example public blah which was available to absolutely everyone

122
00:13:14,379 --> 00:13:20,220
and we can see the another random share which was the share we actually created to test some

123
00:13:20,300 --> 00:13:25,740
authentication stuff now if I want to be a little bit more specific oh and I accidentally copy pasted

124
00:13:25,740 --> 00:13:33,259
right there if we want to be more specific what I can actually do here is sudo smbclient

125
00:13:33,259 --> 00:13:40,060
dash U trevor and then I will say forward slash forward slash followed by the ip address of the

126
00:13:40,060 --> 00:13:46,300
server or the name of the server if you wish and then forward slash and then the name of that

127
00:13:46,299 --> 00:13:52,539
particular share so I could say maybe public blah there we go if I hit enter I'm going to have to

128
00:13:52,539 --> 00:13:58,620
type in the password which is hello for trevor hit enter and we can see here we have access to a

129
00:13:58,620 --> 00:14:04,539
command line if I say help to get a list of the commands if I do an ls we can actually see the

130
00:14:04,539 --> 00:14:11,419
file which is within this particular folder the test 123 and if I happen to exit out and I do the

131
00:14:11,419 --> 00:14:19,339
same for another random share type in the password hello again we do an ls we can see some new

132
00:14:19,339 --> 00:14:26,059
folders here again accessible to trevor I could cd into that folder just like we see here do an ls

133
00:14:26,059 --> 00:14:31,259
and let's just maybe say I wanted to remove the file I could delete that file right there and ls

134
00:14:31,259 --> 00:14:38,219
and now that file is gone so a different way that we can use to actually access the server as a

135
00:14:38,220 --> 00:14:43,500
linux client over the terminal now one last thing that I just want to briefly show you if I exit

136
00:14:43,500 --> 00:14:50,860
out and I go back into my configuration so I'll go into /etc/samba/smb.conf notice that with respect

137
00:14:50,860 --> 00:14:57,340
to the visibility of our server if I go to network we can see the server is called system as per the

138
00:14:57,340 --> 00:15:03,660
host name I could present a different name by using the samba configuration file once again

139
00:15:03,659 --> 00:15:09,980
so lastly before we close what we will do is within the global section what I'm going to do is I'm

140
00:15:09,980 --> 00:15:15,579
going to add this configuration right here I'm going to say netbios name and then I can give

141
00:15:15,579 --> 00:15:20,459
the name of my server which I want to present to the shares so I could just maybe call this let's

142
00:15:20,459 --> 00:15:27,579
call it share server whatever it may be let's save you and then I'll do my systemctl restart

143
00:15:27,660 --> 00:15:35,900
smbd as well as nmbd and now if I go back let me close this down I'll open a fresh one let's go

144
00:15:35,900 --> 00:15:43,100
to network and if I right click and refresh the server is now seen as share server which we can

145
00:15:43,100 --> 00:15:49,259
click into and again we see the same information that we saw before no problem at all okay so that

146
00:15:49,259 --> 00:15:54,300
is us for our samba authentication I hope this has been informative for you and I'd like to thank you

147
00:15:54,299 --> 00:15:58,539
for viewing

