
User Account

Fusion File Share server supports two types of authentication: NTLM and Kerberos.

NTLM is an authentication method in which the client proves knowledge of the NTLM hash associated with a particular user.

NT hashes can be stored in a local database (a plain text file managed with the tsmb-passwd utility). This is described in the sections User Database File and Mapping a Fusion File Share User to a UNIX User.

NT hashes can also be stored in LDAP; this is described in the section LDAP.

In a Windows domain (where a Domain Controller exists), Fusion File Share supports only Kerberos authentication. For Kerberos authentication, make sure to set the following in the global configuration file:

domain = <valid FQDN>
userdb_type = ad

Fusion File Share server runs on UNIX systems but manages its own accounts. Fusion File Share accounts are then mapped to system user accounts, under which all operations are performed. This is explained in the section Mapping a Fusion File Share User to a UNIX User.

User Database File

In the SMB world, as in UNIX systems, a user account is a pair consisting of a username and a password.

To create a new Fusion File Share user, run:

# tsmb-passwd -a new-user
New SMB password:
Retype SMB password:

The command prompts for a password and asks you to retype it.

This creates a record in the Fusion File Share user database file for the Fusion File Share user ‘new-user’ with the specified password. The path to the Fusion File Share user database file is controlled by the ‘userdb_file’ global setting in the Fusion File Share configuration file:

userdb_file = <path>/users_db.txt

Mapping a Fusion File Share User to a UNIX User

The command mentioned in the previous section is enough if you already have a UNIX system user with the same name and you want all the operations executed under this user.

TIP: You can check if you have this user configured in your system in the /etc/passwd file (only if you use local system authorization, not KDC).

If you do not have a system user with this name, or you want this Fusion File Share user mapped to another UNIX system user, do either of the following:

  • Add the corresponding system user to the system, or
  • Specify the UNIX system user to which the Fusion File Share user is mapped.

In the second case, run the following command:

# tsmb-passwd -z unix-user test-user

This creates a mapping of the ‘test-user’ Fusion File Share user to the ‘unix-user’ system user.

NOTE: To access a Fusion File Share share, only the password specified in the ‘tsmb-passwd -a’ command is verified. A system user password check is not performed.

Mapping a Fusion File Share User to a UNIX User

Fusion File Share can authorize a user to access files and other resources according to Windows conventions (using a list of security identifiers (SIDs)) or according to POSIX conventions (using a user identifier (UID) and one or more group identifiers (GIDs)). By default, both types of authorization data are collected during a logon attempt, but neither is required at this stage. The absence of one type of authorization data affects only the access check for a specific resource, when the logged-on user tries to use it.

You can require the presence of POSIX-style authorization data at logon using:

authz_require_posix = true

With this setting, a user that does not have an associated UID and GID gets an error immediately at logon.

Guest Account

The guest account is a special account in Windows. Its handling depends on many parameters configured in the system. For example, the guest account can be used with or without a password (empty password), it can be disabled or enabled (disabled by default), and network access for the guest account can be enabled or disabled by group policy (disabled by default).

In Fusion File Share we follow Windows behavior as closely as possible.

Create the guest account in the Fusion File Share account management database using:

# tsmb-passwd -a -G

The command creates a special guest account and associates it with the username ‘guest’. Again, you either need to have a UNIX system user named ‘guest’ configured, or you should map the Fusion File Share user to another system user.

For example, if you want Fusion File Share guest sessions to be executed with the privileges of the ‘nobody’ system user, run:

# tsmb-passwd -z nobody -G

The user is enabled after it is created. You can disable it using:

# tsmb-passwd -d -G

and enable it again later using:

# tsmb-passwd -e -G

NOTE: Even though you created the guest account, you still need to enable guest sessions in the global configuration:

allow_guest = true

With this setting, any session that uses an unknown username (one not registered in the Fusion File Share user database) is mapped to the Fusion File Share user ‘guest’, and its password is validated against the guest password specified when ‘tsmb-passwd -a -G’ was run.

LDAP

Fusion File Share supports LDAP authentication when NT hashes are stored in LDAP. To use the LDAP backend, you must configure an LDAP user that has read access to the NT hashes of all users.

When the LDAP backend is used, every user is authenticated by binding as ‘ldap_bind_dn’ with the ‘ldap_bind_pw’ password and then requesting the ‘ldap_nthash_attr’ attribute of the entry matching the client’s username. The acquired value is then used in the authentication process.

To enable the LDAP backend, you must set ‘userdb_type’ to ‘ldap’ in the global configuration file:

userdb_type = ldap

The following parameters must then be configured:

ldap_uri = ldaps://ldap.company.com

The LDAP server URI. If TLS is used, ensure that the system certificate store can validate the server certificate.

ldap_bind_dn = cn=admin,dc=company,dc=com

The distinguished name of the LDAP account that is used to read NT hashes.

ldap_base_dn = ou=people,dc=company,dc=com

The base DN of the subtree in which users are looked up.

ldap_nthash_attr = tsmbNTPassword

The name of the NT hash attribute in your LDAP schema. The value must be in ASCII-encoded hex format.

ldap_username_attr = username

The attribute that is matched against the client’s username when searching for the user entry.

ldap_timeout = 30

Timeout for LDAP requests, in seconds.

ldap_bind_pw = secretpassword

Password for the ‘ldap_bind_dn’ account.
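The lookup described above only works if each user entry already carries its NT hash in ASCII hex. The following added example (not Fusion File Share code) computes that value for a password and emits an LDIF change for the attribute names used in the parameters above; the entry layout username=<name>,ou=people,dc=company,dc=com is an assumption, as the server only needs the entry to be somewhere under ldap_base_dn.

```python
import struct

# Constructed example: derive a user's NT hash and emit an LDIF change that stores
# it in the ldap_nthash_attr attribute of the user's entry.

def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for step in range(48):
            i = step % 16
            if step < 16:    # round 1: F, message words in order
                f, k, s, add = (v[1] & v[2]) | (~v[1] & v[3]), i, (3, 7, 11, 19)[i % 4], 0
            elif step < 32:  # round 2: G, words 0,4,8,12,1,5,...
                f = (v[1] & v[2]) | (v[1] & v[3]) | (v[2] & v[3])
                k, s, add = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:            # round 3: H, words 0,8,4,12,2,10,...
                f = v[1] ^ v[2] ^ v[3]
                k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
                s, add = (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            t = _lrot((v[0] + f + X[k] + add) & 0xFFFFFFFF, s)
            v = [v[3], t, v[1], v[2]]  # rotate roles: the next step updates the old D
        a, b, c, d = ((x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), v))
    return struct.pack("<4I", a, b, c, d)

def nt_hash_hex(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)) as ASCII hex, the ldap_nthash_attr value format.
    Uppercase follows Samba's sambaNTPassword convention; the page does not state a case."""
    return md4(password.encode("utf-16-le")).hex().upper()

def ldif_set_nthash(username: str, password: str,
                    base_dn: str = "ou=people,dc=company,dc=com",
                    username_attr: str = "username",
                    nthash_attr: str = "tsmbNTPassword") -> str:
    """LDIF 'modify' storing the NT hash. Assumes (constructed layout) that the entry's
    RDN is <username_attr>=<username> directly under ldap_base_dn."""
    return "\n".join([
        f"dn: {username_attr}={username},{base_dn}",
        "changetype: modify",
        f"replace: {nthash_attr}",
        f"{nthash_attr}: {nt_hash_hex(password)}",
        "-", "",
    ])

if __name__ == "__main__":
    print(ldif_set_nthash("new-user", "password"))
```

Apply the output with ldapmodify using an account allowed to write the attribute; the server's own ‘ldap_bind_dn’ only needs read access to it.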

NULL Sessions (Anonymous users)

This option allows anonymous users to connect to named pipes (or shares) and enumerate (or access) information without providing any credentials. Enabling this option allows hosts to establish null sessions over CIFS/SMB1 and SMB2/SMB3.

By default, Fusion File Share follows the Windows default and disables null sessions for all server interactions except retrieving the server list from the browser protocol using the RAP NetServerEnum2 RPC over CIFS.

This option can be set using:

null_session_access = true

To allow anonymous users to access disk shares, the special predefined group ‘anonymous’ must be specified in the ‘permissions’ field of the share-specific configuration.

Windows Privilege Support

A privilege is the right of an account to perform specific operations, overriding normal permissions. These rights are managed separately and saved in a privilege database. Fusion File Share supports only one way of keeping the privilege database: as a plain file, whose pathname is specified in tsmb.conf using the privilegedb option, e.g.:

privilegedb = /var/lib/tsmb/privilege

The privilege database is normally managed using the tsmb-privilege tool:

  • To list the current set of privileges:
    tsmb-privilege list
  • To grant a privilege to an account:
    tsmb-privilege grant <privilege_name> <user_name>
  • To revoke a privilege from an account:
    tsmb-privilege revoke <privilege_name> <user_name>

The tool reads the location of your privilege database from tsmb.conf, as Fusion File Share does. By default, it uses the compiled-in location of this file.

You can specify an alternative location using the ‘-c <tsmb_conf_path>’ command-line argument.

The list of available privileges includes general privileges defined by Microsoft and customer-specific ones.

The default build of Fusion File Share contains the following privileges:

  • SeSecurityPrivilege allows the user to manage the System ACL (SACL) part of the security descriptors of files. In Windows this privilege is implicitly granted to the built-in Administrators group. Fusion File Share has no pre-defined settings for this.
  • SeTakeOwnershipPrivilege allows the user to change the ownership of any file, ignoring the security descriptor of that file. In Windows this privilege is implicitly granted to the built-in Administrators group. Fusion File Share has no pre-defined settings for this.
  • TsmbServerOperatorsPrivilege allows the user to perform all available management operations remotely using DCE/RPC services. This privilege is specific to Fusion File Share.

Use ‘tsmb-privilege -h’ to see a full list of privileges available in your release.