Create a Script for Login to Samba Share
Here is a scenario where you have Windows users who need to log into an encrypted directory that is mounted on a Linux Samba share. This provides an interesting option for security.
The Linux user, who has sudo access, logs in and is then prompted to mount the TrueCrypt volume and restart the Samba server, because the volume is exported as a Samba share. The user who mounts the volume must be in the adm group so they can run the required commands as root through sudo.
Verify that the user is in the /etc/group file and listed in the “adm” group. Here we have two users mike and sue in the adm group.
adm:x:4:mike,sue
Edit the Samba Server
Edit your /etc/samba/smb.conf file to allow the user mike to log in to the encrypted directory. Be sure the workgroup matches the one used by your Windows machines. Note that encrypted passwords are enabled and the more secure tdbsam backend is used for the password database.
This is a copy of what you need in your /etc/samba/smb.conf file.
[global]
netbios name = linuxserver
workgroup = WORKGROUP
server string = Public File Server
security = user
encrypt passwords = yes
passdb backend = tdbsam
[mike]
comment = Truecrypt Directory
path = /media/truecrypt3
valid users = mike
browsable = no
guest ok = no
read only = no
Create a smbpasswd Account
Make sure the user has a password set both for the Linux system account and in Samba, as these are separate databases.
smbpasswd -a mike
New SMB password:
Retype new SMB password:
Added user mike.
Edit the User’s .bashrc File
Each user that logs in to the Linux box has their environment set up by the hidden .bashrc file in their home directory. Add a line at the end of .bashrc that executes the script you create. Here is what the user mike needs in order to execute the script, which will live in the user’s home directory.
#truecrypt
sh /home/mike/truecrypt.sh
Create the truecrypt Script
This simple script prompts for the volume password and for the password of the sudo user (mike in this example, who has sudo rights), then mounts the volume and restarts Samba so the directory is available over the share.
#!/bin/sh
# Truecrypt Script
# Mount the encrypted container on the share path, then restart Samba
truecrypt -k "" --protect-hidden=no --mount /protect/encrypt.tc /media/truecrypt3
sudo /etc/init.d/samba restart
Here is the output.
Last login: Thu Jan 1 06:59:09 2009 from 192.168.5.178
Enter password for /protect/encrypt.tc:
Enter system administrator password:
[sudo] password for mike:
* Stopping Samba daemons [ OK ]
Starting Samba daemons [ OK ]
Verify that the mount is running with this command:
truecrypt -l
3: /protect/encrypt.tc /dev/mapper/truecrypt3 /media/truecrypt3
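Because .bashrc runs for every interactive shell, the script above prompts for both passwords and restarts Samba again in every new terminal. The following is an added example, not the post's own script: an idempotent truecrypt.sh that parses the truecrypt -l listing format shown above, mounts only when /media/truecrypt3 is not already mapped, and restarts Samba only after a successful mount (the volume and mount point paths are the post's; the filename guard assumes the script is invoked as /home/mike/truecrypt.sh).

```shell
#!/bin/sh
# Added example, not the original post's script: an idempotent truecrypt.sh.
# Mounts only when the volume is absent from `truecrypt -l` and touches
# Samba only after a successful mount. Paths are taken from the post.

VOLUME=/protect/encrypt.tc
MOUNTPOINT=/media/truecrypt3

# Return 0 when mount point $2 is the last field of a line in the
# `truecrypt -l` listing passed as $1 (line format as shown in the post:
# "3: /protect/encrypt.tc /dev/mapper/truecrypt3 /media/truecrypt3").
# Taking the listing as an argument keeps the check testable without truecrypt.
volume_mounted() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        'BEGIN { found = 0 } $NF == mp { found = 1 } END { exit found ? 0 : 1 }'
}

# Print "skip" when the volume is already mapped, "mount" otherwise.
plan_action() {
    if volume_mounted "$1" "$2"; then
        echo skip
    else
        echo mount
    fi
}

main() {
    # truecrypt -l exits non-zero with no output when nothing is mounted.
    listing=$(truecrypt -l 2>/dev/null || true)
    case "$(plan_action "$listing" "$MOUNTPOINT")" in
        skip)
            echo "$MOUNTPOINT already mounted; leaving Samba alone"
            ;;
        mount)
            # Same mount command as the post; exits non-zero on a wrong password.
            if truecrypt -k "" --protect-hidden=no --mount "$VOLUME" "$MOUNTPOINT"; then
                sudo /etc/init.d/samba restart
            else
                echo "mount of $VOLUME failed; Samba not restarted" >&2
                return 1
            fi
            ;;
    esac
}

# Run main only when executed as the login script (sh /home/mike/truecrypt.sh),
# not when the functions are sourced elsewhere.
case $0 in *truecrypt.sh) main ;; esac
```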
Log in from another Linux box with the following command, or from a Windows machine using its SMB client; this is the Linux example.
smbclient //192.168.5.102/mike
Enter mike’s password:
Domain=[WK] OS=[Unix] Server=[Samba 3.2.3]
smb: \> ls
. D 0 Fri Dec 26 05:49:43 2008
.. D 0 Thu Jan 1 11:39:10 2009
debconf.conf 2969 Fri Dec 26 05:49:42 2008
sensors.conf 85602 Fri Dec 26 05:49:43 2008
adduser.conf 2986 Fri Dec 26 05:49:42 2008
nsswitch.conf 475 Fri Dec 26 05:49:42 2008
ltrace.conf 13144 Fri Dec 26 05:49:42 2008
xinetd.conf 289 Fri Dec 26 05:49:43 2008
host.conf 92 Fri Dec 26 05:49:42 2008
47157 blocks of size 2048. 41816 blocks available
smb: \>
Perhaps I’m missing something but wouldn’t that scenario mean that any file which the Windows user opens will be decrypted on-the-fly between TrueCrypt and Samba before passing across the network with its unencrypted content visible to any network sniffer?
One of the aspects of truecrypt is that while the volume is active the data is not encrypted, thus over the wire on a Samba transfer a sniffer could retrieve the data like any other data transfer with Samba. However, when the volume is not mounted it is encrypted and thus offers additional protection against theft or access when the owner is not accessing the share... it certainly is not a perfect solution.
Your title is a little misleading. To encrypt data to a Samba share you need “smb transport encryption” which is being added to Samba. For mounting the truecrypt volume at login you can use pam_mount (http://pam-mount.sourceforge.net/).
re jhansonxi: pam_mount cannot use truecrypt because tc is terribly broken with regards to its password prompt, leading to an infinite loop on EOF.
The safest solution for remote encryption is to create a plain dm-crypt image using pmt-ehd(8), export the crypto container, and then mount it on a remote Windows using FreeOTFE (or on Linux with dm-crypt).
As a simple user on a netra 1, I took a lot of time to get “samba on SPARC/Solaris 10” working. Your blog was very useful. Thanks a lot.