Configuring Red Hat Enterprise Linux 7.6 for SMB/HTTPS File Share Distribution with Jamf Pro

This article explains how to use Samba to host a file share distribution point with an SMB share on a Linux server. The distribution point can then be added to the Jamf Pro server and used with Jamf Pro.

Note: The procedure may vary depending on your specific Linux operating system.

The procedure involves the following two main steps:

  1. Setting Up SMB on Jamf Pro Using Red Hat Enterprise Linux 7.6

  2. Setting Up an HTTP Distribution Point on Jamf Pro

Step 1: Setting Up SMB on Jamf Pro Using Red Hat Enterprise Linux 7.6

  1. Confirm the version of Red Hat Enterprise Linux you are using by executing the following command:
    $ cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 7.6 (Maipo)
  2. Install net-tools to allow for basic network operations by executing the following command:
    $ sudo yum -y install net-tools
  3. Install the Samba service by executing the following command:
    $ sudo yum -y install samba*
  4. Add users for the service and set passwords. You will need two accounts: one with read-only permissions and another with full permissions to the file share.
    1. Create the read-only account, jamfR, by executing the following command:
      $ sudo useradd -d /home/jamfR jamfR -s /bin/false -N
    2. Set the password by executing the following command:
      $ sudo smbpasswd -a jamfR 
      New SMB password: 
      Retype new SMB password: 
      Added user jamfR.
    3. Create the full-access account, jamfRW, by executing the following command:
      $ sudo useradd -d /home/jamfRW jamfRW -s /bin/false -N
    4. Set the password by executing the following command:
      $ sudo smbpasswd -a jamfRW 
      New SMB password: 
      Retype new SMB password: 
      Added user jamfRW.
  5. Create a location for the file share by executing the following command:
    $ sudo mkdir -p /usr/local/jamf/jamfShare
  6. Make the account that has full access the owner of the file share by executing the following command:
    $ sudo chown jamfRW /usr/local/jamf/jamfShare
  7. Set permissions on the file share by executing the following command:
    $ sudo chmod 755 /usr/local/jamf/jamfShare
  8. Edit the Samba configuration file by executing the following command:
    $ sudo vi /etc/samba/smb.conf
  9. Add the following code block directly above the line that starts with [global]:
    [jamfShare]
        comment = jamfShare
        path = /usr/local/jamf/jamfShare
        browsable = yes
        guest ok = no
        read only = yes
        create mask = 0755
        read list = jamfR
        write list = jamfRW
        valid users = jamfR, jamfRW
  10. Configure the firewall to allow Samba traffic by executing the following command:
    $ sudo firewall-cmd --add-service=samba --permanent
  11. Reload the firewall to activate the new rule by executing the following command:
    $ sudo firewall-cmd --reload
  12. To manage SELinux configuration, install semanage by executing the following command:
    $ sudo yum -y install policycoreutils-python
  13. Set the SELinux configuration to allow Samba read/write permissions by executing the following commands:
    $ sudo setsebool -P smbd_anon_write=1
    $ sudo semanage fcontext -a -t public_content_rw_t "/usr/local/jamf(/.*)?"
    $ sudo restorecon -Rv /usr/local/jamf
  14. Start the Samba service by executing the following command:
    $ sudo systemctl start smb
  15. Enable the service at startup by executing the following command:
    $ sudo systemctl enable smb
  16. Using Terminal on a Mac, ensure you can connect to the file share (use port 139 and/or 445) by executing the following command:
    $ nc -v fqdn.of.server 139
    Connection to 172.27.1.33 port 139 [tcp/netbios-ssn] succeeded!
  17. Add the file share to your Jamf Pro server:
    1. In Jamf Pro, click Settings in the top-right corner of the page.
    2. Click Server Infrastructure, and then click File Share Distribution Points.
    3. Click New.
    4. Enter a Display Name for the file share and the fully qualified domain name of the server.
    5. Click the File Sharing tab and enter the Share Name that was defined in the Samba configuration file. Leave the Workgroup Or Domain field blank and the Port set to 139.
    6. Enter the credentials for the two Samba accounts that you created earlier.
    7. Click Save.
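
The share definition in step 9 depends on guest ok, read only, write list and valid users working together. The following added example is not part of the original article: audit_share and demo_weak are hypothetical names, and the sample file with its "backup" user is constructed. It checks a share section for the settings that would open the share up.

```bash
#!/usr/bin/env bash
# Added example: audit one share section of an smb.conf-style file.
# Usage: audit_share FILE SHARE  -> prints findings, returns 1 if any.
# User names are compared literally (no @group expansion).
audit_share() {
  awk -v share="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function yes(v)  { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    /^[ \t]*[#;]/ { next }                        # comment lines
    /^[ \t]*\[/ {                                 # section header
      name = trim($0); gsub(/^\[|\]$/, "", name)
      insec = (tolower(name) == tolower(share)); if (insec) found = 1
      next
    }
    insec && (eq = index($0, "=")) {              # "key = value" inside the share
      key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
      opt[key] = trim(substr($0, eq + 1))
    }
    END {
      if (!found) { print "share [" share "] not found"; exit 1 }
      if (yes(opt["guest ok"])) { print "guest ok = yes: unauthenticated access"; bad = 1 }
      if (("read only" in opt) && !yes(opt["read only"])) {
        print "read only = no: every valid user can write"; bad = 1 }
      nv = split(opt["valid users"], v, /[ \t,]+/)
      if (nv == 0) { print "valid users empty: any Samba account may connect"; bad = 1 }
      for (i = 1; i <= nv; i++) ok[v[i]] = 1
      nw = split(opt["write list"], w, /[ \t,]+/)
      for (i = 1; i <= nw; i++) if (nv > 0 && !(w[i] in ok)) {
        print "write list user " w[i] " is not in valid users"; bad = 1 }
      exit bad + 0
    }' "$1"
}

# Constructed sample: the share from step 9 with two settings weakened.
demo_weak() {
  local f; f=$(mktemp)
  printf '%s\n' '[jamfShare]' '    path = /usr/local/jamf/jamfShare' \
    '    guest ok = yes' '    read only = yes' '    write list = jamfRW, backup' \
    '    valid users = jamfR, jamfRW' '[global]' '    workgroup = SAMBA' > "$f"
  audit_share "$f" jamfShare; local rc=$?
  rm -f "$f"; return "$rc"
}
demo_weak || echo "fix the findings above before starting smb"
```

Run it against the real file with `audit_share /etc/samba/smb.conf jamfShare`.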

Step 2: Setting Up an HTTP Distribution Point on Jamf Pro

  1. Install httpd (Apache) to allow for distribution over HTTP by executing the following command:
    $ sudo yum -y install httpd
  2. To secure the web share, install mod_ssl (for sharing over HTTPS) by executing the following command:
    $ sudo yum -y install mod_ssl
  3. Create a configuration file that will be used to generate a certificate request by executing the following command:
    $ vi req.conf
  4. Enter information similar to the following, and adjust the settings as needed for your environment:
    [ req ]
    default_bits = 4096
    prompt = no
    encrypt_key = no
    default_md = sha256
    distinguished_name = dn
    req_extensions = req_ext
    [ dn ]
    CN = fqdn.of.server
    emailAddress = admin@your.domain
    O = Corp
    OU = IT
    L = Minneapolis
    ST = Minnesota
    C = US
    [ req_ext ]
    subjectAltName = DNS: fqdn.of.server, DNS: cname.of.server
  5. Create the certificate signing request by executing the following command:
    $ openssl req -new -config req.conf -keyout sslkey.pem -out ssl.csr
    Generating a 4096 bit RSA private key
    .....................................................................++
    ...++
    writing new private key to 'sslkey.pem'
    -----
    Note: This command also creates the private key file (sslkey.pem). Store the private key file in a secure location.

  6. Copy the contents of the ssl.csr file.
    Note: When copying, be sure to include the first (-----BEGIN CERTIFICATE REQUEST-----) and last (-----END CERTIFICATE REQUEST-----) lines.
  7. Use cat to display the file contents by executing the following command:
    $ cat ssl.csr
    -----BEGIN CERTIFICATE REQUEST-----
    MIIFETCCAvkCAQAwgY4xFzAVBgNVBAMMDmZxZG4ub2Yuc2VydmVyMSAwHgYJKoZI
    hvcNAQkBFhFhZG1pbkB5b3VyLmRvbWFpbjENMAsGA1UECgwEQ29ycDELMAkGA1UE
    .
    .
    .
    gMDxBCeRhg2uctDYH4z7DXkA9facd+Ij0Ws73p75Jz7gCFE9D1BtCeF7RZhniBUl
    jvi93tjtXNUseQQRy4TfheQneeF8hoRqCm7/Tzju2+Yxvv9ew4gsvCmVu/GQqlea
    vR/veW4=
    -----END CERTIFICATE REQUEST-----
  8. In Jamf Pro, navigate to Settings > Global Management > PKI Certificates.
  9. Click on the Management Certificate Template tab, and then click the Create Certificate from CSR button.
  10. Click the Certificate Type pop-up menu, choose Web Server Certificate, and then paste the CSR into the text field.
  11. Click Create and the certificate will download to the Downloads folder. (If prompted about permitting the download, click Allow.)
  12. Copy the certificate (.pem file) to the Red Hat Enterprise Linux server by executing the following command:
    $ scp ~/Downloads/C\=US\,ST\=Minnesota\,L\=Minneapolis\,OU\=IT\,O\=Corp\,E\=admin@your.domain\,CN\=fqdn.of.server.pem jssadmin@fqdn.of.server:webshareSSL.pem
    Note: Rename the certificate file while copying it to make the name more manageable.

  13. Move the certificate and private key .pem files to their respective default directories by executing the following commands:
    $ sudo mv /home/jssadmin/webshareSSL.pem /etc/pki/tls/certs/
    $ sudo mv /home/jssadmin/sslkey.pem /etc/pki/tls/private/
  14. Set the owner and permissions on the certificate and private key files by executing the following commands:
    $ sudo chown root:root /etc/pki/tls/certs/webshareSSL.pem
    $ sudo chown root:root /etc/pki/tls/private/sslkey.pem
    $ sudo chmod 600 /etc/pki/tls/certs/webshareSSL.pem
    $ sudo chmod 600 /etc/pki/tls/private/sslkey.pem
  15. Modify the ssl.conf file so that it uses the certificate and private key that you created. Open the file by executing the following command, and then change the lines in ssl.conf as indicated in the table below:
    $ sudo vi /etc/httpd/conf.d/ssl.conf
    Original line:
        Listen 443 https
    Change to the following:
        Listen 0.0.0.0:443 https

    Original line:
        #DocumentRoot "/var/www/html"
    Change to the following:
        DocumentRoot "/usr/local/jamf"

    Original line:
        #ServerName www.example.com:443
    Change to the following:
        ServerName fqdn.of.server:443

    Original line:
        SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    Change to the following:
        SSLCertificateFile /etc/pki/tls/certs/webshareSSL.pem

    Original line:
        SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    Change to the following:
        SSLCertificateKeyFile /etc/pki/tls/private/sslkey.pem

    Original lines:
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        # SSL Protocol Adjustments:
    Change to the following:
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        <Directory "/usr/local/jamf">
            AuthType Basic
            AuthName "Authorization Required"
            AuthUserFile /etc/httpd/.htpasswd
            Require valid-user
        </Directory>

        # SSL Protocol Adjustments:
  16. Modify the document root in the httpd.conf file by executing the following command and changing the line as indicated in the table below:
    $ sudo vi /etc/httpd/conf/httpd.conf
    Original line:
        DocumentRoot "/var/www/html"
    Change to the following:
        DocumentRoot "/usr/local/jamf"
    
  17. Create the password file and configure the Samba read-only user to have access to the HTTPS share by executing the following command:
    Important: The -c option deletes and recreates the password file if one exists. If you have an existing configuration, do not use the -c option.

    $ sudo htpasswd -c /etc/httpd/.htpasswd jamfR
    New password:
    Re-type new password:
    Adding password for user jamfR
  18. Set the owner and permissions on the password file by executing the following commands:
    $ sudo chown apache:root /etc/httpd/.htpasswd
    $ sudo chmod 0460 /etc/httpd/.htpasswd
  19. Configure the firewall to allow HTTPS traffic. List the currently active zones by executing the following command:
    $ sudo firewall-cmd --get-active-zones
    public
      interfaces: ens192
  20. Add the zone and the service to the firewall configuration by executing the following command:
    $ sudo firewall-cmd --zone=public --add-service=https --permanent
  21. Activate the new configuration by reloading the firewall by executing the following command:
    $ sudo firewall-cmd --reload
  22. Configure SELinux policies to allow read access to the web share by executing the following command:
    $ sudo semanage fcontext -a -t httpd_sys_content_t "/usr/local/jamf(/.*)?"
  23. Apply the new configuration by executing the following command:
    $ sudo restorecon -Rv /usr/local/jamf
  24. Configure SELinux to allow access to the certificate and private key:
    1. Allow access to the certificate by executing the following commands:
      $ sudo semanage fcontext -a -t cert_t /etc/pki/tls/certs/webshareSSL.pem
      $ sudo restorecon -v /etc/pki/tls/certs/webshareSSL.pem 
    2. Allow access to the private key by executing the following commands:
      $ sudo semanage fcontext -a -t cert_t /etc/pki/tls/private/sslkey.pem 
      $ sudo restorecon -v /etc/pki/tls/private/sslkey.pem
  25. Disable the default web page by executing the following command:
    $ sudo mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.backup
  26. Start the web server (httpd) by executing the following command:
    $ sudo systemctl start httpd
  27. Enable the service at startup by executing the following command:
    $ sudo systemctl enable httpd
  28. Add the web share to the Jamf Pro server:
    1. Navigate to the SMB share that you created earlier, and click the HTTP/HTTPS tab.
    2. Select Use HTTP downloads to enable the service.
    3. Complete the configuration and click Save.
  29. You should now be able to use Jamf Admin to replicate packages to the new distribution point. After replication is complete, the HTTPS distribution point can quickly be tested by directing your web browser to a URL similar to the following:
    https://fqdn.of.server/jamfShare/Packages/<somePackage.pkg>
  30. When prompted for credentials, enter the read-only (jamfR) account credentials and click Log In.
  31. If prompted about permitting the download, click Allow, and the package should successfully download.
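
Before starting httpd in step 26, it is worth confirming that the ssl.conf edits from step 15 left both a certificate and a key directive in place and that the document root is behind Basic authentication. The following added example is not part of the original article: check_ssl_conf and demo_conf are hypothetical names, and the configuration fragment is constructed from the values used above.

```bash
#!/usr/bin/env bash
# Added example: check the directives this procedure edits in ssl.conf.
# Usage: check_ssl_conf FILE  ("-" reads stdin); prints findings, returns 1 if any.
# Assumes paths contain no spaces, as in the article.
check_ssl_conf() {
  awk '
    function unq(s) { gsub(/^"|"$/, "", s); return s }   # strip surrounding quotes
    /^[ \t]*#/ { next }                                  # commented-out directives
    { d = tolower($1) }
    d == "documentroot"          { root = unq($2) }
    d == "sslcertificatefile"    { cert = $2 }
    d == "sslcertificatekeyfile" { key = $2 }
    d == "<directory"            { dir = $2; sub(/>$/, "", dir); dir = unq(dir) }
    d == "</directory>"          { dir = "" }
    dir != "" && d == "require" && tolower($2) == "valid-user" { auth[dir] = 1 }
    dir != "" && d == "authuserfile"                           { pw[dir] = unq($2) }
    END {
      if (cert == "") { print "SSLCertificateFile is not set"; bad = 1 }
      if (key == "")  { print "SSLCertificateKeyFile is not set"; bad = 1 }
      if (root == "" || !(root in auth)) {
        print "no Require valid-user in <Directory \"" root "\">"; bad = 1 }
      if ((root in pw) && index(pw[root], root "/") == 1) {
        print "AuthUserFile " pw[root] " is inside DocumentRoot"; bad = 1 }
      exit bad + 0
    }' "$1"
}

# Constructed fragment; $1 is the directive name used on the private key line,
# so a mistyped name (a second SSLCertificateFile) can be simulated.
demo_conf() {
  printf '%s\n' 'Listen 0.0.0.0:443 https' 'DocumentRoot "/usr/local/jamf"' \
    'SSLCertificateFile /etc/pki/tls/certs/webshareSSL.pem' \
    "$1 /etc/pki/tls/private/sslkey.pem" \
    '<Directory "/usr/local/jamf">' '    AuthType Basic' \
    '    AuthUserFile /etc/httpd/.htpasswd' '    Require valid-user' '</Directory>'
}

demo_conf SSLCertificateKeyFile | check_ssl_conf - && echo "ok: no findings"
demo_conf SSLCertificateFile | check_ssl_conf - || echo "fix the findings above before starting httpd"
```

On the server, run `sudo bash -c '. ./check.sh; check_ssl_conf /etc/httpd/conf.d/ssl.conf'` (check.sh being wherever the function is saved), followed by `sudo apachectl configtest` for Apache's own syntax check.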