Configuring Red Hat Enterprise Linux 7.6 for SMB/HTTPS File Share Distribution with Jamf Pro
Important Notice About Samba Security Vulnerabilities
If you are planning to use Samba, be aware that the following vulnerabilities were recently discovered and patched in Samba:
- CVE-2021-44142—An attacker can abuse this vulnerability to execute code in the root context even without authentication. Also, an attacker can run arbitrary code as root remotely on the device hosting the SMB share.
- CVE-2021-44141—An attacker can discover what files exist on the device hosting the SMB share. This could be used to scout for information on the server or, in the case of a deployment share, find out what apps are installed within an organization.
- CVE-2022-0336—Denial of service against the SMB share.
For more information, see the following webpages:
The procedure may vary depending on your specific Linux operating system.
The procedure involves the following two main steps:
- Setting Up SMB on Jamf Pro Using Red Hat Enterprise Linux 7.6
- Setting Up an HTTP Distribution Point on Jamf Pro
Step 1: Setting Up SMB on Jamf Pro Using Red Hat Enterprise Linux 7.6
- Confirm the version of Red Hat Enterprise Linux you are using by executing the following command:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)
- Install net-tools to allow for basic network operations by executing the following command:
$ sudo yum -y install net-tools
- Install the Samba service by executing the following command:
$ sudo yum -y install samba*
- Add users for the service and set passwords. You will need two accounts: one with read-only permissions and another with full permissions to the file share.
- Create the read-only account, jamfR, by executing the following command:
$ sudo useradd -d /home/jamfR jamfR -s /bin/false -N
- Set the password by executing the following command:
$ sudo smbpasswd -a jamfR
New SMB password:
Retype new SMB password:
Added user jamfR.
- Create the full-access account, jamfRW, by executing the following command:
$ sudo useradd -d /home/jamfRW jamfRW -s /bin/false -N
- Set the password by executing the following command:
$ sudo smbpasswd -a jamfRW
New SMB password:
Retype new SMB password:
Added user jamfRW.
- Create a location for the file share by executing the following command:
$ sudo mkdir -p /usr/local/jamf/jamfShare
- Set the owner of the file share to the account that has full access to it by executing the following command:
$ sudo chown jamfRW /usr/local/jamf/jamfShare
- Set permissions on the file share by executing the following command:
$ sudo chmod 755 /usr/local/jamf/jamfShare
- Edit the Samba configuration file by executing the following command:
$ sudo vi /etc/samba/smb.conf
- Add the following code block directly above the line that starts with [global]:
[jamfShare]
comment = jamfShare
path = /usr/local/jamf/jamfShare
browsable = yes
guest ok = no
read only = yes
create mask = 0755
read list = jamfR
write list = jamfRW
valid users = jamfR, jamfRW
- Configure the firewall to allow Samba traffic by executing the following command:
$ sudo firewall-cmd --add-service=samba --permanent
- Reload the firewall to activate the new rule by executing the following command:
$ sudo firewall-cmd --reload
- To manage SELinux configuration, install semanage by executing the following command:
$ sudo yum -y install policycoreutils-python
- Set the SELinux configuration to allow Samba read/write permissions by executing the following commands:
$ sudo setsebool -P smbd_anon_write=1
$ sudo semanage fcontext -a -t public_content_rw_t "/usr/local/jamf(/.*)?"
$ sudo restorecon -Rv /usr/local/jamf
- Start the Samba service by executing the following command:
$ sudo systemctl start smb
- Enable the service at startup by executing the following command:
$ sudo systemctl enable smb
- Using Terminal on a Mac, ensure you can connect to the file share (use port 139 and/or 445) by executing the following command:
$ nc -v fqdn.of.server 139
Connection to 172.27.1.33 port 139 [tcp/netbios-ssn] succeeded!
- Add the file share to your Jamf Pro server:
- In Jamf Pro, click Settings in the top-right corner of the page.
- Click Server Infrastructure, and then click File Share Distribution Points.
- Click New.
- Enter a Display Name for the file share and the fully qualified domain name of the server:
- Click the File Sharing tab and enter the Share Name that was defined in the Samba configuration file. Leave the Workgroup Or Domain field blank and the Port set to 139:
- Enter the credentials for the two Samba accounts that you created earlier:
- Click Save.
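As an added check that is not part of this guide, the following Python script audits the [jamfShare] stanza for the settings that keep the share read-only and password-protected (guest access off, a single write-list user, a restricted valid-users list, and a path under the directory the SELinux labels cover). The embedded configuration is a constructed sample built from the stanza above, and the jamfR and jamfRW names are the accounts created in Step 1.

```python
import configparser
from typing import List, Set

# Constructed sample: the [jamfShare] stanza this guide adds above [global].
SMB_CONF_SAMPLE = """
[jamfShare]
    comment = jamfShare
    path = /usr/local/jamf/jamfShare
    browsable = yes
    guest ok = no
    read only = yes
    create mask = 0755
    read list = jamfR
    write list = jamfRW
    valid users = jamfR, jamfRW

[global]
    workgroup = SAMBA
    security = user
"""


def _user_set(value: str) -> Set[str]:
    """Split a Samba user list ('jamfR, jamfRW' or 'jamfR jamfRW') into a set of names."""
    return set(value.replace(",", " ").split())


def audit_share(conf_text: str, share: str, ro_user: str, rw_user: str) -> List[str]:
    """Check one share stanza against the guide's settings; an empty list means no findings."""
    # smb.conf is INI-style, so the standard-library parser is enough for an audit.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section(share):
        return [f"share [{share}] is not defined"]
    section = parser[share]
    findings: List[str] = []
    if section.get("guest ok", "no").strip().lower() != "no":
        findings.append("guest ok must be 'no': unauthenticated clients could read the packages")
    if section.get("read only", "yes").strip().lower() != "yes":
        findings.append("read only must be 'yes': every valid user could replace packages")
    if _user_set(section.get("write list", "")) != {rw_user}:
        findings.append(f"write list must be exactly '{rw_user}'")
    if _user_set(section.get("valid users", "")) != {ro_user, rw_user}:
        findings.append(f"valid users must be exactly '{ro_user}, {rw_user}'")
    if not section.get("path", "").startswith("/usr/local/jamf/"):
        findings.append("path is outside /usr/local/jamf, so this guide's SELinux labels will not apply")
    return findings
```

Run it against the real file with `audit_share(open("/etc/samba/smb.conf").read(), "jamfShare", "jamfR", "jamfRW")` after editing; any non-empty result is a setting that drifted from the stanza above.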
Step 2: Setting Up an HTTP Distribution Point on Jamf Pro
- Install httpd (Apache) to allow for distribution over HTTP by executing the following command:
$ sudo yum -y install httpd
- To secure the web share, install mod_ssl (for sharing over HTTPS) by executing the following command:
$ sudo yum -y install mod_ssl
- Create a configuration file that will be used to generate a certificate request by executing the following command:
$ vi req.conf
- Enter information similar to the following, and adjust the settings as needed for your environment:
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = fqdn.of.server
emailAddress = admin@your.domain
O = Corp
OU = IT
L = Minneapolis
ST = Minnesota
C = US

[ req_ext ]
subjectAltName = DNS: fqdn.of.server, DNS: cname.of.server
- Create the certificate signing request by executing the following command:
$ openssl req -new -config req.conf -keyout sslkey.pem -out ssl.csr
Generating a 4096 bit RSA private key
.....................................................................++
...++
writing new private key to 'sslkey.pem'
-----
Note: This command also creates the private key file (sslkey.pem). Store the private key file in a secure location.
- Copy the contents of the ssl.csr file.
Note: When copying, be sure to include the first (-----BEGIN CERTIFICATE REQUEST-----) and last (-----END CERTIFICATE REQUEST-----) lines.
- Use cat to display the file contents by executing the following command:
$ cat ssl.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIFETCCAvkCAQAwgY4xFzAVBgNVBAMMDmZxZG4ub2Yuc2VydmVyMSAwHgYJKoZI
hvcNAQkBFhFhZG1pbkB5b3VyLmRvbWFpbjENMAsGA1UECgwEQ29ycDELMAkGA1UE
. . .
gMDxBCeRhg2uctDYH4z7DXkA9facd+Ij0Ws73p75Jz7gCFE9D1BtCeF7RZhniBUl
jvi93tjtXNUseQQRy4TfheQneeF8hoRqCm7/Tzju2+Yxvv9ew4gsvCmVu/GQqlea
vR/veW4=
-----END CERTIFICATE REQUEST-----
- In Jamf Pro, navigate to Settings > Global Management > PKI Certificates.
- Click on the Management Certificate Template tab, and then click the Create Certificate from CSR button:
- Click the Certificate Type pop-up menu, choose Web Server Certificate, and then paste the CSR into the text field:
- Click Create and the certificate will download to the Downloads folder. (If prompted about permitting the download, click Allow).
- Copy the certificate (.pem file) to the Red Hat Enterprise Linux server by executing the following command:
$ scp ~/Downloads/C\=US\,ST\=Minnesota\,L\=Minneapolis\,OU\=IT\,O\=Corp\,E\=admin@your.domain\,CN\=fqdn.of.server.pem jssadmin@fqdn.of.server:webshareSSL.pem
Note: Rename the certificate file while copying it to make the name more manageable.
- Move the certificate and private key .pem files to their respective default directories by executing the following commands:
$ sudo mv /home/jssadmin/webshareSSL.pem /etc/pki/tls/certs/
$ sudo mv /home/jssadmin/sslkey.pem /etc/pki/tls/private/
- Set the owner and permissions on the certificate and private key files by executing the following commands:
$ sudo chown root:root /etc/pki/tls/certs/webshareSSL.pem
$ sudo chown root:root /etc/pki/tls/private/sslkey.pem
$ sudo chmod 600 /etc/pki/tls/certs/webshareSSL.pem
$ sudo chmod 600 /etc/pki/tls/private/sslkey.pem
- Modify the ssl.conf file so it uses the certificate and private key that you created. Open the file by executing the following command, then change the lines in ssl.conf as indicated below:
$ sudo vi /etc/httpd/conf.d/ssl.conf
Original line:
Listen 443 https
Change to:
Listen 0.0.0.0:443 https

Original line:
#DocumentRoot "/var/www/html"
Change to:
DocumentRoot "/usr/local/jamf"

Original line:
#ServerName www.example.com:443
Change to:
ServerName fqdn.of.server:443

Original line:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
Change to:
SSLCertificateFile /etc/pki/tls/certs/webshareSSL.pem

Original line:
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Change to:
SSLCertificateKeyFile /etc/pki/tls/private/sslkey.pem

Original lines:
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

# SSL Protocol Adjustments:
Change to:
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

<Directory "/usr/local/jamf">
    AuthType Basic
    AuthName "Authorization Required"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>

# SSL Protocol Adjustments:
- Modify the document root in the httpd.conf file by executing the following command and changing the line as indicated below:
$ sudo vi /etc/httpd/conf/httpd.conf
Original line:
DocumentRoot "/var/www/html"
Change to:
DocumentRoot "/usr/local/jamf"
- Create the password file and configure the Samba read-only user to have access to the HTTPS share by executing the following command:
Important: The -c option will delete and recreate the password file if one exists. If you have an existing configuration, do not use the -c option.
$ sudo htpasswd -c /etc/httpd/.htpasswd jamfR
New password:
Re-type new password:
Adding password for user jamfR
- Set owner and permissions on the password file by executing the following command:
$ sudo chown apache:root /etc/httpd/.htpasswd
$ sudo chmod 0460 /etc/httpd/.htpasswd
- Configure the firewall to allow HTTPS traffic. List the currently active zones by executing the following command:
$ sudo firewall-cmd --get-active-zones
public
  interfaces: ens192
- Add the zone and the service to the firewall configuration by executing the following command:
$ sudo firewall-cmd --zone=public --add-service=https --permanent
- Activate the new configuration by reloading the firewall by executing the following command:
$ sudo firewall-cmd --reload
- Configure SELinux policies to allow read access to the web share by executing the following command:
$ sudo semanage fcontext -a -t httpd_sys_content_t "/usr/local/jamf(/.*)?"
- Apply the new configuration by executing the following command:
$ sudo restorecon -Rv /usr/local/jamf
- Configure SELinux to allow access to the certificate and private key:
- Allow access to the certificate by executing the following commands:
$ sudo semanage fcontext -a -t cert_t /etc/pki/tls/certs/webshareSSL.pem
$ sudo restorecon -v /etc/pki/tls/certs/webshareSSL.pem
- Allow access to the private key by executing the following commands:
$ sudo semanage fcontext -a -t cert_t /etc/pki/tls/private/sslkey.pem
$ sudo restorecon -v /etc/pki/tls/private/sslkey.pem
- Disable the default web page by executing the following command:
$ sudo mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.backup
- Start the web server (httpd) by executing the following command:
$ sudo systemctl start httpd
- Enable the service at startup by executing the following command:
$ sudo systemctl enable httpd
- Add the web share to the Jamf Pro server:
- Navigate to the SMB share that you created earlier, and click the HTTP/HTTPS tab.
- Select Use HTTP downloads to enable the service.
- Complete the configuration and click Save.
- You should now be able to use Jamf Admin to replicate packages to the new distribution point. After replication is complete, the HTTPS distribution point can quickly be tested by directing your web browser to a URL similar to the following:
https://fqdn.of.server/jamfShare/Packages/<somePackage.pkg>
- When prompted for credentials, enter the read-only (jamfR) account credentials and click Log In.
- If prompted about permitting the download, click Allow, and the package should successfully download.
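As an added check that is not part of this guide, the following Python script audits the edited ssl.conf for the two settings that matter most in Step 2: that the certificate and key directives point at the files you installed rather than the localhost defaults, and that the <Directory "/usr/local/jamf"> block still requires a valid user, since without it every package would be served to anyone who can reach port 443. The embedded configuration is a constructed sample of the relevant lines, and the file paths are the ones used in this guide.

```python
import re
from typing import Dict, List

# Constructed sample of the ssl.conf lines that matter after following this guide.
SSL_CONF_SAMPLE = """
SSLCertificateFile /etc/pki/tls/certs/webshareSSL.pem
SSLCertificateKeyFile /etc/pki/tls/private/sslkey.pem
<Directory "/usr/local/jamf">
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>
"""
DIRECTORY_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)


def split_blocks(conf_text: str) -> Dict[str, List[str]]:
    """Group directive lines by enclosing <Directory> path; '' holds everything else."""
    blocks: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the comments RHEL ships in ssl.conf
        match = DIRECTORY_OPEN.match(line)
        if match:
            current = match.group(1)
            blocks.setdefault(current, [])
        elif line.lower() == "</directory>":
            current = ""
        else:
            blocks[current].append(line)
    return blocks


def audit_ssl_conf(conf_text: str, docroot: str, cert: str, key: str) -> List[str]:
    """Return findings for the TLS and auth settings; empty means they match the guide."""
    blocks = split_blocks(conf_text)
    directives = {}
    for line in blocks[""]:
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip().strip('"')  # last occurrence wins
    findings: List[str] = []
    if directives.get("sslcertificatefile") != cert:
        findings.append(f"SSLCertificateFile must be {cert}")
    if directives.get("sslcertificatekeyfile") != key:
        findings.append(f"SSLCertificateKeyFile must be {key}: the default localhost.key does not match the CSR")
    protected = [entry.lower() for entry in blocks.get(docroot, [])]
    if "require valid-user" not in protected:
        findings.append(f'<Directory "{docroot}"> lacks Require valid-user: packages would be served without a password')
    if not any(entry.startswith("authuserfile ") for entry in protected):
        findings.append(f'<Directory "{docroot}"> lacks AuthUserFile')
    return findings
```

Run it against the live file with `audit_ssl_conf(open("/etc/httpd/conf.d/ssl.conf").read(), "/usr/local/jamf", "/etc/pki/tls/certs/webshareSSL.pem", "/etc/pki/tls/private/sslkey.pem")` before restarting httpd; an empty list means the share is both using your certificate and still password-protected.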