1. Introduction
While Linux is a full-featured operating system (OS), network integration with other systems like Microsoft Windows is a common scenario for data exchange, development, or even administration.
In this tutorial, we’ll explore how to access Microsoft Windows administrative shares from a Linux system. First, we dive into the feature in general. Next, we discuss ways to access administrative shares in Linux. Finally, we describe some common pitfalls when doing so.
We tested the code in this tutorial on Debian 11 (Bullseye) with GNU Bash 5.1.4. It should work in most POSIX-compliant environments unless otherwise specified.
2. Microsoft Windows Administrative Shares (Admin Shares)
Microsoft Windows provides full remote access to system data for authorized users via so-called administrative shares. In essence, the feature exposes special shares with specific functions:
- C$ – system partition access, roughly related to rootfs in Linux
- D$–Z$ – secondary drive access, roughly related to /mnt in Linux
- IPC$ – responsible for inter-process communication with named pipes
- Admin$ – %SYSTEMROOT% access, roughly related to the combination of the /etc, /lib, and /sbin directories in Linux
- Printer$ – access to shared printers
- FAX$ – access to shared FAX
Just like mapped drives, the shares, named with drive or partition letters followed by a $ dollar sign, provide full data, system, and configuration access to authorized users.
Of course, security is important, so administrative shares use the Common Internet FileSystem (CIFS) protocol. Its implementation in Linux is Samba, from Server Message Block (SMB), their common base.
Although the protocol is mainly for file exchange, among other options, we can leverage administrative shares to enable remote access protocols:
- Remote Desktop Protocol (RDP)
- Secure Shell (SSH) protocol
- psexec tunnels
So, let’s see how we can access Microsoft Windows Administrative Shares from a Linux machine.
3. Access Administrative Shares in Linux
Since admin shares use CIFS in Windows, we can employ an SMB implementation under Linux to access them.
Importantly, administrative shares cannot be accessed anonymously, so a username and password are always necessary.
3.1. Desktop Environment
Depending on our graphical user interface (GUI), we might be able to access administrative shares directly with a desktop environment application:
If entering the Universal Resource Identifier (URI), we can specify colon-separated credentials after it and before the hostname or IP address:
smb://Administrator:PASSWORD@WindowsServer
If we don’t supply them, the GUI should present a prompt. In most interfaces, we need the smb:// protocol prefix.
3.2. mount
To access administrative shares from the command line interface (CLI), we can use the mount command after installing cifs-utils via a package manager like apt:
$ apt-get -y install cifs-utils
[...]
$ mkdir /mnt/admin_C
$ mount -t cifs //WindowsServer/C$ /mnt/admin_C
In fact, the last command is what commonly gets run at the back-end of GUI operations with SMB but usually with another directory as the mount point. Furthermore, we can change the owner of the resulting mount.
3.3. smbclient
Another CLI way to access administrative shares is the smbclient tool.
First, let’s install smbclient via apt:
$ apt install smbclient
Now, we can supply the path we want to access along with the default Administrator [-U]sername:
$ smbclient //WindowsServer/C$ -U Administrator
Enter WORKGROUP\administrator's password:
Try "help" to get a list of possible commands.
smb: \>
After entering the correct password, we see an smb: \> prompt, where we can enter a command such as help:
$ smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
While this interface provides more limited control compared to a mount, it’s usually a convenient way to quickly browse an administrative share.
4. Potential Issues
Of course, no technology is flawless, and the CIFS-Samba combination is no exception. In addition to the many standard problems with Samba, some pitfalls pop up more often with administrative shares in particular.
4.1. Configuration
Although a regular occurrence in general, administrative shares are especially prone to misconfiguration since there are requirements to enable them in Windows:
- File and Printer Sharing should be enabled
- the correct firewall rules are set
- registry corrections to the protocol version or access control are sometimes needed
Still, home editions of Microsoft Windows don’t support administrative shares. Regardless of our setup, access to a non-existent share isn’t possible.
4.2. Mismatched Protocol Versions
SMB has many versions:
- vers=3.1 is SMB3_11 (Windows 11, Windows Server 2022, Windows 10, Windows Server 2016)
- vers=3.0 is SMB3 (Windows 8, Windows Server 2012)
- vers=2.1 is SMB2_10 (Windows 7, Windows Server 2008 R2)
- vers=2.0 is SMB2_02 (Vista SP1, Windows Server 2008)
- vers=1.0 is NT1 (Windows 95, NT 4.0)
If Samba doesn’t match CIFS in terms of their default SMB version, the connection can fail. Negotiating the version is part of the setup, but it might not always be successful due to external limitations like configuration or OS version.
5. Summary
In this article, we discussed browsing Microsoft Windows administrative shares from Linux.
In conclusion, although Linux provides the necessary facilities to access an admin share, we need a proper configuration on both sides.