Samba - opening windows to a wider world

mail

The Samba encrypted password file 

/var/lib/samba/private/secrets.tdb
mail

smbpasswd

Usage

Flags

Flag For only Usage
-a kevin yes
  • add kevin to the local password file
  • if the user account kevin already exists, proceed to a password change
kevin must already exist in the system password file : /etc/password
-d kevin yes disable kevin in the local password file
-e kevin yes enable kevin in the local password file
-x kevin yes delete kevin from the local password file
-s no makes smbpasswd silent :
  • it won't display password prompts (old + new + confirm new)
  • it will expect passwords from the standard input rather than from /dev/tty

Example

Set / change a user's password non-interactively (source) :

As :
{ echo 'password'; echo 'password'; } | smbpasswd -s -a kevin
mail

SMB1 and EternalBlue / WannaCrypt / WannaCry

Situation

Details

In order to mitigate this risk, we'll have to :
  1. disable SMB1 on Samba
  2. disable SMB1 on Windows clients
This might be :

Solution

Disable SMB1 on Samba

  1. Add to /etc/samba/smb.conf, in the global section : 
    [global]
	
	min protocol = SMB2
	client min protocol = SMB2
    Depending on Samba version (/usr/sbin/samba --version, or dpkg -l samba) and Windows version, see server min protocol and server max protocol.
  2. restart Samba :
    systemctl restart smbd
Don't forget to disable SMB1 on your Windows clients !
mail

smb.conf configuration directives

Flags

Flag Default value Level Usage
browseable Yes service
  • when set to yes, the share is seen in the list of available shares in a net view and in the browse list
  • aka browsable
client max protocol SMB3_11 global the highest protocol level that will be supported by the client (details)
client min protocol SMB2_02 global the minimum protocol version that the client will attempt to use (details)
create mask 0744 service default permissions for new files
directory mask 0755 service default permissions for new directories
force user (empty) service
  • after specifying force user = kevin, all file operations will be performed as kevin
  • users still need to connect as a valid user and supply a valid password
  • this is useful for sharing files without requiring to chmod 777 the whole shared tree
guest ok No service when set to yes, no password is required to connect to the share. Privileges will be those of the guest account.
hosts allow (empty)
= everybody
  • global
  • service
  • comma / space / tab-delimited set of hosts which are permitted to access a service
  • if specified in [global] section : apply to all services + override values set in services if any
  • the default value none implies all hosts are permitted access
  • hosts allow 192.168.10.0/255.255.255.0
    allow all hosts in the given network/netmask
    hosts allow 160.210 EXCEPT 160.210.24.56
    allow all hosts beginning with 160.210 except 160.210.24.56
    hosts allow 192.168.10 192.168.20
    allow all hosts beginning with 192.168.10 or 192.168.20
    hosts deny 130.74
    deny all hosts beginning with 130.74
log file (no default value) global
  • set the name of the Samba log file
  • it is possible to have distinct log files per user or machine using substitutions
logging (empty) global
path (empty) service directory to which the user of the service is to be given access
read only Yes service
  • when set to yes, users of a share may not create or modify files in this share
  • inverted synonym of writable
server max protocol
max protocol		 SMB3 global the highest protocol level that will be supported by the server
server min protocol
min protocol 		SMB2_02 global the minimum protocol version that the server will allow the client to use
unix extensions Yes global
  • enable Samba to better serve Unix CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.
  • unix extensions = yes automatically causes wide links = no, unless you also set allow insecure wide links = yes
valid users empty, meaning everyone is valid service comma-separated list of users who are allowed to use this service
workgroup WORKGROUP global The workgroup the Samba server will appear to be in when queried by clients. 
Looks like this "workgroup" thing comes from the past and is not necessary anymore (with SMB2+ / Win10)
https://superuser.com/questions/1554784/samba-configuration-on-rhel-8-2-smb1-disabled-no-workgroup-available
https://askubuntu.com/questions/1265923/configuring-20-04-samba-for-smbv1
writable No service see read only
  • "Parameter level = service" means the corresponding parameter may be used in the [homes], [printers] or Share Definitions sections of the configuration file (details).
  • Parameters listed here display an extra letter between parentheses, describing where the corresponding parameter can be used :
    • (G) : in the [global] section only
    • (S) : either in a service section or in the [global] section. When used in the [global] section, the parameter value applies to all services.

Usage

About client min protocol and client max protocol :

As said in the documentation : The Samba suite includes a number of different programs. Some of them operate in a client mode, others are server daemons . This suggests the client min protocol and client max protocol directives are mostly pointless when configuring up a file server (otherwise they would duplicate + conflict with their "server" counterparts : server min protocol and server max protocol).
So —until I find information stating how useful the client min protocol and client max protocol directives can be in the context of a Samba file server (i.e. dealing with /usr/sbin/smbd)— I'll consider they can safely be ignored.

Allow Samba to follow symlinks :

Add to the [global] section : 
# (explicit)
follow symlinks = yes

# allows following symlinks outside of the shared directory
wide links = yes

# related to uid/gid between server and client, but also collides with 'wide links' above when enabled
unix extensions = no

DOs and DON'Ts of /etc/samba/smb.conf :

DOs :

DON'Ts :

  • /etc/samba/smb.conf is ok with TABs, but comments after configuration mess things up : 
    	option = value		# this is a comment		DON'T DO THAT !!!
  • references to hosts defined in /etc/hosts are not recognized : 
    hosts allow = myLaptop		DON'T DO THAT !!!
mail

A quick'n'dirty Samba share

  • The title says it all : quick and dirty. Use at your own risk.
  • Some (hopefully) less dirty settings here.

Let's get dirty !!!

Found this in old notes, not sure this is still true / useful :
				
If you just want to setup a network share with no special permissions (easiest but lowest security level), you just have to
					
    
						
  • switch from security = user to security = share
    • 
						
  • "chmod 777" the shared directory
    •
  1. apt install samba
  2. samba -V
    Version 4.5.12-Debian
  3. edit /etc/samba/smb.conf : 
    [global]
	hosts allow 192.168.56.1
	interfaces = eth0
	bind interfaces only = yes
  4. Comment the whole Share Definitions section
  5. Define your own share :
    Read-only :
    [myShare]
	path = /directory/to/share
	comment = this is a directory to share
	guest ok = yes
    The browseable, read only / writable parameters are not necessary since default values apply.
    Writable :
    [myShare]
	path = /directory/to/share
	comment = this is a directory to share
	guest ok = yes
	writable = yes
  6. Check settings :
    testparm
  7. Reload Samba configuration :
    systemctl restart smbd.service
  8. To be able to write into a share from a client, you may have to :
    chmod -R 777 /directory/to/share
    (told you his was dirty )

That's about it for a functional means to share files. The only "security" feature here is that it only allows 1 host, identified by its IP address. This is VERY POOR and only suited for temporary configuration, like while debugging other stuff !!!

A little less dirty setting :

[myShare]
	force user = kevin
	create mask = 0700
	directory mask = 0700
mail

Samba

Quick reference

Action Linux FreeBSD
setup apt install samba Samba is available in the FreeBSD ports at /usr/ports/net/samba. A simple make install + make clean and it should work.
configuration file /etc/samba/smb.conf /usr/local/etc/smb.conf
check configuration testparm /usr/local/bin/testparm -s
start / stop / restart / status commands systemctl start/stop/restart/status smbd.service
Logs 1 file per client machine : /var/log/samba/log.sambaClient

Access control

See hosts allow and hosts deny.

Users management

To configure user accounts and passwords, see smbpasswd.

Utilities :

smbstatus

This utility outputs the Samba version and a table listing:
  • who's connected
  • to which share
  • the corresponding PID
  • the machine name
  • the machine IP
  • the date/time the connection was established

smbclient

list the network shares :
smbclient -L sambaServer
connect to a Samba share :
smbclient //sambaServer/shareName
mount a share :
smbmount //sambaServer/shareName /mnt/mountPoint
unmount :
smbumount /mnt/mountPoint

Let users mount / unmount Samba shares on Unix machines

  1. in /etc/fstab, declare the share and specify the username and password in the mount options
  2. still in /etc/fstab, declare that shares can be mounted by users with the user option
  3. as , set the setuid bit on smbmnt and smbumount :
    chmod u+s /usr/bin/smbmnt /usr/bin/smbumount
Don't forget that on Unix systems, mounted filesystems are owned by the user who mounted them.

Let Unix clients handle files bigger than 2GB

This section looks obsolete, but I've not been able to find a documentation to confirm it yet.

Samba is based on the Microsoft SMB protocol for sharing files and printers. It seems that, historically, since the FATxx filesystems had limitations on file size, the same occurred on SMB. Sometimes, Unix clients can't use some of these large files through Samba.

To workaround this, the lfs option should be used in the mount options :

smbmount //server/share /mount/point/ -o lfs