samba Server
Install and configure a secured samba server (SMB 3.1.1 only) for local user accounts, not virtual domains.
2022-08-06 Raspbian bullseye
Configuration is based upon:
- UNIX user: user (maps to a parallel samba user)
- UNIX group: sambashare
- Chroot directory: (discouraged; not implemented)
- Home directory: /srv/samba/user
Installation
graham:~ sudo apt update
graham:~ sudo apt install samba
graham:~ sudo systemctl stop nmbd smbd # stop smbd while configuring
graham:~ sudo systemctl disable nmbd # disable nmbd - unused
- NetBIOS is not used; ensure nmbd stays disabled. This loses some Windows link-level conveniences (browse lists, name announcements), but those rely on broadcasts that do not cross a router, so they are useless for unbridged remote access and have no place on the open internet.
- Take note of the network interface names, lo and eth0 in this case.
bind interfaces only & interfaces
- include only the interfaces through which samba traffic is permitted, e.g. to keep it off an unauthorised VPN.
additional dns hostnames
- add when supporting multiple DNS domains on the one host.
smb ports
- must be 445 only: Windows clients have it hardcoded, and 139 is the NetBIOS session port we have disabled.
name resolve order & lm announce
- restrict name resolution to DNS/hosts (no broadcast) and turn off LanMan host announcements, so our samba services are not advertised on a shared data centre LAN.
server min protocol
- CRITICAL: must be SMB3_11 to force every client to connect at the highest security level; in particular it rejects old, very unsafe SMB1 clients before they can become security holes (e.g. ransomware attacks). Note that client min protocol governs only this host's own outbound connections (smbclient and friends); set it as well, but it does nothing to protect the server.
restrict anonymous = 2
- no anonymous (guest) connections at all, not even to IPC$, and no negotiation about it.
unix extensions
- disabled because most clients are Windows and it is better to have consistent behaviour from all clients.
log file & not syslog
- because samba is poorly integrated with syslogd. samba has many separate, explicit log files.
log level
- the example enables some logging overall but detailed logging for login attempts.
- Verify no syntax errors in the samba configuration (testparm).
- Verify systemd thinks it has started the samba service correctly (systemctl status smbd).
- Verify samba services think they have started, with no shares or connections yet (tail /var/log/samba/smb.log).
- Verify that samba thinks it is running okay (smbstatus).
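The [global] section that the parameter notes above describe, written out as an added example (this is not the page's own smb.conf), together with a deliberately weak [global] for comparison and a pre-flight check that refuses any configuration missing the security-critical settings. The interface names, the log path and the Samba 4.13 (Raspbian bullseye) parameter names are this example's assumptions; note that SMB3_11 negotiation alone does not force encryption or signing, so the example adds smb encrypt = required and server signing = mandatory, which are what the security check later on the page expects to see.

```shell
#!/bin/sh
# Added example, not the page's own smb.conf: the hardened [global] section,
# a weak one for comparison, and a pre-flight check over the critical keys.
# Interface names, log path and Samba 4.13 syntax are assumptions.  Typical use:
#   hardened_global | sudo tee /etc/samba/smb.conf.new >/dev/null
#   check_smb_conf /etc/samba/smb.conf.new && testparm -s /etc/samba/smb.conf.new
set -e

hardened_global() {
    cat <<'EOF'
[global]
   server role = standalone server
   # listen only where samba traffic is permitted
   interfaces = lo eth0
   bind interfaces only = yes
   # no NetBIOS: port 445 only, no broadcast lookups, no LanMan announcements
   smb ports = 445
   disable netbios = yes
   lm announce = no
   name resolve order = host
   # SMB 3.1.1 or nothing; "client min protocol" covers this host's own
   # outbound connections only and does not protect the server
   server min protocol = SMB3_11
   client min protocol = SMB3_11
   # SMB3_11 alone does not force encryption or signing; these two do
   # (Samba 4.15+ also accepts the newer name "server smb encrypt")
   smb encrypt = required
   server signing = mandatory
   # no anonymous or guest access at all
   restrict anonymous = 2
   map to guest = Never
   unix extensions = no
   # explicit log file rather than syslog; detailed logging for auth only
   logging = file
   log file = /var/log/samba/smb.log
   log level = 1 auth:3
EOF
}

# A weak [global] for comparison: SMB1 (NT1) still accepted, NetBIOS session
# port open, bad logins mapped to guest, nothing encrypted or signed.
weak_global() {
    cat <<'EOF'
[global]
   server min protocol = NT1
   smb ports = 445 139
   map to guest = Bad User
   restrict anonymous = 0
EOF
}

# Print the lower-cased value of one parameter from the [global] section of
# an smb.conf file (nothing if absent).  Keys match case-insensitively and
# comment lines (# or ;) are skipped, as smbd does.
global_param() {   # $1 = smb.conf path, $2 = parameter name
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && !/^[ \t]*[#;]/ {
            n = index($0, "="); if (n == 0) next
            k = tolower(substr($0, 1, n - 1)); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = tolower(substr($0, n + 1)); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == tolower(key)) { print v; exit }
        }' "$1"
}

# Pre-flight check: exit 0 only if every critical setting is present with a
# safe value; one FAIL line per problem so the operator knows what to fix.
check_smb_conf() {   # $1 = smb.conf path
    cf=$1; rc=0
    want() {   # $1 = parameter, $2 = required (lower-case) value, $3 = why
        [ "$(global_param "$cf" "$1")" = "$2" ] \
            || { echo "FAIL: $1 must be $2 ($3)"; rc=1; }
    }
    want 'server min protocol'  smb3_11   'rejects anything older than SMB 3.1.1'
    want 'smb encrypt'          required  'rejects unencrypted sessions'
    want 'server signing'       mandatory 'rejects unsigned sessions'
    want 'restrict anonymous'   2         'no anonymous connections, even to IPC$'
    want 'map to guest'         never     'bad logins are not mapped to guest'
    want 'smb ports'            445       'no NetBIOS session port 139'
    want 'bind interfaces only' yes       'listen only on the interfaces list'
    return $rc
}
```

The check is deliberately a whitelist of exact values rather than a parse of everything: a missing key fails just like a wrong one, which is what you want before a reload, since smbd silently falls back to its own default for any parameter that is absent or mistyped.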
Create public share everyones
graham:~ sudo vi /etc/samba/smb.conf
- UNIX group sambashare was automatically created by installation. All samba users belong to it.
- We define UNIX group adminteam for samba service administrators, and UNIX user admin as chief administrator.
- Verify samba services appear healthy (no connections yet).
Create private share freds for new samba user fred
graham:~ sudo vi /etc/samba/smb.conf
graham:~ sudo mkdir -p /srv/samba/freds # container for this share
graham:~ sudo adduser --no-create-home --home=/srv/samba/freds \
    --ingroup sambashare --shell /usr/sbin/nologin fred # create this system user
graham:~ sudo usermod --expiredate 1 fred # expire the UNIX account: samba authentication only, no local login
graham:~ sudo chown fred:sambashare /srv/samba/freds
graham:~ sudo chmod 2770 /srv/samba/freds # setgid: new files inherit group sambashare
graham:~ sudo smbpasswd -a fred # create this samba user in parallel
Password: fred's password
graham:~ sudo smbpasswd -e fred # enable the samba account
graham:~ testparm # run syntax check
graham:~ sudo systemctl reload smbd # soft-restart smbd
graham:~ sudo smbstatus
graham:~ sudo tail /var/log/samba/smb.log
- Verify samba services appear healthy (no connections yet).
Check security level
Have user fred connect to share freds (see Samba clients). Then run sudo smbstatus and:
- CRITICAL: Verify the protocol version in use is SMB3_11.
- CRITICAL: Verify that both encryption and signing are enabled and at least 128 bits (e.g. AES-128-GCM and AES-128-CMAC; a "-" in either column means it is off).
- Verify user fred is logged in.
- Verify there is a connection to share freds.
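The security-level checks above, as an added example rather than the page's own code: three shell functions that read smbstatus output on stdin and decide them mechanically, so the check can be scripted or run from cron instead of by eye. The sample output is constructed in the layout Samba 4.13's smbstatus prints; the client addresses and the second, non-compliant session are assumptions for the example, while the user fred and share freds are the page's.

```shell
#!/bin/sh
# Added example, not the page's own code: the "Check security level" steps
# against `smbstatus` output.  Use as
#   sudo smbstatus | check_sessions
#   sudo smbstatus | user_logged_in fred
#   sudo smbstatus | share_connected freds
# The sample below is constructed in Samba 4.13's smbstatus layout; the
# addresses and the second (bad) session are this example's assumptions.
set -e

# Constructed sample: one session that meets the bar (SMB3_11, AES encryption
# and AES signing) and one that does not (SMB2_10, "-" = unencrypted/unsigned).
sample_smbstatus() {
    cat <<'EOF'
Samba version 4.13.13-Debian
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
1234    fred         sambashare   192.168.1.20 (ipv4:192.168.1.20:51234)    SMB3_11           AES-128-GCM          AES-128-CMAC
1235    fred         sambashare   192.168.1.21 (ipv4:192.168.1.21:51235)    SMB2_10           -                    -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
freds        1234    192.168.1.20  Sat Aug  6 10:00:00 2022 AEST    AES-128-GCM  AES-128-CMAC
freds        1235    192.168.1.21  Sat Aug  6 10:00:05 2022 AEST    -            -

No locked files
EOF
}

# Reads smbstatus output on stdin.  Exit 0 only if there is at least one
# session and every session is SMB3_11 with AES-128/256 encryption AND
# AES-128/256 signing; each offending session is printed as INSECURE.
check_sessions() {
    awk '
        /^PID[ \t]/              { insess = 1; next }   # session table header
        /^-+$/                   { next }               # ruler line
        insess && /^[ \t]*$/     { insess = 0 }         # blank line ends the table
        insess && /^[0-9]+[ \t]/ {
            total++
            if ($0 ~ /[ \t]SMB3_11[ \t]+AES-(128|256)-[GC]CM[ \t]+AES-(128|256)-[GC]MAC([ \t]|$)/)
                ok++
            else { bad++; print "INSECURE: " $0 }
        }
        END {
            if (total == 0) { print "INSECURE: no sessions found"; exit 1 }
            exit (bad > 0)
        }'
}

# Is the named samba user logged in?  (Session rows are "PID Username ...".)
user_logged_in() {   # $1 = user; reads smbstatus output on stdin
    awk -v u="$1" '/^[0-9]+[ \t]/ && $2 == u { found = 1 } END { exit !found }'
}

# Is there a connection to the named share?  (Share rows are "Service pid ...".)
share_connected() {   # $1 = share name; reads smbstatus output on stdin
    awk -v s="$1" '$1 == s && $2 ~ /^[0-9]+$/ { found = 1 } END { exit !found }'
}
```

A "-" in the Encryption or Signing column is the thing to watch for: it is exactly what a client that negotiated down to SMB2 or plain SMB3 shows, and the regex treats it as a failure rather than a lower grade.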