Graham Eddy

samba Server

Install and configure a secured samba server (SMB 3.1.1 only, signed and encrypted, no guest access) for local user accounts, not a domain.

2022-08-06 Raspbian bullseye


Configuration is based upon:

UNIX User
user (maps to parallel samba user)
UNIX group
sambashare
Chroot directory
(discouraged; not implemented)
Home directory
/srv/samba/user

Installation

graham:~ sudo apt update
graham:~ sudo apt install samba
graham:~ sudo systemctl stop nmbd smbd      # stop smbd while its configuration is changed
graham:~ sudo systemctl disable nmbd        # disable nmbd - NetBIOS is unused
graham:~ ip link                            # find the interface names to bind to
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 01:23:45:67:89:AB brd ff:ff:ff:ff:ff:ff
graham:~ sudo vi /etc/samba/smb.conf
/etc/samba/smb.conf replace all content
[global]
    server string = Samba %v
    workgroup = GEDDYAU
    server role = standalone
    interfaces = lo eth0
    bind interfaces only = yes
    disable netbios = yes
    smb ports = 445
    name resolve order = host
    lm announce = no
    server min protocol = SMB3_11
    server signing = mandatory
    smb encrypt = required
    require strong key = yes
    map to guest = never
    restrict anonymous = 2
    usershare allow guests = no
    unix extensions = no
    use sendfile = yes
    log file = /var/log/samba/smb.log
    max log size = 10000
    log level = 3 passwd:5 auth:5
interfaces
    & bind interfaces only
listen only on the interfaces through which samba traffic is permitted, e.g. to keep samba off an unauthorised VPN interface. Confirm what is actually listening with ss -ltnp after starting smbd.
additional dns hostnames
add when supporting multiple DNS domains on the one host.
smb ports
must be 445: Windows clients speak SMB directly only on 445 (139 is the NetBIOS session port, which is unused here).
name resolve order
    & lm announce
avoid broadcast name lookups and LAN Manager announcements, so that our samba services are not advertised on a shared data centre LAN.
server min protocol
CRITICAL: must be SMB3_11 so that clients can only connect at the highest security level, in particular to stop old, very unsafe SMB1 clients from becoming security holes (e.g. ransomware attacks). This is the server-side parameter: client min protocol only governs what this host's own samba client tools will accept and does nothing to protect the server. Samba has defaulted to SMB2_02 (SMB1 off) since 4.11, but that default still admits SMB 2.0/2.1/3.0 sessions, which lack the pre-authentication integrity check of SMB 3.1.1; expect clients older than Windows 10 / Server 2016 to be refused.
server signing
    & smb encrypt
refuse unsigned and unencrypted sessions. Both are server-side settings; client signing is the outgoing-connection counterpart. required is the documented value for smb encrypt (mandatory is a synonym); newer Samba releases name the parameter server smb encrypt and still accept the old name. Verify the result with smbstatus: every session must show an AES cipher in the Encryption column.
restrict anonymous = 2
refuse anonymous (null-session) connections entirely, including to IPC$, so there is no anonymous share or user enumeration and no guest path; map to guest = never stops a failed login being downgraded to a guest session.
unix extensions
disabled because most clients are Windows and it is better to have consistent behaviour by all the clients; the SMB1-era CIFS UNIX extensions are in any case unreachable once SMB1 is refused.
log file
    & not syslog
because samba is poorly integrated with syslogd. samba has many different, explicit log files.
log level
the example enables some logging overall (level 3) but detailed logging of login attempts (passwd and auth classes at level 5). For machine-readable records of each authentication, the auth_audit class (e.g. auth_audit:3) emits one summary line per attempt.
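As an added example (not part of the original page), the following POSIX shell script audits an smb.conf for the server-side settings discussed above without needing Samba on the auditing host. It reads the [global] section the way Samba does (case and whitespace in parameter names ignored, last definition wins) and prints one FAIL line per missing or weak value. The two configurations it checks are constructed for the example: the "weak" one sets only the client-side knobs, the very mistake the server min protocol note warns about, while the "hard" one carries the server-side equivalents. Function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: audit the server-side hardening
# parameters of an smb.conf without needing Samba on the auditing host.
# The two configs written below are constructed for this example.

# smb_param FILE SECTION PARAMETER
#   Print PARAMETER's value from SECTION. Like Samba, ignore case and whitespace
#   in parameter names and let the last definition win; print nothing if unset.
smb_param() {
  awk -v want_sec="$2" -v want_key="$3" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { want_sec = tolower(want_sec); want_key = tolower(want_key)
            gsub(/[ \t]/, "", want_key) }
    /^[ \t]*[;#]/ { next }                                   # comment line
    /^[ \t]*\[/   { s = trim($0); sub(/^\[/, "", s); sub(/]$/, "", s)
                    sec = tolower(s); next }                 # [section]
    index($0, "=") {
      eq  = index($0, "=")
      key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]/, "", key)
      val = trim(substr($0, eq + 1))
      if (sec == want_sec && key == want_key) found = val
    }
    END { print found }
  ' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_global FILE
#   One FAIL line per weak or missing [global] setting; return 1 if any, else 0.
audit_global() {
  f=$1; bad=0
  fail() { echo "FAIL: $1"; bad=1; }

  minp=$(smb_param "$f" global "server min protocol")
  case "$minp" in
    SMB3_11) ;;
    "") if [ -n "$(smb_param "$f" global "client min protocol")" ]; then
          fail "'client min protocol' only affects this host's own client tools; set 'server min protocol = SMB3_11'"
        else
          fail "'server min protocol' unset (default admits SMB2_02 and up)"
        fi ;;
    *) fail "server min protocol = $minp (want SMB3_11)" ;;
  esac

  enc=$(lc "$(smb_param "$f" global "server smb encrypt")")        # newer name
  [ -n "$enc" ] || enc=$(lc "$(smb_param "$f" global "smb encrypt")")
  case "$enc" in required|mandatory) ;; *) fail "smb encrypt = '$enc' (want required)" ;; esac

  sig=$(lc "$(smb_param "$f" global "server signing")")
  case "$sig" in mandatory|required) ;; *) fail "server signing = '$sig' (want mandatory)" ;; esac

  guest=$(lc "$(smb_param "$f" global "map to guest")")
  case "$guest" in never|"") ;; *) fail "map to guest = '$guest' (want never)" ;; esac

  ra=$(smb_param "$f" global "restrict anonymous")
  [ "$ra" = "2" ] || fail "restrict anonymous = '$ra' (want 2)"

  nb=$(lc "$(smb_param "$f" global "disable netbios")")
  case "$nb" in yes|true|1) ;; *) fail "disable netbios = '$nb' (want yes)" ;; esac

  return $bad
}

WORK=$(mktemp -d)
WEAK_CONF=$WORK/weak.conf
HARD_CONF=$WORK/hard.conf

# Constructed: client-side knobs only, plus Debian's stock guest mapping.
cat > "$WEAK_CONF" <<'EOF'
[global]
    workgroup = WORKGROUP
    server role = standalone
    client min protocol = SMB3_11
    client signing = mandatory
    smb encrypt = yes
    map to guest = Bad User
    restrict anonymous = 0
[share]
    path = /srv/samba/share
EOF

# Constructed: the server-side equivalents (odd capitalisation on purpose).
cat > "$HARD_CONF" <<'EOF'
[global]
    workgroup = WORKGROUP
    server role = standalone
    disable netbios = yes
    Server Min Protocol = SMB3_11
    server signing = mandatory
    smb encrypt = required
    map to guest = never
    restrict anonymous = 2
[share]
    path = /srv/samba/share
EOF

for c in "$WEAK_CONF" "$HARD_CONF"; do
  echo "== $c"
  if audit_global "$c"; then echo "OK: server-side hardening present"; fi
done
```

To audit the live server rather than a file, save the effective configuration with testparm -s 2>/dev/null > /tmp/effective.conf and run audit_global /tmp/effective.conf; testparm prints every non-default parameter, so the server-side values show up if they were set.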
graham:~ testparm                          # syntax check
graham:~ sudo systemctl start smbd         # start smbd again
graham:~ sudo systemctl status smbd
graham:~ sudo smbstatus

Samba version 4.13.13-Debian
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------

No locked files
graham:~ sudo tail /var/log/samba/smb.log

Create public share everyones

graham:~ sudo vi /etc/samba/smb.conf
/etc/samba/smb.conf append lines to end
[everyones]
    path = /srv/samba/everyones
    browseable = yes
    read only = no
    force create mode = 0660
    force directory mode = 2770
    valid users = @sambashare @adminteam
    # admin users perform all file operations on this share as root: keep adminteam small
    admin users = @adminteam
graham:~ sudo mkdir -p /srv/samba/everyones                # container for this share
graham:~ sudo adduser --no-create-home --home=/srv/samba/everyones \
    --ingroup sambashare --shell /usr/sbin/nologin admin   # create local user 'admin' with no shell login
Password: admin's password
graham:~ sudo usermod --expiredate 1 admin                 # expire the UNIX account: samba logins only
graham:~ sudo chown admin:sambashare /srv/samba/everyones
graham:~ sudo chmod 2770 /srv/samba/everyones              # setgid: new files inherit group sambashare
graham:~ sudo addgroup adminteam
graham:~ sudo adduser admin adminteam                      # add existing user to group (Debian adduser has no -G)
graham:~ sudo smbpasswd -a admin                           # create samba user 'admin' in parallel
Password: admin's password
graham:~ sudo smbpasswd -e admin
graham:~ testparm                                          # syntax check
graham:~ sudo systemctl reload smbd                        # soft-restart smbd
graham:~ sudo smbstatus
graham:~ sudo tail /var/log/samba/smb.log

Create private share freds for new samba user fred

graham:~ sudo vi /etc/samba/smb.conf
/etc/samba/smb.conf append lines to end
[freds]
    path = /srv/samba/freds
    browseable = no
    read only = no
    force create mode = 0660
    force directory mode = 2770
    valid users = fred @adminteam
    admin users = @adminteam
graham:~ sudo mkdir -p /srv/samba/freds                    # container for this share
graham:~ sudo adduser --no-create-home --home=/srv/samba/freds \
    --ingroup sambashare --shell /usr/sbin/nologin fred    # create this local user with no shell login
graham:~ sudo usermod --expiredate 1 fred                  # expire the UNIX account: samba logins only
graham:~ sudo chown fred:sambashare /srv/samba/freds
graham:~ sudo chmod 2770 /srv/samba/freds                  # setgid: new files inherit group sambashare
graham:~ sudo smbpasswd -a fred                            # create this samba user in parallel
Password: fred's password
graham:~ sudo smbpasswd -e fred
graham:~ testparm                                          # syntax check
graham:~ sudo systemctl reload smbd                        # soft-restart smbd
graham:~ sudo smbstatus
graham:~ sudo tail /var/log/samba/smb.log

Check security level

Have user fred connect to share freds (see Samba clients). Then confirm that the session negotiated SMB3_11 with AES encryption and signing:

graham:~ sudo smbstatus

Samba version 4.13.13-Debian
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
1945896 fred         sambashare   192.168.xx.yy (ipv4:192.168.xx.yy:63392)  SMB3_11           AES-128-GCM          partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
IPC$         1945896 192.168.xx.yy Mon Aug 22 23:43:07 2022 AEST    AES-128-GCM  AES-128-CMAC
freds        1945896 192.168.xx.yy Mon Aug 22 23:43:07 2022 AEST    AES-128-GCM  AES-128-CMAC

No locked files
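The check above is worth automating, since a later configuration change could quietly relax the policy. As an added example (not from the original page), the following POSIX shell function reads smbstatus output and reports every session that is not SMB3_11 or is not encrypted, returning non-zero when any is found. The two sample outputs are constructed in the layout shown above; the "bob" session is invented to show a failing row that this page's configuration would refuse but a laxer server would exhibit. Function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: check `smbstatus` output against
# the policy above (every session SMB3_11 and encrypted). The sample outputs
# below are constructed in the format this page shows; the "bob" session is
# invented to demonstrate a failing row.

# weak_sessions [FILE]
#   Read smbstatus output from FILE (default stdin). Print one line per session
#   that is not SMB3_11 or is not encrypted; return 1 if any were found, else 0.
weak_sessions() {
  awk '
    /^PID[ \t]+Username/ { mode = "sessions"; next }   # start of session table
    /^Service[ \t]+pid/  { mode = "services"; next }   # start of share table
    /^-+$/ || /^[ \t]*$/ { next }                      # rulers and blank lines
    mode == "sessions" && NF >= 7 && $1 ~ /^[0-9]+$/ {
      # PID Username Group Machine... Protocol Encryption Signing. The Machine
      # column contains a space, so pick the last three fields from the right.
      proto = $(NF-2); enc = $(NF-1); sign = $NF
      reason = ""
      if (proto != "SMB3_11") reason = reason " protocol=" proto
      if (enc == "-")         reason = reason " unencrypted signing=" sign
      if (reason != "") { print "WEAK pid=" $1 " user=" $2 " from=" $4 reason; weak++ }
    }
    END { exit (weak > 0) }
  ' "${1:--}"
}

WORK=$(mktemp -d)
STATUS_OK=$WORK/ok.txt
STATUS_MIXED=$WORK/mixed.txt

# Constructed sample in the layout shown above: one compliant session.
cat > "$STATUS_OK" <<'EOF'
Samba version 4.13.13-Debian
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
1945896 fred         sambashare   192.168.xx.yy (ipv4:192.168.xx.yy:63392)  SMB3_11           AES-128-GCM          partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
IPC$         1945896 192.168.xx.yy Mon Aug 22 23:43:07 2022 AEST    AES-128-GCM  AES-128-CMAC
freds        1945896 192.168.xx.yy Mon Aug 22 23:43:07 2022 AEST    AES-128-GCM  AES-128-CMAC

No locked files
EOF

# Constructed sample: the same plus an invented SMB2_10, unencrypted session.
cat > "$STATUS_MIXED" <<'EOF'
Samba version 4.13.13-Debian
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
1945896 fred         sambashare   192.168.xx.yy (ipv4:192.168.xx.yy:63392)  SMB3_11           AES-128-GCM          partial(AES-128-CMAC)
2001    bob          sambashare   192.168.xx.zz (ipv4:192.168.xx.zz:50122)  SMB2_10           -                    -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
IPC$         1945896 192.168.xx.yy Mon Aug 22 23:43:07 2022 AEST    AES-128-GCM  AES-128-CMAC
freds        1945896 192.168.xx.yy Mon Aug 22 23:43:07 2022 AEST    AES-128-GCM  AES-128-CMAC
everyones    2001    192.168.xx.zz Mon Aug 22 23:50:01 2022 AEST    -            -

No locked files
EOF

for s in "$STATUS_OK" "$STATUS_MIXED"; do
  echo "== $s"
  if weak_sessions "$s"; then echo "all sessions meet policy"; fi
done
```

Against the live server, run sudo smbstatus | weak_sessions (the function reads stdin when no file is given); a non-zero exit from a cron job is a convenient alarm. An encrypted SMB 3.1.1 session is reported as compliant even when its Signing column reads partial, because AES-GCM/CCM encryption already provides integrity for the encrypted traffic.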