Configure Samba server

You have a Linux box linuxhost which you want to configure as a Samba server for a Windows box windowshost.

Warning

For security reasons, your boxes should allow the Samba protocol only on a (dedicated) private network, and/or make sure iptables on linuxhost restricts traffic to ports 139 and 445 to windowshost only.

What we aim to achieve

The Linux box acts as a Samba server to the Windows box.

Two users, smbrw and smbro, are allowed to connect; there is no guest access.

Two paths are served:

  • /home/pathRO, visible in Windows as datain, with read-only access to everyone
  • /home/pathRW, visible in Windows as dataout, with read-write access to user smbrw and read-only access to user smbro

Configuration: pre-requisite

All following commands are to be executed on the Linux box.

Install the required packages:

$ apt-get install samba samba-common python-glade2 system-config-samba
$ apt-get install smbclient

Create Unix users. Since these users will be solely used by Samba, they do not need to be able to connect directly to Linux, hence we make them non-interactive by setting the shell to /bin/false:

$ addgroup smbgrp
$ adduser smbrw --shell /bin/false --ingroup smbgrp
$ adduser smbro --shell /bin/false --ingroup smbgrp

Make sure the paths being served exist and have the right permissions. We omit the steps for the read-only path: since such a path most probably already exists, you only need to make sure it is world-readable:

$ mkdir /home/pathRW
$ chown -R smbrw:smbgrp /home/pathRW

Create a path which will be referenced in the smb.conf file:

$ mkdir /etc/samba/private/

Setting firewall rules

It’s wise to restrict access to this server, via firewall rules on the server.

Moreover, if the server is hosted in the cloud and you need to reach it from outside your OpenStack tenant, you will also need to add SecurityGroup rules allowing access from the public Internet. Specifically, you need to allow:

  • UDP ingress to port range 137-138
  • TCP ingress to port 139
  • TCP ingress to port 445

If you are using IPtables, we assume package iptables-persistent has been previously installed, so we just need to add these lines in file /etc/iptables/rules.v4:

# Samba
-A INPUT -s <IP_of_windowshost>/32  -p udp -m state --state NEW -m udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s <IP_of_windowshost>/32  -p tcp -m state --state NEW -m tcp -m multiport --dports 139,445 -j ACCEPT

Restart iptables:

$ service iptables-persistent restart
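The point of the two rules above is that only windowshost can reach the Samba ports. The following script, added here as an example and not part of the original page, audits a rules file in the iptables-persistent format for ACCEPT rules on the Samba ports (UDP 137/138, TCP 139/445) whose source is not the single allowed host. The rules text is constructed for the example, and 192.0.2.10 is a documentation address standing in for <IP_of_windowshost>.

```shell
#!/bin/sh
# Added example (not from the original page): flag Samba ACCEPT rules that are
# not restricted to the expected client host.

# Constructed sample in /etc/iptables/rules.v4 format. The first two rules are
# the ones from the page; the last two are deliberately too broad.
SAMPLE_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
# Samba
-A INPUT -s 192.0.2.10/32 -p udp -m state --state NEW -m udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m state --state NEW -m tcp -m multiport --dports 139,445 -j ACCEPT
# Too broad: no source restriction at all
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
# Too broad: explicit any-source
-A INPUT -s 0.0.0.0/0 -p tcp -m multiport --dports 139,445 -j ACCEPT
COMMIT
EOF
)

# smb_open_rules RULES_TEXT ALLOWED_SRC
# Prints every "-A INPUT ... -j ACCEPT" rule that matches a Samba port and whose
# "-s" source is missing or differs from ALLOWED_SRC (a host, written as a /32).
# Limitations (documented, not handled): port ranges such as 137:138, negated
# sources ("! -s"), and rules reached through user-defined chains.
smb_open_rules() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        /^-A INPUT/ && / -j ACCEPT/ {
            src = ""; ports = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") {
                    src = $(i + 1)
                    if (src !~ /\//) src = src "/32"   # bare address means a single host
                }
                if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            }
            n = split(ports, p, ",")
            samba = 0
            for (i = 1; i <= n; i++)
                if (p[i] == 137 || p[i] == 138 || p[i] == 139 || p[i] == 445) samba = 1
            if (samba && src != allowed) print
        }'
}

# smb_open_rule_count RULES_TEXT ALLOWED_SRC -> number of offending rules
smb_open_rule_count() {
    smb_open_rules "$1" "$2" | awk 'END { print NR }'
}

# Usage: list the rules that would expose Samba beyond the Windows client.
echo "Samba rules not restricted to 192.0.2.10/32:"
smb_open_rules "$SAMPLE_RULES" 192.0.2.10/32
echo "count: $(smb_open_rule_count "$SAMPLE_RULES" 192.0.2.10/32)"
```

Run it against the real file with `smb_open_rules "$(cat /etc/iptables/rules.v4)" <IP_of_windowshost>/32`; an empty result means every Samba ACCEPT rule names that host as its source.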

If you are using ufw, the samba packages installed earlier have already defined the ufw application profile Samba, so you now only need to:

$ ufw allow from <IP_of_windowshost>/32 to any app Samba
$ ufw enable

and check with:

$ ufw status verbose

Configuration: Samba

Create file /etc/samba/smb.conf with content similar to:

#
# Inspired by:
# - http://guide.debianizzati.org/index.php/SAMBA:_configurazione_lato_server
# - https://www.howtoforge.com/samba-server-ubuntu-14.04-lts
# - https://www.samba.org/samba/docs/using_samba/ch09.html
#
[global]
server role = standalone server
server string = Samba Server test %v
### NOTE: the following 4 lines assume we are the only Samba master ###
preferred master = yes
local master = yes
domain master = yes
os level = 65
#
log level = 2
max log size = 10000
#
workgroup = WORKGROUP
#
# Restrict binding to networks or interfaces, adapt as appropriate
interfaces = 127.0.0.0/8 eth1
bind interfaces only = yes
#
netbios name = server test
security = user
map to guest = Bad User
dns proxy = no
# Optional: maps Windows login names to Unix users when they differ; with the two users above the file can be left empty
username map = /etc/samba/private/utenti.map
# Only used when passdb backend = smbpasswd; the default tdbsam backend (which smbpasswd -a writes to) ignores it
smb passwd file = /etc/samba/private/smbpasswd
# Disable the CIFS Unix extensions (symlink, hard link and Unix permission support offered to Unix clients)
unix extensions = No

passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes

#============================ Share Definitions ==============================
# [Anonymous]
# path = /home/anonymous
# browsable =yes
# writable = yes
# guest ok = yes
# read only = no

[datain]
path = /home/pathRO
comment = Read-only FS
valid users = smbrw, smbro
read only = yes
oplocks = False
level2 oplocks = False

[dataout]
path = /home/pathRW
comment = Read-write FS
valid users = smbrw, smbro
read only = no
write list = smbrw
read list = smbro
directory mask = 0755
create mask = 0644
oplocks = False
level2 oplocks = False

If you really want some form of anonymous access, consider uncommenting and adapting the [Anonymous] section in the example above.
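The share definitions above combine valid users, read only, write list and read list, and it is easy to misjudge what a given user ends up with. The script below, added here as an example and not part of the original page, evaluates the effective access (rw, ro or denied) of a user on a share from an smb.conf-style text, and lists shares that have guest access enabled. It applies the Samba rules that valid users gates the share, that a user in write list gets write access even on a read-only share (and even if also in read list), and that a user in read list is limited to read access on a writable share. The configuration text is constructed for the example and mirrors the shares on this page, with the [Anonymous] section enabled so that the guest check has something to report; include =, %-substitutions and @group entries are not handled.

```shell
#!/bin/sh
# Added example (not from the original page): evaluate effective Samba share
# access from an smb.conf-style text and flag guest-enabled shares.

# Constructed sample mirroring the shares described on the page.
SAMPLE_CONF=$(cat <<'EOF'
[global]
security = user
map to guest = Bad User

[datain]
path = /home/pathRO
valid users = smbrw, smbro
read only = yes

[dataout]
path = /home/pathRW
valid users = smbrw, smbro
read only = no
write list = smbrw
read list = smbro

[Anonymous]
path = /home/anonymous
guest ok = yes
read only = no
EOF
)

# smb_access CONF_TEXT USER SHARE -> prints rw, ro or denied
smb_access() {
    printf '%s\n' "$1" | awk -v user="$2" -v share="$3" '
        # has(list, name): is name one of the comma/space separated entries?
        function has(list, name,    n, i, parts) {
            n = split(list, parts, /[ ,\t]+/)
            for (i = 1; i <= n; i++) if (parts[i] == name) return 1
            return 0
        }
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN { ro = "yes" }                          # Samba default: read only = yes
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                      # [section] header
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); sec = tolower(sec); next
        }
        sec == tolower(share) && index($0, "=") {
            key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            val = trim(substr($0, index($0, "=") + 1))
            found = 1
            if (key == "valid users") valid = val
            else if (key == "read only") ro = tolower(val)
            else if (key == "writable" || key == "writeable")
                ro = (tolower(val) ~ /^(yes|true|1)$/) ? "no" : "yes"
            else if (key == "write list") wl = val
            else if (key == "read list") rl = val
        }
        END {
            if (!found) { print "denied"; exit }                 # no such share
            if (valid != "" && !has(valid, user)) { print "denied"; exit }
            if (has(wl, user)) { print "rw"; exit }              # write list wins, even over read list
            if (has(rl, user)) { print "ro"; exit }              # read list limits a writable share
            r = (ro == "yes") ? "ro" : "rw"
            print r
        }'
}

# smb_guest_shares CONF_TEXT -> prints the names of shares with guest ok (or public) = yes
smb_guest_shares() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[.*\][ \t]*$/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        tolower($0) ~ /^[ \t]*(guest ok|public)[ \t]*=[ \t]*(yes|true|1)[ \t]*$/ && tolower(sec) != "global" { print sec }'
}

# Usage: report the access of the two users on each share, then any guest-enabled share.
for share in datain dataout Anonymous; do
    for user in smbrw smbro; do
        printf '%s on %s: %s\n' "$user" "$share" "$(smb_access "$SAMPLE_CONF" "$user" "$share")"
    done
done
printf 'guest-enabled shares: %s\n' "$(smb_guest_shares "$SAMPLE_CONF")"
```

To check the live configuration, pass `"$(cat /etc/samba/smb.conf)"` as the first argument; with the page's configuration as written, smb_guest_shares prints nothing because the [Anonymous] section is commented out.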

Check the configuration file is OK:

$ testparm

Create Samba passwords for your users:

$ smbpasswd -a smbrw
$ smbpasswd -a smbro

Start samba and ensure it runs at boot:

$ systemctl enable smbd
$ systemctl restart smbd
$ systemctl status smbd

The status command may print some odd-looking warnings; these are usually harmless, so go on and check functionality. Note that NetBIOS name service and browsing (the master browser settings in [global] and UDP ports 137-138 in the firewall) are handled by the separate nmbd daemon, which you enable and start in the same way if you need them.

Verify

On linuxhost:

$ smbclient -L localhost

On windowshost open File Explorer and try to connect to:

\\<IP_of_linuxhost>\

a pop-up should appear asking for the credentials of the connection.

If you also want to test the second account, open a command prompt and execute:

$ net use
$ net use \\<IP_of_linuxhost>\<network_path> /del

or more simply:

$ net use * /del

then go back to File Explorer and connect again.