Samba - SMB

Samba refers to a software suite that allows for file and print services to be shared across different operating systems, specifically between Linux/Unix and Windows systems. Samba implements the Server Message Block (SMB) protocol, which is widely used for sharing files, printers, and other resources in a network.


1. Install Samba on Ubuntu Server

  1. Update your package list and install Samba:

    sudo apt update
    sudo apt install samba
  2. Verify Samba installation:

    whereis samba

2. Configure Samba Shares

Let's configure the shares you need (editable and readonly).

  1. Edit the Samba configuration file: Open the smb.conf file:

    sudo nano /etc/samba/smb.conf
  2. Create the shares: Add the following configuration at the end of the smb.conf file:

    [editable]
    path = /srv/samba/editable
    read only = no
    browsable = yes
    
    [readonly]
    path = /srv/samba/readonly
    read only = yes
    browsable = yes

  • editable: This share allows all users to read and write files.

  • readonly: This share allows all users to read but not modify the files.

  3. Create directories for the shares:

    sudo mkdir -p /srv/samba/editable /srv/samba/readonly
    sudo chmod -R 0777 /srv/samba/editable
    sudo chmod -R 0755 /srv/samba/readonly

Make sure the user sambauser exists on the system before adding it to Samba; otherwise you cannot set a password for the Samba user.


Creating Samba users:

1. Create the System User

First, create a system user named sambauser (if it doesn't already exist) to be used by Samba.

Setting the shell to /usr/sbin/nologin hardens the server by ensuring the user cannot open a shell on it:

sudo useradd -s /usr/sbin/nologin sambauser

2. Add sambauser to Samba Database

Now that the user exists, you can proceed with adding sambauser to the Samba database:

sudo smbpasswd -a sambauser

This will allow you to set a Samba-specific password for sambauser.

3. Enable the User

After setting the password, you need to enable the user in Samba:

sudo smbpasswd -e sambauser
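
The [editable] and [readonly] shares defined earlier set no `valid users`, so by Samba's default any account in the Samba password database can connect to them. The following shell check is an added example, not part of the original page: it lists such shares in an smb.conf. The [restricted] share in its constructed sample input and the finding labels are assumptions made for illustration.

```bash
# Added example (not from the page): flag shares usable by any authenticated
# Samba account because "valid users" is unset. Text parsing only.
# audit_shares FILE -> one line per finding: "<share> <finding>"
audit_shares() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report() {
      if (name == "" || name == "global" || valid != "") return
      print name, (ro == "no" ? "writable-without-valid-users" : "readable-without-valid-users")
    }
    /^[ \t]*([#;]|$)/ { next }            # skip comments and blank lines
    /^[ \t]*\[/ {                         # new section: report the previous one
      report()
      name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
      name = tolower(trim(name)); ro = "yes"; valid = ""  # default: read only = yes
      next
    }
    index($0, "=") {                      # "key = value" line inside a section
      key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
      val = trim(substr($0, index($0, "=") + 1))
      if (key == "read only")   ro = tolower(val)
      if (key == "valid users") valid = val
    }
    END { report() }
  ' "$1"
}

# Constructed sample: the two shares from this page plus a hypothetical
# [restricted] share limited to the sambauser account created above.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[editable]
path = /srv/samba/editable
read only = no
browsable = yes
[readonly]
path = /srv/samba/readonly
read only = yes
browsable = yes
[restricted]
path = /srv/samba/restricted
read only = no
valid users = sambauser
EOF

audit_shares "$sample_conf"
rm -f "$sample_conf"
```

To audit a live server, call audit_shares /etc/samba/smb.conf; adding `valid users = sambauser` to a flagged share limits it to that account.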

UFW Configuration

If the UFW firewall is enabled across your organization, you may need to configure it to allow access to SMB:

sudo ufw allow samba

If you want to allow Samba connections from specific IPs or networks, use the following commands:

# IPs
sudo ufw allow from 10.10.10.100 to any port 139
sudo ufw allow from 10.10.10.100 to any port 445
# NETWORK
sudo ufw allow from 10.10.10.0/24 to any port 139
sudo ufw allow from 10.10.10.0/24 to any port 445

Adding OpenLDAP authentication (EXPERIMENTAL)

You can configure Samba to authenticate against an LDAP directory for user management. Make sure you have an LDAP server set up before proceeding.

  1. Install necessary packages:

    sudo apt install libpam-ldap libnss-ldap libpam-mount libnss-db

  2. Configure NSS to use LDAP: Edit the /etc/nsswitch.conf file to ensure that the system checks the LDAP server for user and group information.

    In /etc/nsswitch.conf, modify the following lines to include ldap:

    passwd:         compat ldap
    group:          compat ldap
    shadow:         compat ldap
  3. Configure /etc/pam.d/common-session to use LDAP for authentication: Ensure this line is present:

    session required pam_ldap.so
  4. Configure the Samba LDAP authentication: Edit the /etc/samba/smb.conf file and include the following:

    [global]
    security = user
    passdb backend = ldapsam:ldap://localhost
    ldap admin dn = "cn=admin,dc=example,dc=com"
    ldap suffix = "dc=example,dc=com"
    ldap group suffix = "ou=Groups,dc=example,dc=com"
    ldap user suffix = "ou=Users,dc=example,dc=com"

    Replace dc=example,dc=com with the correct base DN for your LDAP directory.


5. Restart Samba Service

After configuring the shares and LDAP authentication, restart the Samba service to apply the changes:

sudo systemctl restart smbd
