Samba - SMB

Samba refers to a software suite that allows for file and print services to be shared across different operating systems, specifically between Linux/Unix and Windows systems. Samba implements the Server Message Block (SMB) protocol, which is widely used for sharing files, printers, and other resources in a network.

https://ubuntu.com/tutorials/install-and-configure-samba#1-overview

1. Install Samba on Ubuntu Server

Update your package list and install Samba:
```
sudo apt update
sudo apt install samba
```
Verify Samba installation:
```
whereis samba
```

2. Configure Samba Shares

Let's configure the shares you need (editable and readonly).

Edit the Samba configuration file: Open the smb.conf file:
```
sudo nano /etc/samba/smb.conf
```
Create the shares: Add the following configuration at the end of the smb.conf file:
```
[editable]
path = /srv/samba/editable
read only = no
browsable = yes

[readonly]
path = /srv/samba/readonly
read only = yes
browsable = yes
```
- editable: This share allows all users to read and write files.
- readonly: This share allows all users to read but not modify the files.

Create directories for the shares:

sudo mkdir -p /srv/samba/editable /srv/samba/readonly
sudo chmod -R 0777 /srv/samba/editable
sudo chmod -R 0755 /srv/samba/readonly

You need to ensure that the user sambauser exists in the system before adding them to Samba otherwise we cannot set passwords to the samba user.

Creating samba users :

1. Create the System User

First, create a system user named sambauser (if it doesn't already exist) to be used by Samba

The shell /usr/sbin/nologin ensures that user cannot access shell on the server to harden the security:

sudo useradd -s /usr/sbin/nologin sambauser

2. Add `sambauser` to Samba Database

Now that the user exists, you can proceed with adding sambauser to the Samba database:

sudo smbpasswd -a sambauser

This will allow you to set a Samba-specific password for sambauser.

3. Enable the User

After setting the password, you need to enable the user in Samba:

sudo smbpasswd -e sambauser

UFW Configuration

If you have enabled the UFW firewall across the organization then you might need to configure the ufw to access the smb

sudo ufw allow samba

If you want to allow samba connections from specific IPs or network then we can do it using the following commands :

# IPs
sudo ufw allow 10.10.10.100 from any port 139
sudo ufw allow 10.10.10.100 from any port 445 
# NETWORK
sudo ufw allow 10.10.10.0/24 from any port 139
sudo ufw allow 10.10.10.0/24 from any port 445

Adding OpenLDAP authentication (EXPERIMENTAL)

You can configure Samba to authenticate against an LDAP directory for user management. Make sure you have an LDAP server set up before proceeding.

Install necessary packages:

sudo apt install libpam-ldap libnss-ldap nsswitch.conf libpam-mount libnss-db

Configure PAM to use LDAP: Edit the /etc/nsswitch.conf file to ensure that the system checks the LDAP server for user and group information.
In /etc/nsswitch.conf, modify the following lines to include ldap:
```
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
```
Configure /etc/pam.d/common-session to use LDAP for authentication: Ensure this line is present:
```
session required pam_ldap.so
```

Configure the Samba LDAP authentication: Edit the /etc/samba/smb.conf file and include the following:

[global]
security = user
passdb backend = ldapsam:ldap://localhost
ldap admin dn = "cn=admin,dc=example,dc=com"
ldap suffix = "dc=example,dc=com"
ldap group suffix = "ou=Groups,dc=example,dc=com"
ldap user suffix = "ou=Users,dc=example,dc=com"

Replace dc=example,dc=com with the correct base DN for your LDAP directory.

5. Restart Samba Service

After configuring the shares and LDAP authentication, restart the Samba service to apply the changes:

sudo systemctl restart smbd

PreviousAuditing Linux NextNFS - Network File System

Last updated 9 months ago