# Samba - SMB

**Samba** refers to a software suite that allows for file and print services to be shared across different operating systems, specifically between Linux/Unix and Windows systems. Samba implements the **Server Message Block (SMB)** protocol, which is widely used for sharing files, printers, and other resources in a network.

{% hint style="info" %}
<https://ubuntu.com/tutorials/install-and-configure-samba#1-overview>
{% endhint %}

***

#### 1. Install Samba on Ubuntu Server

1. **Update your package list and install Samba**:

   ```
   sudo apt update
   sudo apt install samba
   ```
2. **Verify Samba installation**:

   ```
   whereis samba
   ```

***

#### 2. Configure Samba Shares

Let's configure the shares you need (`editable` and `readonly`).

1. **Edit the Samba configuration file**: Open the `smb.conf` file:

   ```bash
   sudo nano /etc/samba/smb.conf
   ```
2. **Create the shares**: Add the following configuration at the end of the `smb.conf` file:

   ```ini
   [editable]
   path = /srv/samba/editable
   read only = no
   browsable = yes

   [readonly]
   path = /srv/samba/readonly
   read only = yes
   browsable = yes
   ```

   * **editable**: This share allows all users to read and write files.
   * **readonly**: This share allows all users to read but not modify the files.
3. **Create directories for the shares**:

   ```bash
   sudo mkdir -p /srv/samba/editable /srv/samba/readonly
   sudo chmod -R 0777 /srv/samba/editable
   sudo chmod -R 0755 /srv/samba/readonly
   ```

Ensure that the system user `sambauser` exists before adding it to Samba; otherwise you cannot set a Samba password for that user.

***

#### Creating Samba users

#### 1. Create the System User

First, create a system user named `sambauser` (if it doesn't already exist) to be used by Samba.

Setting the shell to `/usr/sbin/nologin` hardens the server by ensuring that the user cannot open an interactive shell on it:

```bash
sudo useradd -s /usr/sbin/nologin sambauser
```

#### 2. Add `sambauser` to Samba Database

Now that the user exists, you can proceed with adding `sambauser` to the Samba database:

```bash
sudo smbpasswd -a sambauser
```

This will allow you to set a Samba-specific password for `sambauser`.

#### 3. Enable the User

After setting the password, you need to enable the user in Samba:

```bash
sudo smbpasswd -e sambauser
```
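
An added example, not part of the original guide: a shell function that reads smb.conf-style text and reports shares that are writable, or open to guests, without a `valid users` restriction. The function names and the `editable-restricted` share are hypothetical; the sample input is constructed from the two shares defined above plus that variant limited to `sambauser`.

```bash
# Added example (not from the original page): flag writable or guest shares
# in smb.conf-style input that have no "valid users" restriction.
audit_shares() {
  awk '
    function report() {
      if (share == "" || share == "global") return
      if (guest) print share ": guest access enabled"
      if (writable && !restricted) print share ": writable without valid users"
    }
    /^[ \t]*[#;]/ { next }                      # comment lines
    /^[ \t]*\[/ {                               # new [section]
      report()
      share = tolower($0)
      gsub(/^[ \t]*\[|\][ \t]*$/, "", share)
      guest = 0; writable = 0; restricted = 0   # Samba default: read only = yes
      next
    }
    /=/ {
      eq = index($0, "=")
      key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      on = (val == "yes" || val == "true" || val == "1")
      if (key == "read only") writable = !on
      else if (key == "writable" || key == "writeable") writable = on
      else if (key == "guest ok" || key == "public") guest = on
      else if (key == "valid users" && val != "") restricted = 1
    }
    END { report() }
  ' "$@"
}

# Constructed sample: the two shares from this page plus a restricted variant.
sample_conf() {
  cat <<'EOF'
[global]
   security = user
[editable]
   path = /srv/samba/editable
   read only = no
[readonly]
   path = /srv/samba/readonly
   read only = yes
[editable-restricted]
   path = /srv/samba/editable
   read only = no
   valid users = sambauser
EOF
}
sample_conf | audit_shares
```

To check a live configuration, pass the file as an argument: `audit_shares /etc/samba/smb.conf`.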

***

#### UFW Configuration

If the UFW firewall is enabled across the organization, you may need to configure it to allow access to SMB:

```bash
sudo ufw allow samba
```

To allow Samba connections only from specific IPs or networks, use the following commands:

```bash
# Single IP: allow 10.10.10.100 to reach ports 139 and 445 on this server
sudo ufw allow from 10.10.10.100 to any port 139
sudo ufw allow from 10.10.10.100 to any port 445
# Network: allow the 10.10.10.0/24 subnet to reach ports 139 and 445
sudo ufw allow from 10.10.10.0/24 to any port 139
sudo ufw allow from 10.10.10.0/24 to any port 445
```

***

#### Adding OpenLDAP authentication (EXPERIMENTAL)

You can configure Samba to authenticate against an LDAP directory for user management. Make sure you have an LDAP server set up before proceeding.

1. **Install necessary packages**:

   ```bash
   sudo apt install libpam-ldap libnss-ldap libpam-mount libnss-db
   ```
2. **Configure NSS to use LDAP**: Edit the `/etc/nsswitch.conf` file so that the system checks the LDAP server for user and group information.

   In `/etc/nsswitch.conf`, modify the following lines to include `ldap`:

   ```
   passwd:         compat ldap
   group:          compat ldap
   shadow:         compat ldap
   ```
3. **Configure `/etc/pam.d/common-session`** to use LDAP for authentication: Ensure this line is present:

   ```
   session required pam_ldap.so
   ```
4. **Configure the Samba LDAP authentication**: Edit the `/etc/samba/smb.conf` file and include the following:

   ```ini
   [global]
   security = user
   passdb backend = ldapsam:ldap://localhost
   ldap admin dn = "cn=admin,dc=example,dc=com"
   ldap suffix = "dc=example,dc=com"
   ldap group suffix = "ou=Groups,dc=example,dc=com"
   ldap user suffix = "ou=Users,dc=example,dc=com"
   ```

   Replace `dc=example,dc=com` with the correct base DN for your LDAP directory.

***

#### 5. Restart Samba Service

After configuring the shares and LDAP authentication, restart the Samba service to apply the changes:

{% code overflow="wrap" %}

```bash
sudo systemctl restart smbd
```

{% endcode %}


