Samba

Samba provides network file sharing between Linux and Windows, and it is well known for being hard to secure, test and use. You should therefore pay three times the usual attention when you set up a Samba server, especially to its security. As everyone in the Linux community advises:

  • Use Samba only for internal connections (e.g. a VM inside your computer system).
  • Use SSH for external connections (be it local or internet).
    • If SSH is available, use SSH / SCP / RSync / SSHFS instead of Samba. There are plenty of solutions, including Remmina.

Install Necessary Package

If possible, install Samba and its necessary packages from your distribution's package repository. I split the packages into two groups: one is compulsory, the other is optional.

$ sudo apt install samba -y

Optionally,

$ sudo apt install samba-client -y

Configure Firewall

As a head start, you should always configure your firewall. This protects your computer system from unauthorized access. This section varies depending on your choice of firewall. I prefer configuring it via the ufw package because it is easy to use, so that is what we use here. If you are using another firewall package such as iptables, you will need to look up the equivalent rules.


Set Default Policy

Let's start by setting the default policies for the system's firewall: deny all incoming traffic, allow all outgoing traffic, and allow forwarded traffic (ufw calls this direction routed).

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw default allow routed


Enable Firewall

Once done, it's time to enable the firewall. Use status to check its condition.

$ sudo ufw enable
Firewall is active and enabled on system startup
$ sudo ufw status
Status: active

We should be ready to move forward with peace of mind.


Find the NAT Network or IP

You first need to get the NAT network's IP address from your system. On Debian, you can try the following:

$ ip address
...
7: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.152.1/24 brd 192.168.152.255 scope global virbr0
       valid_lft forever preferred_lft forever
...
$ ip -o addr show virbr0 | awk '{print $4}'   # for automation
192.168.152.1/24
XXXX:XXXX:XX:XXXX:XXXX/64
$


Then configure the ufw rules to allow Samba connections from this network. Based on the example above, allowing by interface looks like this:

$ sudo ufw allow in on virbr0 to any app Samba
Rule added
Rule added (v6)
$

If you want to allow access from a specific IP range instead, allow it by source address. ufw prints a warning when it normalizes the address you typed:

$ sudo ufw allow from 192.168.122.1/24 to any app Samba
WARN: Rule changed after normalization
Rule added
$ sudo ufw allow from XXXX:XXXX:XX:XXXX:XXXX/64 to any app Samba
WARN: Rule changed after normalization
Rule added


If you check your ufw status, you should get the following:

$ sudo ufw status
Status: active
To                              Action     FROM
--                              ------     ----
...                             ...        ...
Samba on virbr0                 ALLOW      Anywhere
Samba (v6) on virbr0            ALLOW      Anywhere (v6)
Samba                           ALLOW      192.168.122.1/24
Samba (v6)                      ALLOW      XXXX:XXXX:XX:XXXX:XXXX/64
...                             ...        ...

TIP:

  • If you are comfortable with ufw, you can go on to configure more advanced firewall settings. The rules above are sufficient for QEMU to operate normally.
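
To confirm that Samba stays internal-only, the status listing can be checked mechanically. The following is an added example, not part of the original guide: the function names are hypothetical and the status text is a constructed sample in the same layout as the output above.

```shell
# Added example (not from the original guide). Function names are hypothetical.

# Constructed sample of `ufw status` output: scoped Samba rules as in the
# guide, plus two unscoped ones that expose Samba on every interface.
sample_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
Samba on virbr0            ALLOW       Anywhere
Samba (v6) on virbr0       ALLOW       Anywhere (v6)
Samba                      ALLOW       192.168.122.0/24
Samba                      ALLOW       Anywhere
Samba (v6)                 ALLOW       Anywhere (v6)
22/tcp                     ALLOW       Anywhere
EOF
}

# Reads `ufw status` text on stdin and prints each Samba ALLOW rule that has
# neither an interface ("on virbr0") nor a source network restricting it.
audit_samba_rules() {
    awk '
        /^Samba/ && match($0, / +ALLOW( IN| OUT| FWD)? +/) {
            to   = substr($0, 1, RSTART - 1)      # "To" column
            from = substr($0, RSTART + RLENGTH)   # "From" column
            sub(/ +$/, "", from)
            scoped = (to ~ / on [^ ]+$/)          # rule bound to an interface
            if (from ~ /^Anywhere/ && !scoped)
                printf "UNSCOPED: %s <- %s\n", to, from
        }
    '
}

sample_status | audit_samba_rules
```

On a real host, run `sudo ufw status | audit_samba_rules`; any UNSCOPED line is a Samba rule reachable from outside the NAT network.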

Setting Up Samba Server

Now let's start setting up the Samba server. You need to edit the /etc/samba/smb.conf configuration file. You can use your favorite editor.


Setting Workgroup

Look for the keyword "workgroup" and set it to a name of your choice. Windows clients use this name to recognize the workgroup.

[global]
   ...
   workgroup = YOURGROUPNAME


Disable Home Directory

By default, Samba is configured to share every user's home directory. We do not want that, so comment the section out (instead of deleting it). These are the lines (seek them out manually):

...
#[homes]
#   comment = Home Directories
#   browseable = no
...
#   read only = no
...
#   create mask = 0700
...
#   directory mask = 0700
...
#   valid users = %S
...


Restrict Printer Access

Samba provides a printing service over the network. We don't need that, so let's configure it accordingly:

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = no
   guest ok = no
   read only = yes
   create mask = 0700

...

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = no
   read only = no
   guest ok = no


Add Your Specific Share Directory

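Now, at the end of the file, add a new Samba share like the following example. The tuning parameters (socket options, read raw, write raw, dead time, getwd cache, max xmit) are global parameters that Samba ignores inside a share section, so put them in the existing [global] section:

[global]
   ...
   # performance tuning; these parameters are global-only
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
   read raw = yes
   write raw = yes
   dead time = 15
   getwd cache = yes
   max xmit = 65536

[NameOfShareDirectory]
   comment = Describe the NameOfShareDirectory for Reference
   # writable share, authenticated users only
   read only = no
   locking = no
   guest ok = no
   path = /home/username/directory/to/share
   create mask = 0775
   directory mask = 0775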

NOTE:

  • TCP_NODELAY tells the server not to delay sending packets, thus increasing send speed.
  • IPTOS_LOWDELAY is another setting to increase throughput for better traffic speed.
  • SO_RCVBUF and SO_SNDBUF define the buffer sizes.

If you have more directories to share, repeat this for each one.


Save it

Once done, save the file.
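
Before restarting, the saved file can be checked against the choices made above (no [homes], no guest access, no printing, tuning parameters only in [global]). This is an added example, not part of the original guide: the function names are hypothetical and the configuration is a constructed sample that deliberately breaks those rules.

```shell
# Added example (not from the original guide). Function names are hypothetical.

# Constructed sample smb.conf that breaks the rules this guide sets.
sample_smb_conf() {
    cat <<'EOF'
[global]
   workgroup = YOURGROUPNAME
#[homes]
[homes]
   browseable = no
[printers]
   printable = yes
   guest ok = no
[NameOfShareDirectory]
   max xmit = 65536
   Guest OK = Yes
   path = /home/username/directory/to/share
EOF
}

# Reads an smb.conf on stdin and prints one finding per line. Lines starting
# with # or ; are comments, so a commented-out [homes] is not reported.
audit_smb_conf() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[.*\]/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            if (tolower(sec) == "homes") print sec ": section is active"
            next
        }
        index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/[ \t]+/, "", key)               # Samba ignores spaces in names
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            on = (val == "yes" || val == "true" || val == "1")
            if ((key == "guestok" || key == "public") && on)
                print sec ": guest access enabled"
            if ((key == "printable" || key == "printok") && on)
                print sec ": printing enabled"
            if (tolower(sec) != "global" && key ~ /^(socketoptions|readraw|writeraw|deadtime|getwdcache|maxxmit)$/)
                print sec ": global-only parameter in a share section: " key
        }
    '
}

sample_smb_conf | audit_smb_conf
```

Run it against the real file with `audit_smb_conf < /etc/samba/smb.conf`; Samba's own `testparm -s` additionally reports syntax problems.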

Add Samba Users

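Now we need to add the Linux system users to Samba. Samba keeps its own password, separate from the Linux account password, so you need to think of one for it. Adding accounts requires root.

$ sudo smbpasswd -a $USER
$ sudo smbpasswd -a otherUsername

You can check your additions/edits with the following command. The -w option lists the accounts in smbpasswd format, which includes the password hashes, so treat the output as sensitive:

$ sudo pdbedit -w -L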

Restart The Server Daemon

Now that everything is set, we should restart the server to pick up the new settings.

$ sudo /etc/init.d/samba restart

Test it Out

If you have Samba client installed, you should be able to test it out now. You need your hostname.

$ cat /etc/hostname
YOURHOSTNAME
$ smbclient -U $USER //YOURHOSTNAME/NameOfShareDirectory
Enter username's password:
...
smb: \> 

If you get the Samba prompt, you have successfully set up Samba. You can now set up your VM / internal network to connect to this machine.

NOTE:

  • You must test from the guest machine before concluding that ufw is working properly. If something does not work, debug systematically:
    1. Disable ufw, restart the guest, and try again.
    2. Use a trustworthy Samba client and try again.
    3. Connect from another laptop/machine and try again.
    4. ... and so on.

That's all about SAMBA in Linux.