Samba
Samba, the network file sharing service between Linux and Windows, is notorious for its security problems and has a reputation for being hard to test and use. You should therefore pay three times the usual attention when you set up a Samba server, especially to its security. As everyone in the Linux community advises:
- Use SAMBA only for internal connection (e.g. VM inside your computer system).
- Use SSH for external connection (be it local or internet).
- If SSH is available, use SSH / SCP / RSync / SSHFS instead of Samba. There are plenty of solutions including Remmina as well.
Install Necessary Package
If possible, install samba and its necessary packages from your distribution's package repository. I split the packages into two groups: one is compulsory and the other is optional.
$ sudo apt install samba -y
Optionally,
$ sudo apt install samba-client -y
Configure Firewall
As a head start, you should always configure your firewall to protect your computer system from unauthorized access. This section varies depending on your choice of firewall. I prefer to configure it via the ufw package because it is easy to use. Let's configure it. If you are using another firewall package such as iptables, you will need to look up the equivalent rules.
Set Default Policy
Let's start by setting the default policies for the system's firewall: deny all incoming traffic, allow all outgoing traffic, and allow forwarded traffic.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw default allow forward
Enable Firewall
Once done, it's time to enable the firewall. Use status to check its condition.
$ sudo ufw enable
Firewall is active and enabled on system startup
$ sudo ufw status
Status: active
We should be ready to move forward with peace of mind.
Seek Out the NAT Network or IP
You will first need to get the NAT network IP address from your system. On Debian, you can try the following:
$ ip address
...
7: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
inet 192.168.152.1/24 brd 192.168.152.255 scope global virbr0
valid_lft forever preferred_lft forever
...
$ ip -o addr show virbr0 | awk '{print $4}' # for automation
192.168.152.1/24
XXXX:XXXX:XX:XXXX:XXXX/64
$
Then configure the UFW rules to allow Samba connections from this network, here by matching the interface it arrives on. Based on the example above, it is:
$ sudo ufw allow in on virbr0 to any app Samba
Rule added
Rule added (v6)
$
If you want to allow access from a specific IP address or range, you can allow it explicitly:
$ sudo ufw allow from 192.168.122.1/24 to any app Samba
WARN: Rule changed after normalization
Rule added
$ sudo ufw allow from XXXX:XXXX:XX:XXXX:XXXX/64 to any app Samba
WARN: Rule changed after normalization
Rule added
If you check your ufw status, you should get the following:
$ sudo ufw status
Status: active
To Action FROM
-- ------ ----
... ... ...
Samba on virbr0 ALLOW Anywhere
Samba (v6) on virbr0 ALLOW Anywhere (v6)
Samba ALLOW 192.168.122.1/24
Samba (v6) ALLOW XXXX:XXXX:XX:XXXX:XXXX/64
... ... ...
TIP:
- If you're comfortable with ufw, you can go on to configure more advanced firewall settings. What is shown here is sufficient for QEMU to operate normally.
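The "Rule changed after normalization" warning above appears because the address was given with host bits set (192.168.122.1/24) and ufw stores the network address instead. The following added example (not part of the original guide) computes the network address from `ip -o addr show` output and prints a rule limited to both the interface and its network; the function names and the sample input are constructed for illustration.

```shell
# Added example: build ufw rules from `ip -o addr show IFACE` output using the
# network address, so ufw has nothing left to normalize.

# ipv4_network ADDR/PREFIX -> NETWORK/PREFIX (assumes 64-bit shell arithmetic)
ipv4_network() {
    addr=${1%/*}; prefix=${1#*/}
    case $prefix in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -f; set -- $addr; set +f          # split the address into four octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    net=$(( ip & (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    echo "$(( (net >> 24) & 255 )).$(( (net >> 16) & 255 )).$(( (net >> 8) & 255 )).$(( net & 255 ))/$prefix"
}

# ufw_rules_for: reads `ip -o addr show` lines on stdin and prints one rule per
# IPv4 address, scoped to the interface and to its network. IPv6 is skipped.
ufw_rules_for() {
    awk '$3 == "inet" { print $2, $4 }' | while read -r ifname cidr; do
        net_cidr=$(ipv4_network "$cidr") || continue
        echo "sudo ufw allow in on $ifname from $net_cidr to any app Samba"
    done
}

# Constructed sample of `ip -o addr show virbr0` output (addresses are examples).
SAMPLE_IP_OUTPUT='7: virbr0    inet 192.168.152.1/24 brd 192.168.152.255 scope global virbr0\       valid_lft forever preferred_lft forever
7: virbr0    inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever'

printf '%s\n' "$SAMPLE_IP_OUTPUT" | ufw_rules_for
```

On a real host, replace the sample with `ip -o addr show virbr0 | ufw_rules_for` and review the printed rule before running it.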
Setting Up Samba Server
Now let's start setting up the Samba server. You need to edit the /etc/samba/smb.conf configuration file. You can use your favorite editor.
Setting Workgroup
Look for the keyword "workgroup" and set it to a name of your choice. Windows uses this name internally to recognize the workgroup.
[global]
...
workgroup = YOURGROUPNAME
Disable Home Directory
By default, Samba is configured to share every user's home directory. We do not want that, so comment those lines out (instead of deleting them). These are the lines to look for (find them manually):
...
#[homes]
# comment = Home Directories
# browseable = no
...
# read only = no
...
# create mask = 0700
...
# directory mask = 0700
...
# valid users = %S
...
Restrict Printer Access
Samba provides a printing service over the network. We don't need that, so let's configure the printer sections accordingly:
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = no
guest ok = no
read only = yes
create mask = 0700
...
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = no
read only = no
guest ok = no
Add Your Specific Share Directory
Now, at the end of the file, you can add a new Samba share directory like the following example. The tuning parameters (socket options, read raw, write raw, dead time, getwd cache and max xmit) are global parameters in smb.conf, so they belong under [global] rather than inside the share section:
[global]
...
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
read raw = yes
write raw = yes
dead time = 15
getwd cache = yes
max xmit = 65536
...
[NameOfShareDirectory]
comment = Describe the NameOfShareDirectory for Reference
read only = no
locking = no
guest ok = no
path = /home/username/directory/to/share
create mask = 0775
directory mask = 0775
NOTE:
- TCP_NODELAY tells the server not to delay sending packets, which increases send speed.
- IPTOS_LOWDELAY is another setting to increase throughput for better traffic speed.
- SO_RCVBUF and SO_SNDBUF define the buffer sizes.
If you have more directories to share, repeat the share section for each of them.
Save it
Once done, save the file.
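Before going further, the saved file can be checked against the choices made above. This is an added example, not part of the original guide: a small audit that reads smb.conf text on stdin and reports an active [homes] section, any section that allows guest access or printing, and global tuning parameters placed inside a share section. The function name and the sample configuration are constructed for illustration.

```shell
# Added example: audit smb.conf text (stdin) for the settings this guide relies on.
# Parameter names are compared ignoring case and whitespace, as Samba does.
audit_smb_conf() {
    awk '
    BEGIN {
        n = split("socketoptions readraw writeraw deadtime getwdcache maxxmit", g, " ")
        for (i = 1; i <= n; i++) global_only[g[i]] = 1
        name = "global"; section = "global"
    }
    /^[ \t]*[#;]/ { next }                     # commented-out lines
    /^[ \t]*$/    { next }                     # blank lines
    /^[ \t]*\[/ {                              # section header
        name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
        section = tolower(name)
        if (section == "homes") print "FAIL [homes] is still active"
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = tolower(substr($0, eq + 1))
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        on = (val == "yes" || val == "true" || val == "1")
        if (section != "global" && (key in global_only))
            print "WARN [" name "] " key " is a global parameter"
        if ((key == "guestok" || key == "public") && on)
            print "FAIL [" name "] allows guest access"
        if ((key == "printable" || key == "printok") && on)
            print "FAIL [" name "] is printable"
    }'
}
# Constructed sample, not a real configuration.
SAMPLE_CONF='[global]
   workgroup = YOURGROUPNAME
#[homes]
#   browseable = no
[printers]
   printable = no
   guest ok = no
[NameOfShareDirectory]
   socket options = TCP_NODELAY
   Guest OK = Yes
[homes]
   read only = no'
printf '%s\n' "$SAMPLE_CONF" | audit_smb_conf
```

On a real host, run `audit_smb_conf < /etc/samba/smb.conf`; Samba's own `testparm -s` also validates the file's syntax.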
Add Samba Users
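Now we need to add the users of the Linux system as Samba accounts. Samba keeps its own password, separate from the Linux account password, so you need to come up with one for it. These commands need root privileges.
$ sudo smbpasswd -a $USER
$ sudo smbpasswd -a otherUsername
You can check your additions/edits with the command below. The -w flag prints the listing in smbpasswd format, which includes the password hashes, so treat the output as sensitive.
$ sudo pdbedit -w -L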
Restart The Server Daemon
Now that everything is set, restart the server so it picks up the new settings.
$ sudo /etc/init.d/samba restart
Test it Out
If you have Samba client installed, you should be able to test it out now. You need your hostname.
$ cat /etc/hostname
YOURHOSTNAME
$ smbclient -U $USER //YOURHOSTNAME/NameOfShareDirectory
Enter username's password:
...
smb: \>
If you get the Samba prompt, you have successfully set up Samba. You can now set up your VM / internal network to connect to this machine.
NOTE:
- You must test from the guest machine before concluding that ufw is working properly. If something does not work, debug systematically, for example:
  - Disable ufw, restart the guest, and try again.
  - Use a trustworthy Samba client. Try again.
  - Connect via another laptop/machine. Try again.
  - ... and so on.
That's all about SAMBA in Linux.