Samba

Samba, your network file sharing protocol between Linux and Windows, well known for its notorious security and hard to test and use fame. Therefore, you should always set 3x careful attention when you setup a samba server, especially security. Like everyone in Linux community advises:

• Use SAMBA only for internal connection (e.g. VM inside your computer system).
• Use SSH for external connection (be it local or internet).
  • If SSH is available, use SSH / SCP / RSync / SSHFS instead of Samba. There are plenty of solutions including Remmina as well.

Install Necessary Package

If possible, try to install samba and its necessary packages from your distribution list. I split the packages into 2, where one is compulsory while the other is optional.

$ sudo apt install samba -y

Optionally,

$ sudo apt install samba-client -y

Configure Firewall

As a head start, you should always configure your firewall. This is to protect your computer system from any unauthorized access. This section varies depending on your choice of firewall. For me, I prefer configure via ufw package due to its ease to use. Let's configure them. If you are using other firewall packages like iptables, you might need to google around.

Set Default Policy

Let's start with setting universal rules for our system's firewall: deny for any incoming while allow for any outgoing.

$ sudo ufw default deny incoming

$ sudo ufw default allow outgoing

$ sudo ufw default allow forward

Enable Firewall

Once done, it's time to enable the firewall. Use status to check its condition.

$ sudo ufw enable

Firewall is active and enabled on system startup

$ sudo ufw status

Status: active

We should be ready to move forward with peace in mind.

Seek out NAT Network / or IP

You will first need to get the NAT network IP address from your system. On Debian, you can try the following:

$ ip address

...

7: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000

    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

    inet 192.168.152.1/24 brd 192.168.152.255 scope global virbr0

       valid_lft forever preferred_lft forever

...

$ ip -o addr show virbr0 | awk '{print $4}'   # for automation

192.168.152.1/24

XXXX:XXXX:XX:XXXX:XXXX/64

$

Then, configure the UFW rules to allow Samba connection from this network using the range IP. Based on the example above, it is:

$ sudo ufw allow in on virbr0 to any app Samba

Rule added

Rule added (v6)

$

If you want to allow specific IP access, you can do it by allowing them:

$ sudo ufw allow from 192.168.122.1/24 to any app Samba

WARN: Rule changed after normalization

Rule added

$ sudo ufw allow from XXXX:XXXX:XX:XXXX:XXXX/64 to any app Samba

WARN: Rule changed after normalization

Rule added

If you check your ufw status, you should get the following:

$ sudo ufw status

Status: active

To                              Action     FROM

--                              ------     ----

...                             ...        ...

Samba on virbr0                 ALLOW      Anywhere

Samba (v6) on virbr0            ALLOW      Anywhere (v6)

Samba                           ALLOW      192.168.122.1/24

Samba (v6)                      ALLOW      XXXX:XXXX:XX:XXXX:XXXX/64

...                             ...        ...

TIP:

• If you're good at ufw, you can proceed to configure high level firewall settings. This is sufficient for QEMU to operate normally.

Setting Up Samba Server

Now let's start setting up the Samba server. You need to edit the /etc/samba/smb.conf configuration file. You can use your favorite editor.

Setting Workgroup

Look for the keyword "workgroup" and then modify it to a name. This is for Windows samba to recognize the workgroup in its internal usage.

[global]

   ...

   workgroup = YOURGROUPNAME

Disable Home Directory

By default, samba is configured to host all user's home directory. We do not want that so we should comment them off (instead of delete). These are the codes (seek out manually).

...

#[homes]

#   comment = Home Directories

#   browseable = no

...

#   read only = no

...

#   create mask = 0700

...

#   directory mask = 0700

...

#   valid users = %S

...

Permeate Printer Access

Samba provides printing service via network. We don't need that. Therefore, let's configure them properly:

[printers]

   comment = All Printers

   browseable = no

   path = /var/spool/samba

   printable = no

   guest ok = no

   read only = yes

   create mask = 0700

...

[print$]

   comment = Printer Drivers

   path = /var/lib/samba/printers

   browseable = no

   read only = no

   guest ok = no

Add Your Specific Share Directory

Now at the end of the section, you can add new samba share directory like the following example:

[NameOfShareDirectory]

   comment = Describe the NameOfShareDirectory for Reference

   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536

   read raw = yes

   write raw = yes

   dead time = 15

   getwd cache = yes

   max xmit = 65536

   read only = no

   locking = no

   guest ok = no

   path = /home/username/directory/to/share

   create mask = 0775

   directory mask = 0775

NOTE:

• TCP_NODELAY tells the server not to delay sending packet, thus, increasing send speed.
• IPTOS_LOWDELAY is another setting to increase the throughput for better traffic speed.
• SO_RCVBUF and SO_SNDBUF are defining the buffer size.

If you have more, you can repeat for more share directory.

Save it

Once done, save the file.

Add Samba Users

Now we need to add the users in the Linux system into Samba account. Samba uses a different password access from the Linux account so you need to think one for it.

$ smbpasswd -a $USER

$ smbpasswd -a otherUsername

You can check your addition/edits by:

$ pdbedit -w -L

Restart The Server Daemon

Now that everything is set, we should restart the server to pick up the new settings.

$ /etc/init.d/samba restart

Test it Out

If you have Samba client installed, you should be able to test it out now. You need your hostname.

$ cat /etc/hostname

YOURHOSTNAME

$ smbclient -U $USER //YOURHOSTNAME/NameOfShareDirectory

Enter username's password:

...

smb: \> 

If you get the samba terminal, it means you had successfully setup the samba. You can now setup your VM / internal network to connect to this machine.

NOTE:

• You must test out the guest machine before concluding that ufw is working properly. In any inoperable situation, use systematic debugging approach like:
  1. Disable ufw, restart the guest, and try again.
  2. Use trustable Samba client. Try again.
  3. Connect via another laptop/machine. Try again.
  4. ... and goes on.

That's all about SAMBA in Linux.