CONFIGURATION
VERSIONS

SETTINGS

DANGEROUS SETTINGS

root@sa:~$ nano /etc/samba/smb.conf
[global]
workgroup = DEV.INFREIGHT.HTB
server string = DEVSMB
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
[notes]
comment = CheckIT
path = /mnt/notes/
browseable = yes
read only = no
writable = yes
guest ok = yes
enable privileges = yes
create mask = 0777
directory mask = 0777
root@sa:~$ sudo systemctl restart smbd
* The above sets two global settings and three shares.
- The global settings are the configuration of the available SMB server that is used for all shares.
- In the individual shares, however, the global settings can be overridden, and such overrides are quite likely to be misconfigured.
- The individual shares are two printer shares & one notes share.

DISPLAY SAMBA SERVER STATUS
root@sa:~$ smbstatus
Samba version 4.11.6-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
75691 sambauser samba 10.10.14.4 (ipv4:10.10.14.4:45564) SMB3_11 - -
Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
notes 75691 10.10.14.4 Do Sep 23 00:12:06 2021 CEST - -
No locked files
* Apart from the Samba version, the following can be seen:
- who is connected, from which host, and to which share
* With domain-level security, the Samba server acts as a member of a Windows domain.
- The domain controllers keep track of users and passwords in their own NTDS.dit and Security Authentication Module (SAM) and authenticate each user when they log in for the first time and wish to access another machine's share.

CREATING SHARES
root@sa:~$ sudo mkdir -p /srv/samba/shared
root@sa:~$ sudo chown nobody:nogroup /srv/samba/shared
root@sa:~$ sudo chmod 777 /srv/samba/shared
//specify shares
root@sa:~$ nano /etc/samba/smb.conf
...
//for anonymous/guest shares
[notes]
comment = CheckIT
path = /mnt/notes/
browseable = yes
read only = no
writable = yes
guest ok = yes
enable privileges = yes
create mask = 0777
directory mask = 0777
//for secure shares
[Shared]
path = /srv/samba/shared
browseable = yes
read only = no
valid users = sambauser
* path: directory being shared
* browseable: makes it visible in Windows network explorer
* read only = no: allows write access
* guest ok = yes: lets anyone access without authentication (can tighten later)
root@sa:~$ sudo systemctl restart smbd
root@sa:~$ sudo systemctl restart smbd nmbd
root@sa:~$ sudo systemctl enable smbd nmbd
//adjust FW
root@sa:~$ sudo ufw allow samba

CONFIGURING USER ACCOUNTS (IF REQUIRED)
root@sa:~$ sudo adduser sambauser
//set PW
root@sa:~$ sudo smbpasswd -a sambauser

DISPLAY SHARE LISTINGS
root@sa:~$ smbclient -N -L //10.129.14.128
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
home Disk INFREIGHT Samba
dev Disk DEVenv
notes Disk CheckIT
IPC$ IPC IPC Service (DEVSM)
SMB1 disabled -- no workgroup available
* -L lists shares
* -N attempts the connection with an empty (null) password.
* The print$ and IPC$ shares are already included by default in the basic settings.
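
An added example, not part of the original notes: a small smb.conf auditor that resolves each share's effective settings (share values override [global] defaults) and reports the guest-access and 0777-mask settings seen in the [notes] share above. The names parse_smb_conf, audit and SAMPLE are hypothetical, the rule set is an assumption covering only those parameters, and SAMPLE is a constructed, cut-down copy of the config.

```python
# Constructed sample: a cut-down copy of the smb.conf from these notes.
SAMPLE = """[global]
map to guest = bad user
[print$]
guest ok = no
[notes]
writable = yes
guest ok = yes
create mask = 0777
directory mask = 0777
"""
# Synonyms Samba accepts for the parameters checked here.
ALIASES = {"public": "guest ok", "writeable": "writable", "write ok": "writable",
           "create mode": "create mask", "directory mode": "directory mask"}
TRUE = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, last assignment wins."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section and line[0] not in "#;":
            key, value = (p.strip() for p in line.split("=", 1))
            key = " ".join(key.lower().split())
            key = ALIASES.get(key, key)
            if key == "writable":  # inverted synonym of "read only"
                key, value = "read only", "no" if value.lower() in TRUE else "yes"
            conf[section][key] = value
    return conf

def audit(text):
    """Return sorted (section, finding) pairs for guest access and loose masks."""
    conf = parse_smb_conf(text)
    glob, found = conf.get("global", {}), []
    if glob.get("map to guest", "never").lower() == "bad user":
        found.append(("global", "unknown users map to guest"))
    for share in set(conf) - {"global"}:
        eff = {**glob, **conf[share]}  # share values override [global] defaults
        if eff.get("guest ok", "no").lower() in TRUE:
            rw = eff.get("read only", "yes").lower() not in TRUE
            found.append((share, "guest write access" if rw else "guest read access"))
        for mask in ("create mask", "directory mask"):
            if mask in eff and int(eff[mask], 8) & 0o002:
                found.append((share, f"{mask} {eff[mask]} is world-writable"))
    return sorted(found)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Running it against a real file is `audit(open("/etc/samba/smb.conf").read())`; an empty result means none of the checked settings are present, not that the configuration is otherwise sound.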