kalitut

KaliTut Where you learn about Kali Linux tips and Linux system

Advanced Samba configuration

by Leave a Comment

How to configure samba A simple file or directory share is set up with Samba with little configuration overhead. Many configuration options are optimally set by default.

How to configure samba

The following also discusses the default configuration of some options. So configuration options that you really do not have to specify. But there are reasons why you should set one or the other parameter anyway. When updating or switching to a new Samba version, it sometimes happens that options set by default get a different value, so sometimes the Samba shares do not work as usual.

  • User Authentication
  • user management
  • Create user for Samba
  • Password change by the user
  • Set up WINS server
  • Set NetBIOS name
  • NetBIOS communications

The following expanding Samba configurations are not meant to be step-by-step instructions, but are optional configuration options.
It is assumed that the following configurations are done as user “root” or as normal user with the command line suffix “sudo”.
It is also assumed that the user knows how Samba works, how it should be configured and what needs to be taken into account. The configuration usually takes place in the central configuration file “/etc/samba/smb.conf”.

samba User Authentication

The default setting for Samba is

security = user

Use encrypted passwords (default):

encrypted passwords = yes

samba user management

The following user management statements apply to Samba 3 and Samba 4 in Classic mode. That is, without a domain controller.

In order to access the Samba shares, each Samba user must have a local user account on the Samba server and an additional Samba account.
User information is managed through the user account and access through the Samba account.
The administration of the Samba account is done by “smbpasswd” in a file, by “tdbsam” in a local database or centrally via an LDAP server. If you only want to set up a workgroup server or just a Primary Domain Controller (PDC) on a small network, managing it via smbpasswd or tdbsam is fine.
Once you want to use Samba as a PDC and Backup Domain Controller (BDC) in a more complex environment, LDAP is a must-have for centralized user management.

When operating a single file server, local tdbsam is recommended for local user management. It is a simple database called Trivial Database. This database, in contrast to file-based management with “smbpasswd”, allows multiple users to write to the database at the same time. This is important if several users want to change their password at the same time. The recommendation is to use “tdbsam” for the user management up to a maximum of 250 users and then to switch to LDAP.
If you want to use several Samba servers as PDC and BDC, then you should definitely use LDAP as user management. But that also means you need a separate LDAP server.

In principle, you can omit the following user management configuration because they are set by default.

By default for Samba up to version 3.3.10:

passwd backend = smbpasswd

By default for Samba version 3.4 or higher:

passdb backend = tdbsam

But there is a reason why you should set the parameter maybe. If you switch from an old Samba version (until 3.3.10) to a new Samba version (from 3.4), and the parameter “passwd backend” is not set, then the user management will no longer work if another user administration is used by default Application comes. If the parameter is set, then the old user management is used. The is then outdated, but it still works after the conversion.

If you also want to change the user management from “smbpasswd” to “tdbsam” after switching from Samba 3 to 4, you can do this with the following command:

pdbedit -i smbpasswd -e tdbsam

Then you should adjust the configuration of “passdb backend” and restart Samba.

Create and manage Samba users

In the standard installation, Samba has a separate user administration system, which is administered with the “smbpasswd” command. This means that for every user who can access a Samba share, a Linux account and a Samba account must be created.
Even if a user can only access the Samba shares, but does not need a classic Linux account, a Linux account must still be created. Here is an account with limited functionality.

useradd -s /bin/ false -g users -m {USERNAME}

If the user can not log on to the Linux system, set the shell to “/ bin / false”. Because this user is not allowed to log on locally, it is not necessary to enter a password here.

If the Linux user has been created or already exists, then create the Samba user account. Here you must assign a password in any case that may differ from the password of the Linux account. The password must be confirmed a second time.

smbpasswd -a {USERNAME}

New SMB password:
Retype new SMB password:
The Samba user account is then active immediately. If not, then you have to activate the user.

Enables the user in the Samba database:

smbpasswd -e {USERNAME}

Disables the user in the Samba database:

smbpasswd -d {USERNAME}

Removes the user from the Samba database:

smbpasswd -x {USERNAME}

Password change by the user

With the program “smbpasswd” every user can change their own password.

unix password sync = yes

This default setting in the “[global]” section provides that if the user changes their Samba password, the normal Linux password will be changed as well.

Setup Samba WINS server

If a Samba server should also work as a WINS server, then add the following line in the section “[global]”:

winssupport = yes

This line ensures that the Samba server works as a WINS server in the network. If there is also a DHCP server in the LAN, make it known to the WINS server.

Set NetBIOS name

The NetBIOS name serves as the address in the Windows network environment and must be unique on the network. By default, this parameter is set by the host name of the system. It can be influenced in the Samba configuration.

Set the NetBIOS name of the machine in section “[global]”:

netbios name = {HOSTNAME}

The NetBIOS name may consist of a maximum of 15 characters, with no special characters except minus “-” and the underscore “_”.

Backup Samba configuration

A Samba configuration can be quite extensive, so a backup is recommended. The files that should be backed up are the “smb.conf” and the tdb files that store the user data and other information.

You secure it with the command:

tdbbackup /var/lib/samba/*.tdb

NetBIOS communications

After name resolution, a TCP connection is established to the server. There is a distinction between two ports. In the classic variant, where the SMB connection is via NetBIOS, port 139 is used.
The other variant does not use NetBIOS, but establishes the connection directly with SMB over TCP, using port 445.
Which protocol or which port is used can be checked with the following command on the Samba server.

netstat -l

The use of the port can be controlled. For this there is a parameter in the Samba configuration.

smb ports = xxx

Whether a local connection to one or both ports is possible, you can test with Telnet.

telnet 139
telnet 445

After calling the commands “netstat” displays a connection on the corresponding port.

netstat -pn

Leave a Reply

Your email address will not be published. Required fields are marked *