Setting up password authentication for Windows file sharing / Samba (SMB / CIFS) shares

Adding password-based authentication to Windows file shares / Samba sharing on Linux is never as simple as I'd expect. With the spread of CryptoLocker (ransomware which can encrypt your network shares!) I have been working to enhance the security and resilience of my Windows Samba network shares. Bear in mind that authentication only limits which accounts can reach a share: an infected Windows client that already holds the credential (for example via a mapped drive) can still encrypt everything that account can write, so keep offline or snapshot backups alongside this. Here are some simple pointers from my experience of setting up authentication on an Ubuntu machine running Samba (tested on Samba versions 3.4.7 and 3.6.3):


1. Create a Unix account on the Ubuntu machine for each username you want to allow. Give it no login shell, so the credential can only be used for file sharing and not for interactive or SSH login. Note that useradd does not set a Unix password; the Samba password is set separately in step 4.

sudo useradd -s /usr/sbin/nologin ExampleUsername

2. Add to your Samba config (/etc/samba/smb.conf on Ubuntu/Debian) in the global section:

[global]

# The Unix account that unmapped/unknown usernames are mapped to (see
# 'map to guest' below). It must exist on the system; Debian's default is nobody.
guest account = guest
# Encrypted (NTLM) passwords have been the default since Samba 3.0 and are
# required by modern Windows clients; keep this enabled.
encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
passdb backend = tdbsam
obey pam restrictions = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan for sending the correct chat
# script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
# Whether shares created by ordinary users with 'net usershare' may be made
# guest-accessible. Set this to no if you do not want users to be able to
# publish password-less shares themselves.
usershare allow guests = yes

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections. With 'bad user', a valid username with a wrong
# password is rejected outright; only a username that does not exist at all
# is treated as a guest login. Shares with 'guest ok = no' stay closed to it.
map to guest = bad user


3. In each share definition include the following. valid users restricts who may connect at all, write list who may write, and guest ok = no ensures the guest mapping above never reaches the share:

[ExampleShareName]
# adjust to the directory you are sharing
path = /srv/ExampleShareName
valid users = ExampleUsername
write list = ExampleUsername
read only = no
guest ok = no
4. Set the Samba password for the account. This is stored in Samba's own password database (the tdbsam backend from step 2), separately from the Unix password. If you also give the account a Unix password (with passwd), for simplicity I would recommend keeping the two aligned.

sudo smbpasswd -a ExampleUsername

5. Make sure the account is enabled for Samba. smbpasswd -a normally creates it enabled; -e is needed if the account was ever disabled with smbpasswd -d:

sudo smbpasswd -e ExampleUsername

6. Check the configuration parses cleanly, then restart Samba

testparm -s
sudo service smbd restart

Done!
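Once the shares are defined it is easy for one of them to slip through without the settings from step 3. The following shell script is an added example, not part of the original post: it audits an smb.conf and reports every share that is reachable without a password, either because it sets guest ok = yes (or its synonym public = yes) or because it has no valid users line at all, so any authenticated account rather than the intended ones can connect. The share names and the sample config written by write_sample_conf are constructed for this example; run audit_smb_conf against /etc/samba/smb.conf for a real check.

```shell
#!/bin/sh
# Added example, not from the original post: audit an smb.conf for shares
# that can be reached without a password, i.e. the opposite of the hardened
# [ExampleShareName] definition above. A share is reported when it sets
# "guest ok = yes" (or "public = yes"), or when it has no "valid users" line
# at all. The sample config written by write_sample_conf is constructed here.

audit_smb_conf() {
    # $1 = path to an smb.conf. Prints one line per weak share: "<share>: <reason>".
    awk '
        function report() {
            # [global] is not a share; printer shares are out of scope here.
            if (sec == "" || sec == "global" || sec == "printers" || sec == "print$") return
            if (guest == "yes")      print sec ": guest access enabled"
            else if (!has_valid)     print sec ": no \"valid users\" restriction"
        }
        /^[ \t]*[;#]/ { next }                      # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                    # start of a [section]
            report()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            guest = "no"; has_valid = 0
            next
        }
        /^[ \t]*[^=]+=/ {                           # "key = value" line
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); val = tolower(val)
            if (key == "guestok" || key == "public") {
                # Samba accepts yes/true/1 as boolean true
                if (val == "yes" || val == "true" || val == "1") guest = "yes"; else guest = "no"
            }
            if (key == "validusers" && val != "") has_valid = 1
        }
        END { report() }
    ' "$1"
}

write_sample_conf() {
    # Constructed sample: one guest share, one share open to every account,
    # and the hardened share from the post.
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = bad user

[public]
   path = /srv/public
   guest ok = yes

[backup]
   path = /srv/backup
   read only = no

[ExampleShareName]
   path = /srv/ExampleShareName
   valid users = ExampleUsername
   write list = ExampleUsername
   read only = no
   guest ok = no
EOF
}

# Stand-alone run: audit the constructed sample. Point audit_smb_conf at
# /etc/samba/smb.conf to check a real server.
conf=$(mktemp)
write_sample_conf "$conf"
audit_smb_conf "$conf"
rm -f "$conf"
```

On the sample this reports public (guest access enabled) and backup (no valid users restriction) and stays silent about ExampleShareName. After fixing any findings and restarting smbd, confirm the behaviour from the server itself: smbclient //localhost/ExampleShareName -N (no password) should be refused, while smbclient //localhost/ExampleShareName -U ExampleUsername should prompt for the Samba password and connect.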




