Setting up password authentication for Windows file sharing / Samba (SMB / CIFS) shares

Adding password-based authentication to Windows file shares / Samba shares on Linux is never as simple as I'd expect. With the spread of CryptoLocker (ransomware that encrypts every network share the infected machine can write to!), I have been working to improve the security and resilience of my Samba shares. Here are some pointers from my experience of setting up authentication on an Ubuntu machine running Samba (tested on Samba versions 3.4.7 and 3.6.3):



1. Create the user accounts on the Ubuntu machine that you want to use as your Samba usernames. Samba needs a matching Unix account for every Samba user (the SMB session runs as that uid), but the account needs no shell access, so create it with a non-login shell. The Samba password itself is set separately in step 4.

useradd -s /usr/sbin/nologin ExampleUsername

2. Add the following to the [global] section of your Samba config (/etc/samba/smb.conf on Ubuntu; many of these lines, comments included, are already in the stock Ubuntu file):

[global]

# Samba's default guest account is 'nobody'; only change it to a user that actually exists.
guest account = guest
# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
passdb backend = tdbsam
obey pam restrictions = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan for sending the correct chat
# script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
usershare allow guests = yes

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user


3. In each share definition include:

[ExampleShareName]
valid users = ExampleUsername
write list = ExampleUsername
read only = no
guest ok = no
`valid users` restricts the share to the listed accounts and `guest ok = no` refuses anonymous sessions, so `map to guest = bad user` in [global] (which turns an unknown username into a guest session rather than a login failure) cannot get anyone into this share. It does still apply to any other share that leaves `guest ok = yes`; if nothing on the server should be reachable without a password, set `map to guest = never` and `usershare allow guests = no` instead. Also note that on a share with `read only = no` every user in `valid users` can already write, so `write list` only adds anything on a share that is read-only for the other users.
4. Set the Samba password for the account (it is stored in the tdbsam database, separately from the Unix password in /etc/shadow). For simplicity I would recommend using the same password you gave the account in step 1, if you gave it one; `unix password sync` keeps the two aligned from then on.

sudo smbpasswd -a ExampleUsername

5. Enable the user account for Samba (an account freshly added with `smbpasswd -a` is already enabled, so this matters mainly after it has been disabled with `smbpasswd -d`)

sudo smbpasswd -e ExampleUsername

6. Restart Samba so the new configuration is read

sudo service smbd restart

Done!
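Before restarting, it is worth checking that nothing in smb.conf undoes the password requirement you just set up. The following is an added example, not code from the original post: a small Python audit script that parses an smb.conf and flags the settings that let a client in without a valid account. Its parser is a simplified re-implementation of smb.conf syntax written for this example (sections, `key = value` lines, `#`/`;` comments, Samba's case- and whitespace-insensitive parameter names, and the synonyms `public` / `guest ok` and `writable` / `read only`); it is run here against the post's own [global] and share settings and against a constructed weak config with a hypothetical `[Public]` share at `/srv/public`.

```python
"""Audit an smb.conf for settings that let clients in without a password.

Added example, not code from the original post. The parser is a simplified
re-implementation of smb.conf syntax written for this example; both sample
configs are constructed here. Run `testparm -s` on a real server for the
authoritative, fully expanded view of its configuration.
"""
import re

_TRUE = {"yes", "true", "1"}


def _norm(name):
    """Samba treats 'Guest OK', 'guest ok' and 'guestok' as the same parameter."""
    return re.sub(r"\s+", "", name).lower()


def _is_true(value):
    return value.strip().lower() in _TRUE


def parse_smb_conf(text):
    """Return {section_name: {normalised_param: value}}; later duplicates win."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; testparm would warn
        key, value = line.split("=", 1)
        key, value = _norm(key), value.strip()
        if key == "public":                       # synonym of "guest ok"
            key = "guestok"
        elif key in ("writable", "writeable"):    # inverse of "read only"
            key, value = "readonly", ("no" if _is_true(value) else "yes")
        sections[current][key] = value
    return sections


def audit_smb_conf(text):
    """Return a list of findings; empty means every share needs a valid account."""
    conf = parse_smb_conf(text)
    glob = next((v for k, v in conf.items() if k.lower() == "global"), {})
    findings = []
    # Samba defaults: encrypt passwords = yes, map to guest = never,
    # usershare allow guests = no, guest ok = no.
    if not _is_true(glob.get("encryptpasswords", "yes")):
        findings.append("[global] encrypt passwords = no: clients may send "
                        "plaintext passwords")
    map_to_guest = glob.get("maptoguest", "never").lower()
    if map_to_guest != "never":
        findings.append(f"[global] map to guest = {map_to_guest}: failed "
                        "logins are turned into guest sessions")
    if _is_true(glob.get("usershareallowguests", "no")):
        findings.append("[global] usershare allow guests = yes: users can "
                        "publish guest-accessible shares themselves")
    guest_default = glob.get("guestok", "no")  # a [global] value is the share default
    for name, share in conf.items():
        if name.lower() == "global":
            continue
        if _is_true(share.get("guestok", guest_default)):
            findings.append(f"[{name}] guest ok = yes: reachable without a password")
        if not share.get("validusers"):
            findings.append(f"[{name}] no 'valid users': any Samba account on "
                            "this host can connect")
    return findings


# The [global] and share settings from the post above (comments trimmed).
POST_CONF = r"""
[global]
guest account = guest
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = yes
workgroup = WORKGROUP
usershare allow guests = yes
pam password change = yes
map to guest = bad user

[ExampleShareName]
valid users = ExampleUsername
write list = ExampleUsername
read only = no
guest ok = no
"""

# Constructed counter-example (hypothetical share): writable by anyone on the network.
WEAK_CONF = """
[global]
workgroup = WORKGROUP
; guest settings left at Samba defaults
[Public]
path = /srv/public
public = yes
writable = yes
"""

if __name__ == "__main__":
    for label, conf in (("post", POST_CONF), ("weak", WEAK_CONF)):
        print(f"== {label} ==")
        for finding in audit_smb_conf(conf) or ["no findings"]:
            print(" ", finding)
```

Against the post's own settings the script raises two [global] findings, `map to guest = bad user` and `usershare allow guests = yes`, and none for [ExampleShareName]: the share is safe because it sets `guest ok = no`, but the same two global settings would open any share added later without that line. The weak config shows the failure mode the script exists to catch: a share with `public = yes` and no `valid users`, which a ransomware-infected client can write to with no credentials at all. Running `testparm` before `service smbd restart` also catches plain syntax errors in the file.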




