Paranoid Penguin - Samba Security, Part II
The last task we've got space for this month is setting up our user accounts, and there are four steps:
Create the accounts under Linux.
Assign those accounts Linux passwords.
Create Samba password database entries for each.
Have the users change their Samba passwords.
Step one is to use whatever method you usually use to create user accounts on your system—either by using your system administration GUI of choice (such as GNOME's Users and Groups applet) or via the commands useradd, userdel and so forth.
For example, to create Pepe's account, I could use the following command. Note the sudo, necessary for Ubuntu. On other distributions, su to root before executing these commands, and omit the sudo that each begins with here:
bash-$ sudo useradd -c "Pepe" -m -g users pepe
This creates the user account pepe with the comment Pepe, automatically creates a home directory (/home/pepe) and assigns it to the group users. To be extra paranoid, you could insert the string -s /bin/false after -g users, which will disable normal Linux logins for Pepe's account, making it useless for anything other than Samba access.
Step two is to set each user's Linux password, like this:
bash-$ sudo passwd pepe
Obviously, you need to communicate whatever password you set here to Pepe in a secure fashion, and Pepe will need to change this password to something you don't know. (But that part happens in step four.)
Step three is to use the smbpasswd command to create each user's Samba password database entry, like so:
bash-$ sudo smbpasswd -a pepe
You'll be prompted to set and confirm Pepe's Samba password, after which the new account will be added. It's probably a good idea to use the same initial password here that you used in step two.
Finally, you'll want Pepe to log in to the system (assuming you didn't set his shell to /bin/false) and issue the following command:
Pepe will be prompted for his old password, his new password and confirmation of his new password. Assuming all three of those are good, Samba will change both Pepe's Samba password and his Linux password accordingly. Note that this synchronization does not occur when you create a new Samba password entry as root, using the -a flag.
If Pepe has an invalid shell, such as /bin/false, you'll have to let him sit at your console while you type the command sudo smbpasswd pepe, and then turn your back while he changes his password. You'll then need to do the same thing with the command sudo passwd pepe, because Samba does not synchronize Linux/UNIX passwords if you execute smbpasswd as root.
Regenerating smb.conf in Debian/Ubuntu
What if, in the process of tinkering with your Samba configuration, you so completely lose track of what you've changed versus what you started with that you want to begin again with the default /etc/samba/smb.conf file? And, what if you failed to create a backup copy of smb.conf before you changed it?
You might think Swat could do this. Swat has default buttons next to each configuration option. Clicking a default button is supposed to replace your custom value with the value from the default smb.conf file included with Samba. However, in my own experience, the behavior of these buttons is erratic. Sometimes null values are (incorrectly) returned, and clicking the default button for every option is time consuming anyhow.
My advice is that if you're using Debian or one of its derivatives, such as Ubuntu, and you need a fresh smb.conf file, you should completely un-install the package samba-common, and then re-install it. (This also will result in things that depend on samba-common to be un-installed, so note which packages you'll need to re-install after you've restored samba-common.)
In between removing and re-installing samba-common, you may want to check /etc/samba to make sure smb.conf is truly gone, and delete it if it isn't.
We've specified our usage scenario, set up some basic global settings using Swat and started adding users. Next month, we'll create the actual shares, but if you can't wait until then, you'll have no problem figuring out how using Swat's ample documentation. The “Official Samba 3.2.x HOWTO and Reference Guide” (see Resources) also may help. Have fun, and be safe!
- August 2015 Issue of Linux Journal: Programming
- Hacking a Safe with Bash
- Django Models and Migrations
- Secure Server Deployments in Hostile Territory, Part II
- The Controversy Behind Canonical's Intellectual Property Policy
- Huge Package Overhaul for Debian and Ubuntu
- Shashlik - a Tasty New Android Simulator
- KDE Reveals Plasma Mobile
- Embed Linux in Monitoring and Control Systems
- diff -u: What's New in Kernel Development