
Samba

Install samba

emerge --ask net-fs/samba
emerge --ask kde-apps/kdenetwork-filesharing

Add samba user

smbpasswd -a wuseman

Configure /etc/samba/smb.conf

cp /etc/samba/smb.conf.default /etc/samba/smb.conf
  • Example: Sharing folder, /etc/samba/smb.conf
[elitedesk-rootfs]
   comment = This is foo dir from my Laptop
   path = /foo
   public = yes
   writable = no
   printable = no
   create mask = 0755
   valid users = wuseman
   browseable = yes
#  write list = @staff

Disable printer sharing

By default Samba shares printers configured using CUPS.

If you do not want printers to be shared, use the following settings:

[global]
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  show add printer wizard = no

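Symlinks

These settings make Samba follow symbolic links, including links that point outside the shared path (wide links), so anything the connected user can read on the server becomes reachable through such a link. unix extensions = no is required because Samba ignores wide links while UNIX extensions are enabled.

[global]
   follow symlinks = yes
   wide links = yes
   unix extensions = no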

Block certain file extensions on Samba share

Samba offers an option (veto files) to block files with certain patterns, like file extensions. Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.

This option can be used to prevent dissemination of viruses or to dissuade users from wasting space with certain files. More information about this option can be found in smb.conf(5).

[foo-share]
  comment = Private
  path = /mnt/data
  read only = no
  veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/*.mp3/*.avi/*.mp4/*.wmv/*.wma/

List public shares

The following commands list public shares on a server:

smbclient -L hostname -U%
smbtree -N

Disable NetBIOS/WINS support

When not using NetBIOS/WINS host name resolution, it may be preferred to disable this protocol:

[global]
  disable netbios = yes
  dns proxy = no

Storing share passwords

Storing passwords in a world-readable file is not recommended. A safer method is to use a credentials file instead, e.g. inside /etc/samba/credentials

For the mount command, replace username=myuser,password=mypass with credentials=/etc/samba/credentials/share

The credentials file should be readable and writable only by root. Create the directory with restrictive permissions first, then write the file and restrict it as well:

mkdir -v -p /etc/samba/credentials
chown root:root /etc/samba/credentials
chmod 700 /etc/samba/credentials

cat << "EOF" > /etc/samba/credentials/share
username=myuser
password=mypass
EOF
chmod 600 /etc/samba/credentials/share

Restrict protocols for better security

By default, Samba versions prior to 4.11 allow connections using the outdated and insecure SMB1 protocol.

When using one of these Samba versions, it is highly recommended to set server min protocol = SMB2_02 in the [global] section to protect yourself from ransomware attacks. In Samba v4.11 and newer, SMB2 is the default min protocol, so no changes are required there.
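
The server-side settings covered on this page (wide links, guest access through public / guest ok, and server min protocol) can be checked mechanically in an existing smb.conf. The script below is an added example, not part of the original page or of Samba: audit_smbconf and sample_conf are hypothetical helper names, and the sample configuration, including its server min protocol = NT1 line, is constructed.

```shell
# Added example (not from the original page). audit_smbconf and sample_conf
# are hypothetical helper names, not Samba tools.
# Print one finding per risky setting in the smb.conf given as $1.
audit_smbconf() {
    awk '
    function truthy(v) { return v == "yes" || v == "true" || v == "on" || v == "1" }
    /^[ \t]*[#;]/ { next }            # comment line
    /^[ \t]*$/    { next }            # blank line
    /^[ \t]*\[/ {                     # section header such as [global]
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        # Parameter names are matched without regard to case or spaces.
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = tolower(substr($0, eq + 1))
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "widelinks" && truthy(val))
            print sec ": wide links enabled, symlinks may lead outside the share path"
        if ((key == "guestok" || key == "public") && truthy(val))
            print sec ": guest access enabled"
        if (key == "serverminprotocol" || key == "minprotocol") {
            seen_min = 1
            if (val ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
                print sec ": server min protocol = " val " permits SMB1"
        }
    }
    END {
        if (!seen_min)
            print "global: server min protocol not set, Samba before 4.11 accepts SMB1"
    }' "$1"
}

# Constructed sample using settings shown on this page; the NT1 line is made up.
sample_conf() {
    cat <<'EOF'
[global]
   wide links = yes
   unix extensions = no
   server min protocol = NT1
[elitedesk-rootfs]
   public = yes
   valid users = wuseman
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_smbconf "$tmp"; rm -f "$tmp"
```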

Clients using mount.cifs

mount -t cifs //SERVER/sharename /mnt/mountpoint -o username=username,password=password,iocharset=utf8,vers=3.1.1