Samba configuration help

[TheFu]

Yeah I suppose I can't expect to learn every little thing. As long as I have the settings I need and make notes of them it should be perhaps enough. Who's Mr. Scroogle?

scroogle was a web search engine that didn't pass on any information to the upstream search engine.

Is samba even safe to use? I dont really plan to use it for anything but my LAN so I can store and access files. But say I wanted to access from the internet, would using Sambe be a security issue? Really I wanted to try out Samba for the learning experience. But I've heard of openmedia vault. Would that be a better choice?

No networked service is "safe", but we can mitigate as many risks as possible. Hence, why the deny/allow.
No way, no how, should you use CIFS/Samba over the internet!!!! !!!!! !!!!!!!!!! !!!!!!!!!!!
Use something based on ssh or through a full VPN that you host yourself. sftp, scp, rsync, sshfs are all based on ssh. sftp is built-into most Linux file managers. Just use sftp://IP-address/ to access the resource you want. The firewall port for ssh needs to allow inbound connections. To mitigate attacks, use a non-standard port (never port 22/tcp), ssh-keys (NEVER, EVER, passwords), and run an automatic firewall blocker like fail2ban or denyhosts. I still see brute force attempts on my systems, but just moving off the default port reduced the attempts 10,000x.

Subnets is something else I need to look into implementing. There are things I need to separate. But again, one thing at a time. Networking is not an easy subject. Although learning it is definitely fun.

It is very worthwhile to learn enough to handle subnetting in a home environment. You'll want a real router to handle that or a LAN router to be paired with your WAN router. The router from the ISP is **not** to be trusted.

Manpage? got a link?

That's sorta funny. My icon talks about xman. man man at a shell prompt will explain manpages. Every Unix system since 1970 has manpages.

Thats exactly what I'm doing. I find this kind of stuff tedious, yet its completely entertaining and fun. For me anyways. Thx for you help btw.

There's always more to know. I figure I know about 10% after 25+ yrs.

[fjl05]

scroogle was a web search engine that didn't pass on any information to the upstream search engine.


No networked service is "safe", but we can mitigate as many risks as possible. Hence, why the deny/allow.
No way, no how, should you use CIFS/Samba over the internet!!!! !!!!! !!!!!!!!!! !!!!!!!!!!!

Why exactly not? Wouldn't later version be made to deal with the latest security issues? or is SAMBA made with the intention of being used as a file server only within a LAN setting?

Use something based on ssh or through a full VPN that you host yourself. sftp, scp, rsync, sshfs are all based on ssh. sftp is built-into most Linux file managers.

Currently I use a VPN option built into my Asus router to connect to my LAN. It's openVPN. Is that safe?

Just use sftp://IP-address/ to access the resource you want. The firewall port for ssh needs to allow inbound connections. To mitigate attacks, use a non-standard port (never port 22/tcp), ssh-keys (NEVER, EVER, passwords), and run an automatic firewall blocker like fail2ban or denyhosts. I still see brute force attempts on my systems, but just moving off the default port reduced the attempts 10,000x.

SSH keys is something I also need to look into.

It is very worthwhile to learn enough to handle subnetting in a home environment. You'll want a real router to handle that or a LAN router to be paired with your WAN router. The router from the ISP is **not** to be trusted.

The only thing I have from my ISP is the wire coming into my house. The modem is one I bought, and the router is also one I bought. ASUS RT-ACRH17

That's sorta funny. My icon talks about xman. man man at a shell prompt will explain manpages. Every Unix system since 1970 has manpages.

I didnt know this one, thanks. Still pretty new to Linux.

There's always more to know. I figure I know about 10% after 25+ yrs.

only 10% :O

[TheFu]

Why exactly not? Wouldn't later version be made to deal with the latest security issues? or is SAMBA made with the intention of being used as a file server only within a LAN setting?

You have some understanding to gain, it seems.

Currently I use a VPN option built into my Asus router to connect to my LAN. It's openVPN. Is that safe?

Assume nothing is safe until YOU do the research on it. If your router hasn't been patched this month, I'd assume there are known bugs being attacked now. I don't know any consumer router that doesn't have a history of security failures. Asus was so bad they are in a 20 yr agreement with the FTC for security issues.
In general, I think no WAN router should be used for anything but the core purposes. That's routing and firewalling. If you want a VPN, setup a VPN on a separate system that can be patched and maintained. Any whatever you do, please don't think that a router is a NAS.

SSH keys is something I also need to look into.

This should be your first task. Before everything else. ssh is how system communicate. ssh-keys are 1,000,000x more secure than any password a human can enter. ssh-keys are much more convenient that typing a password too. How often is something both vastly more secure AND more convenient? ssh, scp, sftp, rsync, sshfs, and most Unix backup tools are build using libssh ... which means those keys are automatically used for all those connections, once setup. I've posted detailed instructions multiple times in these forums.

The only thing I have from my ISP is the wire coming into my house. The modem is one I bought, and the router is also one I bought. ASUS RT-ACRH17

Asus ... eh.

I didnt know this one, thanks. Still pretty new to Linux.

only 10% :O

Some days, I think only 1%. My systems humble me way too often.

[fjl05]

You have some understanding to gain, it seems.


Assume nothing is safe until YOU do the research on it. If your router hasn't been patched this month, I'd assume there are known bugs being attacked now. I don't know any consumer router that doesn't have a history of security failures. Asus was so bad they are in a 20 yr agreement with the FTC for security issues.
In general, I think no WAN router should be used for anything but the core purposes. That's routing and firewalling. If you want a VPN, setup a VPN on a separate system that can be patched and maintained.

How would I go about this exactly? like a vpn running on ubuntu? Would a raspberry pi work? also, wouldn't the machine running it require two ethernet ports?

And whatever you do, please don't think that a router is a NAS.

Actually thats what I have now due to limitations. But not exactly what you think. I have a separate router which has NAS capability that I use to store all the videos from my IP cameras. This is not the router that acts as the WAN. This one is set as a DHCP client for its NAS capabilities which I plan to replace with the RasPi. Which is part of why I am learning all of this.

This should be your first task. Before everything else. ssh is how system communicate. ssh-keys are 1,000,000x more secure than any password a human can enter. ssh-keys are much more convenient that typing a password too. How often is something both vastly more secure AND more convenient? ssh, scp, sftp, rsync, sshfs, and most Unix backup tools are build using libssh ... which means those keys are automatically used for all those connections, once setup. I've posted detailed instructions multiple times in these forums.

yeah I'll make sure to look into it.

[TheFu]

How would I go about this exactly? like a vpn running on ubuntu? Would a raspberry pi work? also, wouldn't the machine running it require two ethernet ports?

Part of the skills important to being successful with Linux is where to search, how to search, and who to trust.
You are asking great questions, but the answers are only 10% of the problem. Skipping all the other things that need to be known and mastered would be a disservice.

Here's a hint for where to look for ubuntu stuff ... look for websites with "ubuntu" in the domain part of the DNS name.
Providing "what" to type is 1000x less important than "why" - and the why aspects are critical, as are the "why not". Just because we can do something, that doesn't make it a good idea and definitely doesn't make it secure.

When I was learning many of these things, Altavista was the main websearch engine. Everyone had bookmarks to remember where stuff was. I stopped using bookmarks over a decade ago. The world has changed.

[rsteinmetz70112]

The [homes] section of smb.conf is a special share in that it will create a samba share of a user's home directory on the fly for every local user on your Linux server. You will note that the [homes] share has no path.

It is possible to put a path statement into [homes] to define another location. On some of my machines I redirect the [homes] to another server and it works just fine. The default is path=/home/%U You could use that to have a separate home directory for Windows users.

[TheFu]

It is possible to put a path statement into [homes] to define another location. On some of my machines I redirect the [homes] to another server and it works just fine. The default is path=/home/%U You could use that to have a separate home directory for Windows users.

I cannot see this method always working. The location of the HOME is determined by the getpwent() call. It is NOT hard-coded to /home/{username}. Just because something undocumented works, that doesn't mean it will forever. But if it does work, great.

This is a key reason why the entire snap subsystem is broken. The hard-coded /home rather than using the system records for each user.

[rsteinmetz70112]

I cannot see this method always working. The location of the HOME is determined by the getpwent() call. It is NOT hard-coded to /home/{username}. Just because something undocumented works, that doesn't mean it will forever. But if it does work, great.

This is a key reason why the entire snap subsystem is broken. The hard-coded /home rather than using the system records for each user.

The use of path={directory name} in a [homes] share is documented in the Samba documentation, although detail is sparse, but I assume the Samba Team has worked out how it should work.

I took a little bit of a shortcut in my earlier post, skipping overs some stuff not usually needed. A normal users home is traditionally set in /etc/passwd and usually defaults /home/{username}, although root's home directory is generally set nowadays to /root and many special users have other home directories. If you use another method of authentication like ldap then it can be set there. You obviously know this.

The samba backends handle Samba and Windows authentication so they also contain the home directory information and Windows User and Group information. Users can have different Linux and Samba passwords and home directories, among other things. Samba generally prepends the logon server name to the user home directory when you have a domain, showing \\SERVER\{homes path}\{username] wherever the user logins. Samba looks up the User Home Directory and if it can't finds one creates one. If you set the home directory to another server then the backend shows the Home directory server. There doesn't seem to be anything keeping Samba from doing a conditional check and if path={some random path} is set for [homes] using that. I can see some good reasons for having separate windows and Linux home share, I can also see complications. In our case only a few users use Linux directly so most users won't run into problems.

[fjl05]

It is possible to put a path statement into [homes] to define another location. On some of my machines I redirect the [homes] to another server and it works just fine. The default is path=/home/%U You could use that to have a separate home directory for Windows users.

But how would I be able to add different parameters for each user that logs in?

[TheFu]

But how would I be able to add different parameters for each user that logs in?

Use NFS. Then POSIX permissions work.