Samba is Trash

[brendaem]

I am sorry, but Samba needs a rethink, and a redesign.

Yes, this is my first post here, and I am deeply sorry that I have nothing positive to state on my very first post. Up front, I am sorry. In spite of the coarseness of my choice of words and the harshness of my abject opinion--please don't negate my aim.

[My Linux experience is lower-medium, which means that I've compiled several programs from source such as code-aster, survived dependency-hell installing Gnome from source packages, have added repositories to apt/synapic, have unblacklisted various network adapters and Alsa hardware, and with a little appreciated for configuring old steppers, have configured LinuxCNC's HAL .... So, I am just a lower-medium Linux user.]

I had hoped that by following instructions, I would have safely shared a network drive under Linux Mint for local use only. That was not the case. I ended up consulting over a dozen threads, some of which are commonly referred to yet barely applicable. I've allowed a firewall exception, chmoded this and chowned that, added samba users, created passwords. The last straw was: allow/denies just don't seem work. Perhaps it wasn't compiled with those options. Perhaps all the planets weren't quite lined up. Who knows.

Given that there is one thing that should terrorize any new person wanting to network a drive--it would be sharing it on the internet.
What would have been wrong with adding one statement in the smb.conf which read: local only = true ?

What would be interesting: a contest--a contest to see who could take the average user from a distro-fresh Linux Mint download, share a drive to local traffic only, with a network share login to at least keep some of the riff-Raff out.

So my challenge is: for anyone to create a webpage or a thread to do that--that works.

Or, as I suspect perhaps the problem is Samba itself. Apparently Mint had so much confidence in Samba that they disabled it by default. Wouldn't it be better if--in a imaginary world--it just worked?

Anyway, thank you for reading this far. I strongly feel that a Linux server is a great gateway device, one of Linux's diplomats, and one of the first Linux installations most people see at work.

[Moonstone Man]

I am sorry, but ...

Now that you've vented your spleen at other Linux users, this is a user forum after all, where Linux users provide assistance to other Linux users, do you have a support question or not?

[rene]

As to your subject line: hear, hear. And in that sense: why are you trying to use Samba? Samba is a reverse-engineered implementation of foreign, Windows network technology on Linux. If "local" as you use it means intra-Linux then just use native technology such as NFS.

But also note that if you are as is expected behind a standard modem/router nothing was ever open to "the internet" unless you went out of your way to make it so. Lastly; if you do for some or other reason need/want Samba and do for some misty reason not trust your LAN to not be open see "hosts allow/deny" in man smb.conf.

[djph]

I am sorry, but Samba needs a rethink, and a redesign.

Yes, this is my first post here, and I am deeply sorry that I have nothing positive to state on my very first post. Up front, I am sorry. In spite of the coarseness of my choice of words and the harshness of my abject opinion--please don't negate my aim.

It's okay, the SMB (now CIFS) protocol that Microsoft released 20-odd years ago is terrible. We all know it, and it's why we avoid it unless absolutely necessary.

The linux program "samba" is a reverse-engineered attempt to play nice with SMB/CIFS, but ...

Given that there is one thing that should terrorize any new person wanting to network a drive--it would be sharing it on the internet.
What would have been wrong with adding one statement in the smb.conf which read: local only = true ?

Stopping the internet from accessing your samba shares would be stopped by your edge firewall (usually part of your ISP-supplied "residential gateway" device), as rene pointed out.

How exactly were you testing that it was blocked from "the internet" ?

What would be interesting: a contest--a contest to see who could take the average user from a distro-fresh Linux Mint download, share a drive to local traffic only, with a network share login to at least keep some of the riff-Raff out.

So my challenge is: for anyone to create a webpage or a thread to do that--that works.

1. install samba (or whatever the server package is)
2. ???
3. Done.

[ivar]

Samba is a reverse-engineered implementation of foreign, Windows network technology on Linux. If "local" as you use it means intra-Linux then just use native technology such as NFS.

Sums it up pretty good. Can't be very easy to get a good reverse-engineered implementation of a target which is buggy and full of security holes. And a moving target as well, at Microsoft patches the holes

[etoufee]

I can empathise with the OP. I can only suggest that it's time to use NFS.

[rene]

Or by the way simply sftp. I.e., set up regular ssh access to the system you want to remote access files on (preferably via public key) and go to and/or bookmark e.g. sftp://1.2.3.4/home/you in your file manager for access to your home directory on that machine. Or Warpinator certainly if all/both are Mint.

[altair4]

Well, you don't see a post like this very often.

The usual complaint goes something like: "OK, I followed some HowTo and set up samba and it don't work good".

But this one is the opposite. I set up samba and it works too well. Teenage kids from the planet Tralfamadore can access my samba share bypassing my router, whatever firewall I may be using on Linux, whatever settings I have in smb.conf, .....

You might want to list what you did to make that happen as a service to others. Maybe something that you did here:

[My Linux experience is lower-medium, which means that I've compiled several programs from source such as code-aster, survived dependency-hell installing Gnome from source packages, have added repositories to apt/synapic, have unblacklisted various network adapters and Alsa hardware, and with a little appreciated for configuring old steppers, have configured LinuxCNC's HAL .... So, I am just a lower-medium Linux user.]

[JezekiljMonk]

Hi

Have you tried my tutorial? I tried to cover many angles and to give a rather complicated task to put in practice. My 20 months of search are in it.

viewtopic.php?f=42&t=353391

Best regards,

[altair4]

I had hoped that by following instructions, I would have safely shared a network drive under Linux Mint for local use only. That was not the case. I ended up consulting over a dozen threads, some of which are commonly referred to yet barely applicable. I've allowed a firewall exception, chmoded this and chowned that, added samba users, created passwords. The last straw was: allow/denies just don't seem work. Perhaps it wasn't compiled with those options. Perhaps all the planets weren't quite lined up. Who knows.

Given that there is one thing that should terrorize any new person wanting to network a drive--it would be sharing it on the internet.
What would have been wrong with adding one statement in the smb.conf which read: local only = true ?

There is really no way to respond to the question. He already created a share and it works - too well. He's sharing it not only to the local network but across the internet.

How can that be? I do not know - not without a whole lot more information.

I mean I can make it happen. Let's say I want to share the contents of a USB attached HDD connected to my laptop. I create the share definition:

Code: Select all

[MyUSB1]
path = /media/tester/USB1
read only = no
valid users = andy, agnes, tester
force user = tester

Restart smbd and we're done.

But wait it doesn't work because ufw has been enabled so I allow samba clients in:

Code: Select all

sudo ufw allow Samba

Bada Bing Bada Boom - it all works.

Sooo..... What happens when I leave the "relative" safety of my "behind the router" home network and take my laptop down to the Evil-Doers Bar and Grill w/Free WiFi? Unless I go back to ufw and set Samba back to deny the whole world can see my host and it's share. May not be able to get access to it but they will see it if they try hard enough.

Anyhoo, we don't know how everything is set up in this question and under what circumstances the original problem manifests itself. Is it on a laptop in the world at large or is it behind a router. If it's behind a router and someone on the internet is accessing his samba server the problem is much bigger than samba/

[brendaem]

I am sorry, but ...

Now that you've vented your spleen at other Linux users, this is a user forum after all, where Linux users provide assistance to other Linux users, do you have a support question or not?

Indeed I vented; at the same time if no one communicates, nothing will get better. This is an emperor's new clothes thing. I have not vented at any user or forum member. If someone is personally hurt by a statement like "Samba is Trash" then it's unlikely they could be objective about it.

I do think that Samba, or whatever replaces it is an important tool. The fact is some programs only run under Windows. It may be an ugly fact, but still it's something that exists.

I don't think that anyone really wants to accidentality share everything they own. I also don't want a SSH account facing the even a local network if it doesn't need to be.

Yes, I did created a firewall pinhole/exception for Samba as several of the tutorials stated.

As a file system, I see EXT4 as an advantage that I don't want to abandon it for NFS; it's the networking I am having trouble with. My lofty Samba goal was to create a share for collaborating on large video projects, kind of like Linus's server, but using old crappy hardware, well, and 2 of 6TB drives, which are still pretty nice. I do want a functional desktop, so the computer can do other things, and also, it would afford other solutions such as a sync graphical front for manually mirroring drives--when I see fit. Gnome-Mahjong helps relax me after working on Samba, and replying to threads.

JezekiljMonk's tutorial thread looks comprehensive, yet vastly more complicated than the other tutorials. I've not installed Caja-share by name.
Still, it's too much to expect people to do all of that to safely? share a drive. The firewall tweak is so fiddly. Anyone could make a mistake with that.
It seems that subnets are not disasllowed in your setup. I don't want anyone to even see my login prompt from outside the DMZ.

As for the manual pages for Samba as well as the web instructions, I see discrete commands with no context. No wonder so many people have problems with Samba.

Thank you all for replying.

[Moonstone Man]

Indeed I vented; at the same time if no one communicates, nothing will get better.

https://www.youtube.com/watch?v=TJLvyWLxrBA

It's worth watching, well listening to mostly.

Thanks to Lady Fitzgerald for the link.

[rene]

As a file system, I see EXT4 as an advantage that I don't want to abandon it for NFS; it's the networking I am having trouble with.

You mistook NFS for NTFS there. Latter is a local filesystem type in the same sense as ext4; former is the UNIX-centric Network File System and the UNIX-canonical way in which you create network "shares", i.e., much like SMB/CIFS is/was on Windows.

[RowlandP]

The problem with Samba is that it is such a complex beast, this is because it can do many things, It can be a standalone server, an NT4-style domain controller, an AD DC or a Unix domain member. No wonder it can be complex to configure, this isn't helped by the numerous incorrect 'howtos' found on the internet, indeed the one linked to in this thread has problems.

Anything to do with the various OS GUI's has nothing to do with Samba, they are provided by the OS or the desktop. Most of these are having problems at the moment caused by SMBv1 being turned off by default.

[altair4]

Just for giggles you might want to post the output of the following commands from the server that can apparently be accessed by everyone:

Code: Select all

testparm -s

Code: Select all

net usershare info --long

Code: Select all

sudo ufw status

Code: Select all

sudo nmap -sS -sU -T4 localhost

That's a start anyway. May not solve the problem but I suspect it may ... may ... indicate that this is a networking problem not a samba problem.

[brendaem]

Indeed I vented; at the same time if no one communicates, nothing will get better.

https://www.youtube.com/watch?v=TJLvyWLxrBA

It's worth watching, well listening to mostly.

Thanks to Lady Fitzgerald for the link.

I am sorry, but your post is off-topic. I see no reason to attack me personally because my message is not to your liking.

[Moonstone Man]

It's worth watching, well listening to mostly.

Thanks to Lady Fitzgerald for the link.

I am sorry, but your post is off-topic. I see no reason to attack me personally ...

Where in those words do you perceive an attack? If my post is an attack, report it to the moderators. If it is off-topic, that is not your call, it's the moderators' call, so again, report it.

because my message is not to your liking.

Right back at you, pal.

[brendaem]

Currently, I swapped drives, and reinstalled Mint 20.2 . So, right now there is nothing to test.

I am running through lists of instructions.
One mentions using Samba 1.x, which doesn't seem like a good idea.
Another uses guest accounts, which also doesn't seem like a good idea.

Anyway these are some of them, and some covering extra-credit issues:
https://techviewleo.com/install-and-con ... inux-mint/
https://ubuntu.com/tutorials/install-an ... g-up-samba
viewtopic.php?t=335196
https://itsfoss.com/share-folders-local ... u-windows/
https://www.youtube.com/watch?v=oRHSrnQueak
viewtopic.php?t=272334
viewtopic.php?t=332739
https://www.youtube.com/watch?v=dxUWco22_uk
https://tenbulls.co.uk/2017/04/18/samba_on_mint/
https://www.samba.org/samba/docs/server_security.html
https://askubuntu.com/questions/888205/ ... e-in-samba
https://www.how2shout.com/linux/install ... h-windows/
https://ubuntuforums.org/showthread.php?t=825965
https://askinglot.com/what-is-force-user-in-samba
https://www.linuxhelp.com/how-to-instal ... ux-mint-20
https://serverfault.com/questions/68351 ... ks-locally

Samba needs a way to restrict to local only. It's really not as simple as that, as I strongly feel that in no way should everyone use using the same network for local intranet as we do for the Internet, anyway.

For ha-ha's I looked at OpenMediaVault, to see how Samba is handled in it, though the though of managing a local file server through a web-brower gives me the creeps.

Things are also complicated as I do not have access to the router where I am, am unsure of it's configuration, and might (need to) set up an ad-hock wired network somewhere. I don't want to rely on a router only for security, as their firmware is usually closed, and foreign.

Are there any instructions anywhere to restrict Samba totally to local traffic, that work with Mint 20.2?

[Moonstone Man]

Are there any instructions anywhere to restrict Samba totally to local traffic, that work with Mint 20.2?

So, we finally get to the nub of the problem you are trying to solve, which is not the actual problem that you have. Here is the real problem:

.. I do not have access to the router where I am, am unsure of it's configuration ...

Use ufw.

Linux is a server operating system, and it is built with components. It's not samba's job to block traffic, it's the job of the firewall.

https://www.digitalocean.com/community/ ... untu-20-04

Start there.

https://www.linux.com/training-tutorial ... ewall-ufw/

So, despite your disagreeable posts, and blaming samba for your misdiagnosis, you now have the correct advice to solve the correct problem. You could read the samba documentation too. It contains a mechanism to block hosts, but with the real problem being not having access to the router, it might not do you any good, so ufw is the best course of action, along with setting up a private enclave for your private network.

[RowlandP]

Samba needs a way to restrict to local only. It's really not as simple as that, as I strongly feel that in no way should everyone use using the same network for local intranet as we do for the Internet, anyway.

Go and read the Samba documentation about the smb.conf:

Code: Select all

man smb.conf

The part you need has the heading 'hosts allow'

With that you can restrict connection to the local network.

I cannot recommend using any Samba howto's you might find on the web, they all seem to contain errors (that includes the raspberrypi documentation), have you tried reading the Samba wiki: https://wiki.samba.org/index.php/Main_Page

If there is something on the Samba wiki you do not understand, please tell me and I will try to alter it until you do.