Samba is Trash


Post by altair4 »

So it's been 8 days since the original post and we still don't know:

** How samba is set up on the user's machine.

** If a firewall is in use.

** If a firewall is in use how it is configured.

** And more fundamentally why the user believes someone from outside the local lan can access the share.

The only things we do know:

** The user referenced a bunch of HowTo's used which if followed verbatim and in series should have resolved the issue since in all likelihood it would have rendered their samba service inoperable to everyone.

** And this little tidbit:
I do not have access to the router where I am, am unsure of its configuration, ...
Hmm....

Post by AndyMH »

@brendaem, for reference, if you bother to post on this subject again, altair4's little finger knows more about samba/CIFS than the rest of us put together.

Post by altair4 »

I have had a lot of "I don't know" posts lately concerning Samba - at least in this forum - so I don't think the above statement is true. But thanks.

Post by brendaem »

Kadaitcha Man wrote: Mon Aug 02, 2021 3:58 am
brendaem wrote: Mon Aug 02, 2021 2:46 am Are there any instructions anywhere to restrict Samba totally to local traffic, that work with Mint 20.2?
So, we finally get to the nub of the problem you are trying to solve, which is not the actual problem that you have. Here is the real problem:
.. I do not have access to the router where I am, am unsure of its configuration ...
Use ufw.

Linux is a server operating system, and it is built with components. It's not samba's job to block traffic, it's the job of the firewall.

https://www.digitalocean.com/community/ ... untu-20-04

Start there.

https://www.linux.com/training-tutorial ... ewall-ufw/

So, despite your disagreeable posts, and blaming samba for your misdiagnosis, you now have the correct advice to solve the correct problem. You could read the samba documentation too. It contains a mechanism to block hosts, but with the real problem being not having access to the router, it might not do you any good, so ufw is the best course of action, along with setting up a private enclave for your private network.
For a great many people, setting up a shared drive/folder on their home or small business network, is there any reason why it should be visible from outside?

Not everyone disagreed with my post.

Post by brendaem »

rene wrote: Wed Jul 28, 2021 3:46 am
brendaem wrote: Wed Jul 28, 2021 3:29 am As a file system, I see EXT4 as an advantage that I don't want to abandon it for NFS; it's the networking I am having trouble with.
You mistook NFS for NTFS there. Latter is a local filesystem type in the same sense as ext4; former is the UNIX-centric Network File System and the UNIX-canonical way in which you create network "shares", i.e., much like SMB/CIFS is/was on Windows.
I didn't mistake NTFS for NFS. I just prefer EXT4.

Post by brendaem »

RowlandP wrote: Mon Aug 02, 2021 4:14 am
brendaem wrote: Mon Aug 02, 2021 2:46 am
Samba needs a way to restrict to local only. It's really not as simple as that, as I strongly feel that in no way should everyone be using the same network for local intranet as we do for the Internet, anyway.
Go and read the Samba documentation about the smb.conf:

man smb.conf


The part you need has the heading 'hosts allow'

With that you can restrict connection to the local network.

I cannot recommend using any Samba howto's you might find on the web, they all seem to contain errors (that includes the raspberrypi documentation), have you tried reading the Samba wiki: https://wiki.samba.org/index.php/Main_Page

If there is something on the Samba wiki you do not understand, please tell me and I will try to alter it until you do.
Thank you for the links. It would be helpful if there were instructions for safely setting up a small-office/home network.

Post by brendaem »

JezekiljMonk wrote: Tue Jul 27, 2021 2:10 pm Hi

Have you tried my tutorial? I tried to cover many angles and to give a rather complicated task to put in practice. My 20 months of search are in it.

viewtopic.php?f=42&t=353391

Best regards,
Thank you for the link. It's obvious that you know a lot about Samba. Printed, your documentation would be about 30 pages of text. Is that what it takes to get Samba going on a home/small-office network?

Post by brendaem »

altair4 wrote: Mon Jul 26, 2021 7:55 am Well, you don't see a post like this very often.

The usual complaint goes something like: "OK, I followed some HowTo and set up samba and it don't work good".

But this one is the opposite. I set up samba and it works too well. Teenage kids from the planet Tralfamadore can access my samba share bypassing my router, whatever firewall I may be using on Linux, whatever settings I have in smb.conf, .....

You might want to list what you did to make that happen as a service to others. Maybe something that you did here:
[My Linux experience is lower-medium, which means that I've compiled several programs from source such as code-aster, survived dependency-hell installing Gnome from source packages, have added repositories to apt/synapic, have unblacklisted various network adapters and Alsa hardware, and with a little appreciated for configuring old steppers, have configured LinuxCNC's HAL .... So, I am just a lower-medium Linux user.]
How other people post has nothing to do with this thread.

No, Samba does not work too well. If Samba did what I wanted it to do, I wouldn't have posted this thread.

Post by rene »

brendaem wrote: Wed Aug 04, 2021 8:32 am I didn't mistake NTFS for NFS. I just prefer EXT4.
It was either that or you having not a clue what you are in fact saying. Once again (but last time): NFS is not a local filesystem type at the level of ext4 and is not an alternative for ext4. It is a network protocol that lives at the same level as SMB/CIFS, i.e., of Samba as it's used here in this thread. Underlying filesystem can be exactly as in the case of SMB/CIFS anything and certainly including ext4. What I told you is that you need not use Samba if you don't care for it. Alternatives that I mentioned are NFS for the most direct UNIX-centric analogon, SSH/SFTP and, easiest of all if you're sharing between Mint systems, Warpinator.

Seems you're set on complaining rather than on being helped but note that quite a few people and certainly I agree that Samba is trash. We therefore simply do not use it.

Post by brendaem »

RowlandP wrote: Wed Jul 28, 2021 4:16 am The problem with Samba is that it is such a complex beast, this is because it can do many things, It can be a standalone server, an NT4-style domain controller, an AD DC or a Unix domain member. No wonder it can be complex to configure, this isn't helped by the numerous incorrect 'howtos' found on the internet, indeed the one linked to in this thread has problems.

Anything to do with the various OS GUI's has nothing to do with Samba, they are provided by the OS or the desktop. Most of these are having problems at the moment caused by SMBv1 being turned off by default.
It does appear that Samba was designed to be flexible, but I just want to share a drive with two or three Windows boxes, on a home/small-office network, with some measure of confidence that even if my roommate's router or wherever these boxes end up isn't set up well, then I won't have uninvited guests--with regard to the share anyway.

Concise documentation toward that goal would help, with just a little spatial awareness as to why. Obviously, I am not against reading documentation, and I may be alone in this, but I don't want to read an entire book to network a few computers.

Is it possible to write two or three pages of documentation that describe how to share a drive or folder with Samba with some measure of safety, that works?

Post by RowlandP »

brendaem wrote: Wed Aug 04, 2021 9:42 am Is it possible to write two or three pages of documentation that describe how to share a drive or folder with Samba with some measure of safety, that works?
Do you mean something like this:
https://wiki.samba.org/index.php/Settin ... one_Server

Post by brendaem »

RowlandP wrote: Wed Aug 04, 2021 10:13 am
brendaem wrote: Wed Aug 04, 2021 9:42 am Is it possible to write two or three pages of documentation that describe how to share a drive or folder with Samba with some measure of safety, that works?
Do you mean something like this:
https://wiki.samba.org/index.php/Settin ... one_Server
Thank you for the link. That certainly is concise, but even according to the warnings and the consensus elsewhere, autonomous Guest access is a marked security risk. [To be pedantic, as an organization issue, I did want to share one or more whole drives, as I hoped to make organization as simple as possible for storing video projects.]
"This example defines a share that is accessible without authentication. Guest shares can be a security problem. For example on a laptop that is connected to different networks, such as home, school, and work networks. Use guest shares with care and never use a guest share with authenticated users.
Starting from Windows 10 1709, guest access in SMB2 and SMB3 is disabled by default. This means that guest access from Windows 10 to a Samba share will not work, for more information, see here."

Post by Moonstone Man »

brendaem wrote: Wed Aug 04, 2021 9:42 am ... I just want to share a drive with two or three Windows boxes, on a home/small-office network, with some measure of confidence that even if my roommate's router or wherever these boxes end up isn't set up well, then I won't have uninvited guests--with regard to the share anyway.
viewtopic.php?f=42&t=312993

That solution covers everything you are concerned about. You treat your inaccessible router as the WAN, and everything else is the LAN.

Post by brendaem »

Thank you for the information.

Reading the text on Samba, we find that insanity is engaged by default, as if a few people from inside Samba wanted to destroy it from the inside. LOL!
"By default Samba will accept connections from any host, which means that if you run an insecure version of Samba on a host that is directly connected to the Internet you can be especially vulnerable."
Ref: https://www.samba.org/samba/docs/server_security.html
[Meh: and there should be a comma between: "default" and "Samba" .]

I did try restricting with almost those lines, and I wasn't sure if I had chosen my ranges too tightly, or if the network here is a little strange. There apparently are versions of Samba on some distros compiled with non-functioning allow/restrict options.

Even with all of Microsoft's bewildering security blunders [COUGH! registry, filemanager/web browser lookalike, allowing DRM rootkits COUGH!] ...anyway, to their credit, from the networking user interface, they at least tried to differentiate the local network from the Internet UI-wise.

It would have been my hope that if Samba truly emulated Windows networking, they would not security-wise put the user out there on a busy inner-city streetcorner, on a hot summer night, with $20-bills taped to its otherwise naked body.

Post by ricardogroetaers »

To unwind.
This samba works!


Post by RowlandP »

brendaem wrote: Wed Aug 04, 2021 11:28 pm
"This example defines a share that is accessible without authentication. Guest shares can be a security problem. For example on a laptop that is connected to different networks, such as home, school, and work networks. Use guest shares with care and never use a guest share with authenticated users.
Starting from Windows 10 1709, guest access in SMB2 and SMB3 is disabled by default. This means that guest access from Windows 10 to a Samba share will not work, for more information, see here."
Guest access is insecure by its very nature. If you allow guest access, anyone, who can connect to your system, can read (at least) your data. Why do you think I added that warning to the Samba wiki ?

If you want security from the internet, I suggest you look elsewhere, you need to ensure all unnecessary incoming ports are closed on your internet facing router.
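The two smb.conf points raised in this thread, the 'hosts allow' restriction and the guest-share warning, can be checked mechanically. The following is an added example, not code from any poster or from the Samba project; the share name, the user alice, the 192.168.1.0/24 subnet and both sample configurations are constructed for illustration, and the audit only looks at 'hosts allow' in [global] and 'guest ok' per share.

```python
import ipaddress

# Constructed sample: guest share with no host restriction.
WEAK = """
[global]
   map to guest = Bad User
[videos]
   path = /srv/videos
   guest ok = yes
"""
# Constructed sample: same share limited to loopback and one private subnet.
HARDENED = """
[global]
   hosts allow = 127.0.0.1 192.168.1.0/24
   hosts deny = 0.0.0.0/0
[videos]
   path = /srv/videos
   guest ok = no
   valid users = alice
"""
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def is_local(entry):
    """True for an IPv4 address/network inside loopback or RFC 1918 space."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # hostnames and '192.168.1.' prefixes need manual review
    return net.version == 4 and any(net.subnet_of(n) for n in LOCAL_NETS)

def audit(text):
    """List findings: unrestricted or non-local hosts allow, guest shares."""
    conf = parse_smb_conf(text)
    allow = conf.get("global", {}).get("hosts allow", "").replace(",", " ").split()
    findings = [f"global: hosts allow entry {e!r} is not loopback/RFC 1918"
                for e in allow if not is_local(e)]
    if not allow:
        findings.append("global: no hosts allow, Samba accepts any host")
    for name, params in conf.items():
        if params.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append(f"{name}: guest ok = yes, no authentication needed")
    return findings

if __name__ == "__main__":
    for label, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit(text) or "no findings")
```

Running `testparm -s` on the real file first gives the effective configuration to feed into a check like this; a clean result here says nothing about the host firewall or the router.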

Post by ivar »

brendaem wrote: Thu Aug 05, 2021 12:04 am Thank you for the information.

Reading the text on Samba, we find that insanity is engaged by default, as if a few people from inside Samba wanted to destroy it from the inside. LOL!
"By default Samba will accept connections from any host, which means that if you run an insecure version of Samba on a host that is directly connected to the Internet you can be especially vulnerable."
. just like a Windows server would do if you shared a folder with incorrect (share + folder) permissions

Post by altair4 »

ivar wrote: Thu Aug 05, 2021 7:01 am
brendaem wrote: Thu Aug 05, 2021 12:04 am Thank you for the information.

Reading the text on Samba, we find that insanity is engaged by default, as if a few people from inside Samba wanted to destroy it from the inside. LOL!
"By default Samba will accept connections from any host, which means that if you run an insecure version of Samba on a host that is directly connected to the Internet you can be especially vulnerable."
. just like a Windows server would do if you shared a folder with incorrect (share + folder) permissions
That is a very true statement. But consider this in the context of this topic.

Windows Defender differentiates between Public ( outside of your lan ) and Private ( inside your lan ) and by default sets up its firewall that way:
SMB is pretty much disabled and un-browseable in the Public space. You can achieve this with ufw / gufw I suppose - probably more seamlessly with FirewallD.

But in the context of this topic none of that will work - Not in Windows. Not in Linux. The reason why is because the original poster cannot guarantee the security of the router he is using.

Post by RowlandP »

altair4 wrote: Thu Aug 05, 2021 10:11 am
But in the context of this topic none of that will work - Not in Windows. Not in Linux. The reason why is because the original poster cannot guarantee the security of the router he is using.
Has he ever said what router he is using ? Most, if not all, routers I have come across, are secure out of the box.

Post by altair4 »

RowlandP wrote: Thu Aug 05, 2021 11:49 am
altair4 wrote: Thu Aug 05, 2021 10:11 am
But in the context of this topic none of that will work - Not in Windows. Not in Linux. The reason why is because the original poster cannot guarantee the security of the router he is using.
Has he ever said what router he is using ? Most, if not all, routers I have come across, are secure out of the box.
No he has not. And despite being offered several options to limit access to his server mainly by you he has never stated if they worked. And if they didn't work how - exactly - he knows they didn't work.

I think I stated somewhere in this - now 11 day - thread that if he is being accessed from outside the lan the least of his issues is samba.