
Given today's date, running Windows 10 or later and connecting to a RHEL 8.8 or newer Linux system which currently has samba-4.17.5-3.el8_8, what is a best practice for parameters one should have in /etc/samba/smb.conf to ensure the most secure and reliable connection over that protocol?

Below is what I am using. Can anyone modify or add to it to make it better? I am doing a simple Samba setup with security = user and passdb backend = tdbsam, with simple local passwords created with smbpasswd -a. If you have an smb.conf template to share that involves Windows domain joining and Active Directory and other more complicated things, that would be cool too.

I am showing the two basic shares (home and data) that I almost always do; are there parameters that should also be there to improve security?

Note: not concerned all that much with the logging part, but it would be appreciated if you can improve on it or provide an explanation such that an admin could read it and make a rational decision on how to configure it.

```ini
# /etc/samba/smb.conf template, RHEL 8.8
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes
log level = 0 vfs:10
log file = /var/log/samba/sambavfs.log
max log size = 0
smb encrypt = required
client min protocol = SMB3
client max protocol = SMB3
client signing = mandatory
server signing = mandatory

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
vfs objects = extd_audit

[data]
comment = data
inherit acls = Yes
read only = No
path = /data
directory mask = 770
create mask = 660
vfs objects = extd_audit
```

NOTE: just also found out that FIPS=1 in GRUB_CMDLINE_LINUX in /etc/default/grub (or doing fips-mode-setup --enable which is available in RHEL-8) kills a samba connection from windows. See https://access.redhat.com/discussions/7022626. This was not the case in RHEL-7.9 when doing FIPS=1.

  • "best" makes little sense here – you wouldn't share unix home directories, you wouldn't store passwords in a local database, but rely on LDAP+kerberos/AD for authentication, enroll your users with smartcards, the whole shebang. Generally, what is the "securest for your scenario" is really far too wide a scope, and would still under extensive requirements description be essentially asking for opinionated complete setups. Commented Nov 14, 2023 at 21:55
  • Maybe I should just power everything off then. Commented Nov 14, 2023 at 22:42
  • That would be the safest option! Commented Nov 14, 2023 at 22:45
  • All I'm asking is what are the handful of parameters that ought to be used in smb.conf... For example, if one asked about password security, then look in /etc/security/pwquality.conf; that's where all those relevant settings you need to know about are, and then set a number accordingly. Commented Nov 15, 2023 at 14:10
  • I didn't think my question would be poopoo'd so quick. Commented Nov 15, 2023 at 14:11

1 Answer

For anyone interested, after going through the current man page for Samba, this is what I pulled out of it that seemed relevant. With the global section defined below, a Samba connection from Windows 10 works for me to a RHEL-7.9 system (and I assume RHEL 8.8+). Per the man page description I think much of it is default settings, but it's nice eye candy knowing what's actually in effect.

```ini
# /etc/samba/smb.conf
# https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
[global]
server role = standalone
security = user
passdb backend = tdbsam
map to guest = Bad User

# turn off print stuff
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes

# default deadtime to disconnect after N minutes of inactivity is 10080
deadtime = 5

server min protocol = SMB3_11
server smb encrypt = required
server signing = mandatory
# server smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM
# server smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256
server smb3 encryption algorithms = AES-256-GCM
server smb3 signing algorithms = AES-128-GMAC

client min protocol = SMB3_11
client smb encrypt = required
client signing = required
client ipc signing = required
client protection = encrypt
# client smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM
# client smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256
client smb3 encryption algorithms = AES-256-GCM
client smb3 signing algorithms = AES-128-GMAC

# client use kerberos = < off | desired | required >
# kerberos encryption types = < all | strong | legacy >
# hosts allow = 192.168.1.0/255.255.255.0

max log size = 0
log level = 0 vfs:10
log file = /var/log/samba/sambavfs.log
```
  • So while the above smb.conf does work in RHEL 7.9, when doing a smbpasswd it will report a handful of unknown parameters. And in RHEL 8.9 just one of those as unknown: smb encrypt, if I remember. Also, while samba-server will successfully run in Linux, the connection from a Windows 10 PC will not connect based on some specifically chosen server/client encryption algorithms, among a few others. Murcus I think doesn't approve of this type of info, so if I figure out anything else that seems like a good setting maybe I'll post it, maybe I won't. Commented Nov 22, 2023 at 16:44
  • I appreciate the sharing of your findings and comments. A good quick step up for a simple/basic setup without the enterprise overcomplexities that bury the basic user config on the docs. Commented Apr 16, 2024 at 4:34
  • server min prototcol = SMB3_11 resulted in unknown parameter on service smb start when I initially posted here. But as of today's date in RHEL-8.9 with samba-4.18.6-3 that seems to have been corrected. Note: AES-128-GMAC is not supported by Win10 clients, at least not how those Win10 systems I deal with were set up. Commented Apr 16, 2024 at 12:03
  • Got the same issue on 4.17, but noticed it's because of a typo in server min prototcol = SMB3_11: "prototcol" has an extra "t" and should be server min protocol = SMB3_11 (can't edit, an edit needs more than 6 chars to be changed). The rest seems to be working fine for W10 clients. Commented Apr 17, 2024 at 11:24
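Both configurations on this page (the question's, which still uses the legacy `smb encrypt` name and sets no server-side minimum protocol, and the answer's hardened `[global]` section) can be checked mechanically before `testparm` ever runs. The following is an added example, not code from the original question or answer: a small Python audit that parses an smb.conf, evaluates the security-relevant `[global]` parameters at Samba's built-in defaults when they are unset (which is how Samba treats them), reports the legacy `smb encrypt` spelling that the comments above describe as an unknown parameter on newer releases, and checks each share for `guest ok` and for `create mask`/`directory mask` values that grant bits to "other". The parameter names, accepted values and defaults come from smb.conf(5); the two sample configurations are constructed for the demonstration, modeled on the question and the answer, with one `guest ok = yes` line added to the question-style sample so the share check has something to flag.

```python
"""Audit an smb.conf for the hardening parameters discussed on this page.

Added example, not from the original post. Parameter names, accepted values and
defaults are taken from smb.conf(5); the sample configs below are constructed.
"""
import re
from typing import Dict, List

Sections = Dict[str, Dict[str, str]]

# (parameter, acceptable values, Samba's built-in default) for [global].
# A missing parameter is evaluated at its default, exactly as Samba would.
GLOBAL_CHECKS = [
    ("server min protocol", {"smb3_11", "smb3"}, "SMB2_02"),
    ("server smb encrypt", {"required"}, "default"),
    ("server signing", {"mandatory", "required"}, "default"),
    ("map to guest", {"never", "bad user"}, "Never"),
]

# Legacy spellings: the comments above report 'smb encrypt' as unknown on samba 4.18.
LEGACY_NAMES = {"smb encrypt": "server smb encrypt"}

# Per-share mask defaults from smb.conf(5); both grant bits to 'other'.
MASK_DEFAULTS = {"create mask": "0744", "directory mask": "0755"}


def normalise(name: str) -> str:
    """Samba ignores case and whitespace differences in parameter names."""
    return " ".join(name.lower().split())


def parse_smb_conf(text: str) -> Sections:
    """Minimal smb.conf parser: [section] headers and 'key = value' lines.
    smb.conf only has whole-line comments (# or ;), never inline ones."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = normalise(header.group(1))
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][normalise(key)] = value.strip()
    return sections


def audit(text: str) -> List[str]:
    """Return one finding per weak or legacy setting; an empty list means all checks passed."""
    sections = parse_smb_conf(text)
    findings: List[str] = []
    global_ = dict(sections.get("global", {}))

    for old, new in LEGACY_NAMES.items():
        if old in global_:
            findings.append(f"[global] '{old}' is the legacy spelling; the current parameter is '{new}'")
            global_.setdefault(new, global_[old])  # honour the value, but still report the rename

    for param, allowed, default in GLOBAL_CHECKS:
        value = global_.get(param, default)
        if value.lower() not in allowed:
            origin = "" if param in global_ else " (default, not set)"
            findings.append(f"[global] {param} = {value}{origin}; expected one of {sorted(allowed)}")

    for name, share in sections.items():
        if name in ("global", "printers", "print$"):
            continue
        if share.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append(f"[{name}] guest ok = yes allows unauthenticated access")
        for mask, default in MASK_DEFAULTS.items():
            value = share.get(mask, default)
            if int(value, 8) & 0o007:  # any rwx bit for 'other'
                findings.append(f"[{name}] {mask} = {value} grants permissions to 'other'")
    return findings


# Constructed sample modeled on the question's config; 'guest ok = yes' is added
# under [data] purely so the share check has something to report.
QUESTION_CONF = """
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
smb encrypt = required
client min protocol = SMB3
client signing = mandatory
server signing = mandatory
[homes]
valid users = %S, %D%w%S
read only = No
[data]
path = /data
read only = No
directory mask = 770
create mask = 660
guest ok = yes
"""

# Constructed sample modeled on the answer's hardened [global] section.
ANSWER_CONF = """
# /etc/samba/smb.conf
[global]
server role = standalone
security = user
passdb backend = tdbsam
map to guest = Bad User
server min protocol = SMB3_11
server smb encrypt = required
server signing = mandatory
client min protocol = SMB3_11
"""

if __name__ == "__main__":
    for label, conf in (("question", QUESTION_CONF), ("answer", ANSWER_CONF)):
        print(f"== {label} ==")
        for finding in audit(conf) or ["no findings"]:
            print(" ", finding)
```

Run as a script it prints the findings for each sample; pointed at a real file (`audit(open("/etc/samba/smb.conf").read())`) it gives a quick pre-`testparm` review. The parser deliberately resolves unset parameters to Samba's defaults rather than only looking at what is written, because the security posture comes from the effective value, not the file's contents.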
