Securing File and Print Server
Samba Security Modes
There are two security levels available to the Common Internet Filesystem (CIFS) network protocol user-level and share-level. Samba's security mode implementation allows more flexibility, providing four ways of implementing user-level security and one way to implement share-level:
security = user: requires clients to supply a username and password to connect to shares. Samba user accounts are separate from system accounts, but the libpam-winbind package will sync system users and passwords with the Samba user database.
security = domain: this mode allows the Samba server to appear to Windows clients as a Primary Domain Controller (PDC), Backup Domain Controller (BDC), or a Domain Member Server (DMS). See As a Domain Controller for further information.
security = ADS: allows the Samba server to join an Active Directory domain as a native member. See Active Directory Integration for details.
security = server: this mode is left over from before Samba could become a member server, and due to some security issues should not be used. See the Server Security section of the Samba guide for more details.
security = share: allows clients to connect to shares without supplying a username and password.
The security mode you choose will depend on your environment and what you need the Samba server to accomplish.
Security = User
First, install the libpam-winbind package which will sync the system users to the Samba user database:
sudo apt install libpam-winbind
If you chose the Samba Server task during installation libpam-winbind is already installed.
Edit /etc/samba/smb.conf, and in the [share] section change:
guest ok = no
Finally, restart Samba for the new settings to take effect:
sudo systemctl restart smbd.service nmbd.service
Now when connecting to the shared directories or printers you should be prompted for a username and password.
If you choose to map a network drive to the share you can check the “Reconnect at Logon” check box, which will require you to only enter the username and password once, at least until the password changes.
Samba AppArmor Profile
Ubuntu comes with the AppArmor security module, which provides mandatory access controls. The default AppArmor profile for Samba will need to be adapted to your configuration. For more details on using AppArmor see AppArmor.
There are default AppArmor profiles for /usr/sbin/smbd and /usr/sbin/nmbd, the Samba daemon binaries, as part of the apparmor-profiles packages. To install the package, from a terminal prompt enter:
sudo apt install apparmor-profiles apparmor-utils
This package contains profiles for several other binaries.
By default the profiles for smbd and nmbd are in complain mode allowing Samba to work without modifying the profile, and only logging errors. To place the smbd profile into enforce mode, and have Samba work as expected, the profile will need to be modified to reflect any directories that are shared.
Edit /etc/apparmor.d/usr.sbin.smbd adding information for [share] from the file server example:
/srv/samba/share/ r, /srv/samba/share/** rwkix,
Now place the profile into enforce and reload it:
sudo aa-enforce /usr/sbin/smbd cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r
You should now be able to read, write, and execute files in the shared directory as normal, and the smbd binary will have access to only the configured files and directories. Be sure to add entries for each directory you configure Samba to share. Also, any errors will be logged to /var/log/syslog.
For in depth Samba configurations see the Samba HOWTO Collection
The guide is also available in printed format.
O'Reilly's Using Samba is also a good reference.
Chapter 18 of the Samba HOWTO Collection is devoted to security.
For more information on Samba and ACLs see the Samba ACLs page .
The Ubuntu Wiki Samba page.