Securing a SAMBA Share with SMB3 and encrypted connection
This only works with a Windows 10 client: SMB3 needs Windows 8 or later, and Windows 7 speaks at most SMB 2.1, so it cannot connect to a server that enforces SMB3.
First add the user on the Linux side:
groupadd workgroup
useradd -g workgroup -r --shell=/sbin/nologin user1
The /sbin/nologin shell ensures that the account cannot log in to Linux itself.
Samba only needs the Unix account to exist; the login shell is irrelevant to it.
Add your samba-account:
smbpasswd -a user1
Add these entries to the [global] section of your smb.conf:
# browsing
os level = 0
local master = no
domain master = no
preferred master = no
enhanced browsing = no
wins support = no
# users and passwords
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat debug = no
passdb expand explicit = no
guest account = nobody
map to guest = Bad User
encrypt passwords = yes
unix password sync = yes
guest ok = no
# authentication
smb encrypt = required
client plaintext auth = no
client lanman auth = no
client ntlmv2 auth = yes
lanman auth = no
ntlm auth = ntlmv2-only
# SMB protocols
server min protocol = SMB3
server max protocol = SMB3
client ipc min protocol = SMB3
client min protocol = SMB3
# 139 (NetBIOS session service) is only used by legacy clients; Windows reaches SMB2/3 on 445, so 139 can be dropped when no nmbd runs
smb ports = 445 139
Add the share itself to smb.conf as a [service] section:
[data]
# set your service name
path = /srv/samba
# set your path
smb encrypt = required
The share-level 'smb encrypt = required' is redundant while [global] already requires encryption, but it keeps this share encrypted even if the global setting is ever relaxed.
Restart your SAMBA:
service smb restart
I have no nmb service running for browsing.
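The settings above only help if they really land in [global] and are not overridden later in the file (Samba takes the last assignment, and a share section can carry its own 'smb encrypt'). The following script is an added example, not part of the original page: it reads an smb.conf, extracts the effective [global] value of each hardening parameter the tutorial sets, and reports PASS/FAIL against the values shown above. The two configs it audits are constructed inline (a loose default-style one beside the hardened one); the function names and the exact list of checked parameters are this example's choice. On a real server point check_smb_conf at /etc/samba/smb.conf, or at the output of `testparm -s` if the config uses include files.

```sh
#!/bin/sh
# Added example, not from the original page: audit the [global] section of an
# smb.conf for the hardening settings the tutorial sets. Two sample configs are
# constructed inline; on a real server point check_smb_conf at
# /etc/samba/smb.conf or at `testparm -s` output (which resolves includes).

# Print the effective value of a [global] parameter: Samba takes the last
# assignment, ignores whitespace around '=', and parameter names are
# case-insensitive. Comment lines (# or ;) and share sections are skipped.
smb_global_value() {  # $1 = parameter name, $2 = config file
    awk -v key="$1" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { section = tolower($0); gsub(/[^a-z0-9]/, "", section); next }
        section == "global" && index($0, "=") {
            name = $0; sub(/=.*/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (tolower(name) == tolower(key)) {
                value = $0; sub(/^[^=]*=[ \t]*/, "", value); sub(/[ \t]+$/, "", value)
                last = value
            }
        }
        END { print last }' "$2"
}

# Compare each security-relevant setting with the value the tutorial requires.
# An unset parameter counts as a failure: Samba's built-in default is looser.
# Prints one PASS/FAIL line per setting; returns 1 if anything failed.
check_smb_conf() {  # $1 = config file
    rc=0
    for rule in \
        "server min protocol=SMB3" \
        "smb encrypt=required" \
        "ntlm auth=ntlmv2-only" \
        "lanman auth=no" \
        "client plaintext auth=no" \
        "map to guest=Bad User"
    do
        key=${rule%%=*}; want=${rule#*=}
        got=$(smb_global_value "$key" "$1")
        if [ "$(printf %s "$got" | tr 'A-Z' 'a-z')" = "$(printf %s "$want" | tr 'A-Z' 'a-z')" ]; then
            printf 'PASS  %-24s = %s\n' "$key" "$got"
        else
            printf 'FAIL  %-24s = %s (want: %s)\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done
    return $rc
}

WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

# Constructed sample: the share is encrypted per-share, but [global] still
# negotiates SMB1 (NT1), NTLMv1 and unencrypted sessions.
cat >"$WEAK" <<'EOF'
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   smb encrypt = off
   ntlm auth = yes
[data]
   path = /srv/samba
   smb encrypt = required
EOF

# The same file with the tutorial's [global] hardening applied.
cat >"$HARD" <<'EOF'
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3
   server max protocol = SMB3
   smb encrypt = required
   lanman auth = no
   ntlm auth = ntlmv2-only
   client plaintext auth = no
   map to guest = Bad User
[data]
   path = /srv/samba
   smb encrypt = required
EOF

echo "== weak config =="
check_smb_conf "$WEAK" || echo "audit FAILED: fix [global] before exposing the share"
echo "== hardened config =="
check_smb_conf "$HARD" && echo "audit passed"
```

The weak sample fails all six checks even though its [data] share says 'smb encrypt = required': the audit deliberately reads only [global], because that is what decides whether an SMB1 or unencrypted session can be set up at all. Run it after every change to smb.conf, before restarting the service.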
Settings on the Windows client:
Open a command prompt with administrator rights and run the following:
REM disable SMB v1 (removes both the SMB1 client and server; a reboot is required afterwards)
powershell -command "Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"
REM check the SMB v1 state
powershell -command "Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"
REM make sure SMB v2/v3 stays enabled on the Windows SMB server component; -Force skips the confirmation prompt
powershell -command "Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force"
REM check the SMB v2/v3 state
powershell -command "Get-SmbServerConfiguration | Select EnableSMB2Protocol"
Then set these registry values:
REM no plaintext passwords
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters" /v EnablePlainTextPassword /t REG_DWORD /d 0 /f
REM enable SMB signing on the client
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters" /v EnableSecuritySignature /t REG_DWORD /d 1 /f
REM require signing always (refuse servers that do not sign)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f
REM send NTLMv2 responses only; refuse LM and NTLM (LmCompatibilityLevel 5)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
REM do not allow anonymous enumeration of SAM accounts and shares
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymous /t REG_DWORD /d 1 /f
Open a connection on the client side:
net use n: \\<ip-address>\data
smbstatus on the server side then shows the following:
Samba version 4.10.16
PID     Username     Group        Machine                                        Protocol Version  Encryption    Signing
-----------------------------------------------------------------------------------------------------------------------------------
2483    user1        workgroup    192.168.xxx.xxx (ipv4:192.168.xxx.xxx:50321)   SMB3_11           AES-128-CCM   AES-128-CMAC

Service      pid     Machine           Connected at                   Encryption    Signing
--------------------------------------------------------------------------------------------------
data         2483    192.168.xxx.xxx   Sun Feb 28 10:26:14 2021 CET   AES-128-CCM   AES-128-CMAC

Locked files:
Pid          User(ID)   DenyMode   Access      R/W        Oplock           SharePath    Name   Time
-------------------------------------------------------------------------------------------------------------------
2483         990        DENY_NONE  0x80        RDONLY     NONE             /srv/samba   .      Sun Feb 28 10:26:14 2021
The Encryption and Signing columns are the proof: AES-128-CCM and AES-128-CMAC on both the session and the share mean the connection is signed and encrypted. An unencrypted or unsigned session would show '-' in those columns, and a client that got in below SMB3 would show up under Protocol Version.
This was done on CentOS 7 with Windows 10.
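Reading those columns by eye works for one session; on a server with many clients it is worth checking them automatically, especially after a config change that might have relaxed 'server min protocol' or 'smb encrypt'. The script below is an added example, not part of the original page: it parses the session table of smbstatus output and flags every session whose dialect is below SMB3 or whose Encryption/Signing column is '-'. The input is a constructed sample in the layout shown above (PIDs and addresses invented), with a second, legacy SMB2 session added for contrast; the function name and the output format are this example's choice. On the server, pipe `smbstatus -p` into it.

```sh
#!/bin/sh
# Added example, not from the original page: audit the session table printed
# by `smbstatus` and flag every client that negotiated a dialect below SMB3 or
# whose session is not encrypted/signed. Sample input is constructed below;
# on a real server run:  smbstatus -p | audit_sessions

# Read smbstatus output on stdin. Only the first table (sessions) is examined;
# the share and locked-files tables are skipped by tracking the table headers,
# because lock rows also begin with a numeric PID. The Machine column contains
# a space ("addr (ipv4:addr:port)"), so protocol, encryption and signing are
# taken from the end of each row rather than by fixed column number.
# Prints "OK"/"WEAK" per session; returns 1 if any session is weak.
audit_sessions() {
    awk '
        /^PID[[:space:]]+Username/  { table = "sessions"; next }
        /^Service[[:space:]]+pid/   { table = "shares";   next }
        /^Locked files/             { table = "locks";    next }
        /^-+$/ || /^[[:space:]]*$/  { next }
        table == "sessions" && /^[0-9]+[[:space:]]/ && NF >= 6 {
            pid = $1; user = $2
            proto = $(NF-2); enc = $(NF-1); sign = $NF
            weak = 0
            if (proto !~ /^SMB3/) weak = 1   # NT1 or SMB2 dialect: SMB encryption not available
            if (enc == "-")       weak = 1   # smbstatus prints "-" when the session is not encrypted
            if (sign == "-")      weak = 1   # ... and when it is not signed
            printf "%s pid=%s user=%s proto=%s enc=%s sign=%s\n",
                   (weak ? "WEAK" : "OK"), pid, user, proto, enc, sign
            if (weak) bad++
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample in the tutorial's smbstatus layout: user1 as shown there,
# plus user2 from a client that was let in with SMB 2.1 and no encryption.
SAMPLE='Samba version 4.10.16
PID     Username     Group        Machine                                   Protocol Version  Encryption    Signing
--------------------------------------------------------------------------------------------------------------------
2483    user1        workgroup    192.168.1.20 (ipv4:192.168.1.20:50321)    SMB3_11           AES-128-CCM   AES-128-CMAC
2511    user2        workgroup    192.168.1.21 (ipv4:192.168.1.21:49812)    SMB2_10           -             -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
data         2483    192.168.1.20  Sun Feb 28 10:26:14 2021 CET     AES-128-CCM  AES-128-CMAC
data         2511    192.168.1.21  Sun Feb 28 10:27:02 2021 CET     -            -

Locked files:
Pid          User(ID)   DenyMode   Access      R/W        Oplock           SharePath   Name   Time
---------------------------------------------------------------------------------------------------------------
2483         990        DENY_NONE  0x80        RDONLY     NONE             /srv/samba   .   Sun Feb 28 10:26:14 2021
'

printf '%s\n' "$SAMPLE" | audit_sessions \
    || echo "weak sessions present: check 'server min protocol' and 'smb encrypt' in [global]"
```

With the [global] settings from this page the second session could not exist, since the server refuses anything below SMB3 and any unencrypted session; the check is for catching drift, for example a later edit that sets 'smb encrypt' only per share. On the Windows side the same fact can be confirmed with Get-SmbConnection, whose Dialect column reads 3.1.1 for the mapped drive.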