How to secure Samba share access

Has anyone successfully shared a path with spaces (say, /media/My Music) using the CF Samba?
This is the way things are normally set up on the HDR:
Code:
humax3 ~ # cat /mod/etc/smb-hotplug.conf
# Do not modify this file - it will be overwritten

[My Music]
   comment = My Music
   path = /mnt/hd2/My Music
   public = yes
   writable = yes
   browsable = yes
   create mask = 0644
   directory mask = 0755
   hide dot files = no

etc.
And from a 'doze box:
Code:
>net view \\humax3
Shared resources at \\humax3

Samba HDR-Fox-T2

Share name  Type  Used as  Comment

-----------------------------------------------------
Media       Disk           Media
My Music    Disk           My Music
My Photo    Disk           My Photo
My Video    Disk           My Video
The command completed successfully.
and dir "\\humax3\my video" works as you would expect.

Having said that, I've modified my other boxes to get rid of the space in the share name as I think it is stupid, and it causes other problems with things that don't understand the space.
 
This is my /mod/etc/smb-hotplug.conf, which I've not edited as it says it will be overwritten, hence I edited the smb.conf file.

Thanks

Rodp

Code:
# Do not modify this file - it will be overwritten

[My Music]
   comment = My Music
   path = /mnt/hd2/My Music
   public = yes
   writable = yes
   browsable = yes
   create mask = 0644
   directory mask = 0755
   hide dot files = no

[My Photo]
   comment = My Photo
   path = /mnt/hd2/My Photo
   public = yes
   writable = yes
   browsable = yes
   create mask = 0644
   directory mask = 0755
   hide dot files = no

[My Video]
   comment = My Video
   path = /mnt/hd2/My Video
   public = yes
   writable = yes
   browsable = yes
   create mask = 0644
   directory mask = 0755
   hide dot files = no

[drive1]
   comment = drive1
   path = /media/drive1
   public = yes
   writable = yes
   browsable = yes
   create mask = 0644
   directory mask = 0755
   hide dot files = no
 
This is the way things are normally set up on the HDR:
...
Having said that, I've modified my other boxes to get rid of the space in the share name as I think it is stupid, and it causes other problems with things that don't understand the space.
The web is full of stuff about spaces in the share name, not so good on spaces in the shared pathname in smb.conf, but your examples show that that isn't @rodp's problem. I wonder what happens with /path/with/final/space or if you accidentally leave white space at the end of the path = directive.
 
This is my /mod/etc/smb-hotplug.conf, which I've not edited as it says it will be overwritten, hence I edited the smb.conf file.
...
I believe that file is meant to be used through an include directive in smb.conf. You could try seeing what happens if you comment out the include.
 
I wonder what happens with /path/with/final/space or if you accidentally leave white space at the end of the path = directive.
Trailing spaces get stripped off both the path name and the share name. Same with leading spaces, as you might expect.
 
I've modified my other boxes to get rid of the space in the share name as I think it is stupid, and it causes other problems with things that don't understand the space.
And for the record, here is the mod:
Diff:
humax# diff /mod/etc/mdev/z9samba~ /mod/etc/mdev/z9samba
--- /mod/etc/mdev/z9samba~
+++ /mod/etc/mdev/z9samba
@@ -12,7 +12,7 @@
 add_entry ()
 {
 cat <<EOD
-[$name]
+[${name// /}]
    comment = $name
    path = $mp
    public = yes
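Review bot: on the `+[${name// /}]` line, the `${name// /}` substitution is not part of POSIX sh, so the change relies on whichever shell runs z9samba supporting it; the interpreter line is not visible in this hunk, so a comment next to the line saying so would help. Removing every space also means two names that differ only in spaces would end up with the same section header, and the unchanged `comment = $name` line still shows the original text, so a one-line comment explaining that only the share name is squeezed (and why) would make the intent clear.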
 
I eventually got this to work by making a patch to the source and making the following changes to smb.conf. It has not been tried with Windows but looks promising.
Code:
Comment out: 'public = yes'
Add: 'valid users = settop'
Without the patch...
Code:
pvr# smbclient //localhost/Media -U settop
added interface ip=10.0.0.5 bcast=10.0.0.255 nmask=255.255.255.0
Password: 
Domain=[HOME] OS=[Unix] Server=[Samba 2.2.12]
tree connect failed: Call returned zero bytes (EOF)
With the patch...
Code:
smbclient //localhost/Media -U settop
added interface ip=10.0.0.5 bcast=10.0.0.255 nmask=255.255.255.0
Password: 
Domain=[HOME] OS=[Unix] Server=[Samba 2.2.12]
smb: \> ls
  .                                   D       0  Sat Jan  1 00:00:16 2000
  ..                                  D       0  Wed Apr 15 18:11:21 2020
  My Photo                            D       0  Sat Sep  2 14:09:39 2017
  My Music                            D       0  Wed Nov 27 20:37:19 2013
  My Video                            D       0  Sat Mar 27 14:05:12 2021
  drive1                              D       0  Sun Sep 24 17:38:29 2017

                62508 blocks of size 1024. 62508 blocks available
I don't have all the patches to the source code for the current release, this would be for @af123 to update.
 
Will / could this patch be provided as a package? Will this fix the issue I am seeing or at least get me a bit closer to getting it working?

Thanks

Rodp
 
I submitted the patch for inclusion around the time of my previous post. It should appear as an updated version of the package but unfortunately some package updates can take a while at the moment.

Once it has been updated you may still have problems with Windows 10 but hopefully they can be overcome.
 
Just wanted to check if there has been any further progress on this. I have in fact moved on to the beta SMB package (3.6.25-1). I'd like to add an extra user. Do I need to follow this comment about adding it into the passwd file:

It's hard wired, I was just looking for a way to protect the shares from being open by default on the network.
I had a quick look on configuring samba but adding a user seems to require the smbpasswd -a cmd, and the user then needs to be in /etc/passwd.
Will take a look in next few days.

How do I add it into /etc/passwd? Through a normal text editor?
 
Whilst I'm trying to figure this out, I'm just trying to edit some filenames via a mapped drive from Windows 10 to My Music folder but it's telling me that I require permission from HUMAX\root to make changes. I've gone into the mnt/hd2/mod/etc/smb.conf and changed it so that the user (settop) is forced to root user but this doesn't seem to make a difference. In fact changing the path also doesn't seem to be having any effect. I am restarting the samba service each time I make a change but other than stopping it, doesn't seem to make any difference.

This is the smb.conf file

Code:
[global]
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
#   guest account = root
#   guest ok = yes
   security = user
   encrypt passwords = yes
   null passwords = yes
   server string = Samba HDR-Fox-T2
   workgroup = WORKGROUP
   netbios name = %h
   case sensitive = yes
   preserve case = yes
   short preserve case = yes
   hosts allow = 10.0.0.0/255.0.0.0 192.168.0.0/255.255.0.0 172.16.0.0/255.240.0.0 127.0.0.0/255.0.0.0
   dos charset = ASCII
   max protocol = SMB2

# The directories under /media are auto-generated and added to the included
# file. Any additional shares which are not under /media should be added
# to this file (/mod/etc/smb.conf).

include = /mod/etc/smb-hotplug.conf

## Removed since it may appear as a small disk on the client
#[Media]
#   comment = Media
#   path = /media
#   public = no
#   writable = yes
#   browsable = yes
#   create mask = 0644
#   directory mask = 0755
#   hide dot files = no
#   valid users = root

[Media2]
   comment = Media-music
   path = /mnt/hd2/My Music
   public = no
   writable = yes
   guest ok = no
   browsable = yes
   create mask = 0644
   directory mask = 0755
   hide dot files = no
   valid users = settop
   force user = root
 
How do I add it into /etc/passwd? Through a normal text editor?
You can't as it's in the read-only flash root filesystem. The only way of doing this is via a bind mount e.g.
Code:
cp -a /etc/passwd /mod/etc/passwd
echo "rodp:x:1002:1002:rodp:/:/bin/sh" >>/mod/etc/passwd
mount --bind /mod/etc/passwd /etc/passwd
Then you can smbpasswd -a rodp and set your SMB password (having restarted the samba service first of course).
You will need to make sure you have the right things in "valid users" and "force user", otherwise more misery ensues, but you seem to be OK with that.

The snag with this is that the bind mount goes away when you reboot, so you need that one line in a script in e.g. /mod/etc/init.d/S91mysamba.
I've gone into the mnt/hd2/mod/etc/smb.conf and changed it so that the user (settop) is forced to root user but this doesn't seem to make a difference. In fact changing the path also doesn't seem to be having any effect. I am restarting the samba service each time I make a change but other than stopping it, doesn't seem to make any difference.
You would appear to be doing something wrong somewhere, but it's not immediately obvious what.

To save editing smb.conf too much, I just added a line at the bottom:
include = /mod/etc/smb-user.conf
and put my customised shares in there.

smbclient is a useful testing tool, as shown in #27.
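
An added example, not part of any post in this thread: a shell/awk check that flags the settings discussed above (guest access through public / guest ok, a share with no valid users list, force user = root, and null passwords = yes in [global]). The function names, messages and sample config are constructed for illustration; it does not follow include = lines, so run it on smb-hotplug.conf and any other included file as well.

```sh
# Added example (not from the thread): flag the smb.conf settings discussed in it.
# Reads the file named as argument, or standard input; include = lines are not followed.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function is_yes(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    function report() {
        if (sect == "") return
        if (tolower(sect) == "global") {
            if (nullpw) print "[global] null passwords = yes: empty-password accounts can log in"
            return
        }
        if (guest) print "[" sect "] guest access enabled (public / guest ok = yes)"
        else if (users == "") print "[" sect "] no valid users: any authenticated account may connect"
        if (force == "root") print "[" sect "] force user = root: all file access runs as root"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }     # skip comments and blank lines
    /^[ \t]*\[/ {                             # new section: report on the previous one
        report()
        sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\][ \t]*$/, "", sect)
        sect = trim(sect); guest = 0; users = ""; force = ""; nullpw = 0
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)  # spaces in names are ignored
        val = trim(substr($0, eq + 1))
        if (key == "public" || key == "guestok") guest = is_yes(val)   # synonyms; last one wins
        else if (key == "validusers") users = val
        else if (key == "forceuser") force = val
        else if (key == "nullpasswords") nullpw = is_yes(val)
    }
    END { report() }
    ' "$@"
}
# Constructed sample modelled on the configs posted in this thread.
sample_conf() {
    cat <<'EOF'
[global]
   null passwords = yes
[My Music]
   public = yes
[Media2]
   guest ok = no
   valid users = settop
   force user = root
EOF
}
sample_conf | audit_smb_conf
```

On the box itself it would be called as audit_smb_conf /mod/etc/smb.conf and again for each file named in an include = line.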
 