How to secure Samba share access

mr-b

Hi

I've just added the custom firmware to my HDR-Fox 2T to replace my old Toppy and was glad to see that adding samba was able to make it visible as a windows/cifs/samba share, so that I can use robocopy to copy decrypted files off onto my media server.
Now my question is how do I enable security and/or permissions to secure it on my network?
 
If you look in /mod/etc you will find an smb.conf file and an smbpasswd file. If you know what you're doing (not me!) no doubt manipulating those will achieve what you want (after a reboot).

The WebIF provides a file inspection/editing facility: WebIF >> Diagnostics >> File Editor >> Open
 
Is your box wifi'd (if so, how) or hard wired? If the latter, what security do you need?
 
It's hard wired, I was just looking for a way to protect the shares from being open by default on the network.
I had a quick look on configuring samba but adding a user seems to require the smbpasswd -a cmd, and the user then needs to be in /etc/passwd.
Will take a look in next few days.
 
It's hard wired, I was just looking for a way to protect the shares from being open by default on the network.
I had a quick look on configuring samba but adding a user seems to require the smbpasswd -a cmd, and the user then needs to be in /etc/passwd.
Will take a look in next few days.

Did you manage to do this mr-b?

I've been reading around how to add a samba user (smbpasswd -a) that requires a password for access to the box and stopping non-password access, but I'm a little unsure as 1) there seems to be a difference between Samba 3 and 4 (I don't know what version is on the humax) and 2) I've read that for Samba 3 you have to have a local user account set up (https://www.cyberciti.biz/faq/adding-a-user-to-a-samba-smb-share/). I know the humax is most likely not set up in the same manner as a normal linux system but it's something that has made me pause and try and find someone a little more in the know!

Can you (or anyone) advise?

Thanks

Rodp
 
Samba 3 and 4 (I don't know what version is on the humax)
Neither of those! Are you not aware of the trouble people have with Windows 10, because it does not offer SMB1/2 compatibility by default? You need to think SMB1.
 
Neither of those! Are you not aware of the trouble people have with Windows 10, because it does not offer SMB1/2 compatibility by default? You need to think SMB1.
Yes, I am aware of SMB v1 and v2. I was referencing the version mentioned in the URL above, which I guess is the driver/software version. My Windows 10 PCs don't talk to my humax that much (I use FTP or DLNA if needed; however, I do believe that despite the PCs being up to date I still have normal Windows Explorer access to the drives, which I guess I should investigate, as I don't recall specifically telling the PCs to stick with SMB1, as I know that's a security problem for Windows PCs), but this is about using my android phone and managing access for my boys (11-12 year old tech messer-uppers if they're given the chance!).
 
Another reason for me investigating this is that android apps vary in terms of SMB v1 or v2 access but also password and passwordless setups. E.g. my favourite android app (VLC) won't access the humax via SMB, which I suspect is due to it currently being a passwordless connection. Other apps, e.g. X-plore and BS Player, work fine with no password.

So that in effect is now two reasons to change SMB access. So if anyone could advise that would be great.

Thanks

Rodp
 
It's hard wired, I was just looking for a way to protect the shares from being open by default on the network.
I had a quick look on configuring samba but adding a user seems to require the smbpasswd -a cmd, and the user then needs to be in /etc/passwd.
...
User settop could be used, which is already in the RO /etc/passwd; or even just root.

If smbpasswd -a settop runs, you should be able to enter settop's SMB password. Then some configuration like a valid users=settop line in the share definition should enable the desired access control. Surely it can't be that easy, or someone would have done it already?
 
I shudder at the memory of this - sorry I never found a solution and had to file it in the "too hard" pile.

I got as far as https://www.samba.org/samba/docs/man/manpages-3/smbpasswd.8.html

smbpasswd -a fred
New SMB password:
Retype new SMB password:
User fred does not exist in system password file (usually /etc/passwd). Cannot add account without a valid local system user.
Failed to modify password entry for user fred

TBH I've never had a good experience with Samba/SMB/CIFS/Lan Manager on Unix/Linux. If you ever get it working an update comes along and breaks it. Or the filesystems break all the permissions.
Win10 even used to uninstall SMB1.0 if it wasn't used for 15 days. I guess it's just an old religious war.

Ditto for Android - I could only ever get ES-Explorer to work as a CIFS client but then they rewrote it and broke it.
E2A they must have fixed ES Explorer - it sees the humax using smb (but it doesn't show up in a scan) and anon access.
VLC lists the humax under smb but says "This directory is empty".
 
As /etc/passwd has no fred but does have a settop, my suggestion to use that for testing might be relevant!

If that worked, we might then investigate whether there is a requirement for custom Samba usernames (fred, say) and, if so, how to make Samba think that they exist in /etc/passwd.
 
Just seen that reply. I just added a settop password and it worked!
But adding "valid users = settop" in either the [global] or [media] section seemed to be authenticated, but I could still access the share anonymously via Windows and ES Explorer. I restarted samba under Service rather than a reboot, so that might make a difference. I know that sometimes Windows caches credentials, which may also muddy the waters - I've not rebooted etc. so my results may not be 100%.
 
... adding "valid users = settop" in either [global] or [media] sections seemed to be authenticated but I could still access the share anonymously via Windows and ES Explorer. ...
The documentation for our ancient version of Samba is here (use the "raw" link to get a page for reading; go back to the directory listing to follow links to other pages in the collection). Unfortunately general web searching will mostly give answers relevant to more recent Samba versions.

It seems that the smb.conf may need to have something like this:
Code:
[global]
	netbios name = <NetBIOS name to connect to, or omit to use the first component of the DNS name>
	server string = <whatever>
	workgroup = <whatever^n>

[<your share identifier>]
	path = <your Humax path to be shared>
	comment = <whatever>
	volume = <name of share (\\netbios name\volume) to be made available on your Humax>
	valid users = settop
	writeable = yes
	guest ok = no
Supposedly, the guest account maps to the local username nobody (which exists!), so if the guest account is enabled ("guest ok = yes") a client with guest access should only be able to access files with a:r or a:rw permissions and only be able to navigate directories with a:rx permission. By default recordings seem to have o:rw,g:r,a:r, with owner and group root:root. Obviously I would test this if I actually had Samba running on any of my Humaxen.
 
Thanks for the reply @/df ... @mr-b did /df's reply help you do a little more testing? VLC for android still won't connect so I'm still trying to get this working. I'm a little out of my comfort zone when amending the smb.cfg file, but maybe together we can get this working. A couple of questions I'm still trying to work out: 1) How do you turn off anonymous access? 2) Will turning off anonymous access be just to do with SAMBA, or will it impact other things that the Humax does (compacting, youtube-dl, nicesplice etc.)?

If I can figure this out, then at first I will keep anonymous access open as ultimately the purpose of setting up a user with password account is to try and get VLC for android working! :)

Thanks

Rodp
 
Unless (most unusually) you have another Humax HD/R CF box carrying out operations via SMB on the target Humax HD/R CF box, not having anonymous SMB access won't affect other CF operations (so yes, "just to do with SAMBA").

I expect that @mr-b's anonymous access might have disappeared from the Windows machine after restarting it.
 
So I've had a little play but can't get it to work... this is what I did.

In telnet:

Code:
smbpasswd -a settop
<entered a password>
<retyped the password>
Password changed for user settop

So nothing untoward there, but not sure if there is any way to check if it's actually done something?!

I then loaded up mod/etc/smb.conf and added in a new share at the bottom which I've called Media2. I saved the file and then restarted the Samba service via webif.

This is the full /mod/etc/smb.conf file. Scroll to the bottom to find the additional Media2 share I created.

Code:
[global]
   coding system = utf8
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   guest account = root
   guest ok = yes
   security = share
   encrypt passwords = yes
   null passwords = yes
   server string = Samba HDR-Fox-T2
   workgroup = WORKGROUP
   netbios name = %h
   client code page=850
   character set = iso8859-1
   case sensitive = yes
   preserve case = yes
   short preserve case = yes
   interfaces = %h/24
   hosts allow = 10.0.0.0/255.0.0.0 192.168.0.0/255.255.0.0 172.16.0.0/255.240.0.0 127.0.0.0/255.0.0.0

# The directories under /media are auto-generated and added to the included
# file. Any additional shares which are not under /media should be added 
# to this file (/mod/etc/smb.conf).

include = /mod/etc/smb-hotplug.conf

# Retained for compatibility - this may appear as a small disk on the client
[Media]
   comment = Media
   path = /media
   public = yes
   writable = yes
   browsable = yes
   create mask = 0644
   directory mask = 0755
   hide dot files = no

[Media2]
   comment = Media2
   path = /media/My Music
   public = yes
   writable = yes
   guest ok = no
   browsable = yes
   create mask = 0644
   directory mask = 0755
   hide dot files = no
   valid users = settop

On my android (8) phone using X-plore I then tried to connect using the username 'settop' with a password. I could see 'Media2' in the share list but could not access it. I then tried removing the 'valid users' line, saved, restarted the Samba service via webif, and I found that I could then access the share Media2.

So it doesn't seem as if the user 'settop' is working properly / as expected.

I then also tried resetting the settop password to blank (by just pressing enter when prompted), the message: 'Password changed for user settop' appeared again so I assume it worked. However, again that made no difference to accessing the share Media2 when trying to access it and leaving the password field empty in either X-plore or Windows.

The windows PC did prompt for a username and password so at least that was a sign that it was expecting some credentials to be entered but it wouldn't accept the password whether it was blank or not.

Any thoughts? What have I missed out doing?

Thanks

Rodp

PS: can someone explain what the 'hosts allow' line does / controls?
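As an added example (not code from the thread or from the custom firmware), the following audit reads an smb.conf the way Samba does (indented settings, synonyms such as public/guest ok where the last one wins) and lists, per share, the settings in the posted config that leave it open: share-level security, guest access, guest account = root, null passwords, no valid users list, and a missing hosts allow (which limits the client addresses that may connect). The sample input is a constructed cut-down of the [global], [Media] and [Media2] sections posted above.

```python
import re

# Constructed sample: the access-control lines of the /mod/etc/smb.conf posted above.
SAMPLE_SMB_CONF = """\
[global]
   guest account = root
   guest ok = yes
   security = share
   null passwords = yes
   hosts allow = 10.0.0.0/255.0.0.0 192.168.0.0/255.255.0.0 127.0.0.0/255.0.0.0
[Media]
   public = yes
[Media2]
   public = yes
   guest ok = no
   valid users = settop
"""
# smb.conf synonyms; the last setting of either name wins ("guest ok = no" after "public = yes").
SYNONYMS = {"public": "guest ok", "writable": "writeable"}

def parse_smb_conf(text):
    """Return {section: {key: value}}; indented lines are ordinary settings here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.match(r"\[(.+)\]$", line)
        if head:
            current = sections.setdefault(head.group(1), {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            key = " ".join(key.lower().split())   # "Guest  OK" -> "guest ok"
            current[SYNONYMS.get(key, key)] = value
    return sections

def audit_share(conf, share):
    """List settings that leave one share open; share values override [global]."""
    g = conf.get("global", {})
    eff = lambda key, default=None: conf[share].get(key, g.get(key, default))
    yes = lambda v: str(v).lower() in ("yes", "true", "1")
    checks = [
        (g.get("security", "user").lower() != "user", "security = share: share-level mode; set security = user for per-account control"),
        (yes(eff("guest ok", "no")), "guest ok = yes: anonymous access allowed"),
        (g.get("guest account", "nobody") == "root", "guest account = root: guests get root's file access"),
        (yes(g.get("null passwords", "no")), "null passwords = yes: empty passwords accepted"),
        (not eff("valid users"), "no 'valid users': any account may connect"),
        (not g.get("hosts allow"), "no 'hosts allow': clients from any address accepted"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run it on a copy of /mod/etc/smb.conf from a PC rather than on the box; the findings for [Media] versus [Media2] show which of the posted share-level settings the [global] defaults still override.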
 
Has anyone successfully shared a path with spaces (say, /media/My Music) using the CF Samba? Is it necessary to put such paths in "", or to make a symlink and share that instead?
 
Has anyone successfully shared a path with spaces (say, /media/My Music) using the CF Samba? Is it necessary to put such paths in "", or to make a symlink and share that instead?
I just checked smb.conf on four machines, and none of my path = lines match your query. Don't the usual strategies (enclose string-containing-spaces in delimiters ' or ", or escape spaces with \) work?
 