
SMB/CIFS [1]

The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol. The set of message packets that defines a particular version of the protocol is called a dialect. The Common Internet File System (CIFS) Protocol is a dialect of SMB. Both SMB and CIFS are also available on VMS, several versions of Unix, and other operating systems. [2]

Workgroup

A workgroup in SMB (the Windows file-sharing protocol) is essentially a logical grouping of computers that helps Windows clients discover and browse file shares on a local network. It is only a label and has no effect on authorization. Most of the time it is left as WORKGROUP.

Server

Samba

Samba is the most feature-rich Open Source implementation of the SMB and Active Directory protocols for Linux and UNIX-like systems.

Samba became a popular free software implementation of a compatible SMB client and server to allow non-Windows operating systems, such as Unix-like operating systems, to interoperate with Windows. [3]

apt update && apt install -y samba

Configure [4]

/etc/samba/smb.conf
[appdaemon]
path = /etc/appdaemon
browseable = yes
read only = no
writable = yes
guest ok = yes

If guest ok is enabled, then no password is required to connect to the service.

The guest account is a username which will be used for access to services which are specified as guest ok. Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice for this parameter. [5]

Add SMB password for user
smbpasswd -a root

smbpasswd

Restart the services
systemctl restart smbd
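As an added check (example script written for these notes, not code from the page or from Samba), the POSIX shell function below lists every share in an smb.conf-style file that is both guest-accessible and writable, i.e. anything a client on the LAN could write to without a password. The sample configuration it writes is constructed here.

```shell
#!/bin/sh
# Added example: find Samba shares that combine "guest ok = yes" with write access.
set -eu

# Prints one share name per line for each [section] (other than [global])
# where guests may connect AND the share is writable. Honours the synonyms
# "public" (= guest ok) and "writeable", and the inverted "read only";
# as in Samba, the last setting of a key within a section wins.
audit_guest_writable() {
    awk '
        function yes(v) { return v == "yes" || v == "true" || v == "1" }
        function no(v)  { return v == "no"  || v == "false" || v == "0" }
        function flush() {
            if (section != "" && tolower(section) != "global" && guest && write)
                print section
        }
        /^[ \t]*[;#]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # start of a new [section]
            flush()
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            guest = 0; write = 0                    # Samba defaults: no guests, read only
            next
        }
        /=/ {
            key = $0; val = $0
            sub(/=.*$/, "", key); sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); val = tolower(val)
            if (key == "guest ok" || key == "public") guest = yes(val)
            if (key == "writable" || key == "writeable") write = yes(val)
            if (key == "read only") write = no(val)
        }
        END { flush() }' "$1"
}

# Constructed sample config (not a real server), written to the given path.
write_sample_smb_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   guest account = nobody
[appdaemon]
   path = /etc/appdaemon
   browseable = yes
   read only = no
   writable = yes
   guest ok = yes
[docs]
   path = /srv/docs
   guest ok = yes
[backup]
   path = /srv/backup
   writable = yes
EOF
}
```

Run it against the live file with `audit_guest_writable /etc/samba/smb.conf`; only `appdaemon` is reported for the sample, since `docs` is guest-only read access and `backup` requires a login.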

Synology SMB

The SMB (Server Message Block) protocol allows Windows, Mac, and Linux clients with SMB/CIFS support to access data stored on the Synology NAS. If you would like to browse files on the Synology NAS via Windows Explorer or mount shared folders as network drives, please enable this option at Control Panel > File Services > SMB/AFP/NFS.

Home Assistant SMB

Home Assistant can expose its config files through the Samba Add-on.

Debug

Check status of share
smbstatus
List configured shares
smbclient -L //localhost

Client

The values used in this example will likely differ per deployment.

Variable               Description
192.168.1.100          IP address of the SMB server
/root/.smbcredentials  Path of the SMB credentials file
mymount                Name of the SMB share on the server
/mnt/smb-test          Local mount point directory
smb_username           Username for SMB authentication
smb_password           Password for SMB authentication
uid=1000               User ID that will own the mounted files
gid=100                Group ID that will own the mounted files

Configure

The best practice is to use the /etc/fstab file to set up a systemd.automount.

sudo apt update && sudo apt install -y cifs-utils smbclient

The credentials file should only be readable by its owner, which is usually root.

Create credentials file
touch /root/.smbcredentials && \
chmod 400 /root/.smbcredentials && \
nano /root/.smbcredentials
/root/.smbcredentials
username=smb_username
password=smb_password

Do not put quotation marks around the username or password values.

/etc/fstab
//192.168.1.100/mymount /mnt/smb-test cifs credentials=/root/.smbcredentials,vers=3.1.1,sec=ntlmssp,seal,uid=1000,gid=100,_netdev,x-systemd.automount,x-systemd.idle-timeout=1min,noauto,noatime 0 0

/etc/fstab entries cannot be broken up across multiple lines.

fstab options explained
sec=ntlmssp,seal
sec=ntlmssp selects NTLMv2 authentication via NTLMSSP; seal requests SMB3 encryption of the session, which protects the confidentiality and integrity of the data transfer (sec=ntlmsspi would additionally force packet signing).
uid=1000,gid=100
Sets the user and group that the files appear to be owned by in the mount.
_netdev
Indicates that the filesystem resides on a device that requires network access (used to prevent the system from attempting to mount it until the network has been brought up).
x-systemd.idle-timeout=1min
Unmounts the share automatically after it has been idle for the given time.
x-systemd.automount
Creates a systemd automount unit, so the actual mount only happens on first access.
noauto
Prevents the entry from being mounted during boot or by mount -a.
noatime
Prevents the access time from being updated by reads.
0 0
The first 0 excludes the entry from dump backups, and the second excludes it from fsck.
Reload
systemctl daemon-reload

Debug

List configured shares
smbclient -L //192.168.1.100 -U smb_username
List loaded automounts
systemctl list-units --all --type=automount --no-pager
Check automount status
systemctl list-automounts --all
Show information about a mounted directory
findmnt /mnt/smb-test
Test mounting manually
sudo mount -t cifs //192.168.1.100/mymount /mnt/smb-test -o credentials=/root/.smbcredentials,vers=3.1.1

Secure SMB

Over SSH

TCP forwarding has to be allowed on the server side. This config allows only the backup-tunnel user to use TCP forwarding, and only allows it to forward on port 445 on the loopback interface.

/etc/ssh/sshd_config
AllowTcpForwarding no
Match User backup-tunnel
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:445
Restart sshd
sudo systemctl restart sshd

Create the tunnel key on the client:

ssh-keygen -t ed25519 -f ~/.ssh/tunnel -N "" -C "backup-tunnel-client"

Make the comment something specifically informative about what owns this private key.

Copy to the server:

ssh-copy-id -i ~/.ssh/tunnel.pub [email protected]
Extra security on the key

Add these options in front of the public key in the server's authorized_keys entry:

~/.ssh/authorized_keys
from="192.168.1.130",command="/bin/false",no-pty,no-user-rc,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA...
from="192.168.1.130"
Restricts the key to only work from the specified IP address.
command="/bin/false"
Forces execution of /bin/false instead of any requested command, preventing command execution. Port forwarding still works because no-port-forwarding is not set, which is exactly what the tunnel needs.
no-pty
Prevents allocation of a pseudo-terminal, disabling interactive shell sessions.
no-user-rc
Prevents execution of the user's ~/.ssh/rc file.
no-X11-forwarding
Disables X11 forwarding, preventing GUI application forwarding.
no-agent-forwarding
Disables SSH agent forwarding, preventing the forwarding of authentication credentials.

Start the tunnel from the client:

Single shot tunnel
ssh -nNT -L 127.0.0.1:1445:127.0.0.1:445 -i ~/.ssh/tunnel [email protected]

Add the fstab entry

/etc/fstab
//127.0.0.1/mymount /mnt/smb-test cifs credentials=/root/.smbcredentials,vers=3.1.1,port=1445,uid=1000,gid=100,_netdev,x-systemd.automount,x-systemd.idle-timeout=1min,noauto,noatime 0 0

Debug

Test mount through SSH tunnel
sudo mount -t cifs //127.0.0.1/mymount /mnt/smb-test -o credentials=/root/.smbcredentials,vers=3.1.1,port=1445
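To tie the Client section and the SSH tunnel variant together, here is an added audit script (written for these notes, not code from the page or from cifs-utils) that reads an fstab-style file and flags cifs entries that put a password inline, request SMB1, lack seal while not going through the loopback tunnel, or point at a credentials file readable by group or others. It assumes that any //127.0.0.1/ source is reached through the tunnel and therefore already encrypted, and it uses GNU stat with a BSD stat fallback; the fstab and credential files in the test are constructed.

```shell
#!/bin/sh
# Added example: audit cifs entries in an fstab-style file.
set -eu

# Prints "<mountpoint>: ok" or "<mountpoint>: <finding>[,<finding>...]":
#   inline-password  password= in fstab (world-readable) instead of credentials=
#   smb1             vers=1.0 requested
#   unencrypted      no "seal" and the server is not reached via the loopback tunnel
#   not-owner-only   the credentials= file is readable by group or others
audit_cifs_fstab() {
    awk '
        /^[ \t]*(#|$)/ || $3 != "cifs" { next }
        {
            n = split($4, o, ","); pw = 0; seal = 0; vers = ""; cred = "-"
            for (i = 1; i <= n; i++) {
                if (o[i] ~ /^password=/) pw = 1
                else if (o[i] == "seal") seal = 1
                else if (o[i] ~ /^vers=/) vers = substr(o[i], 6)
                else if (o[i] ~ /^credentials=/) cred = substr(o[i], 13)
            }
            f = ""
            if (pw) f = f ",inline-password"
            if (vers == "1.0") f = f ",smb1"
            # assumption: //127.0.0.1/... is the SSH-tunnelled case, already encrypted
            if (!seal && $1 !~ /^\/\/127\.0\.0\.1\//) f = f ",unencrypted"
            print $2, cred, f
        }' "$1" |
    while read -r mnt cred f; do
        if [ "$cred" != "-" ] && [ -e "$cred" ]; then
            # GNU stat first, BSD stat as fallback; keep only the octal mode
            mode=$(stat -c %a "$cred" 2>/dev/null || stat -f %Lp "$cred")
            case "$mode" in [0-7]00) ;; *) f="$f,not-owner-only" ;; esac
        fi
        f=${f#,}
        printf '%s: %s\n' "$mnt" "${f:-ok}"
    done
}
```

Run `audit_cifs_fstab /etc/fstab` on the client after editing the entry; the two entries from these notes report ok, while an old-style line with username=/password= and vers=1.0 reports all four findings.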

Over STunnel

Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code...Stunnel uses the OpenSSL library for cryptography, so it supports whatever cryptographic algorithms are compiled into the library.

Generate private key
openssl ecparam -name prime256v1 -genkey -noout -out server.key
Generate certificate (10 years)
openssl req -new -x509 -key server.key -out server.crt -days 3650 -subj "/CN=smb-stunnel-server"

Reference

Not all of these were used for the notes, but were quality resources