Access Samba share on Ubuntu 20.04 from Windows 10 without SMB V1?

Hey guys;
I spent hours trying to figure out why my Windows 10 Pro (latest build) box could not access Samba shares on my Ubuntu 20.04 box.
Then I finally found that I needed to enable SMB V1 on Windows 10.
This works fine, but I understand there is a huge security risk with using SMB V1.

So I tried removing SMB V1 on Windows 10 again, and can confirm that SMB V2 is running.
On the Ubuntu box, I added a couple lines to the smb.conf file:

Code:

[global]

        server role = standalone server
        map to guest = Bad User
        usershare allow guests = yes
        hosts allow = 192.168.0.0/16
        hosts deny = 0.0.0.0/0
# Add the following line to disable SMB V1 and allow SMB V2 or higher
        min protocol = SMB2
        max protocol = SMB3
        client min protocol = SMB2
        client max protocol = SMB3
        client ipc min protocol = SMB2

If I check the version of smbd on the Ubuntu box, it reports version 4.11.6-Ubuntu

I don't understand why, if Ubuntu 20.04 is running SMB V3 (or V2) why I cannot access the shared files from Windows, which is also running SMB V3 (or V2), but when SMB V1 is enabled on Windows, I can access those shares even though the min protocol is set to V2.

In addition to not having access to my Ubuntu shares when SMB V1 is disabled on Windows, I cannot see the other Windows machines on my LAN. Once SMB V1 is enabled, I see those computers as well as the Ubuntu shares.

As far as security goes, I am running this LAN at home, and it is connected to the internet through an Optimum Altice router which has its own firewall.
I am also running ESET internet security on my Windows 10 box.
Should I be worried about running SMB V1?

Thanks for your help
Ultrarunner

You haven't added localhost on the hosts allow line, just your private network. You need to add 127.0.0.1 at the beginning. You also don't need to have SMBv1 to use on Windows. It is insecure and therefore it's not enabled by default in Windows 10. The WannaCry ransomware explosion that occured was replicated through SMB vulnerabilities in SMBv1. Also allowing guests is a bad idea. You should set a deny all policy for users except your own. You can also add encryption, mandatory server signing. I would also disable NetBIOS as well. SMB runs over TCP and port 445 so you don't need NetBIOS and port 139.

Thanks guys;
So far, I don't see any way to get Windows 10 to see the Ubuntu shares without enabling SMB V1.
However, I have just stumbled upon "The Official Samba How to and Reference Guide", which appears to be a very comprehensive manual for Samba V3.
I will read through the sections I need, to get a better understanding of what Samba is, and the many configuration options.
Because I jumped into the deep end of the Samba pool without really understanding what it is and how to use it, I have spent much time going in circles until I finally got things working. Reading through the book should help me a great deal.

As for my Optimum router: I do not see any wifi hotspot when I scan with my phone. I do recall that Verizon FIOS did have that feature, but so far I haven't seen it with Optimum, although I have noticed it on my phone while walking around town. It seems to be available only at public buildings such as the library and bus or train stations. I think there's a public wifi near the High School as well - for obvious reasons - but I'm not sure if it's Optimum or FIOS, as both have cables in my area.

My router info:
Sagemcom F@st 5260CV
Sagemcom P/N: 253536653

ultrarunner2020 said:

Thanks guys;
So far, I don't see any way to get Windows 10 to see the Ubuntu shares without enabling SMB V1.
However, I have just stumbled upon "The Official Samba How to and Reference Guide", which appears to be a very comprehensive manual for Samba V3.
I will read through the sections I need, to get a better understanding of what Samba is, and the many configuration options.
Because I jumped into the deep end of the Samba pool without really understanding what it is and how to use it, I have spent much time going in circles until I finally got things working. Reading through the book should help me a great deal.

As for my Optimum router: I do not see any wifi hotspot when I scan with my phone. I do recall that Verizon FIOS did have that feature, but so far I haven't seen it with Optimum, although I have noticed it on my phone while walking around town. It seems to be available only at public buildings such as the library and bus or train stations. I think there's a public wifi near the High School as well - for obvious reasons - but I'm not sure if it's Optimum or FIOS, as both have cables in my area.

Yes, you need to have a basic understanding of these things before committing yourself to going further.
Samba is actually pretty easy to understand and most Linux distros have baked it into their distros in such an easy to understand way because SMB is still what keeps people connected to networks be it at work at home or anywhere else. And because most people who want to get connected to shares on their network are not sysadmins or anybody with particularly technical backgrounds. In Ubuntu you can actually enable file sharing (SMB) by right-clicking the folder you want to share and click 'Local Network Share'. Ubuntu will do the configuring itself. That is if you want a simple automated way of sharing things.

I have to say that your config file looks a little bit all over the place if I'm honest. My config file for Samba looks completely different. Usually you start with a default example template that comes when you install Samba (smbd, if it's not already installed). Did you run the command

Code:

cp /etc/smb.conf /etc/smb.conf.bak

before editing anything? You should ALWAYS create a backup of the original config file in case you mess something up. That way you can run

Code:

rm -i /etc/smb.conf && mv /etc/smb.conf.bak /etc/smb.conf

to restore the original config file. And then you can do the same copy command to further copy it to your hearts content as many times as you edit the config file.

It seems to me like you have indeed jumped in at the deep end. I would suggest starting from scratch. You could have made an infinite number of changes of which you may not even know you did or how to undo them. Try this:

Code:

sudo apt-get purge samba samba-common
sudo rm -rf /etc/samba/ /etc/default/samba
sudo apt-get install samba

This will purge Samba, remove the leftover folders (if any) and then install it again. You can use && after these commands to tell bash if the last command was successful execute the next one. This way things are pretty much semi-automated to a degree. Oh and you can add

Code:

-y

at the end of the install samba command to assume yes, which basically tells the package installer you're not one for dilly-dallying around waiting for confirmations. I wouldn't put [CODE[-y[/CODE] at the end of every command though as you might find yourself whisking through important stuff but for this scenario it's ideal.

When samba installs you can begin setting up a user;

Code:

useradd samba --shell /bin/false OR /sbin/nologin

The long-form option is to make sure your user doesn't have shell access (for increased security)

Setup the password for the user who will access samba

Code:

smbpasswd -a samba

Set the permissions for the folder you want to share to allow the user assigned to samba to access it

Code:

chown samba:samba /your/samba/share/here

The : indicates the user AND the group which will avoid any potential inaccessibility if the group the user belongs to doesn't have access

Follow the config backup process above BEFORE editing anything in smb.conf

Add to to the end of the file in your fave text editor

Code:

[<folder name here>]
path = /home/<user_name>/<folder_name>
valid users = <user_name>
read only = no

This is of course a very basic configuration for your Samba share but it's enough to get you up and running. Make sure you add the user you want to allow access

Restart the smbd service

Code:

sudo service smbd restart

And now test the parameters set

Code:

testparm

This will check for basic errors

Now try connecting from Windows

Code:

\\IPADDRESS\folder\

You should get a prompt asking you to type in the username you setup followed by the password to access Samba from that user.
This should work. If not it's definetly got something to do with Windows and not your configuration as this is the way to setup Samba and presuming you've not changed a bunch of stuff in Ubuntu should work out of the box.

Reply back with your results

Thanks. That's very useful info.
I did save the original smb.conf file before I created the new one.
The configuration I am using is from this YouTube tutorial: YouTube
I added a couple lines after you guys advised me in this thread.

Since I am the only user of this system (both the Windows and Ubuntu), I don't think I need to restrict access to the share.

Great stuff.
Yeah, Chris Titus Tech videos seem pretty good.
You do need to restrict access to the share. Your bank account has a PIN code. Your online accounts have passwords, some of them probably 10, 20 or more characters long (or should be). The front door to your house has a key. You can be the only user of a car but disabling the airbag won't do much good in a crash. You're thinking entirely in terms of yourself and not the reality of the world in which you live in, especially when discussing server administration.

You should setup an individual user as explained above ideally with it's own group ie UID: samba GID: sharegroup. Then set a decent password. Then restrict users by running a default deny rule so that any user other than listed will not be able to connect. You especially want to do this with users like root. Have you set root to /sbin/nologin on your server? You don't need root unless absolutely necessary and root is what anyone with a clue will search for upon trying to compromise your system. Will that happen? Maybe not. But you're learning how to administer a Linux based server, right? So it makes no sense to sh*t on your own learning progress by doing the opposite of what it takes to run a server properly.

Have you set the create/directory masks for your share so that if anything does happen the permissions set by default will not allow a free-for-all on your share? How about directory masks? You want a mask for directories too. Have you enabled encryption? SMB uses a decent level of encryption in later versions and this will be a requirement if you're allowing guest access because it means not only will other communications to/from SMB be unencrypted but also yours too.

You should do all these things plus more because whether you realize it or not you're doing sysadmin stuff here and no sysadmin on the planet worth his weight in precious metal would skip on these matters. Of course you're probably at home and all this sounds exaggerated and based on attack vectors you may never experience. But we have passwords for the same reason and how many people try to access our accounts? A) We have no idea without holding logs to the server and B) With a password they have to guess or reset it to gain access. It's the rule of thumb regardless of whether anyone can or even wants to gain access to our stuff.

Just trying to help out