03fc35ss Posted December 13, 2021

Hi,

I've been trying to harden the Samba/SMB configuration of Unraid 6.9.2. I've attempted to modify the /etc/samba/*conf files directly but that appears to get wiped. I attempted to add the options I wanted to include:

    server min protocol = SMB3_11
    null passwords = No
    client signing = required
    client protection = encrypt
    server signing = mandatory
    server smb encrypt = required
    client ipc signing = required

Into the 'Samba Extra Configuration' field but this also did not seem to apply.

What I want to do is:
- Enable SMB3_11
- Have both encryption and SMB signing as mandatory.
- Disable Null sessions

Does anyone have any advice on how I can do this through either the config or the web interface I'd be very grateful.

Thanks!

Frank1940 Posted December 13, 2021

A point of disclosure: It has been years since I did any real serious work in configuring SMB through its control files and things may have changed...

First, you have to specify where these new parameters are going to apply. Globally or to a specific share. If they are to apply Globally, you should (probably) use the [global] label before your list of parameters.

If they apply to specific shares, you have to list them under the [Share_name] label. However this presents a problem with the current way Unraid is configured. See here for details:

https://forums.unraid.net/topic/116507-how-to-add-additional-values-to-smb-sharesconf-during-array-startup/?tab=comments#comment-1059789

If this second issue is the problem for you, you might consider posting up a 'bug' report about this situation and why including 'smb-extra.conf' needs to be the last file for inclusion in smb.conf.

Edited December 13, 2021 by Frank1940

03fc35ss (Author) Posted December 13, 2021

Thanks Frank1940.

Should I be making changes in the conf files directly or via the web GUI 'Samba Extra Configuration' field?

As the issue appears to only be with the single share I've configured/exposed, does that mean I just need to use this then?

    [share_name]
    server min protocol = SMB3_11
    null passwords = No
    client signing = required
    client protection = encrypt
    server signing = mandatory
    server smb encrypt = required
    client ipc signing = required

trurl Posted December 13, 2021

23 minutes ago, 03fc35ss said:
> the conf files

The OS is in RAM, unpacked fresh from the archives on flash at each boot. Any modifications are not persistent.

20 minutes ago, 03fc35ss said:
> via the web GUI 'Samba Extra Configuration' field

These are reapplied at boot.

03fc35ss (Author) Posted December 13, 2021

So I stopped the array, modified the config as per the following screenshot and applied it:

Then started the array.

When browsing to \\server\ I can no longer see the share.

Additionally, I am still not seeing SMB3 traffic, but rather SMB2 (viewing the traffic in Wireshark).

Curiously, if I change the label from [Share] to [global] I can once again see \\server\share\ but alas, that's still being accessed via SMB2 as well.

12 minutes ago, trurl said:
> The OS is in RAM, unpacked fresh from the archives on flash at each boot. Any modifications are not persistent.

Out of interest, can I shut the server down and then modify config from another machine so that it will persist at boot?

itimpi Posted December 13, 2021

15 minutes ago, 03fc35ss said:
> Out of interest, can I shut the server down and then modify config from another machine so that it will persist at boot?

No

Frank1940 Posted December 13, 2021

If I remember correctly you must copy ALL of the parameters for the share from the smb-shares.conf and add those parameters before your parameters for it to work.

(Please understand that there are very few folks on this forum who work with Samba at the Linux level. You would be much better off going to a forum that deals more with these types of questions. Google "samba forum linux" as a pointer to where you might find such a group of folks.)

Frank1940 Posted December 13, 2021

4 hours ago, 03fc35ss said:
> server min protocol = SMB3_11

I believe this is a global parameter not a share parameter. Again, Google is your friend in these situations...

03fc35ss (Author) Posted December 14, 2021

The confusing part isn't so much the SAMBA configuration itself. I can muddle through that until it sticks. It's that I can't edit the config files directly and that the parameters/format etc. that the 'SMB Extras' configuration setting wants does not appear to be well documented.

I assumed that basic hardening of SMB configurations for unRAID would have already been well documented and that I was just having trouble finding that information.

In a perfect world, users shouldn't need to be setting all these config options manually, they should be readily available dropdown options that should be able to be selected as needed (the same as 'Enable NetBIOS' is currently for example).

Edit: I've lodged this as a feature request.

Edited December 14, 2021 by 03fc35ss

03fc35ss (Author) Posted December 26, 2021

I have tried a number of configuration options in SMB Extras and have had no luck so far. As far as I can tell unRAID does not respect the configuration included in the Samba extra configuration field.

Now. If I try to apply the configuration to just a single share (that I've created through the web interface), for example:

    #disable SMB1 for security reasons
    [Share_name]
    min protocol = SMB2

I am no longer able to access the share at all.

If I try the same thing with a whole new share + configuration and create the share path manually like so:

    [New_Share]
    path = /mnt/user/New_Share
    comment =
    browseable = yes
    # Private
    writeable = no
    read list =
    write list = admin
    valid users = admin
    case sensitive = auto
    preserve case = yes
    short preserve case = yes
    server min protocol = SMB3_11
    client min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    client signing = required
    client protection = encrypt
    server signing = mandatory
    server smb encrypt = required
    client ipc signing = required

The share appears, but is still negotiated via SMB1 and then communicates via SMB2 as before.

I try this config as well:

    #disable SMB1 for security reasons
    [global]
    # configurable identification
    netbios name = Server
    server string = Media server
    hide dot files = no
    multicast dns register = No
    disable netbios = yes
    security = USER
    workgroup = WORKGROUP
    map to guest = Bad User
    passdb backend = smbpasswd
    null passwords = Yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    map archive = No
    map hidden = No
    map system = No
    map readonly = Yes
    create mask = 0777
    directory mask = 0777
    # log stuff only to syslog
    logging = syslog@0
    # we don't do printers
    show add printer wizard = No
    disable spoolss = Yes
    load printers = No
    printing = bsd
    printcap name = /dev/null
    # disable aio by default
    aio read size = 0
    aio write size = 0
    # misc.
    invalid users = root
    unix extensions = No
    wide links = Yes
    use sendfile = Yes
    # ease upgrades from Samba 3.6
    acl allow execute always = Yes
    # permit NTLMv1 authentication
    ntlm auth = Yes
    server min protocol = SMB3_11
    client min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    client signing = required
    client protection = encrypt
    server signing = mandatory
    server smb encrypt = required
    client ipc signing = required

    [Share]
    path = /mnt/user/Share
    comment =
    browseable = yes
    # Private
    writeable = no
    read list =
    write list = admin
    valid users = admin
    case sensitive = auto
    preserve case = yes
    short preserve case = yes
    server min protocol = SMB3_11
    client min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    client signing = required
    client protection = encrypt
    server signing = mandatory
    server smb encrypt = required
    client ipc signing = required

And still no luck.

I realise that it's not possible to directly and permanently edit smb.conf or other files in /etc/samba/ but I'm also entirely at a loss on how to configure these options correctly via the web-gui since it doesn't seem to respect the configuration that is stored in /boot/config/smb-extra.conf

I am using this: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html as the guide for setting the options. I'm unsure if unRAID configures these options in a non-standard way or if it doesn't support them for some reason.

Please, if anyone can help me _actually_ harden this configuration or point out somewhere I can learn how to configure this correctly I would be crazy grateful. If no-one is able to help then it seems likely this is a bug and I'll try to report it as such.

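
A lint for fragments like the ones in the post above, as an added example that is not part of the thread or of Unraid: it reports parameters that smb.conf(5) scopes as global (G) but that sit under a share label, and lists which of the first post's hardening goals the [global] section does not meet. The function names, the GOALS table and the sample fragment are constructed for illustration.

```python
import re

# Parameters that smb.conf(5) scopes as global (G); they take effect only
# under [global]. "min protocol" is listed because the thread uses it;
# other synonyms are not resolved.
GLOBAL_ONLY = {
    "server min protocol", "min protocol", "client min protocol",
    "client ipc min protocol", "server signing", "client signing",
    "client ipc signing", "client protection", "null passwords", "ntlm auth",
}
# Hardening goals taken from the first post, compared case-insensitively.
GOALS = {"server min protocol": "smb3_11", "server signing": "mandatory",
         "server smb encrypt": "required", "null passwords": "no"}
# Constructed sample, abbreviated from the kind of fragment posted above.
SAMPLE = """\
[global]
null passwords = Yes
server min protocol = SMB3_11
server signing = mandatory
server smb encrypt = required
[Share]
path = /mnt/user/Share
# Private
server min protocol = SMB3_11
client signing = required
"""

def parse(text):
    """Return (section, name, value) tuples in file order, names normalised."""
    section, out = None, []
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif "=" in line and section is not None:  # lines before a header are skipped
            name, value = line.split("=", 1)
            out.append((section, " ".join(name.lower().split()), value.strip()))
    return out

def lint(text):
    """Return (global-only parameters under a share, goals [global] misses)."""
    entries = parse(text)
    misplaced = [(s, n) for s, n, _ in entries if s != "global" and n in GLOBAL_ONLY]
    effective = {n: v.lower() for s, n, v in entries if s == "global"}  # last one wins
    unmet = [n for n, want in GOALS.items() if effective.get(n) != want]
    return misplaced, unmet
```

Calling lint(SAMPLE) flags the two protocol and signing lines under [Share] and reports "null passwords" as the one goal the [global] section leaves unmet.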
Frank1940 Posted December 26, 2021

53 minutes ago, 03fc35ss said:
> realise that it's not possible to directly and permanently edit smb.conf or other files in /etc/samba/ but I'm also entirely at a loss on how to configure these options correctly via the web-gui since it doesn't seem to respect the configuration that is stored in /boot/config/smb-extra.conf

See here;

On 12/13/2021 at 7:31 AM, Frank1940 said:
> If they apply to specific shares, you have to list them under the [Share_name] label. However this presents a problem with the current way Unraid is configured. See here for details:
>
> https://forums.unraid.net/topic/116507-how-to-add-additional-values-to-smb-sharesconf-during-array-startup/?tab=comments#comment-1059789
>
> If this second issue is the problem for you, you might consider posting up a 'bug' report about this situation and why including 'smb-extra.conf' needs to be the last file for inclusion in smb.conf.

You should really consider starting a 'bug' report. You have the problem and, thus, are a logical one to make a report of this issue. It really needs to be fixed and you could be the one to see that it is properly addressed. ('Bug' reports by users that are directly impacted by it are addressed much quicker than those that merely point out that something does not meet standard recommendations.)

03fc35ss (Author) Posted January 28, 2022

Hey @Frank1940 I got it sorted out in the end after chatting with Tom, there are two issues.

1) The config has to be applied globally (fine with me, but potentially an issue for other users)

2) The version of Samba that Unraid uses is not the latest, and the latest version has significantly different flags for the settings I wanted to apply. Thus those settings broke the config or otherwise didn't apply when I set them.

I wrote up a quick guide on how to best configure the hardening options for SMB (in my opinion):