Installing and Configuring Samba on Ubuntu: The Complete Guide
Introduction
Samba is an open-source software suite that provides seamless file and print services to SMB/CIFS clients. It is widely used for its compatibility with Windows sharing protocols, making it essential for mixed Windows/Linux environments.
In this guide, we will configure Samba on Ubuntu to listen exclusively on a specific network interface, wg0, used by a WireGuard VPN connection with the IP address 10.8.0.1. This configuration adds a critical layer of security by restricting Samba service access to authorized VPN users only.
Prerequisites
Before starting, ensure you have the following:
- A functional Ubuntu server (tested on Ubuntu 22.04 LTS).
- WireGuard configured and active with the wg0 interface (IP: 10.8.0.1).
- Root access or a user with sudo privileges.
- A Windows or Linux client connected to the same VPN for testing.
Installing Samba
Step 1: Update Your System
sudo apt update && sudo apt upgrade -y
Step 2: Install Samba
sudo apt install samba -y
Verification
Once the installation is complete, verify the installed version:
smbd --version
Network Configuration: Binding Samba to wg0
To harden your server, we will configure Samba to listen only on the wg0 interface. This prevents unauthorized access from other network interfaces (like your public eth0).
Step 1: Edit the Samba Configuration File
Open /etc/samba/smb.conf:
sudo nano /etc/samba/smb.conf
Add or modify the network parameters in the [global] section:
# Listen only on the WireGuard interface
interfaces = wg0
bind interfaces only = yes
# Limit access to hosts connected to the WireGuard VPN
hosts allow = 10.8.0.0/24
Step 2: Restart Samba
Apply the changes by restarting the Samba services:
sudo systemctl restart smbd nmbd
Basic Configuration: Public Share
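A public share allows all VPN users to read and write files without authentication. With guest access and 0777 permissions, any host allowed by hosts allow can modify or delete its contents.
Step 1: Back Up the Configuration File
Always back up your configuration before making changes: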
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
Step 2: Define a Public Share
At the end of /etc/samba/smb.conf, add the following lines:
[Public]
path = /srv/samba/public
browsable = yes
writable = yes
guest ok = yes
create mask = 0777
directory mask = 0777
Step 3: Create the Directory
Create the folder and apply the necessary permissions:
sudo mkdir -p /srv/samba/public
sudo chmod 777 /srv/samba/public
Step 4: Restart and Test
sudo systemctl restart smbd nmbd
From a VPN client, access the share by entering \\10.8.0.1\Public in the File Explorer.
Advanced Configuration: Secure Shares
Secure shares restrict access to authenticated users and specific groups.
Step 1: Create a Samba User
Add a user authorized to access specific shares:
sudo smbpasswd -a samba_user
sudo smbpasswd -e samba_user
Step 2: Configure a Restricted Share
Modify /etc/samba/smb.conf to add a secured section:
[Secure]
path = /srv/samba/secure
browsable = yes
writable = yes
valid users = @securegroup
create mask = 0660
directory mask = 0770
Step 3: Manage Groups and Permissions
sudo groupadd securegroup
sudo mkdir -p /srv/samba/secure
sudo chown :securegroup /srv/samba/secure
sudo chmod 770 /srv/samba/secure
# Add your user to the group
sudo usermod -aG securegroup samba_user
Debugging and Verification
Connectivity Tests
From a client connected to the VPN, list the available shares:
smbclient -L 10.8.0.1 -U samba_user
Monitoring Logs
If you encounter issues, check the Samba logs for errors or denied access:
sudo tail -f /var/log/samba/log.smbd
Verify Interface Binding
Confirm that Samba is only listening on the wg0 interface:
sudo netstat -tulnp | grep smbd
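The binding check above can be turned into a pass/fail test. This is an added example, not part of the original guide: it parses `ss -tlnp` output rather than netstat, and the function name `check_samba_binding` and the sample lines are constructed here. Treating loopback listeners as acceptable is an assumption.

```sh
#!/bin/sh
# Added example: flag smbd TCP listeners bound anywhere other than the VPN address.
# On a real server run:  sudo ss -H -tlnp | check_samba_binding
# Only smbd's TCP listeners are checked; nmbd's UDP sockets are out of scope here.

VPN_IP="${VPN_IP:-10.8.0.1}"   # wg0 address used throughout the guide

# Reads ss output on stdin, prints "EXPOSED <addr:port>" per offending socket.
# Returns 0 when every smbd listener is on VPN_IP (or loopback), 1 otherwise.
check_samba_binding() {
    awk -v vpn="$VPN_IP" '
        /"smbd"/ {
            # Locate the State column so the parser works with or without Netid.
            for (i = 1; i <= NF; i++) if ($i == "LISTEN") break
            if (i > NF) next
            sock = $(i + 3)              # Local Address:Port
            addr = sock
            sub(/:[0-9]+$/, "", addr)    # strip the port
            sub(/%.*$/, "", addr)        # strip a %iface scope suffix
            gsub(/\[|\]/, "", addr)      # strip IPv6 brackets
            # Assumption: loopback listeners are not remotely reachable, so allow them.
            if (addr == vpn || addr ~ /^127\./ || addr == "::1") next
            print "EXPOSED " sock
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample of `ss -H -tlnp` output: smbd is bound to the VPN address,
# but a leftover wildcard listener on 0.0.0.0:445 shows the binding did not apply.
SAMPLE='LISTEN 0 50 10.8.0.1:445 0.0.0.0:* users:(("smbd",pid=1234,fd=30))
LISTEN 0 50 10.8.0.1:139 0.0.0.0:* users:(("smbd",pid=1234,fd=31))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1234,fd=32))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))'

printf '%s\n' "$SAMPLE" | check_samba_binding \
    || echo "smbd is listening outside $VPN_IP: recheck the [global] section of smb.conf"
```

The process column that the filter matches on is only populated when ss runs as root.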
Best Practices
- Verify Isolation: Use tools like nmap from outside the VPN to ensure port 445 is not reachable on your public IP.
- Secure WireGuard: Keep your VPN configuration private and restrict access to authorized users only.
- Strong Passwords: Always use robust passwords for Samba accounts.
- Firewall Rules: Use UFW or iptables to further restrict traffic to port 445 on the wg0 interface.
Conclusion
By limiting Samba to a specific interface like wg0, you significantly improve the security and privacy of your network. This setup is ideal for secure, high-performance file sharing within a remote team or a home lab environment.
For further reading, visit the official Samba and WireGuard documentation.
Currently a DevOps engineer/Cloud architect, I was initially interested in system administration, and thanks to the companies I have worked for, Oxalide and now Claranet, I had the chance to discover the world of cloud and automation.
I decided to publish this blog to share my passion with you, and also to modestly add to everything that can be found on the internet. Happy reading!