Setting up Linux Samba server (general problems): No permission

Question

For my setup I would like to create a Samba server that only allows access from certain IP addresses.

I used this configuration - you might notice I am a bit overwhelmed by the options and used keys from tutorials:

[global]
security=user
workgroup=TEST
map to guest = Bad User
# hosts allow = <allowed IP addresses> # will activate later, but want to have an open server running first
Debugging/Accounting
log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
[data]
comment= Public data
path = /home/x6/Documents/sharedFolder
read only = no
guest ok = yes

and changed the file permission of .../sharedFolder to 777:

drwxrwxrwx  2 x6   x6   4096 Jun  9 19:19 sharedFolder

Access attempts got logged in log.winhostname:

[2023/06/10 07:06:34.875024, 0, pid=1702, effective(65534, 65534), real(65534, 0)] ../../source3/smbd/service.c:168(chdir_current_service) chdir_current_service: vfs_ChDir(/home/x6/Documents/sharedFolder) failed: Permission denied. Current token: uid=65534, gid=65534, 1 groups: 65534

[2023/06/10 07:06:34.875064, 3, pid=1702, effective(65534, 65534), real(65534, 0), class=smb2] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3246

I think that it's something with the user, but I am not that familiar with Samba yet. I tried following https://en.wikibooks.org/wiki/Samba/Configuring_a_Workgroup_from_the_Shell_with_Samba but the command smbpasswd -a guest wasn't "accepted" (just printed the smbpasswd help message again).

Additional information

What I have tried

I read a little bit into: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#GUESTACCOUNT but it wasn't clear to me what to do.

I read this article, but it mentions the sudo smbpasswd -a name command that wasn't helpful in a tutorial before that one: https://www.ionos.de/digitalguide/server/konfiguration/samba-server-plattformuebergreifendes-netzwerk/

I tried this configuration here: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server but got the same error.

I tried accessing the samba server over smbclient both from the samba server computer and from a remote computer (running linux). While the general connection seems possible, because smbclient \\\\ip\\data results in a password prompt and then a smb:\ prompt where I can write additional commands, even simple commands like dir or ls fail with NT_STATUS_ACCESS_DENIED. Increasing the log level using -d didn't result in any valuable information - in my opinion. Logs are a bit too long to share.

My suspicion

Since configuration files from multiple tutorials have failed, I think it might be something outside of the configuration files, but I am unsure what might be the issue.

Later

Later I will use Windows Credential Manager to store the login information peristently Windows 10 forgets mapped drive's credentials after reboot

Regarding my setup

All computers are connected to a single router. Some are connected via WLAN others over LAN. A subset of these computers are "trusted" in the sense that they are allowed to access the folder. Therefore, I need to limit the access to those computers.

The router is assigning static ips to those computers. I think that's enough to prevent people from assigning themself a fitting IP and accessing the folder without being allowed to.

Answer 1

"The hosts allow or allow hosts parameter is one of the key advantages of Samba. It allows access control of shares on the ip-address level. To allow only specific hosts to access a share, list the hosts, separated by comma's. Allowing entire subnets is done by ending the range with a dot."

Samba doesn't allow access control with this option on layer 2, only layer 3.

If you want to white list mac addresses you'll have to find another option to prevent network traffic from reaching the service.

Or if you reallllllly want to take some time doing this, you might see if its possible to modify the code and recompile.

I also would check if samba still has the big security vulnerability advertised years ago.

The additional tagging or qualifying that was added last time will be left out, but while showering it occurred to me that I forgot some things.

I apologize for this.

Before the rest is touched on lets analyze the response I gave and your setup:

1. If your network setup is not tightly controlling ip leasing and network membership, IP access control will not work.

2. If your samba server is not on the same network segment as the client machines, MAC white listing will not work.

3. If your not authenticating to the server as well, neither of these solutions will work.

4. MAC addresses can be spoofed. Its easier these days. If someone can see what the hardware IDs of your devices, by say sniffing the airways in the case of a wifi lan, once they get the key to connect to your network, or even in the case of a wired one where they can plug in somehow, this will not prevent anyone determined enough from getting into your server.

Now lets consider application.

If you're storing something vital, REALLLLLY heed what I'm saying. If you're just sharing movies or video files, not a big deal.

If you're storing executables and people will be running them, restrict write access or you're gonna have some trouble potentially and make sure these executables come from trusted sources and are not altered.

In general, SMB cannot be hardened if the network setup sucks. If I can just plug my computer into the wall and set a static ip address, or mod my MAC address and the dhcpd assigns a specific IP address, instant access.

Also if the password hashing isn't good, or a challenge isn't being sent and the password is even being even being sent in two-way encrypted form across the network, it is potentially possible to access the server.

Also. Don't trust ANY operating system you have not at the very least built yourself and then do not trust it completely. Don't trust any operating system who's code has not been hardened by people you trust or yourself, and then never completely trust an OS that people you trust have modded, because they may not be trustworthy.

But like I said, consider application and making sure people have to authenticate somehow to some network service to be granted access, and you're probably fine.

About the only way to protect data is to keep it in an isolated physically read only form and keep it in your possession or locked up these days. These are the times we live in where bad people did bad things, and tried to do even worse bad things and create our current mess and now everyone is suffering for their idiocy and the original offenders are laughing in hades, in between their pitchfork enema.