How do you configure Samba for secure file sharing between Linux and Windows?

Some Linux users seek to achieve secure file sharing between their Linux machines and Windows machines. That ultimately gives rise to the need for Samba configurations.

User mapping can be really tasking sometimes with ACLs looking like puzzles that can’t be decoded, with various encryption options. Which tools do you find most efficient for mapping Linux users to Windows accounts? Which of the Samba encryption options between SMBv3 and GSSAPI do you use? What performance tradeoffs are common with each?

Please share your experiences. Could be very valuable.

I use Samba on my home server with Docker. I have no extra security configuration, but I only use it at home after all and it’s not open to the public internet.

If anyone is curious, here is my docker configuration:

services:
  samba:
    image         : dperson/samba
    container_name: samba
    restart       : unless-stopped
    stdin_open    : true
    tty           : true
    read_only     : false
    tmpfs:
      - /tmp
    ports:
      - "139:139/tcp"
      - "445:445/tcp"
    environment:
      TZ        : '${TZ}'
      NMBD      : "true"
      USER      : "${SAMBA_USER};${SAMBA_PASS}"
      USERID    : "0"
      GROUPID   : "0"
      SHARE     : "${SAMBA_SHARENAME};/mnt/share;yes;no;no;${SAMBA_USER};'none';'none';'WG'"
      WORKGROUP : "${SAMBA_WORKGROUP}"
      RECYCLE   : ""
    volumes:
      - ${SHARE_PATH}:/mnt/share:z

I work in a design firm and we use Samba to share files across the Linux workstation and the different departments. The departments have Windows machines all through. We leverage the superior capacity of GSSAPI’s centralized management to control the access users have. That is why everyone within the IT setup is very proficient with Kerberos.

I have a small question. If you are connected using Wi-Fi at home, does that mean other family members could see your Samba files? Or could it represent a security issue? Aren't the files encrypted or protected with a password? Your clarification is much appreciated.

If other family members share the same network and have a little bit of tech savviness, they would see your Samba files undoubtedly. You can mitigate that by having strong passwords, setting up user permissions, and possibly restricting guest access to deny anonymous connections.

For encryption, SMBv3 offers a robust structure on that but might come at a cost of inefficient hardware performance. GSSAPI on the other hand has steeper configurations and compatibility challenges.

1 Like

I agree with @Slys.

If your question is related to the Dockerfile I shared, you can create multiple users and multiple shared directories. You can do something like this:

/mnt/shared/       --> admin:pass
/mnt/shared/user1  --> user1:pass1
/mnt/shared/user2  --> user2:pass2

With this configuration, the admin can see all the files, but the users only see their own directories.

1 Like
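The hardening points raised in this thread (deny guest access, restrict each share to named users, require SMB3 encryption), as an added example that is not any poster's code: a small Python check over smb.conf text. The two sample configs are constructed, and treating anything short of required encryption as a finding is this example's assumption.

```python
# Added example; WEAK and HARDENED are constructed sample configs, not a real server's.
WEAK = """
[global]
   map to guest = Bad User
[share]
   path = /mnt/share
   guest ok = yes
"""
HARDENED = """
[global]
   map to guest = Never
   server min protocol = SMB3
   smb encrypt = required
[user1]
   path = /mnt/shared/user1
   valid users = user1 admin
"""

def parse(text):
    """Return {section: {param: value}} with names and values lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip().lower()
    return conf

def audit(text):
    """List findings as (section, message) tuples."""
    conf, out = parse(text), []
    g = conf.pop("global", {})  # what remains in conf are the shares
    if g.get("map to guest", "never") != "never":
        out.append(("global", "failed logins can be mapped to guest"))
    enc = g.get("smb encrypt", g.get("server smb encrypt", "default"))
    if enc not in ("required", "mandatory"):
        out.append(("global", "SMB3 encryption is not required"))
    if not g.get("server min protocol", "").startswith("smb3"):
        out.append(("global", "pre-SMB3 dialects are allowed"))
    for name, share in conf.items():
        if share.get("guest ok", share.get("public", "no")) in ("yes", "true", "1"):
            out.append((name, "guest access enabled"))
        if "valid users" not in share:
            out.append((name, "no valid users restriction"))
    return out
```

Run `audit()` on the output of `testparm -s` rather than the raw file to check the settings Samba actually loads.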