My file setup » History » Version 3
Gareth Eaton, 12/18/2023 01:33 AM
| 1 | 1 | Gareth Eaton | h1. My file setup |
|---|---|---|---|
| 2 | |||
| 3 | <pre> |
||
| 4 | [global] |
||
| 5 | server min protocol = SMB3 |
||
| 6 | server max protocol = SMB3 |
||
| 7 | ntlm auth = ntlmv2-only |
||
| 8 | |||
| 9 | |||
| 10 | server role = standalone server |
||
| 11 | obey pam restrictions = yes |
||
| 12 | unix password sync = yes |
||
| 13 | passwd program = /usr/bin/passwd %u |
||
| 14 | passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . |
||
| 15 | pam password change = yes |
||
| 16 | map to guest = bad user |
||
| 17 | ; Consider the security implications of this setting |
||
| 18 | |||
| 19 | |||
| 20 | [SHARE_NAME] |
||
| 21 | path = /srv/data |
||
| 22 | browseable = yes |
||
| 23 | read only = no |
||
| 24 | smb encrypt = mandatory |
||
| 25 | ; Enforces encryption for the share (requires SMB3 clients) |
||
| 26 | </pre> |
||
| 27 | |||
| 28 | This is a solid for a secure and functional setup. Key points include: |
||
| 29 | |||
| 30 | 1. **Strong Protocols and Authentication**: |
||
| 31 | - Enforcing SMB3 and NTLMv2-only authentication enhances security. |
||
| 32 | |||
| 33 | 2. **Server Role and User Management**: |
||
| 34 | - Configured as a standalone server with PAM (Pluggable Authentication Modules) restrictions and UNIX password synchronization. |
||
| 35 | |||
| 36 | 3. **Security Considerations**: |
||
| 37 | - `map to guest = bad user` is set, which maps failed user authentications to a guest account. Be aware of its security implications. |
||
| 38 | |||
| 39 | 4. **Share Configuration**: |
||
| 40 | 3 | Gareth Eaton | - The share is well-configured with mandatory SMB encryption, making it secure for SMB3 clients. |
| 41 | 1 | Gareth Eaton | |
| 42 | Overall, this configuration promotes strong security practices while ensuring functionality. Just ensure that your network environment and all clients are compatible with these settings. |