Ensuring the best parameters for SAMBA smb.conf

Given today's date, running Windows 10 or higher and connecting to an RHEL 8.8 or higher Linux system that currently has samba-4.17.5-3.el8_8, what are the best practices for which parameters should be in /etc/samba/smb.conf to ensure the most secure and reliable connection over that protocol?

Below is what I am using. Can anyone modify or add to it to make it better? I am doing a simple samba setup with security=user, passdb backend = tdbsam, and simple local passwords created with smbpasswd -a. If you have an smb.conf template to share that involves Windows domain joining and Active Directory and other more complex things, that would be cool too.

I am showing the two basic shares I almost always do (homes and data); should there also be some parameters to improve security?

Note: not too concerned about the logging section, but if you can improve it or provide an explanation so that an admin can read it and make a reasonable decision about how to configure it, that would be appreciated.

# /etc/samba/smb.conf template, RHEL 8.8

[global]
    workgroup = SAMBA
    security = user

    passdb backend = tdbsam

    printing = bsd
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes

    log level = 0 vfs:10

    log file = /var/log/samba/sambavfs.log

    max log size = 0

    smb encrypt = required
    client min protocol = SMB3
    client max protocol = SMB3
    client signing = mandatory
    server signing = mandatory

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
    vfs objects = extd_audit

[data]
    comment = data
    inherit acls = Yes
    read only = No
    path = /data
    directory mask = 770
    create mask = 660
    vfs objects = extd_audit

Note: I also just discovered that FIPS=1 in GRUB_CMDLINE_LINUX in /etc/default/grub (or fips-mode-setup --enable, which is available in RHEL-8) kills samba connections from Windows. See https://access.redhat.com/discussions/7022626. This did not happen when doing FIPS=1 in RHEL-7.9.

Answer 1

For anyone interested, after going through the current samba man page I pulled out what seemed relevant. With the global section defined below I can make a samba connection from Windows 10 to an RHEL-7.9 system (and I assume rhel 8.8+). From the man page descriptions I think most of this is the default, but it is nice to know what is actually in effect.

# /etc/samba/smb.conf
# https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

[global]
    server role = standalone
    security = user
    passdb backend = tdbsam
    map to guest = Bad User

#   turn off print stuff
    printing = bsd
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes

#   default deadtime to disconnect after N minutes of inactivity is 10080
    deadtime = 5

    server min protocol = SMB3_11
    server smb encrypt = required
    server signing = mandatory
#   server smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM
#   server smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256
    server smb3 encryption algorithms = AES-256-GCM
    server smb3 signing algorithms = AES-128-GMAC

    client min protocol = SMB3_11
    client smb encrypt = required
    client signing = required
    client ipc signing  = required
    client protection = encrypt
#   client smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM
#   client smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256
    client smb3 encryption algorithms = AES-256-GCM
    client smb3 signing algorithms = AES-128-GMAC
    
#   client use kerberos = < off | desired | required >
#   kerberos encryption types = < all | strong | legacy >

#   hosts allow = 192.168.1.0/255.255.255.0
    
    max log size = 0
    log level = 0 vfs:10
    log file = /var/log/samba/sambavfs.log
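As an added example (not code from the question or the answer above), here is a small Python audit that parses an smb.conf fragment and checks the minimum-protocol, encryption and signing parameters the answer hardens; it also reports parameter names it does not recognise, since Samba ignores a misspelled key instead of enforcing it. Parameter and value names are taken from smb.conf(5); the sample fragment is constructed and deliberately contains a misspelled `server min prototcol`.

```python
import re
# Constructed sample, not the page's files; it contains a deliberate
# "prototcol" typo so the audit shows what Samba would silently ignore.
SAMPLE = """\
[global]
    server min prototcol = SMB3_11
    server smb encrypt = required
    server signing = mandatory
    client min protocol = SMB3_11
    client smb encrypt = required
    client signing = required
"""
# smb.conf(5) names this audit knows; anything else is reported as a typo.
KNOWN = {"security", "passdb backend", "server role", "map to guest", "deadtime",
         "server min protocol", "server smb encrypt", "server signing",
         "client min protocol", "client smb encrypt", "client signing"}
SYNONYMS = {"smb encrypt": "server smb encrypt"}  # older spelling, still valid
SMB3 = {"smb3", "smb3_00", "smb3_02", "smb3_10", "smb3_11"}
EXPECTED = {  # values matching the hardening intent discussed above
    "server min protocol": SMB3, "client min protocol": SMB3,
    "server smb encrypt": {"required"}, "client smb encrypt": {"required"},
    "server signing": {"mandatory"}, "client signing": {"required", "mandatory"},
}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spacing normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.match(r"\[(.+)\]$", line):
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            key = " ".join(key.split()).lower()
            sections[current][SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit_global(glob):
    """Return findings for [global]; an empty list means every check passed."""
    findings = [f"unknown parameter '{k}' (typo? Samba ignores it)"
                for k in glob if k not in KNOWN]
    for key, good in EXPECTED.items():
        if key not in glob:
            findings.append(f"'{key}' not set; the Samba default applies")
        elif glob[key].lower() not in good:
            findings.append(f"'{key}' is '{glob[key]}', expected one of {sorted(good)}")
    return findings
```

On the real host, `testparm -s` is the authoritative version of this check: it prints the effective configuration and reports unknown parameter names.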
