Samba in Debian 13 with WS-Discovery working properly in Windows 11 without compromising security

Recently, a buddy asked me to help him configure a linux machine with a shared folder that would work on MacOS and Windows 10. Everything work in MacOS without issues. The trouble came when trying to access the share in Windows 10. After a bunch of research, I learned that Windows 10 has a new way of discovering computers on the network and needs to be told in advance what credentials to use.
 

Samba Configuration

Below is what I did to get it all working without compromising security I used this smb.conf file. There is a bunch of stuff to make the Mac clients play nicely and 3 lines to make it work properly with Windows 10/11.

[global]

   workgroup = WORKGROUP
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = yes
   map to guest = bad user


# This will help with Mac clients
vfs objects = fruit streams_xattr
fruit:metadata = stream
fruit:model = MacSamba
fruit:veto_appledouble = no
fruit:nfs_aces = no

fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
fruit:posix_rename = yes
ea support = yes

# This is required for Windows 10/11
min protocol = SMB3
encrypt passwords = yes
server signing = required

#============Share Definitions===========
[media]
   comment = Debian Media
   path = /srv/samba/media
   browseable = yes
   read only = no
   guest ok = no
   public = yes
   directory mask = 0755
   create mask = 0644


Windows Service Discovery

In order to make the new server show up in the Windows network view, I had to install the wsdd2 package. This is required because Microsoft changed the way that Windows discovers computers on the network. There is no configuration required after you install it.

sudo apt install wsdd2

User and Permissions

Then I created a new linux user named media that cannot log in and has no password. This is so we can assign it a password in samba and not have to give out the real password for the main linux user.

sudo adduser --no-create-home --disabled-password --disabled-login media 

 I pressed enter several times to accept all the default values when prompted. Then I assigned a samba password to the new user. This is the password that the Windows, Mac, and other clients will use to connect to the shared folder.

sudo smbpasswd -a media 

 Next, I changed the ownership of the shared folder shown in the path line of smb.conf and all its contents to the new user named media.

sudo chown -R media:media /srv/samba/media

Te last thing on the linux side is to restart the samba service.

sudo systemctl restart smbd.service

Connecting to the Shared Folder

At this point, the server and share will show up and work properly on the Mac computers, but there will still be problems on the Windows computers. In order to make everything work on Windows without compromising security, we just need to add a credential for this server in Windows Credential Manager. Run Credential Manager, then click on Windows Credentials, then Add a Windows credential. My linux server is called bigdell so for "Internet or network address" and  the samba username I created is media.  Assuming my password is 1234ABCD,   I filled out the form for the new credential as follows:
Internet or network address: bigdell
User name: media
Password: 1234ABCD

Now I can see my linux server in the Network section of Windows Explorer and connect to it successfully.

Comments

Post a Comment

Popular posts from this blog

Transparent xmonad

Image
It seems that tiling window managers suit me as I am back to Xmonad with GNOME. This time I added xcompmgr to the mix and got a nice config that fades all non-focused windows (except rdesktop for some reason. Perhaps because it is on the other screen). I also have some window shadows which are nice for floating dialog boxes. See the screenshot below:
Read more

Convert WebVTT file to SRT format (VTT to SRT)

Lately, I have been creating lots of how-to videos for my colleagues at work.  I like to include subtitles since some people may prefer to read the words I am saying.  We use Microsoft Stream to host the videos since it is part of our Office 365 subscription. One of the great things about Microsoft Stream is that it will automatically generate captions (subtitles) from the audio in the video file.  You can edit the captions right in the web interface as you watch the video.  Microsoft did a great job on this user experience. Today, I needed to burn the subtitles into the video because of limitations of the customers computers.    Handbrake does this well, but it does not understand the WebVTT format.  There are several online converters, but I do not like giving my content to unknown internet services, so I starting learning about the difference between the formats.  JBI Studios have a very helpful explanation about the differences.  I w...
Read more