Last month, I was asked to set up a Samba/SMB server to be accessible over the Internet. The server would only be used temporarily, so I decided to deploy an Azure Virtual Machine (VM) using my student subscription instead of buying a new dedicated VPS.
In the end, the server is not being used, so I will just dump my documentation about it here.
Before proceeding further, I will state that:
Exposing the SMB Server directly to the Internet is not considered a “best practice”. The safest way to make it accessible over the Internet is to set up a VPN server and place the server inside the VPN network.
Goals and Outcomes
The goals here are exactly the same as what’s written in the title, but by the end of this post, you should be able to:
- Deploy an Ubuntu server in Azure
- Set up and configure a Samba server
- Expose the Samba server over the Internet (but don’t)
Prerequisites
The one and only prerequisite is:
- Azure Account
Also, since this post won’t be detailed step by step, I’ll assume that you have:
- Basic knowledge of Azure, at least menu navigation and creating a resource group.
- Basic knowledge of Linux
Let’s jump in!
VM Configuration & Deploy
At this step, I already have a resource group called IAMF_SMB-TEST and I’ll be creating a VM instance inside this resource. It’s a small server used by 4-5 users, so B1s will be enough. You’re free to customize the VM.
The VM details of mine can be seen in the following image:
For authentication to the server, I’ll be using an SSH public key here instead of a password. The account for server administration is called azure-smb. Since the authentication is SSH, this VM will have an SSH port open publicly (internet).
In the following section, I’ll use a standard SSD and leave the other settings at their defaults.
In the Networking section, I’ll just create a new virtual network. See the following image for details:
In the Management section, I’ll just disable the boot diagnostics.
I’ll leave the Advanced with the default settings and skip the Tags section.
The last section is Review + Create, which is basically a section to review the VM configuration. After I finish the review, I’ll press the Create button.
When the Create button is clicked, the VM will be deployed automatically.
SSH Login Test
Once the VM has been deployed, log into it using SSH. The public IP of the VM instance can be found at Dashboard > RESOURCE_GROUP_NAME > PUBLIC_IP_NAME. In my case, it is Dashboard > IAMF_SMB-TEST > smb-server-ip.
$ ssh -i private_key azure-smb@PUBLIC_IP_ADDRESS
Samba Configuration
Installation and Initial Setup
First things first, let’s update the repository list.
azure-smb@smb-server:~$ sudo apt update
After that, install Samba with the following command.
azure-smb@smb-server:~$ sudo apt install samba
Once the installation is done, check the Samba service daemon status.
azure-smb@smb-server:~$ sudo systemctl status smbd
● smbd.service - Samba SMB Daemon
Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-05-13 10:17:45 UTC; 3min 48s ago
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 2098 (smbd)
Status: "smbd: ready to serve connections..."
Tasks: 4 (limit: 1056)
CGroup: /system.slice/smbd.service
├─2098 /usr/sbin/smbd --foreground --no-process-group
├─2123 /usr/sbin/smbd --foreground --no-process-group
├─2124 /usr/sbin/smbd --foreground --no-process-group
└─2129 /usr/sbin/smbd --foreground --no-process-group
May 13 10:17:44 smb-server systemd[1]: Starting Samba SMB Daemon...
May 13 10:17:45 smb-server systemd[1]: Started Samba SMB Daemon.
Samba is ready, and now let’s configure the share folder.
Shares Configuration
First, let’s create a backup file of the original configuration, so we can reset it to the default configuration, just in case something goes wrong.
azure-smb@smb-server:~$ sudo cp /etc/samba/smb.conf{,.backup}
Now create a share folder and name it sambashare.
azure-smb@smb-server:~$ mkdir sambashare
Then open the Samba configuration file with a text editor like nano.
azure-smb@smb-server:~$ sudo nano /etc/samba/smb.conf
Go straight to the bottom of the file and add the following lines.
[sambashare]
comment = Samba Share
path = /home/azure-smb/sambashare
read only = no
browsable = yes
Details on configuring a share can be read here or here.
Save the file and restart the SMB daemon with the following command:
azure-smb@smb-server:~$ sudo service smbd restart
Lastly, update the firewall to allow network traffic for Samba/SMB.
azure-smb@smb-server:~$ sudo ufw allow samba
This is the basic configuration of creating a Samba share, but from here you can create another share with more complex configuration. Here are my references:
- https://linuxize.com/post/how-to-install-and-configure-samba-on-ubuntu-18-04/
- https://confluence.jaytaala.com/display/TKB/Create+samba+share+writeable+by+all%2C+group%2C+or+only+a+user
- https://www.digitalocean.com/community/tutorials/how-to-set-up-a-samba-share-for-a-small-organization-on-ubuntu-16-04
Add Samba User
Currently, our Linux account for administering the server is azure-smb and we can’t use this account’s password to access the SMB shares yet. Instead, we need to create a password and bind it to azure-smb.
But for now, let’s just create a dedicated user for SMB called user1.
azure-smb@smb-server:~$ sudo useradd --system -s /usr/sbin/nologin user1
Assign user1 to be the owner of the share.
azure-smb@smb-server:~$ sudo chown user1 /home/azure-smb/sambashare
After that, create a Samba password for user1.
azure-smb@smb-server:~$ sudo smbpasswd -a user1
New SMB password:
Retype new SMB password:
Added user user1.
Finally, enable the user.
azure-smb@smb-server:~$ sudo smbpasswd -e user1
Enabled user user1.
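An added example, not part of the original post: a small shell/awk audit that flags share settings that matter once port 445 is reachable from the Internet, run over the stanza from this post and over a tightened variant. The four checks and the hardened values (valid users = user1, smb encrypt = required, server min protocol = SMB3) are this example's assumed policy, and both sample files are constructed.

```shell
# Constructed sample 1: the share stanza from this post under an empty [global].
page_conf() { cat <<'EOF'
[global]
[sambashare]
   comment = Samba Share
   path = /home/azure-smb/sambashare
   read only = no
   browsable = yes
EOF
}
# Constructed sample 2: the same share with this example's assumed policy applied.
hardened_conf() { cat <<'EOF'
[global]
   server min protocol = SMB3
   smb encrypt = required
[sambashare]
   path = /home/azure-smb/sambashare
   read only = no
   guest ok = no
   valid users = user1
EOF
}

# audit_share SHARE < smb.conf : prints one finding per line, nothing if clean.
audit_share() {
    awk -v share="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*([#;]|$)/ { next }                     # skip comments and blank lines
    /^[ \t]*\[/ { sec = tolower(trim($0)); gsub(/^\[|\]$/, "", sec); next }
    (i = index($0, "=")) {                         # key = value inside a section
        k = tolower(trim(substr($0, 1, i - 1))); gsub(/[ \t]+/, " ", k)
        opt[sec SUBSEP k] = tolower(trim(substr($0, i + 1)))
    }
    # Share-level value if present, otherwise the [global] value.
    function get(k,   s) { s = tolower(share) SUBSEP k
        return (s in opt) ? opt[s] : opt["global" SUBSEP k] }
    END {
        if (get("guest ok") ~ /^(yes|true|1)$/ || get("public") ~ /^(yes|true|1)$/)
            print "guest-access: share allows unauthenticated guests"
        if (get("valid users") == "")
            print "no-valid-users: any enabled Samba account may connect"
        if (get("smb encrypt") !~ /^(required|mandatory)$/)
            print "no-encryption: smb encrypt is not set to required"
        mp = get("server min protocol")
        if (mp == "") mp = get("min protocol")
        if (mp !~ /^smb3/)
            print "old-dialects: server min protocol is not pinned to SMB3"
    }'
}
echo "post config:";     page_conf     | audit_share sambashare
echo "hardened config:"; hardened_conf | audit_share sambashare
```

On a real server, pipe /etc/samba/smb.conf into audit_share instead of the samples, and run testparm after editing to confirm Samba accepts the file.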
Expose SMB to the Internet
Allow Inbound Connection
Now if we want to make the SMB server available on the Internet, we have to go back to the Azure Portal to open the SMB port (port 445) on the NIC Public IP and allow inbound connections through that port. The connection is then forwarded to our SMB port on the NIC Private IP.
PUBLIC_IP:445 --> PRIVATE_IP:445
To do that, open up the Networking settings of the SMB VM and click the Add inbound port rule button.
In the new window, configure the rule to allow any source (incoming IP) and any source port (incoming port) to connect to the SMB port (445). The detailed configuration is as follows:
At the bottom, the configuration is as follows:
When you’re done, click on the Add button and the new rule should be listed in the Inbound port rules section.
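An added example, not from the original post: a dry-run helper that prints the Azure CLI and ufw commands for allowing port 445 only from known client addresses, and refuses any source that is missing, malformed, or broader than /24. NSG_NAME, the rule name and priority 310 are placeholders, the /24 limit is this example's assumption, and the sample addresses are documentation ranges.

```shell
RG="IAMF_SMB-TEST"   # resource group named in the post
NSG="NSG_NAME"       # placeholder: the post does not name the network security group

# ok_source CIDR: succeeds only for IPv4 a.b.c.d/N with 24 <= N <= 32.
ok_source() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
          for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if ($5 < 24 || $5 > 32) exit 1 }'
}

# smb_allow_plan CIDR...: prints the commands to run. Prints nothing on stdout
# and returns 1 if no source is given or any source fails ok_source.
smb_allow_plan() {
    [ "$#" -gt 0 ] || return 1
    for c in "$@"; do
        ok_source "$c" || { echo "refusing source: $c" >&2; return 1; }
    done
    # One NSG rule carrying every allowed prefix (priority is a placeholder).
    echo "az network nsg rule create --resource-group $RG --nsg-name $NSG" \
         "--name allow-smb-known-sources --priority 310 --direction Inbound" \
         "--access Allow --protocol Tcp --destination-port-ranges 445" \
         "--source-address-prefixes $*"
    # Replace the any-source host firewall rule with per-source rules.
    echo "sudo ufw delete allow samba"
    for c in "$@"; do
        echo "sudo ufw allow from $c to any port 445 proto tcp"
    done
}

# Constructed sample sources (RFC 5737 documentation addresses).
smb_allow_plan 203.0.113.10/32 198.51.100.0/24
```

An existing any-source rule for port 445 has to be removed from the NSG for the narrower rule to have any effect.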
SMB Access Test
We can use nmap to see if the SMB port has been opened.
$ nmap -p445 -sV VM_PUBLIC_IP
To interact with the SMB server via CLI, you can use smbclient. Install it with:
$ sudo apt install smbclient
Once it is installed, connect to the share with the following command:
$ smbclient //[IP]/[sharename]
Adding -N -L can list all the available shares.
You can also provide the password directly in the terminal:
$ smbclient //[IP]/[sharename] -U [username] [password]
$ smbclient //[IP]/[sharename] -U 'username%password'
And that’s all. It is not that detailed, but I hope you will find it useful.