Last month, I was asked to set up a Samba/SMB server that is accessible over the Internet. Because it would only be used temporarily, I decided to use an Azure Virtual Machine (VM) instead of buying a dedicated VPS.

In the end, the server was never used, but I’ll share my documentation about it anyway.

Before proceeding further, I will state that:

Exposing an SMB Server directly to the Internet is not recommended, or not considered to be ‘best practice’. The safest way to make it accessible over the Internet is by setting up a VPN server and putting the SMB inside the VPN network.

Goals and Outcomes

The goals here are exactly the same as what’s written in the title, but by the end of this post, you should be able to:

  • Deploy an Ubuntu server in Azure
  • Set up and configure a Samba server
  • Expose the Samba server over the Internet (but don’t)

Prerequisites

The one and only prerequisite is:

  • Azure Account

Also, since this post won’t be detailed step by step, I’ll assume that you have:

  • Basic knowledge of Azure, at least menu navigation and creating a resource group.
  • Basic knowledge of Linux

Let’s jump in!

VM Configuration & Deploy

At this step, I already have a resource group called IAMF_SMB-TEST and I’ll be creating a VM instance inside this resource group. It’s a small server used by 4-5 users, so B1s will be enough. You’re free to customize the VM.

The VM details of mine can be seen in the following image:

image-20210513170545346

For authentication to the server, I’ll be using an SSH public key here instead of a password. The account for server administration is called azure-smb. Since administration is done over SSH, this VM will have its SSH port open to the Internet.

image-20210513170638603

In the following section, I’ll use a standard SSD and leave the other settings at their defaults.

image-20210513170710958

In the Networking section, I’ll just create a new virtual network. See the following image for details:

image-20210513170824172

In the Management section, because it will be temporary, I’ll just disable the boot diagnostics.

image-20210513171009570

I’ll leave the Advanced section at its default settings and skip the Tags section.

The last section is Review + Create, which basically reviews the VM configuration. After I finish the review, I’ll press the Create button.

image-20210513171153896

When the Create button is clicked, the VM will be automatically deployed.

image-20210513171501031

Test SSH Login

The next step is to log in to the deployed VM instance via SSH using the previously created username and key/password. The public IP of the VM instance can be found at Dashboard > RESOURCE_GROUP_NAME > PUBLIC_IP_NAME. In my case, it is Dashboard > IAMF_SMB-TEST > smb-server-ip.

$ ssh -i private_key azure-smb@PUBLIC_IP_ADDRESS

image-20210513171606268

Samba Configuration

Installation and Initial Setup

First things first, let’s update the repository list.

azure-smb@smb-server:~$ sudo apt update

After that, install Samba with the following command.

azure-smb@smb-server:~$ sudo apt install samba

Once the installation is done, check the Samba service daemon status.

azure-smb@smb-server:~$ sudo systemctl status smbd
● smbd.service - Samba SMB Daemon
   Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2021-05-13 10:17:45 UTC; 3min 48s ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 2098 (smbd)
   Status: "smbd: ready to serve connections..."
    Tasks: 4 (limit: 1056)
   CGroup: /system.slice/smbd.service
           ├─2098 /usr/sbin/smbd --foreground --no-process-group
           ├─2123 /usr/sbin/smbd --foreground --no-process-group
           ├─2124 /usr/sbin/smbd --foreground --no-process-group
           └─2129 /usr/sbin/smbd --foreground --no-process-group

May 13 10:17:44 smb-server systemd[1]: Starting Samba SMB Daemon...
May 13 10:17:45 smb-server systemd[1]: Started Samba SMB Daemon.

Samba is ready, and now let’s configure the share folder.

Shares Configuration

First, let’s create a backup file of the original configuration, so we can reset it to the default configuration, just in case something goes wrong.

azure-smb@smb-server:~$ sudo cp /etc/samba/smb.conf{,.backup}

Now create a share folder and name it sambashare.

azure-smb@smb-server:~$ mkdir sambashare

Then open the samba configuration file with a text editor like nano.

azure-smb@smb-server:~$ sudo nano /etc/samba/smb.conf

Go straight to the bottom of the file and add the following lines.

[sambashare]
    comment = Samba Share
    path = /home/azure-smb/sambashare
    read only = no
    browsable = yes

Details on configuring a share can be read here or here.

Save the file and restart the SMB daemon with the following command:

azure-smb@smb-server:~$ sudo service smbd restart

Lastly, update the firewall to allow network traffic for Samba/SMB.

azure-smb@smb-server:~$ sudo ufw allow samba

This is the basic configuration for creating a Samba share, but from here you can create another share with a more complex configuration. Here are my references:

Add Samba User

Currently, our Linux account for administering the server is azure-smb, and we can’t use this account’s password to access the SMB shares yet. Instead, we need to create a Samba password and bind it to azure-smb.

But now, let’s just create a dedicated user for SMB called user1.

azure-smb@smb-server:~$ sudo useradd --system -s /usr/sbin/nologin user1

Assign user1 to be the owner of the share.

azure-smb@smb-server:~$ sudo chown user1 /home/azure-smb/sambashare

After that, create a Samba password for user1.

azure-smb@smb-server:~$ sudo smbpasswd -a user1
New SMB password: 
Retype new SMB password: 
Added user user1.

Finally, enable the user.

azure-smb@smb-server:~$ sudo smbpasswd -e user1
Enabled user user1.

Expose to Internet

Allow Inbound Connection

Now if we want to make it available on the Internet, we have to go back to the Azure Portal to open the SMB port (445) on the NIC Public IP and allow inbound connection through that port. The connection is then forwarded to our SMB port on the NIC Private IP.

PUBLIC_IP:445 --> PRIVATE_IP:445

To do that, open up the Networking settings of the SMB VM and click on the Add inbound port rule button.

image-20210513173838694

In the new window, configure the rule to allow any source (incoming IP) and any source port (incoming port) to connect to the SMB port (445). The detailed configuration is as follows:

image-20210513173858659

At the bottom, the configuration is as follows:

image-20210513173929271

When you’re done, click on the Add button and the new rule should be listed in the Inbound port rules section.

image-20210513174018895
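
With port 445 reachable from any source, access control rests entirely on smb.conf. The following script is an added example, not part of the original post: it audits a config for the settings that matter in that situation (per-share valid users, guest access, server min protocol, smb encrypt). The function name audit_smb_conf and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: minimal audit of an smb.conf for an Internet-reachable server.
# Simplified parser (no include handling); parameter names are normalised
# the way Samba does it: case-insensitive, internal whitespace ignored.
audit_smb_conf() {
    awk '
    function report() {
        if (sec == "" || sec == "global" || sec == "printers" || sec == "print$") return
        if (guest)  print "share " sec ": guest access enabled"
        if (!users) print "share " sec ": no valid users restriction"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[.*\]/ {
        report()
        sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        guest = 0; users = 0; next
    }
    {
        i = index($0, "="); if (i == 0) next
        key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
        val = tolower(substr($0, i + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (sec == "global" && key == "serverminprotocol") minproto = val
        if (sec == "global" && (key == "smbencrypt" || key == "serversmbencrypt")) enc = val
        if ((key == "guestok" || key == "public") && val ~ /^(yes|true|1)$/) guest = 1
        if (key == "validusers" && val != "") users = 1
    }
    END {
        report()
        if (minproto !~ /^smb3/) print "global: server min protocol is not SMB3 or higher"
        if (enc !~ /^(required|mandatory)$/) print "global: smb encrypt is not required"
    }' "$1"
}

# Constructed samples: the share stanza from this post, and a tightened variant.
tmp=$(mktemp -d)
printf '%s\n' '[sambashare]' '    comment = Samba Share' \
    '    path = /home/azure-smb/sambashare' '    read only = no' \
    '    browsable = yes' > "$tmp/page.conf"
printf '%s\n' '[global]' '    server min protocol = SMB3' \
    '    smb encrypt = required' '[sambashare]' \
    '    path = /home/azure-smb/sambashare' '    read only = no' \
    '    valid users = user1' > "$tmp/hardened.conf"

echo "== page.conf ==";     audit_smb_conf "$tmp/page.conf"
echo "== hardened.conf =="; audit_smb_conf "$tmp/hardened.conf"
```

The stanza from this post produces three findings, while the tightened variant produces none. Restricting the Source field of the inbound rule to known client addresses instead of Any narrows the exposure further at the network layer.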

Test Access

We can use Nmap to see if the SMB port has been opened.

$ nmap -p445 -sV VM_PUBLIC_IP

image-20210513174227862

To interact with the SMB server via CLI, you can use smbclient. Install it with:

$ sudo apt install smbclient

Once it is installed, connect to the share with the following command:

$ smbclient //[IP]/[sharename] 

Adding -N -L lists all the available shares: -L requests the share list and -N suppresses the password prompt.

image-20210513174416250

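You can also provide the password directly in the terminal, keeping in mind that a password typed this way ends up in the shell history and is visible in the process list: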

$ smbclient //[IP]/[sharename] -U [username] [password]
$ smbclient //[IP]/[sharename] -U 'username%password'

And that’s all. It is not that detailed, but I hope you will find it useful.