File:  [NetBSD Developer Wiki] / wikisrc / tutorials / how_to_secure_samba_with_stunnel.mdwn
Revision 1.2
Sun Feb 5 07:14:36 2012 UTC (9 years, 11 months ago) by schmonz
Branches: MAIN
CVS tags: HEAD

SMB, also known as CIFS (Common Internet File System), is a ubiquitous file sharing mechanism, but unfortunately it is very insecure. All files are sent in the clear over the line, and if you don't configure password encryption, even passwords are sent as cleartext.

There is currently no built-in encryption or security in the CIFS protocol, nor is there any available as an extension to Samba, so we'll have to resort to external methods.

One of the nicer ways to secure Samba is by using stunnel. This is a little tool which listens on a port on the client machine and forwards all data sent to that port to another port/machine, encrypted via (Open)SSL.

**Contents**

[[!toc levels=2]]

# Setting up the server

## Configure samba

You set up the server just as you would normally, as described in [[How to set up a Samba Server]].

If you wish to allow _only_ secure traffic, you can make Samba listen only on localhost with the following statement in `smb.conf`:

    # Only listen on loopback interface
    socket address=

## Configure stunnel

You can install security/stunnel from [[pkgsrc/pkgsrc]]. Then you can copy `/usr/pkg/share/examples/stunnel/stunnel.conf-sample` and modify it to your needs. The following will be sufficient if you only need the bare minimum to get a secure samba setup:

    # Simple stunnel configuration for a secure samba setup ####
    # OpenSSL certificate
    cert = /usr/pkg/etc/stunnel/stunnel.pem
    # Run chrooted as nobody
    chroot = /var/run/stunnel
    setuid = nobody
    setgid = nobody
    # This file is created after chrooting
    pid = /stunnel

    # Accept connections on port 800, on any interface
    [smb]
    accept  =
    # instead of port 139, port 445 will also work, unless you're using Mac OS X clients
    connect = localhost:139
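
As you can see, you'll need an SSL certificate and key. The configuration above sets only `cert`, so stunnel expects the private key in the same file as the certificate. Since `-nodes` stores the key unencrypted, make sure the file is readable only by root. Both can be generated like this:

    # openssl req -new -nodes -x509 -out /usr/pkg/etc/stunnel/stunnel.pem -keyout /usr/pkg/etc/stunnel/stunnel.pem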

## Run stunnel

Just add `stunnel=yes` to your `/etc/rc.conf`:

    # echo "stunnel=yes" >> /etc/rc.conf
    # /etc/rc.d/stunnel start

**Warning**: stunnel is very silent. Even if it gets an error it will just fail silently. Check with `pgrep` whether it's running.

# Configuring your clients

## Unix clients

On a Unix client you simply install and run security/stunnel as described above. You'll need to swap the port numbers and put it in client mode, i.e., your `stunnel.conf` should look like this:

    client = yes
    [smb]
    accept=localhost:139
    connect=servername:800

This makes your client act as a samba server, to which you can connect. As soon as you connect to your machine, the data is encrypted and forwarded to `servername`. You can run stunnel from `rc.conf` just like on the server side.

Of course you can easily test it by connecting to localhost:

    # smbclient -U yoda //localhost/myshare
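
The client configuration above sets no verification option, and stunnel does not check the peer certificate unless told to, so the tunnel is encrypted but the client never confirms which server it is talking to. The following check is an added example, not part of the original tutorial: it reports client-mode services that lack `verify`, `verifyChain` or `verifyPeer`. The sample config, the `smb-pinned` service, port 1139 and `server-cert.pem` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: flag stunnel services that run
# in client mode without authenticating the server certificate.
# audit_stunnel_conf FILE -> one verdict per service; exit status 1 on a finding
audit_stunnel_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    # Print the verdict for the service section that just ended.
    function verdict(    c) {
        if (svc == "") return
        # Options set before the first [section] are defaults for every service.
        c = (svc in client) ? client[svc] : client[""]
        if (c != "yes") print svc ": server mode"
        else if (strong[svc] || strong[""]) print svc ": client, server verified"
        else { print svc ": client, server NOT verified"; bad = 1 }
    }
    /^[ \t]*$/    { next }    # blank line
    /^[ \t]*[;#]/ { next }    # comment
    /^[ \t]*\[/   {           # [service] header closes the previous section
        verdict(); svc = trim($0); sub(/^\[/, "", svc); sub(/\].*$/, "", svc); next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        if (key == "client") client[svc] = val
        if ((key == "verifychain" || key == "verifypeer") && val == "yes") strong[svc] = 1
        if (key == "verify" && val + 0 >= 2) strong[svc] = 1
    }
    END { verdict(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the client config from this page plus a pinned variant.
# server-cert.pem is a hypothetical copy of the server certificate (no key).
sample=$(mktemp)
cat > "$sample" <<'EOF'
client = yes
[smb]
accept = localhost:139
connect = servername:800
[smb-pinned]
accept = localhost:1139
connect = servername:800
CAfile = /usr/pkg/etc/stunnel/server-cert.pem
verifyPeer = yes
EOF
audit_stunnel_conf "$sample" || echo "at least one client service skips verification"
rm -f "$sample"
```

On stunnel 4.x, which predates `verifyPeer`, the equivalent pinning setting is `verify = 3` with the same `CAfile`.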

## Windows clients

Connecting a Windows client to samba over stunnel is a major hassle. Some background on why this is a problem is in order.

Apparently, when Windows is booted, the kernel binds a socket to port 445 on every **real** (this is important as we'll see later on) network interface. This means that no other process can ever bind this port (try it, you'll get a "permission denied" message). This would mean we need to use another port for our fake "shared folder". Unfortunately, the Windows file manager has no way to specify which port to use when you click "map network drive", so that's not an option.

Luckily for us, Windows has the following odd behaviour: when you click "map network drive" in the file manager, it will first try to connect to port 445. When it finds no service listening there, it will try to fall back to port 139. Only when that has no service listening either will it tell the user it couldn't connect. We will "abuse" this behaviour by tricking it into using port 139.

Simply binding stunnel to port 139 is impossible, because of the Windows behaviour where it binds ports 139 and 445 on every interface, even if no actual files are being shared. It turns out that it doesn't do this on loopback network devices. To install one, follow this set of instructions:

  1. Open the "add hardware" wizard from the control panel.
  2. Wait for it to search in vain for new hardware.
  3. Tell it "yes, I've already connected my hardware" or the wizard will end...
  4. Pick "add a new device" from the bottom of the list.
  5. Don't let Windows search for the hardware but choose it from a list ("Advanced").
  6. Pick the category "Network adapters".
  7. Choose "Microsoft loopback adapter".

When our new "hardware" is installed, you need to assign it an IP and disable NetBIOS activity on it:

  1. Open the "properties" dialog from the context menu in the "network connections" overview.
  2. Deselect all bindings except the TCP/IP ones. Typically you'll need to deselect "client for Microsoft networks" and "File and printer sharing".
  3. Select "TCP/IP", and then "settings" (or "properties").
  4. Choose any private network IP address you'll never see in any real network. ( is a good example)
  5. Click "Advanced...".
  6. Choose the tab titled "WINS".
  7. Under "NetBIOS settings", click on "Disable NetBIOS over TCP/IP".

Finally, we can install stunnel (Windows binaries are available from [1]). Put this in the `stunnel.conf` file:

    client=yes
    [smb]
    accept=
    connect=servername:800

It is advisable to install the stunnel service so it will start on system boot, which means it will be (semi-)transparent to the user.

To connect to the server, just open up the "map network drive" dialog and enter `\\\sharename` in the "computer name" box. To make this process a little more user-friendly, think up a hostname and put it in `\winnt\system32\drivers\etc\hosts` (Windows NT/XP) or `\windows\hosts` (Windows '9x). The format of this file is exactly like `/etc/hosts` on Unix.

# References

  * stunnel website; how to create an SSL key
  * A mail on FreeBSD-questions from some poor guy who found out how to do this after many months
