non-root smb share

nas/Dockerfile

@@ -6,11 +6,15 @@ RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
 RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y samba
 
+# create required files and user
 RUN groupadd -g 2003 me && useradd -u 2003 -g 2003 -m me
 USER me
 WORKDIR /home/me
-
-# TODO copy config files
 RUN mkdir share samba samba/log samba/lock samba/state samba/cache samba/pid samba/private samba/ncalrpc
-COPY --chown=me:me smb.conf ./
-COPY --chown=me:me entry.sh ./
+COPY --chown=me:me smb.conf entry.sh ./
+
+# create additional users
+USER root
+COPY users.sh ./
+RUN /bin/sh users.sh && rm users.sh
+USER me

nas/entry.sh

@@ -1,4 +1,6 @@
 #!/bin/sh
 
-# TODO sigterm?
-smbd -s smb.conf -l=/home/me/samba/log --foreground --no-process-group
+smbd -s smb.conf -l=/home/me/samba/log
+trap 'echo "stopping smbd..."' TERM
+tail -f /dev/null &
+wait $!

nas/smb.conf

@@ -1,7 +1,26 @@
 [global]
 workgroup = WORKGROUP
-min protocol = SMB3
 smb ports = 8445
+load printers = no
+disable spoolss = yes
+
+server role = standalone
+security = user
+passdb backend = tdbsam
+map to guest = Never
+
+server min protocol = SMB3
+server smb encrypt = required
+server smb3 encryption algorithms = AES-256-GCM
+server smb3 signing algorithms = AES-128-GMAC AES-128-CMAC HMAC-SHA256
+server signing = mandatory
+
+client min protocol = SMB3
+client smb encrypt = required
+client smb3 encryption algorithms = AES-256-GCM
+client smb3 signing algorithms = AES-128-GMAC AES-128-CMAC HMAC-SHA256
+client signing = required
+client ipc signing = required
 
 lock directory = /home/me/samba/lock
 state directory = /home/me/samba/state
@@ -17,8 +36,5 @@ directory mask = 0770
 force user = me
 force group = me
 
-# TODO auth + encrypt
-guest ok = yes
-
 [share]
 path = /home/me/share