All investigations
Case 04 Network & Detection SMB Service Recovery

Samba

An internal SMB service at Oxfredy University was failing silently — lecturers could not upload, students could not access. Three layered misconfigurations in smb.conf were operating against each other. The restrictive protocol floor looked like the obvious suspect, but was not the cause. The real failure was a deprecated authentication mode still active in the runtime configuration, combined with an orphaned valid users declaration that had been commented out of the share block.

Executive Summary

Lecturers reported they could not upload to the [lessons] SMB share. The assigned role was system administrator, not incident responder — the objective was to identify the misconfiguration, correct it, and restore access under appropriate user authentication.

Review of /etc/samba/smb.conf surfaced three separate problems: server min protocol = SMB3 set an unusually high floor; security = share (deprecated, anonymous-access style) was still active in the global section; and the [lessons] share's valid users directive had been commented out, leaving no explicit user authentication for the share. The fix required resolving all three, but only one of them was actually the root cause of the upload failure — and the triage sequence mattered for that reason.

After corrections and a service restart, the share accepted per-user authenticated access, and the lesson file in the share was recovered and validated.

Findings & Analysis

Deprecated auth mode active
security = share
Share-level security was removed from mainline Samba years ago. Its presence in the runtime config permitted anonymous-style share access patterns and made per-user enforcement ambiguous. Root cause of the failure when combined with the next finding.
Orphaned user directive
[lessons] — valid users
commented out
The share block declared valid users = %S but the line was commented. With security = share active globally and no explicit per-share user list, the share had no meaningful authentication enforcement path.
Restrictive protocol floor
server min protocol = SMB3
Unusually high floor. Red-herring-looking at first — too restrictive for legacy clients, and the most visually obvious misconfig in the file. Ruled out as the cause of the upload failure during triage.
Privileged service control
smbadmin NOPASSWD on
service smbd
Confirmed via sudo -l. The assigned user could start, stop, restart, and query the smbd service without a password, which was required to apply the configuration fix and validate the repair.
Recovered lesson file
lessons-11.txt →
33e2bb43ea4e40fa8259
b203c46e418a
Retrieved from /home/smbuser/share/ after corrected configuration and service restart. File contents validated against the expected submission flag.
Configuration reference
  • Config file: /etc/samba/smb.conf
  • Share path: /home/smbuser/share/
  • Service: smbd (managed via service smbd restart)
  • Authentication target: smbuser (per-user auth, least privilege)
  • Recovered file: lessons-11.txt

Tools & Technologies

sudo -l
Privilege enumeration. Confirmed the scope of allowed commands for the assigned user before attempting any service-level action. The NOPASSWD rule for service smbd was the only privileged path available — knowing that up front shaped what the fix could look like.
nano + /etc/samba/smb.conf
Direct configuration analysis and editing. The three findings all live in this one file; reading it in full was the difference between fixing the surface-level symptom and fixing the cause.
service smbd
Service control for applying and validating the configuration change. Restart was required for smb.conf changes to take effect; a failed restart would have indicated a syntax error in the edits before any functional test was run.
Linux filesystem navigation
Standard cd / ls / cat to validate the corrected share path was reachable, the target file was present, and the lesson content was readable under the new authentication rules.

Investigation Process

Five steps. The defining move was not any of the fixes — it was deciding, during configuration review, which of three visible misconfigurations was actually responsible for the failure and which were noise.

Step 01 Verify user privileges NOPASSWD on smbd
sudo -l

Why: Establish what the assigned user can actually do before touching anything. Response: (root) NOPASSWD: /usr/sbin/service smbd start|stop|restart|status. This defines the scope of the repair — the user can restart the service, but cannot install packages or escalate further.

Step 02 Analyze Samba configuration Three issues, one cause
nano /etc/samba/smb.conf

Why: Read the config in full. Three candidate issues surfaced: server min protocol = SMB3 (restrictive floor), security = share (deprecated auth mode, still active), and [lessons] with valid users = %S commented out. Rather than patching all three as equally suspect, triage which one actually caused the failure.

Triage — ruling out the obvious

The restrictive protocol floor was the most visually conspicuous misconfig and therefore the easy suspect. But a protocol floor that's too high produces a different failure mode — clients unable to negotiate a session at all — not the silent upload-permission failure that was reported. The actual failure pattern matched authentication resolution: security = share was still active globally, which meant share-level (not user-level) enforcement, while the [lessons] share's valid users line was commented out. The share had no per-user authentication path to enforce. That was the cause. The protocol floor still needed to be fixed, but it was not why the lecturer could not upload.

Step 03 Apply targeted fixes in smb.conf Three corrections
# Lower the protocol floor for legacy client compatibility server min protocol = lanman1 # Disable the deprecated auth mode # security = share # Restore explicit per-user authentication on the share valid users = smbuser # Corrected [lessons] share block [lessons] path = /home/smbuser/share/ read only = no

Why: Three discrete edits to the same file. Lower the protocol floor so legacy clients can negotiate; remove the deprecated security = share from the runtime path; uncomment valid users so the share has an explicit authentication enforcement target. All three are required for a clean configuration — but only the second and third are required for the reported failure to resolve.

Step 04 Restart the SMB service No errors
sudo service smbd restart

Why: Configuration changes to smb.conf do not take effect until smbd reloads. A failed restart at this point would indicate a syntax error in the edits and catch the problem before a functional test; the restart succeeded cleanly, which is the first positive signal that the configuration is valid.

Step 05 Validate file access Lesson file readable
cd /home/smbuser/share/ ls cat lessons-11.txt

Why: Functional validation. If the configuration fix actually resolved the authentication path, the share directory is reachable and the target file is readable. Contents confirmed the expected flag, closing the case. The upload permission that the lecturer originally reported would now resolve on the same authentication path.

Recommendations

Remove deprecated directives from runtime configs
Directives like security = share that have been removed from mainline Samba should be stripped out during any config audit, not left commented or hanging. An active deprecated directive is worse than one that's been explicitly deleted — it ambiguates the authentication model and creates exactly the layered-misconfiguration failure mode seen here.
Enforce explicit per-user authentication on every share
Every share block should declare valid users explicitly, not rely on global defaults or on placeholder values like %S that require a particular interplay with other directives to behave. Least-privilege authentication works only when it is stated at the share level.
Triage before patching when multiple misconfigurations are present
When a configuration file contains several visible issues, patching all of them at once resolves the symptom but loses the diagnostic signal. Identifying which specific misconfiguration caused the reported failure — before making the correction — builds the operational knowledge needed to prevent the same class of failure elsewhere.
Set protocol floors deliberately, not defensively
A protocol floor of SMB3 is appropriate for environments where every client supports modern SMB; it is not a default-on hardening measure. Setting the floor higher than the deployed client base can negotiate creates a different class of failure (session cannot be established at all) that can look similar to an authentication problem from the user's perspective. Align the floor to the actual client base.

Technical Note

Layered misconfiguration — why the obvious answer was wrong

Three misconfigurations were visible in smb.conf, but only two of them were causally linked to the reported failure. The restrictive protocol floor (server min protocol = SMB3) was the most conspicuous — it looks wrong at first read, and fixing it feels productive. But a protocol-floor mismatch produces a negotiation-level failure: clients cannot establish a session at all, and the failure surfaces before authentication. The reported failure was specifically at the authentication stage: lecturers could reach the share but could not upload. That pattern pointed away from protocol and toward the combination of security = share (deprecated, ambiguous authentication model) with valid users commented out of the share block (no enforcement target).

The operational value of distinguishing these before patching is that the next SMB incident in the same environment will be triaged on the same symptom-to-cause mapping, not by reflexively patching whichever directive looks most wrong.

References

  1. Samba smb.conf man page. Authoritative reference for share-level directives, authentication modes, and protocol negotiation options. samba.org
  2. Deprecation of security = share. Share-level security was removed from mainline Samba; the directive persists in legacy configurations but no longer has the behavior the original design intended. Samba release notes and documentation cover the history.
  3. CIS Benchmark — SMB/Samba hardening. Baseline hardening guidance for SMB services in Linux environments, including protocol floors appropriate to the client population. cisecurity.org