Create an Encrypted Samba Share

Create a Script for Login to Samba Share
Here is a scenario where you have Windows users who need to log into an encrypted directory that is mounted on a Linux Samba share.  This provides an interesting option for security.
The Linux user, who has sudo access logs in and when they do  are asked to mount the truecrypt volume and also restart samba server because the volume will exist on a Samba share.  It is imperative that the user who mounts the share is in the adm group so they are able to enter the sudo commands to run programs as root.

Verify that the user is in the /etc/group file and listed in the “adm” group.  Here we have two users mike and sue in the adm group.

adm:x:4:mike , sue

Edit the Samba Server
Edit your /etc/samba/smb.conf file to allow the user mike to login to the encrypted directory.  Be sure your workgroup is the same for your Windows machines.  Notice that passwords are encrypted and the more secure tdbsam is used for the database backend.

This is a copy of what you need in your /etc/samba/smb.conf file.
[global]
netbios name = linuxserver
workgroup = WORKGROUP
server string = Public File Server
security = user
encrypt passwords = yes
passdb backend = tdbsam

[mike]
comment = Truecrypt  Directory
path = /media/truecrypt3
valid users = mike
browsable = no
guest ok = no
read only = no

Create a smbpasswd Account
Be sure that the user you are using has their password on both the Linux system account and also on samba as they are separate databases.

smbpasswd -a mike
New SMB password:
Retype new SMB password:
Added user mike.

Edit the User’s .bashrc File
Each user that logs in to the Linux box has their environment created by the hidden .bashrc file which is in every user home directory.  What you want to do is at the end of the .bashrc file you want to add a line that will execute the script that you create.  Here is the information needed for the user mike to execute the script that will be in the user’s home directory.

#truecrypt
sh /home/mike/truecrypt.sh

Create the truecrypt Script
This simple script will ask for the password of the sudo user (the password for the user mike in this example who has sudo rights), then it will mount the directory and restart samba so the directory is available with Samba.

#!/bin/sh
# Truecrypt Script
truecrypt -k “” –protect-hidden=no –mount /protect/encrypt.tc /media/truecrypt3

sudo /etc/init.d/samba restart

Here is the output.

Last login: Thu Jan  1 06:59:09 2009 from 192.168.5.178
Enter password for /protect/encrypt.tc:
Enter system administrator password:
[sudo] password for mike:
* Stopping Samba daemons                                                [ OK ]
Starting Samba daemons                                                [ OK ]

Verify that the mount is running with this command:

truecrypt -l
3: /protect/encrypt.tc /dev/mapper/truecrypt3 /media/truecrypt3

Login from another Linux box with this command or with samba from a Windows machine, this is the Linux example.

smbclient //192.168.5.102/mike
Enter mike’s password:
Domain=[WK] OS=[Unix] Server=[Samba 3.2.3]
smb: \> ls
.                                   D        0  Fri Dec 26 05:49:43 2008
..                                  D        0  Thu Jan  1 11:39:10 2009
debconf.conf                              2969  Fri Dec 26 05:49:42 2008
sensors.conf                             85602  Fri Dec 26 05:49:43 2008
adduser.conf                              2986  Fri Dec 26 05:49:42 2008
nsswitch.conf                              475  Fri Dec 26 05:49:42 2008
ltrace.conf                              13144  Fri Dec 26 05:49:42 2008
xinetd.conf                                289  Fri Dec 26 05:49:43 2008
host.conf                                   92  Fri Dec 26 05:49:42 2008

47157 blocks of size 2048. 41816 blocks available
smb: \>

Tagged as: encrypted samba share, samba, truecrypt