When setting up administrative shares in Samba similar to Windows' administrative shares (like C$), one significant roadblock is Samba's default security configuration that prevents root access to shares. This security measure exists for good reason - to prevent potential system-wide vulnerabilities.
Before proceeding with configuration changes, it's crucial to understand:
- Samba deliberately restricts root access by default
- Modifying these restrictions increases security risks
- Alternative approaches should be considered where possible
To enable root access for a specific share while maintaining some security precautions, modify your smb.conf:
```ini
[global]
unix extensions = no
security = user

[admin_share]
path = /path/to/directory
browseable = no
read only = no
writable = yes
valid users = root
force user = root
force group = root
create mask = 0770
directory mask = 0770
```
These additional parameters enhance security while allowing root access:
```ini
[admin_share]
# Restrict to a specific IP (smb.conf comments must be on their own line)
hosts allow = 192.168.1.100
hosts deny = ALL
strict locking = yes
oplocks = no
level2 oplocks = no
```
Ensure the filesystem permissions align with your Samba configuration:
```bash
chown -R root:root /path/to/directory
chmod -R 770 /path/to/directory
```
After making changes, test your configuration:
```bash
testparm -s                                  # Verify configuration syntax
smbclient -U root //localhost/admin_share    # Test connection
```
For better security, consider using sudo instead of direct root access:
```ini
[admin_share]
path = /path/to/directory
write list = @admin
force group = admin
```
Then configure sudo to allow specific users to perform root-level operations.
Implement additional network-level protections:
```bash
# iptables example for Samba protection
iptables -A INPUT -p tcp --dport 445 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j DROP
```
When trying to create administrative shares similar to Windows' C$ or ADMIN$ shares, you'll immediately hit Samba's security barrier: root access is denied by default. This design prevents potential security risks but complicates scenarios where you need full filesystem control.
Samba implements several layers of protection against root access:
- `invalid users = root` is implicit in most configurations
- Unix permissions still apply even when authenticated
- Default share definitions include restrictive parameters
Here's how to properly configure a share with root access while maintaining security:
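```ini
[global]
unix extensions = no
# Only has an effect while unix extensions are enabled; redundant with the line above
allow insecure wide links = yes

[admin_share]
comment = Root-access share
# Exports the entire filesystem
path = /
valid users = root
read only = no
writable = yes
# Every file operation on this share runs as root:root
force user = root
force group = root
# Lets the server follow symlinks that point outside the share path
wide links = yes
follow symlinks = yes
# 0777 leaves new files and directories world-writable
create mask = 0777
directory mask = 0777
```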
Before implementing this configuration:
- Restrict access at network level (firewalls, VPNs)
- Consider using ACLs for fine-grained control
- Monitor share access through Samba logs
- Never expose such shares to untrusted networks
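A way to check a share definition against these precautions before deploying it, as an added example that is not part of the original page. The function names, finding texts and sample inputs are constructed for illustration; parameter synonyms such as `allow hosts` are not resolved, and `admin users` is treated as root-equivalent because its members perform file operations as root.

```python
def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lower-cased."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or whole-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return conf

def audit_root_shares(text):
    """Return sorted (share, finding) pairs for shares whose clients act as root."""
    conf, findings = parse_smb_conf(text), []
    for share, p in conf.items():
        users = (p.get("valid users", "") + " " + p.get("admin users", "")).replace(",", " ").split()
        acts_as_root = p.get("force user") == "root" or "root" in users or "admin users" in p
        if share == "global" or not acts_as_root:
            continue
        if "hosts allow" not in p and "hosts allow" not in conf.get("global", {}):
            findings.append((share, "no hosts allow restriction"))
        if p.get("path") == "/":
            findings.append((share, "exports the filesystem root"))
        if p.get("wide links", "no").lower() in ("yes", "true", "1"):
            findings.append((share, "wide links enabled"))
        for mask in ("create mask", "directory mask"):
            if mask in p and int(p[mask], 8) & 0o002:   # world-writable bit
                findings.append((share, mask + " is world-writable"))
    return sorted(findings)

# Constructed inputs modelled on the two share definitions shown on this page.
RESTRICTED = """[admin_share]
path = /path/to/directory
force user = root
hosts allow = 192.168.1.100
create mask = 0770
"""
PERMISSIVE = """[admin_share]
path = /
force user = root
wide links = yes
create mask = 0777
directory mask = 0777
"""
for share, finding in audit_root_shares(PERMISSIVE):
    print(f"[{share}] {finding}")
```

The restricted definition produces no findings, while the permissive one is flagged on every check.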
For better security, consider these alternatives:
```ini
# Instead of root access:
[restricted_admin]
path = /admin_area
valid users = @admin_group
# Members of admin users perform all file operations on this share as root
admin users = @admin_group
inherit permissions = yes
```
If root access still fails:
- Check `smbd -b | grep DENY` for implicit denies
- Verify SELinux/AppArmor isn't blocking access
- Test with `smbclient -U root //localhost/share`
- Examine `/var/log/samba/log.smbd` for detailed errors