ctf Lesson 34 30 min read

NCAE: SMB/Samba Service Defense

Troubleshoot and secure the highest-weight competition service


SMB (Server Message Block) is the protocol Windows uses for file sharing. When you open a shared folder on a Windows network — \\server\share — your computer is speaking SMB. On Linux, the software that implements the SMB protocol is called Samba. It lets a Linux server act as a Windows file server.

This page teaches you how SMB works, how to configure Samba on Linux, how to troubleshoot it when it breaks, and how to get it scoring in competition. SMB carries the highest scoring weight in NCAE CyberGames, so mastering it is not optional.

Prerequisites: You should be comfortable with file permissions, service management, and basic shell commands from Weeks 1-2.


1. What is SMB?

SMB is a network protocol for sharing files and printers over a network. It works like this:

  1. A server exports a share — a directory that remote users can access
  2. A client connects to the share using a username and password
  3. The client can read, write, and list files in the share as if they were local

SMB runs on port 445 (TCP). Older versions also used port 139 (NetBIOS over TCP), but modern SMB uses 445 exclusively.

# List shares on a server (from a client)
smbclient -L //10.0.5.2 -U admin

# Connect to a specific share
smbclient //10.0.5.2/documents -U admin

Inside the smbclient prompt, you get an FTP-like interface:

smb: \> ls                    # List files
smb: \> get report.pdf        # Download a file
smb: \> put notes.txt         # Upload a file
smb: \> exit                  # Disconnect

Checkpoint: You run smbclient -L //server -U admin and get "Connection to server failed (Error NT_STATUS_HOST_UNREACHABLE)". What does this tell you?

The client cannot reach the server at all. This is a network-level problem, not an SMB problem. Check: (1) Can you ping the server? (2) Is there a firewall blocking port 445? (3) Is the server on a different subnet? Fix the network first, then try SMB again.


2. Why SMB Matters in Competition

In NCAE CyberGames, each service is scored at regular intervals. The scoring engine connects, authenticates, and verifies the service is working. Each check earns or loses points.

SMB Login carries a 3x weight — the highest of any service. That means:

Service          Weight   Points per check
Most services    1x       Base points
SSH              2x       Double
DNS              2x       Double
SMB Login        3x       Triple

If your SMB is down for 30 minutes, you lose three times as many points as a 1x service being down for the same period. In a close competition, this is the difference between winning and losing.

The scoring engine tests SMB by:

  1. Connecting to a specified share on port 445
  2. Authenticating with a test username and password
  3. Listing files in the share (or reading a specific file)

If any step fails, you lose points. Your job is to make sure every step succeeds, every time.


3. smb.conf — The Configuration File

Samba’s configuration lives at /etc/samba/smb.conf. It has two parts: a [global] section (server-wide settings) and one or more share sections (one per shared directory).

Minimal working configuration

[global]
   workgroup = WORKGROUP
   server string = File Server
   security = user
   map to guest = never
   log file = /var/log/samba/%m.log
   max log size = 50

[documents]
   path = /srv/samba/documents
   browseable = yes
   read only = no
   valid users = admin, scorer
   create mask = 0644
   directory mask = 0755

Key directives explained

[global] section:

Directive      Value                Purpose
workgroup      WORKGROUP            Windows workgroup name. Must match what clients expect.
security       user                 Require username/password authentication. Always use user in competition.
map to guest   never                Don’t allow anonymous access. Set to bad user only if the scoring engine uses guest.
server role    standalone server    This machine is a standalone file server, not a domain controller.

Share sections:

Directive        Value                   Purpose
path             /srv/samba/documents    The directory on disk being shared. Must exist.
browseable       yes                     Show this share in the share list.
read only        no                      Allow writes. Set yes for read-only shares.
valid users      admin, scorer           Only these users can access the share.
create mask      0644                    Permissions for new files created via SMB.
directory mask   0755                    Permissions for new directories created via SMB.

After editing, always validate:

testparm                # Check smb.conf syntax and show effective config
testparm -s             # Same, but suppress the "press enter" prompt

Checkpoint: testparm shows "Loaded services file OK" but warns "WARNING: The 'security' parameter is deprecated". What should you do?

In newer Samba versions (4.15+), the security = user line is the default and the keyword is deprecated. You can safely remove the line — user mode is the default. The warning is cosmetic and doesn’t break anything, but clean configs produce clean output.
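As an added example (not part of the lesson and not a Samba tool), here is a small POSIX shell check that reads every share section of an smb.conf and prints the shares whose path = does not exist on disk, so a whole config can be checked in one pass. It assumes the stock smb.conf layout ([section] headers, key = value lines, comments starting with # or ;) and runs here against a constructed config in a temp directory; on a real server point it at /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example, not part of the original lesson or of Samba itself: read the
# share sections of an smb.conf and print every share whose "path =" is not a
# directory on disk (links 4-5 of the dependency chain). Assumes the stock
# smb.conf layout: [section] headers, "key = value" lines, # or ; comments.

# Usage: smb_missing_share_paths /etc/samba/smb.conf
# Prints one share name per line; prints nothing when every path exists.
smb_missing_share_paths() {
    awk '
        function flush() {
            # [global], [homes] and [printers] carry no fixed share path
            if (section == "" || section ~ /^(global|homes|printers)$/) return
            if (path == "") { print section; return }   # share has no path line
            if (system("test -d \"" path "\"") != 0) print section
        }
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^\[.*\]$/ { flush(); section = substr($0, 2, length($0) - 2); path = ""; next }
        /^path[ \t]*=/ { path = $0; sub(/^path[ \t]*=[ \t]*/, "", path) }
        END { flush() }
    ' "$1"
}

# Constructed demo config (not a real system file) so the script runs anywhere:
# [documents] points at a directory we create, [archive] at one that is gone.
demo=$(mktemp -d)
mkdir -p "$demo/documents"
cat > "$demo/smb.conf" <<EOF
[global]
   workgroup = WORKGROUP
   security = user

[documents]
   path = $demo/documents
   valid users = admin, scorer
   read only = no

[archive]
   path = /srv/samba/archive-placeholder    ; directory was removed
EOF
smb_missing_share_paths "$demo/smb.conf"    # prints: archive
rm -rf "$demo"
```

Run it right after testparm: an empty result means every share's directory is in place; any name it prints is the share the scoring engine will fail on with NT_STATUS_BAD_NETWORK_NAME.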


4. The SMB Dependency Chain

SMB doesn’t just need Samba running. It needs nine things in sequence, and if any one breaks, the service fails. This is the dependency chain:

Network → Firewall → smbd running → smb.conf valid → Share directory exists
→ Directory permissions → Samba user exists → Samba password set → Client authenticates

When SMB is broken, you troubleshoot by checking each link in order. Don’t skip ahead — fix the first broken link, then test again.

Link 1: Network reachable
   Check: ping server_ip
   Fix:   Fix routing, check cables/VMs
Link 2: Firewall allows 445
   Check: sudo iptables -L -n | grep 445
   Fix:   sudo iptables -A INPUT -p tcp --dport 445 -j ACCEPT
Link 3: smbd is running
   Check: systemctl status smbd
   Fix:   sudo systemctl start smbd
Link 4: smb.conf is valid
   Check: testparm
   Fix:   Fix syntax errors shown in output
Link 5: Share directory exists
   Check: ls -la /srv/samba/documents
   Fix:   sudo mkdir -p /srv/samba/documents
Link 6: Directory permissions
   Check: ls -la /srv/samba/
   Fix:   sudo chown admin:admin /srv/samba/documents && sudo chmod 755 /srv/samba/documents
Link 7: Samba user exists
   Check: pdbedit -L
   Fix:   sudo smbpasswd -a username
Link 8: Samba password set
   Check: pdbedit -L -v (check flags)
   Fix:   sudo smbpasswd username (set password)
Link 9: Client can authenticate
   Check: smbclient //localhost/documents -U admin
   Fix:   Fix user/password/permissions

Critical detail: Samba users vs Linux users

Samba maintains its own password database, separate from /etc/shadow. A Linux user and a Samba user can have the same username but different passwords. To create a Samba user:

  1. The Linux user must exist first: sudo useradd -m username
  2. Then add them to Samba’s database: sudo smbpasswd -a username
  3. Set their Samba password (can differ from the Linux password)

If the scoring engine expects user scorer with password competition2026, you need:

sudo useradd -m scorer                      # Create Linux user
sudo smbpasswd -a scorer                    # Add to Samba + set password
# Enter: competition2026 (when prompted)

Checkpoint: pdbedit -L shows the user exists, but smbclient authentication fails with NT_STATUS_LOGON_FAILURE. The password is correct. What else could be wrong?

Check if the account is disabled. Run pdbedit -L -v | grep -A5 username and look for Account Flags. If it shows [DU] (Disabled User) instead of [U], the account is disabled. Enable it with sudo smbpasswd -e username. Also verify you’re using the Samba password, not the Linux password — they’re independent.


5. Common Error Codes

When SMB fails, the error messages tell you exactly which link in the chain is broken:

Errno 113 (Host unreachable)
   Meaning: Cannot reach the server at all
   Breaks:  Link 1 (Network) or Link 2 (Firewall)
Errno 111 (Connection refused)
   Meaning: Server reachable but nothing listening on 445
   Breaks:  Link 3 (smbd not running)
NT_STATUS_LOGON_FAILURE
   Meaning: Connected but authentication failed
   Breaks:  Links 7-8 (wrong user, wrong password, or user doesn’t exist in Samba)
NT_STATUS_ACCESS_DENIED
   Meaning: Authenticated but can’t access the share
   Breaks:  Link 6 (directory permissions, or user not in valid users)
NT_STATUS_BAD_NETWORK_NAME
   Meaning: The share name doesn’t exist
   Breaks:  Links 4-5 (share not defined in smb.conf or path doesn’t exist)
NT_STATUS_CONNECTION_DISCONNECTED
   Meaning: Connection dropped mid-session
   Breaks:  Server crashed or firewall timeout

Reading error codes systematically

When you see an error, map it to the dependency chain. If you get Errno 111, don’t waste time checking Samba users — the service isn’t even running. If you get NT_STATUS_LOGON_FAILURE, don’t check the firewall — you already connected successfully.
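The error-to-link mapping above, and the disabled-account check from the Section 4 checkpoint, as an added shell example (not from the lesson, not part of Samba). Both functions read text on stdin, so they accept live smbclient or pdbedit output as well as the constructed samples at the bottom; the link numbers follow the dependency chain in Section 4.

```shell
#!/bin/sh
# Added example, not part of the original lesson: map an smbclient error line to
# the dependency-chain link it implicates, and check pdbedit -L -v output for the
# disabled flag that hides behind NT_STATUS_LOGON_FAILURE (Section 4 checkpoint).
# Both functions read stdin, so they take live command output or the constructed
# samples at the bottom. Link numbers follow the chain in Section 4.

# Usage: smbclient //host/share -U user -c ls 2>&1 | smb_triage
# Prints "<link> <what to check next>" for the first recognised error.
smb_triage() {
    case "$(cat)" in
        *NT_STATUS_HOST_UNREACHABLE*|*"Errno 113"*)
            echo "1-2 network/firewall: ping the host, then iptables -L -n | grep 445" ;;
        *NT_STATUS_CONNECTION_REFUSED*|*"Errno 111"*)
            echo "3 nothing on 445: systemctl status smbd; ss -tulnp | grep 445" ;;
        *NT_STATUS_BAD_NETWORK_NAME*)
            echo "4-5 share undefined or path missing: testparm -s; ls -la <path>" ;;
        *NT_STATUS_ACCESS_DENIED*)
            echo "6 directory permissions or valid users list: ls -la; testparm -s" ;;
        *NT_STATUS_LOGON_FAILURE*)
            echo "7-8 Samba user/password: pdbedit -L -v (look for [DU]); smbpasswd" ;;
        *)  echo "0 unrecognised: read tail -50 /var/log/samba/log.smbd" ;;
    esac
}

# Usage: pdbedit -L -v | samba_account_disabled scorer
# Returns 0 (true) when the user's Account Flags contain D, the disabled bit.
samba_account_disabled() {
    awk -v user="$1" '
        /^Unix username:/ { current = $3 }
        /^Account Flags:/ && current == user && $0 ~ /\[[^]]*D[^]]*\]/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed samples (not real captures) so the script runs stand-alone.
printf 'session setup failed: NT_STATUS_LOGON_FAILURE\n' | smb_triage
printf 'Unix username:        scorer\nAccount Flags:        [DU         ]\n' \
    | samba_account_disabled scorer && echo "scorer is disabled: sudo smbpasswd -e scorer"
```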


6. Diagnostic Commands

These six commands form your complete SMB diagnostic toolkit:

# Validate smb.conf (shows errors and effective configuration)
testparm

# List all shares visible on the server
smbclient -L localhost -U admin

# List all Samba users and their status
pdbedit -L

# Detailed user info (account flags, password age)
pdbedit -L -v

# Check if smbd is running and on which port
systemctl status smbd
ss -tulnp | grep 445

# Test authentication + share access from localhost
smbclient //localhost/sharename -U admin -c 'ls'

Log files

Samba logs to /var/log/samba/. Each connecting client gets its own log file:

# View the most recent Samba log entries
ls -lt /var/log/samba/ | head
tail -50 /var/log/samba/log.smbd

# Search for errors across all logs
grep -r "error\|denied\|failure" /var/log/samba/

Checkpoint: You run testparm and it says "Loaded services file OK" and shows your shares. But smbclient -L localhost still shows "Connection refused". What's happening?

testparm only checks the config file syntax — it doesn’t check whether smbd is actually running. Run systemctl status smbd. If it’s not running, start it: sudo systemctl start smbd. If it fails to start, check the journal: journalctl -u smbd -e.


7. Quick Recovery Procedure

SMB is down. The clock is ticking. Follow this sequence to get it scoring in under 5 minutes:

Step 1: Check the service (30 seconds)

systemctl status smbd
# Not running? Start it:
sudo systemctl start smbd
sudo systemctl enable smbd

Step 2: Check the firewall (30 seconds)

ss -tulnp | grep 445
# Nothing? Check firewall:
sudo iptables -L -n | grep 445
# Not allowed? Open it:
sudo iptables -A INPUT -p tcp --dport 445 -j ACCEPT

Step 3: Validate config (30 seconds)

testparm -s
# Fix any errors shown. Common: misspelled parameter names, wrong paths.

Step 4: Verify the share path exists (30 seconds)

ls -la /srv/samba/documents    # or whatever path smb.conf specifies
# Doesn't exist? Create it:
sudo mkdir -p /srv/samba/documents
sudo chmod 755 /srv/samba/documents

Step 5: Verify the Samba user (60 seconds)

pdbedit -L                     # List Samba users
# User missing? Create them:
sudo useradd -m scorer         # Linux user first
sudo smbpasswd -a scorer       # Then Samba user + password

Step 6: Test from localhost (60 seconds)

smbclient //localhost/documents -U scorer -c 'ls'
# Should show directory listing. If this works, the scoring engine should pass.

Step 7: Test from another machine (60 seconds)

# From a different machine on the network:
smbclient //server_ip/documents -U scorer -c 'ls'
# If localhost works but remote doesn't, it's a firewall or routing issue.

Total: Under 5 minutes from “SMB is down” to “SMB is scoring.”


Exercises

  1. Dependency Chain Drill: Set up Samba on a practice VM. Then intentionally break one link (delete the share directory, disable the user, stop smbd). Have a partner diagnose which link is broken using only the diagnostic commands.

  2. Speed Recovery: Configure a working SMB share. Have someone break it (change the password, stop the service, firewall port 445). Time yourself fixing it. Target: under 3 minutes.

  3. Multi-Share Setup: Create three shares with different access controls: one public (guest OK), one for a specific user, and one read-only. Verify each from a client.

  4. Error Code Mapping: Run smbclient against a server with each of these conditions: service stopped, user doesn’t exist, wrong password, share doesn’t exist. Record the exact error message for each. Build your own error-to-cause reference card.


Resources

Practice: TryHackMe — Network Services (search “SMB”) · HackTheBox — Windows machines (real SMB to enumerate)

Reference: Samba Wiki · smb.conf man page

Video: NCAE CyberGames prep guides · Samba file server setup