samba: Compatibility mode & upgrades (#1244)

* samba: Compatibility mode & upgrades

* samba: Add missing newline to nmbd service

* Update build.json

Co-authored-by: Pascal Vizeli <pvizeli@syshack.ch>

samba/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 9.2.0
+
+- Pin base image version
+- Rewrite add-on onto S6 Overlay
+- Use default configuration location
+- Add support for running in compatibility mode (SMB1/NT1)
+- Add dummy files to reduce number of errors/warnings in log output
+
 ## 9.1.0
 
 - Allow IPv6 link-local hosts by default, consistent with IPv4

samba/Dockerfile

@@ -5,12 +5,17 @@ FROM $BUILD_FROM
 ENV LANG C.UTF-8
 
 # Setup base
-RUN apk add --no-cache \
+RUN \
+    apk add --no-cache \
         samba-common-tools \
-        samba-server
+        samba-server \
+    \
+    && mkdir -p /var/lib/samba \
+    && touch \
+        /etc/samba/lmhosts \
+        /var/lib/samba/account_policy.tdb \
+        /var/lib/samba/registry.tdb \
+        /var/lib/samba/winbindd_idmap.tdb
 
 # Copy data
-COPY data/run.sh /
+COPY rootfs /
-COPY data/smb.conf /etc/
-
-CMD [ "/run.sh" ]

samba/README.md

@@ -42,6 +42,7 @@ veto_files:
   - "._*"
   - ".DS_Store"
   - Thumbs.db
+compatibility_mode: false
 ```
 
 ### Option: `workgroup` (required)
@@ -72,6 +73,15 @@ List of files that are neither visible nor accessible. Useful to stop clients
 from littering the share with temporary hidden files
 (e.g., macOS `.DS_Store` or Windows `Thumbs.db` files)
 
+### Option: `compatibility_mode`
+
+Setting this option to `true` will enable old legacy Samba protocols
+on the Samba add-on. This might solve issues with some clients that cannot
+handle the newer protocols, however, it lowers security. Only use this
+when you absolutely need it and understand the possible consequences.
+
+Defaults to `false`.
+
 ## Support
 
 Got questions?

samba/build.json

@@ -0,0 +1,9 @@
+{
+  "build_from": {
+    "aarch64": "homeassistant/aarch64-base:3.11",
+    "amd64": "homeassistant/amd64-base:3.11",
+    "armhf": "homeassistant/armhf-base:3.11",
+    "armv7": "homeassistant/armv7-base:3.11",
+    "i386": "homeassistant/i386-base:3.11"
+  }
+}

samba/config.json

@@ -1,6 +1,6 @@
 {
   "name": "Samba share",
-  "version": "9.1.0",
+  "version": "9.2.0",
   "slug": "samba",
   "description": "Expose Home Assistant folders with SMB/CIFS",
   "url": "https://github.com/home-assistant/hassio-addons/tree/master/samba",
@@ -15,8 +15,14 @@
     "username": "homeassistant",
     "password": null,
     "interface": "",
-    "allow_hosts": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10"],
+    "allow_hosts": [
-    "veto_files": ["._*", ".DS_Store", "Thumbs.db", "icon?", ".Trashes"]
+      "10.0.0.0/8",
+      "172.16.0.0/12",
+      "192.168.0.0/16",
+      "fe80::/10"
+    ],
+    "veto_files": ["._*", ".DS_Store", "Thumbs.db", "icon?", ".Trashes"],
+    "compatibility_mode": false
   },
   "schema": {
     "workgroup": "str",
@@ -24,7 +30,8 @@
     "password": "str",
     "interface": "str",
     "allow_hosts": ["str"],
-    "veto_files": ["str"]
+    "veto_files": ["str"],
+    "compatibility_mode": "bool"
   },
   "image": "homeassistant/{arch}-addon-samba"
 }

samba/data/run.sh

@@ -1,62 +0,0 @@
-#!/usr/bin/env bashio
-
-WORKGROUP=$(bashio::config 'workgroup')
-INTERFACE=$(bashio::config 'interface')
-ALLOW_HOSTS=$(bashio::config "allow_hosts | join(\" \")")
-USERNAME=$(bashio::config 'username')
-PASSWORD=$(bashio::config 'password')
-DELETE_VETO_FILES="no"
-VETO_FILES=$(bashio::config "veto_files | join(\"/\")")
-if bashio::config.has_value 'veto_files'; then
-    VETO_FILES="/$VETO_FILES/"
-    DELETE_VETO_FILES="yes"
-fi
-
-WAIT_PIDS=()
-
-# Check Login data
-if ! bashio::config.has_value 'username' || ! bashio::config.has_value 'password'; then
-    bashio::exit.nok "No valid login data inside options!"
-fi
-
-# Read hostname from API or setting default "hassio"
-NAME=$(bashio::info.hostname)
-if bashio::var.is_empty "${NAME}"; then
-    bashio::log.warning "Can't read hostname, using default."
-    NAME="hassio"
-fi
-bashio::log.info "Hostname: ${NAME}"
-
-# Setup config
-sed -i "s|%%WORKGROUP%%|${WORKGROUP}|g" /etc/smb.conf
-sed -i "s|%%NAME%%|${NAME}|g" /etc/smb.conf
-sed -i "s|%%INTERFACE%%|${INTERFACE}|g" /etc/smb.conf
-sed -i "s|%%USERNAME%%|${USERNAME}|g" /etc/smb.conf
-sed -i "s#%%ALLOW_HOSTS%%#${ALLOW_HOSTS}#g" /etc/smb.conf
-sed -i "s|%%VETO_FILES%%|${VETO_FILES}|g" /etc/smb.conf
-sed -i "s|%%DELETE_VETO_FILES%%|${DELETE_VETO_FILES}|g" /etc/smb.conf
-
-# Init users
-addgroup "${USERNAME}"
-adduser -D -H -G "${USERNAME}" -s /bin/false "${USERNAME}"
-# shellcheck disable=SC1117
-echo -e "${PASSWORD}\n${PASSWORD}" | smbpasswd -a -s -c /etc/smb.conf "${USERNAME}"
-
-# Start samba
-nmbd -F -S -s /etc/smb.conf &
-WAIT_PIDS+=($!)
-
-smbd -F -S -s /etc/smb.conf &
-WAIT_PIDS+=($!)
-
-# Register stop
-function stop_samba() {
-    bashio::log.info "Kill Processes..."
-    kill -15 "${WAIT_PIDS[@]}"
-    wait "${WAIT_PIDS[@]}"
-    bashio::log.info "Done."
-}
-trap "stop_samba" SIGTERM SIGHUP
-
-# Wait until all is done
-wait "${WAIT_PIDS[@]}"

samba/rootfs/etc/cont-init.d/samba.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# Prepare the Samba service for running
+# ==============================================================================
+readonly CONF="/etc/samba/smb.conf"
+declare allow_hosts
+declare compatibility_mode
+declare delete_veto_files
+declare name
+declare password
+declare username
+declare veto_files
+
+# Check Login data
+if ! bashio::config.has_value 'username' || ! bashio::config.has_value 'password'; then
+    bashio::exit.nok "Setting a username and password is required!"
+fi
+
+# Workgroup and interface
+sed -i "s|%%WORKGROUP%%|$(bashio::config 'workgroup')|g" "${CONF}"
+sed -i "s|%%INTERFACE%%|$(bashio::config 'interface')|g" "${CONF}"
+
+# Veto files
+veto_files=""
+delete_veto_files="no"
+if bashio::config.has_value 'veto_files'; then
+    veto_files=$(bashio::config "veto_files | join(\"/\")")
+    veto_files="/${veto_files}/"
+    delete_veto_files="yes"
+fi
+sed -i "s|%%VETO_FILES%%|${veto_files}|g" "${CONF}"
+sed -i "s|%%DELETE_VETO_FILES%%|${delete_veto_files}|g" "${CONF}"
+
+# Read hostname from API or setting default "hassio"
+name=$(bashio::info.hostname)
+if bashio::var.is_empty "${name}"; then
+    bashio::log.warning "Can't read hostname, using default."
+    name="hassio"
+fi
+bashio::log.info "Hostname: ${name}"
+sed -i "s|%%NAME%%|${name}|g" "${CONF}"
+
+# Allowed hosts
+allow_hosts=$(bashio::config "allow_hosts | join(\" \")")
+sed -i "s#%%ALLOW_HOSTS%%#${allow_hosts}#g" "${CONF}"
+
+# Compatibility mode, enables the use of the legacy SMB1 protocol
+compatibility_mode=""
+if bashio::config.true "compatibility_mode"; then
+    compatibility_mode+="   client min protocol = NT1\n"
+    compatibility_mode+="   server min protocol = NT1\n"
+fi
+sed -i "s#%%COMPATIBILITY_MODE%%#${compatibility_mode}#g" "${CONF}"
+
+# Init user
+username=$(bashio::config 'username')
+password=$(bashio::config 'password')
+
+addgroup "${username}"
+adduser -D -H -G "${username}" -s /bin/false "${username}"
+
+sed -i "s|%%USERNAME%%|${username}|g" "${CONF}"
+# shellcheck disable=SC1117
+echo -e "${password}\n${password}" \
+    | smbpasswd -a -s -c "${CONF}" "${username}"

samba/rootfs/etc/samba/smb.conf

@@ -1,7 +1,7 @@
 [global]
    netbios name = %%NAME%%
    workgroup = %%WORKGROUP%%
-   server string = Samba HomeAssistant config share
+   server string = Samba Home Assistant
 
    security = user
    ntlm auth = yes
@@ -15,6 +15,7 @@
    interfaces = %%INTERFACE%%
    hosts allow = %%ALLOW_HOSTS%%
 
+%%COMPATIBILITY_MODE%%
 [config]
    browseable = yes
    writeable = yes

samba/rootfs/etc/services.d/nmbd/finish

@@ -0,0 +1,8 @@
+#!/usr/bin/execlineb -S1
+# ==============================================================================
+# Take down the S6 supervision tree based on service exit code
+# ==============================================================================
+if { s6-test ${1} -ne 0 }
+if { s6-test ${1} -ne 256 }
+
+s6-svscanctl -t /var/run/s6/services

samba/rootfs/etc/services.d/nmbd/run

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# ==============================================================================
+# Start nmbd service
+# ==============================================================================
+exec nmbd \
+  --foreground \
+  --log-stdout \
+  --no-process-group

samba/rootfs/etc/services.d/smbd/finish

@@ -0,0 +1,8 @@
+#!/usr/bin/execlineb -S1
+# ==============================================================================
+# Take down the S6 supervision tree based on service exit code
+# ==============================================================================
+if { s6-test ${1} -ne 0 }
+if { s6-test ${1} -ne 256 }
+
+s6-svscanctl -t /var/run/s6/services

samba/rootfs/etc/services.d/smbd/run

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# ==============================================================================
+# Start smbd service
+# ==============================================================================
+exec smbd \
+  --foreground \
+  --log-stdout \
+  --no-process-group