samba: Compatibility mode & upgrades (home-assistant#1244)

* samba: Compatibility mode & upgrades * samba: Add missing newline to nmbd service * Update build.json Co-authored-by: Pascal Vizeli <[email protected]>
micst · Apr 23, 2020 · 77e088e · 77e088e
1 parent 623a9be
commit 77e088e
Show file tree

Hide file tree

Showing 12 changed files with 148 additions and 73 deletions.
diff --git a/samba/CHANGELOG.md b/samba/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 9.2.0
+
+- Pin base image version
+- Rewrite add-on onto S6 Overlay
+- Use default configuration location
+- Add support for running in compatibility mode (SMB1/NT1)
+- Add dummy files to reduce number of errors/warnings in log output
+
 ## 9.1.0
 
 - Allow IPv6 link-local hosts by default, consistent with IPv4

diff --git a/samba/Dockerfile b/samba/Dockerfile
@@ -5,12 +5,17 @@ FROM $BUILD_FROM
 ENV LANG C.UTF-8
 
 # Setup base
-RUN apk add --no-cache \
+RUN \
+    apk add --no-cache \
         samba-common-tools \
-        samba-server
+        samba-server \
+    \
+    && mkdir -p /var/lib/samba \
+    && touch \
+        /etc/samba/lmhosts \
+        /var/lib/samba/account_policy.tdb \
+        /var/lib/samba/registry.tdb \
+        /var/lib/samba/winbindd_idmap.tdb
 
 # Copy data
-COPY data/run.sh /
-COPY data/smb.conf /etc/
-
-CMD [ "/run.sh" ]
+COPY rootfs /
diff --git a/samba/README.md b/samba/README.md
@@ -42,6 +42,7 @@ veto_files:
   - "._*"
   - ".DS_Store"
   - Thumbs.db
+compatibility_mode: false
 ```
 
 ### Option: `workgroup` (required)
@@ -72,6 +73,15 @@ List of files that are neither visible nor accessible. Useful to stop clients
 from littering the share with temporary hidden files
 (e.g., macOS `.DS_Store` or Windows `Thumbs.db` files)
 
+### Option: `compatibility_mode`
+
+Setting this option to `true` will enable old legacy Samba protocols
+on the Samba add-on. This might solve issues with some clients that cannot
+handle the newer protocols, however, it lowers security. Only use this
+when you absolutely need it and understand the possible consequences.
+
+Defaults to `false`.
+
 ## Support
 
 Got questions?

diff --git a/samba/build.json b/samba/build.json
@@ -0,0 +1,9 @@
+{
+  "build_from": {
+    "aarch64": "homeassistant/aarch64-base:3.11",
+    "amd64": "homeassistant/amd64-base:3.11",
+    "armhf": "homeassistant/armhf-base:3.11",
+    "armv7": "homeassistant/armv7-base:3.11",
+    "i386": "homeassistant/i386-base:3.11"
+  }
+}
diff --git a/samba/config.json b/samba/config.json
@@ -1,6 +1,6 @@
 {
   "name": "Samba share",
-  "version": "9.1.0",
+  "version": "9.2.0",
   "slug": "samba",
   "description": "Expose Home Assistant folders with SMB/CIFS",
   "url": "https://github.com/home-assistant/hassio-addons/tree/master/samba",
@@ -15,16 +15,23 @@
     "username": "homeassistant",
     "password": null,
     "interface": "",
-    "allow_hosts": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10"],
-    "veto_files": ["._*", ".DS_Store", "Thumbs.db", "icon?", ".Trashes"]
+    "allow_hosts": [
+      "10.0.0.0/8",
+      "172.16.0.0/12",
+      "192.168.0.0/16",
+      "fe80::/10"
+    ],
+    "veto_files": ["._*", ".DS_Store", "Thumbs.db", "icon?", ".Trashes"],
+    "compatibility_mode": false
   },
   "schema": {
     "workgroup": "str",
     "username": "str",
     "password": "str",
     "interface": "str",
     "allow_hosts": ["str"],
-    "veto_files": ["str"]
+    "veto_files": ["str"],
+    "compatibility_mode": "bool"
   },
   "image": "homeassistant/{arch}-addon-samba"
 }
diff --git a/samba/data/run.sh b/samba/data/run.sh
diff --git a/samba/rootfs/etc/cont-init.d/samba.sh b/samba/rootfs/etc/cont-init.d/samba.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# Prepare the Samba service for running
+# ==============================================================================
+readonly CONF="/etc/samba/smb.conf"
+declare allow_hosts
+declare compatibility_mode
+declare delete_veto_files
+declare name
+declare password
+declare username
+declare veto_files
+
+# Check Login data
+if ! bashio::config.has_value 'username' || ! bashio::config.has_value 'password'; then
+    bashio::exit.nok "Setting a username and password is required!"
+fi
+
+# Workgroup and interface
+sed -i "s|%%WORKGROUP%%|$(bashio::config 'workgroup')|g" "${CONF}"
+sed -i "s|%%INTERFACE%%|$(bashio::config 'interface')|g" "${CONF}"
+
+# Veto files
+veto_files=""
+delete_veto_files="no"
+if bashio::config.has_value 'veto_files'; then
+    veto_files=$(bashio::config "veto_files | join(\"/\")")
+    veto_files="/${veto_files}/"
+    delete_veto_files="yes"
+fi
+sed -i "s|%%VETO_FILES%%|${veto_files}|g" "${CONF}"
+sed -i "s|%%DELETE_VETO_FILES%%|${delete_veto_files}|g" "${CONF}"
+
+# Read hostname from API or setting default "hassio"
+name=$(bashio::info.hostname)
+if bashio::var.is_empty "${name}"; then
+    bashio::log.warning "Can't read hostname, using default."
+    name="hassio"
+fi
+bashio::log.info "Hostname: ${name}"
+sed -i "s|%%NAME%%|${name}|g" "${CONF}"
+
+# Allowed hosts
+allow_hosts=$(bashio::config "allow_hosts | join(\" \")")
+sed -i "s#%%ALLOW_HOSTS%%#${allow_hosts}#g" "${CONF}"
+
+# Compatibility mode, enables the use of the legacy SMB1 protocol
+compatibility_mode=""
+if bashio::config.true "compatibility_mode"; then
+    compatibility_mode+="   client min protocol = NT1\n"
+    compatibility_mode+="   server min protocol = NT1\n"
+fi
+sed -i "s#%%COMPATIBILITY_MODE%%#${compatibility_mode}#g" "${CONF}"
+
+# Init user
+username=$(bashio::config 'username')
+password=$(bashio::config 'password')
+
+addgroup "${username}"
+adduser -D -H -G "${username}" -s /bin/false "${username}"
+
+sed -i "s|%%USERNAME%%|${username}|g" "${CONF}"
+# shellcheck disable=SC1117
+echo -e "${password}\n${password}" \
+    | smbpasswd -a -s -c "${CONF}" "${username}"
diff --git a/samba/data/smb.conf → samba/rootfs/etc/samba/smb.conf b/samba/data/smb.conf → samba/rootfs/etc/samba/smb.conf
@@ -1,7 +1,7 @@
 [global]
    netbios name = %%NAME%%
    workgroup = %%WORKGROUP%%
-   server string = Samba HomeAssistant config share
+   server string = Samba Home Assistant
 
    security = user
    ntlm auth = yes
@@ -15,6 +15,7 @@
    interfaces = %%INTERFACE%%
    hosts allow = %%ALLOW_HOSTS%%
 
+%%COMPATIBILITY_MODE%%
 [config]
    browseable = yes
    writeable = yes

diff --git a/samba/rootfs/etc/services.d/nmbd/finish b/samba/rootfs/etc/services.d/nmbd/finish
@@ -0,0 +1,8 @@
+#!/usr/bin/execlineb -S1
+# ==============================================================================
+# Take down the S6 supervision tree based on service exit code
+# ==============================================================================
+if { s6-test ${1} -ne 0 }
+if { s6-test ${1} -ne 256 }
+
+s6-svscanctl -t /var/run/s6/services
diff --git a/samba/rootfs/etc/services.d/nmbd/run b/samba/rootfs/etc/services.d/nmbd/run
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# ==============================================================================
+# Start nmbd service
+# ==============================================================================
+exec nmbd \
+  --foreground \
+  --log-stdout \
+  --no-process-group
diff --git a/samba/rootfs/etc/services.d/smbd/finish b/samba/rootfs/etc/services.d/smbd/finish
@@ -0,0 +1,8 @@
+#!/usr/bin/execlineb -S1
+# ==============================================================================
+# Take down the S6 supervision tree based on service exit code
+# ==============================================================================
+if { s6-test ${1} -ne 0 }
+if { s6-test ${1} -ne 256 }
+
+s6-svscanctl -t /var/run/s6/services
diff --git a/samba/rootfs/etc/services.d/smbd/run b/samba/rootfs/etc/services.d/smbd/run
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# ==============================================================================
+# Start smbd service
+# ==============================================================================
+exec smbd \
+  --foreground \
+  --log-stdout \
+  --no-process-group