Create the HaasGroup and users
The Installation script creates the HaasGroup and users that are in the users.csv and initial_users.csv files. The instructions are included here to clarify how the installation script works.
Linux uses groups to manage permissions for users. For this project, all users will be in the same group. That isn't a security best practice since a disgruntled employee could delete everything. If you have compliance requirements or other concerns, just repeat this process to create multiple groups. For example, create a user and group for each machine. Then add the user to the machine's share and use it as the username when setting up the account on the machine.
Does this seem like a lot of extra work? Yes, but I actually had a disgruntled employee delete the configuration for the DNC system for a neighboring cell one time. Of course, he was a night shift employee, and did it at midnight on Friday. I got called on Saturday morning and had to drive an hour to the plant and restore it. So it depends on your determination of the risk in your shop.
Create the HaasGroup group
There is no output from this command.
Set permissions on the folders
You need to be in the root of your home director to review the current permissions. Use the following to verify that you are in the correct location:
We can see the Haas_Data_collect folder, so we are in the correct location. Note that the Haas_Data_collect directory has haas haas listed. We need to change that to haas HaasGroup
Now run:
# Allow traversal into /home/haas (needed to reach Haas subdirectory)
sudo chmod 774 /home/haas
# Set ownership for everything under Haas
sudo chown -R haas:HaasGroup /home/haas/Haas_Data_Collect
# View the changes
ls -l
Note the Haas_Data_collect directory had changed from haas haas to haas HaasGroup. That means haas is the owner and HaasGroup is the group that will be applied.
Set the file permissions
Run the following:
# Set permissions: directories get execute, files don't
sudo find /home/haas/Haas_Data_Collect -type d -exec chmod 2775 {} +
sudo find /home/haas/Haas_Data_Collect -type f -exec chmod 664 {} +
chmod +x /home/$USER/Haas_Data_collect/lshare.sh
chmod +x /home/$USER/Haas_Data_collect/smb_verify.sh
chmod +x /home/$USER/Haas_Data_collect/manage_users.sh
chmod +x /home/$USER/Haas_Data_collect/tspin_setup.sh
chmod +x /home/$USER/Haas_Data_collect/tspin_alias.sh
chmod +x /home/$USER/Haas_Data_collect/rollback_csv.sh
chmod +x /home/$USER/Haas_Data_collect/ssh_port.sh
chmod +x /home/$USER/Haas_Data_collect/ssh_validate.sh
chmod +x /home/$USER/Haas_Data_collect/haas_firewall_install.sh
There is no output from these commands.
Note
The 2 in 2775 sets the setgid bit, basically set group ID, which ensures that all locally created files also inherit the HaasGroup. Without this bit set, files created locally on the appliance would get owner and group IDs of the user that created the file. The setgid bit is located in the fourth character of the permissions string (the execute position of the group permissions).
Run a directory listing to see the results:
Now the account haas has rwx (read/write/execute) and and the group HaasGroup has rws (read\write\setgid) to directories. The other group has r-- (read only). Files will have rw-, read/write.
The bash scripts in Haas_Data_collect:
~/Haas_Data_collect ‹main●›
╰─$ ls -l *.sh
-rwxrwsr-- 1 haas HaasGroup 45830 Mar 24 15:19 haas_firewall_install.sh
-rwxrwsr-- 1 haas HaasGroup 2679 Feb 15 20:50 haas_firewall_uninstall.sh
-rwxrwsr-- 1 haas HaasGroup 582 Feb 15 20:50 lshares.sh
-rwxrwsr-- 1 haas HaasGroup 4366 Mar 22 18:36 manage_users.sh
-rwxrwsr-- 1 haas HaasGroup 1897 Feb 15 20:50 rollback_csv.sh
-rwxrwsr-- 1 haas HaasGroup 2732 Mar 17 18:19 setup_user.sh
-rwxrwsr-- 1 haas HaasGroup 2620 Feb 15 20:50 smb_verify.sh
-rwxrwsr-- 1 haas HaasGroup 3467 Feb 21 21:19 ssh_port.sh
-rwxrwsr-- 1 haas HaasGroup 860 Mar 22 18:36 ssh_validate.sh
-rwxrwsr-- 1 haas HaasGroup 1000 Feb 21 21:19 tspin_alias.sh
-rwxrwsr-- 1 haas HaasGroup 1863 Feb 21 21:19 tspin_setup.sh
-rwxrwsr-- 1 haas HaasGroup 4540 Feb 15 20:50 validate_users_csv.sh
Have eXecute so that you can run them.
Create the users
All users, whether they are a machine tool, a CNC programmer, or the Operations personnel, need a Linux and a Samba account. The installation script reads the file initial_users.csv and creates both the Linux and Samba users during the installation.
Note
You cannot create users that can log in over ssh using the initial_users.csv file. Use the manage_users.sh script - Manage users by script to create users with ssh capability.
To add users later you can follow these instructions or run the manage_users.sh script that is in the Haas_Data_collect directory. See Manage users by script for instructions for the Manager Users script.
In this example I have:
| Username | Role and Responsibility |
|:---------------:|-------------------------------------------------------------------------------------------------------------|
| haassvc | The limited permission account used on the Haas CNC control |
| mspadmin | An account for an MSP to manage the appliance |
| haas | The administrator for the appliance |
| Manuel Chavez | CNC Setup technician. Needs to review the CNC Programs from his Windows desktop and review the spreadsheets |
| Robert Goodwin | Operations. Needs access to the `cnc_logs` directory to move files |
Run for each user:
The first command creates the user haassvc.
- The
-Mskips creating a userhomedirectory.. - The
-s /usr/sbin/nologindisables shell login (good for service accounts that only need SMB access)
The second command creates the Samba Server user. You will be prompted to enter and confirm a password. Here is the output for the haassvc user:
```bash title='Command Output New SMB password: Retype new SMB password: Added user haassvc.
Add the haassvc User account to the HaasGroup group:
There is no output from this command.
List all users in the HaasGroup
Verify the haassvc user settings
Manage users by script
All users, whether they are a machine tool, a CNC programmer, or the Operations personnel, need a Linux and a Samba account. The installation script reads the file initial_users.csv and creates both the Linux and Samba users during the installation.
If you need to add or remove users after the initial installation use the manage_users.sh script that is located in the Haas_Data_collect directory. The script creates users that can map drives. The script DOES NOT add a user to the sudoers file so they cannot run Linux commands or log in over SSH.
It's fairly simple to create a user manually from the instructions above, but it's a lot of individual commands which leaves room for errors. If you need to add or remove users after the initial installation, use the manage_users.sh script that is located in the Haas_Data_collect directory instead. The script creates users that can map drives. The script DOES NOT add a user to the sudoers file so they cannot run Linux commands or log in over SSH.
The script has the following optional arguments:
| Argument | Description |
|----------------------------|-------------------------------------------------|
| Username | The user to add, no -- in front of it |
| --set-password | Update password for an existing user |
| --delete-user | Delete an existing user with prompting |
| --delete-user --force | Delete an existing user without prompting |
| --dry-run | Show what would happen, no changes |
| --admin-user | Create a user with `sudo` and `ssh` permissions |
| --ssh-key="ssh-ed25519..." | for an admin-user, add a public ssh key |
To use the script, first run the following commands to make it executable:
There is no output from these commands.
Verify the script permissions:
How the script works
- You will be asked for your password to activate
sudo(the haas user password). - You will be asked for the password to use for the new Linux username.
- You will be asked for the smbuser password. It MUST be the same as the Linux user!
- It will then create and enable the smb user, add it to the
HaasGroupand display the result.
Examples
# To add a user
sudo ./manage_users.sh bob
# Reset passwords
sudo ./manage_users.sh bob --set-password
# Delete user (with prompt)
sudo ./manage_users.sh bob --delete-user
# Combine for safe automation testing
sudo ./manage_users.sh bob --delete-user --dry-run
# Delete user silently (automation safe)
sudo ./manage_users.sh bob --delete-user --force
# Show what would happen (no changes made)
sudo ./manage_users.sh bob --dry-run
# To Add an admin user
sudo ./manage_users.sh mspadmin --admin-user
#To add an admin user and an SSH public key
sudo ./manage_users.sh mspadmin --admin-user --ssh-key="ssh-ed25519 AAAAC3Nza...)
Script outputs
Before adding a new user, list the existing users in case it already exists:
Linux users
Display the Samba users
Add a user
sudo ./manage_users.sh bob
==== Wed Mar 18 14:19:45 PDT 2026 ====
Log file: /var/log/user_mgmt_20260318_141945.log
Processing user: bob
Creating system user
New password:
Retype new password:
passwd: password updated successfully
Creating Samba user
New SMB password:
Retype new SMB password:
Added user bob.
Enabled user bob.
Final user info:
uid=1006(bob) gid=1010(bob) groups=1010(bob),1004(HaasGroup)
Done.
Update user's password on Linux and Samba
sudo ./manage_users.sh bob --set-password
==== Wed Mar 18 14:29:20 PDT 2026 ====
Log file: /var/log/user_mgmt_20260318_142920.log
Processing user: bob
User bob already exists.
Updating system password
New password:
Retype new password:
passwd: password updated successfully
Samba user exists
Updating Samba password
New SMB password:
Retype new SMB password:
Enabled user bob.
Final user info:
uid=1006(bob) gid=1010(bob) groups=1010(bob),1004(HaasGroup)
Done.
Delete a User with prompts
sudo ./manage_users.sh bob --delete-user --dry-run
==== Wed Mar 18 14:25:53 PDT 2026 ====
Log file: /var/log/user_mgmt_20260318_142553.log
Processing user: bob
DELETE MODE ENABLED for bob
Are you sure you want to delete user 'bob'? (y/N): N
Aborting.
Silently delete a user
Use the --force in a script to delete users without being prompted
sudo ./manage_users.sh bob --delete-user --force
==== Wed Mar 18 14:42:23 PDT 2026 ====
Log file: /var/log/user_mgmt_20260318_144223.log
Processing user: bob
DELETE MODE ENABLED for bob
[FORCE] Skipping confirmation
Deleting Samba user bob
Deleted user bob.
Deleting Linux user bob
Deletion complete for bob
Add a user with dry run
These arguments don't create the user, they show you what commands would be used.
Add an admin user
Add an admin user with ssh key
To view the code in the manage_users.sh script:
Troubleshooting
Samba includes a utility called testparm that reads the /etc/samba/smb.conf file. The -s argument reads the file and reports any errors at the top of the output. It displays the entire smb/conf file so you will have to scroll up to see any errors.
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_STANDALONE
# Global parameters
[global]
client max protocol = SMB3
client min protocol = SMB2
disable netbios = Yes
disable spoolss = Yes
load printers = No
log file = /var/log/samba/log.%m
logging = file
max log size = 10000
panic action = /usr/share/samba/panic-action %d
printcap name = /dev/null
server min protocol = SMB2
server role = standalone server
server string = Haas Data Collector (Samba, Ubuntu)
socket options = TCP_NODELAY IPTOS_LOWDELAY
idmap config * : backend = tdb
printing = bsd
[Haas]
comment = Haas Data Collection Share
create mask = 0664
uid=1000(haas) gid=1003(haas) groups=1003(haas),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),995(input),992(render),107(netdev),1000(gpio),1001(spi),1002(i2c),1004(HaasGroup)
Password for [WORKGROUP\haas]:
Sharename Type Comment
--------- ---- -------
Haas Disk Haas Data Collection Share
st40 Disk Logger for ST40
st30 Disk Logger for ST30
st30l Disk Logger for ST30L
IPC$ IPC IPC Service (Haas Data Collector (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
List only shares:
Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
Haas 531619 192.168.10.113 Tue Mar 24 16:38:21 2026 PDT
List locked files
Locked files:
Pid User(ID) DenyMode Access R/W Oplock SharePath Name Time
--------------------------------------------------------------------------------------------------
531619 1000 DENY_NONE 0x20081 RDONLY LEASE(RH) /home/haas/Haas_Data_collect ._.DS_Store Tue Mar 24 16:38:27 2026
531619 1000 DENY_NONE 0x20081 RDONLY LEASE() /home/haas/Haas_Data_collect ._.DS_Store Tue Mar 24 16:38:21 2026
531619 1000 DENY_NONE 0x100081 RDONLY NONE /home/haas/Haas_Data_collect . Tue Mar 24 16:38:27 2026
531619 1000 DENY_NONE 0x100081 RDONLY NONE /home/haas/Haas_Data_collect . Tue Mar 24 16:38:27 2026
Managing Locked Files If a file is inappropriately locked (e.g., a client disconnected improperly), you can identify the process and kill it:
Run smbstatus to find the PID of the process that has the lock on the file. Verify the user and hostname associated with that PID in the output. Kill the specific smbd process using the PID:
This action should release the lock.
Wireshark
The Samba server was configured with ntlm auth = ntlmv2-only and lanman auth = no, ensuring that legacy NTLMv1 and LANMAN authentication mechanisms are disabled. If an auditor wants proof that LANMAN and MTLMv1 are not being used you can run the following in the terminal of the appliance to capture packets.
Once the tcpdump is running disconnect and reconnect a mapped drive from a Windows machine or one of the machine tools. Copy the capture to you laptop using SCP
[sudo] password for haas:
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
^C715 packets captured
716 packets received by filter
0 packets dropped by kernel
In this example I connected to the appliance's Haas share. The tcpdump captured 715 packets. It shows ^C715 packets captured because I used ctrl+c to end the capture
Copy the file to your laptop using SCP:
Where 192.168.10.143 is my laptop and the file we captured is smb_ntlm_test.pcap. If you are on Windows use Putty SCP
In Wireshark
Once you have smb_ntlm_test.pcap open in Wireshark, click the edit menu and select Find Packet..., type ntlmssp and press enter.
Look for the packets that are protocol SMB and info Negotiate Protocol Response. The source will be the IP Address of the appliance, the destination will be the IP of your laptop. Click the arrows to expand the data in each section.
The small rectangle shows that the appliance accepted SMB 3..1.1 and the large rectangle show the ciphers are:
SHA-512AES-128-GCMAES-GMAC.