Spun out mDMS strategy + tooling from m/otto into its own repo on 2026-05-15. Migrated:

- docs/strategy.md (was: m/otto:docs/mdms-strategy.md)
- infra/paperless/ (config + audit + migrate scripts)
- infra/samba-canon/ (Canon MB5100 SMB1 bridge container)

History in m/otto: issues #429–#438. Going forward, all mDMS issues file here. Sibling m/paperless (separate repo) remains the bare Docker Compose for Paperless-ngx itself.
# samba-canon — SMB bridge for the Canon MAXIFY MB5100

An old-Samba container on mDock that gives the Canon MB5100 (2014, SMB1 + NTLMv1 only) a writable share. Scans land in `/mnt/mdms/inbox/` and are picked up by Paperless within 60 s via the existing consume-folder poll.
## Why this exists

The Canon MAXIFY MB5100 only supports an SMB shared folder as a scan destination (no FTP, no WebDAV; see the official manual). It speaks SMB1 with NTLMv1 auth.

Direct scan-to-TrueNAS fails reproducibly even with `enable_smb1=true` and `ntlmv1_auth=true` flipped on TrueNAS Core: the Samba build TrueNAS ships (4.19+) carries extra SMB1 hardening that breaks the printer's handshake. `smb1_process.c:502` logs `NT_STATUS_CONNECTION_RESET`: the printer closes the TCP socket before the first SMB packet is processed.

Rather than fight the TrueNAS hardening, this container runs a deliberately old Samba (4.13.17 on Alpine 3.13) on mDock, bound to mDock's LAN interface only, and writes received files straight to the NFS-mounted Paperless inbox.

The TrueNAS SMB stack stays untouched: mBreeze and mPebble keep mounting mDMS directly from TrueNAS as before.
## Layout

| File | Purpose |
|---|---|
| Dockerfile | alpine:3.13 + samba 4.13.17, ~46 MiB image |
| smb.conf | NT1 server, NTLMv1 + LANMAN enabled, single `[inbox]` share |
| entrypoint.sh | Creates `canon` user at UID 1000, sets its password from the environment, runs `smbd` |
| docker-compose.yml | Binds 445/139 on the LAN IP only, mounts `/mnt/mdms/inbox` |

These files are a traceable copy of what lives in `~/samba-canon/` on mDock (same convention as `infra/paperless/`). If you change the live config on mDock, sync the change here in the same commit.
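The table above describes smb.conf only by its properties. The following is an added example of a configuration that implements them; it is not the repo's own file. Assumptions not stated on the page: the inbox bind mount is at `/inbox` inside the container, and the Samba account is `canon` with UID 1000. The LAN-only restriction is intentionally absent here: inside a bridge-networked container `smbd` only sees the bridge address, so the restriction belongs in the compose port binding, not in `interfaces`.

```ini
# Illustrative smb.conf for the samba-canon container (added example, not the
# repo's own file). Assumptions: inbox mounted at /inbox, account "canon" at
# UID 1000; LAN-only binding is enforced by docker-compose.yml, not here.
[global]
   workgroup = WORKGROUP
   server string = samba-canon
   server role = standalone server
   security = user
   map to guest = Never            # no anonymous access, ever

   # Only as weak as the MB5100 requires: SMB1 (NT1) dialect, NTLMv1 and
   # LANMAN responses accepted. Samba 4.11+ defaults to SMB2 minimum, so the
   # first line is what makes SMB1 available at all. Insecure by design;
   # see the Security notes section.
   server min protocol = NT1
   ntlm auth = yes
   lanman auth = yes

   # Nothing else this daemon could offer is wanted.
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   # Log to the container's stdout so `docker compose logs` shows auth events.
   log file = /dev/stdout
   max log size = 0
   log level = 1 auth:2

[inbox]
   comment = Canon MB5100 scan drop
   path = /inbox
   browseable = yes
   read only = no
   valid users = canon
   force user = canon              # every write lands as UID 1000 (m:m on the NFS mount)
   create mask = 0664              # matches the probe.txt check in Verification
   directory mask = 0775
```

Run `testparm -s` against it before building; it rejects unknown parameters and reports the effective protocol range, which is the quickest way to confirm SMB1 is actually on.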
## Deploy

```sh
scp infra/samba-canon/{Dockerfile,smb.conf,entrypoint.sh,docker-compose.yml} \
    mdock:~/samba-canon/
ssh mdock 'cd ~/samba-canon && docker compose up -d --build'
```

The real `CANON_PASSWORD` lives in `~/samba-canon/.env` on mDock (chmod 600, not committed). Rotate by editing `.env` and running `docker compose restart`; entrypoint.sh re-applies the password to the Samba TDB on every boot.
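Rotation works because the entrypoint re-applies the password unconditionally at every start. The script below is an added example of such an entrypoint, not the repo's own entrypoint.sh; it assumes Alpine's BusyBox `adduser`, the `samba` package, an smb.conf already at `/etc/samba/smb.conf`, and `CANON_PASSWORD` in the environment. The 12-character minimum is this example's own policy, not a value from the page.

```sh
#!/bin/sh
# Illustrative entrypoint.sh for the samba-canon container (added example, not
# the repo's own script). Assumes Alpine (BusyBox adduser), the samba package,
# /etc/samba/smb.conf in place, and CANON_PASSWORD in the environment.
set -eu

CANON_USER="${CANON_USER:-canon}"
CANON_UID="${CANON_UID:-1000}"     # matches m's UID on the NFS mount

# Reject an empty or short password. With ntlm auth / lanman auth enabled the
# exchange on the wire is crackable offline, so length is the only brake left.
# The 12-character floor is this example's choice, not a value from the page.
check_password() {
    pw="${1:-}"
    [ -n "$pw" ] || return 1
    [ "${#pw}" -ge 12 ] || return 1
    return 0
}

# Build the two-line stdin that `smbpasswd -s` expects (password, confirmation).
smbpasswd_input() {
    printf '%s\n%s\n' "$1" "$1"
}

# Samba-only account: no home (-H), no shell, no system password (-D).
ensure_user() {
    if ! id "$CANON_USER" >/dev/null 2>&1; then
        adduser -D -H -u "$CANON_UID" -s /sbin/nologin "$CANON_USER"
    fi
}

# -a adds or updates the TDB entry, so running this on every boot is what turns
# "edit .env, docker compose restart" into a rotation.
apply_password() {
    smbpasswd_input "$1" | smbpasswd -a -s "$CANON_USER"
    smbpasswd -e "$CANON_USER"
}

main() {
    if ! check_password "${CANON_PASSWORD:-}"; then
        echo "entrypoint: CANON_PASSWORD is unset or shorter than 12 characters" >&2
        exit 1
    fi
    ensure_user
    apply_password "$CANON_PASSWORD"
    # Fail loudly on a broken smb.conf instead of letting smbd misbehave quietly.
    testparm -s /etc/samba/smb.conf >/dev/null
    exec smbd --foreground --no-process-group
}

# Run main only where Samba is actually installed (inside the container);
# elsewhere this file just defines the helpers above so they can be tested.
if command -v smbd >/dev/null 2>&1 && [ -f /etc/samba/smb.conf ]; then
    main "$@"
fi
```

Because the password is piped rather than passed as an argument, it never appears in `ps` output or the container's command line; `.env` and the Samba TDB are the only two places it exists on mDock.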
## Canon Quick Utility Toolbox values

Use these exact values in the printer's "Destination Settings → Folder" entry (Canon Printer Quick Utility Toolbox → Destination Folder Settings):
| Field | Value |
|---|---|
| Display name | mDock Inbox (any label) |
| SMB server name | 192.168.178.131 (mDock LAN IP — not mdock, the printer does no DNS) |
| Shared folder | inbox |
| Domain / Workgroup | leave blank, or WORKGROUP |
| User | canon |
| Password | (from ~/samba-canon/.env on mDock — CANON_PASSWORD) |
| Port | leave default (445) — non-standard ports are not supported by the printer |
The printer's connection-test should report success.
## Verification (replayed during deploy)

- Share listing from a known-good client. From mBreeze (`smbutil`):

  ```sh
  smbutil view -A "//canon:<pw>@192.168.178.131"
  # → "Authenticate successfully with //canon:…@192.168.178.131"
  ```

- Mount + write from mBreeze:

  ```sh
  mkdir -p /tmp/canon-test
  mount -t smbfs "//canon:<pw>@192.168.178.131/inbox" /tmp/canon-test
  touch /tmp/canon-test/probe.txt
  ls -la /mnt/mdms/inbox/probe.txt   # on mDock — should show m:m, mode 0664
  umount /tmp/canon-test
  ```

- Toolbox connection test: green tick (m runs this once during setup).
- Real scan from the ADF: the PDF lands in `/mnt/mdms/inbox/`, Paperless polls within 60 s, OCR + AI-typing run, and the file moves to `<year>/<type>/...` (existing Paperless pipeline, see `infra/paperless/`).
- Survives mDock reboot. `docker compose up -d` sets `restart: unless-stopped`. Verified via `docker restart samba-canon`: the container comes back up and the share is reachable within ~5 s.
## Security notes

- LAN-only. The compose file binds `192.168.178.131:445` and `192.168.178.131:139`, not `0.0.0.0`. The container is not reachable from Tailscale or the internet. This restriction lives in Docker's port publishing, not in `smbd`, so re-check it after any change to the compose file or the Docker install.
- SMB1 + NTLMv1 are insecure by design. Acceptable here because the threat model is "untrusted devices on the home LAN", and the only client is the printer. Anyone on that LAN who captures the NTLMv1/LANMAN exchange can recover the password offline, so `CANON_PASSWORD` must be unique to this account and never reused elsewhere. Do not expose this share to anything except the Canon.
- The `canon` user is a Samba-only account (`/sbin/nologin`, no system password, no shell). It maps to UID 1000 inside the container so that files written through SMB land as `m:m` on the host NFS mount.
- If `CANON_PASSWORD` leaks, rotate it: edit `~/samba-canon/.env` on mDock, run `docker compose restart samba-canon`, and re-enter the new password in the Canon Toolbox.
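The LAN-only claim above is the control worth checking on mDock after every deploy. The script below is an added example, not part of the repo: it reads `ss -ltnH` output and flags any 445/139 listener that is not bound to the LAN IP (the compose `192.168.178.131:445:445` style publish makes Docker's proxy bind exactly that address). The sample `ss` lines are constructed for the demonstration; the LAN IP is the one from this page.

```sh
#!/bin/sh
# Added example (not the repo's own tooling): verify on mDock that the only
# TCP listeners on 445/139 are bound to the LAN IP. Assumes iproute2 `ss`.
set -eu

LAN_IP="${LAN_IP:-192.168.178.131}"

# Read `ss -ltnH` lines on stdin (State Recv-Q Send-Q Local:Port Peer:Port ...)
# and print every 445/139 listener whose local address is not $1.
# Returns 0 when the bind scope is clean, 1 otherwise.
find_wide_smb_listeners() {
    awk -v lan="$1" '
        {
            n = split($4, a, ":")          # handles 0.0.0.0:445, *:445 and [::]:445
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
        }
        (port == "445" || port == "139") && addr != lan { print $4; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed samples in the shape `ss -ltnH` prints on mDock.
SAMPLE_GOOD='LISTEN 0 4096 192.168.178.131:445 0.0.0.0:*
LISTEN 0 4096 192.168.178.131:139 0.0.0.0:*
LISTEN 0 128  0.0.0.0:22         0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 4096 0.0.0.0:445 0.0.0.0:*
LISTEN 0 4096 [::]:139     [::]:*'

# Run the check against a constructed sample; exit status is the verdict,
# the printed lines are the offending binds.
check_sample() {
    case "$1" in
        good) printf '%s\n' "$SAMPLE_GOOD" | find_wide_smb_listeners "$LAN_IP" ;;
        bad)  printf '%s\n' "$SAMPLE_BAD"  | find_wide_smb_listeners "$LAN_IP" ;;
        *)    echo "usage: check_sample good|bad" >&2; return 2 ;;
    esac
}

# Live check on mDock: sh check-bind.sh --live
if [ "${1:-}" = "--live" ]; then
    if ss -ltnH | find_wide_smb_listeners "$LAN_IP"; then
        echo "OK: 445/139 listen on $LAN_IP only"
    else
        echo "WIDE BIND (listed above): fix the ports: entries in docker-compose.yml" >&2
        exit 1
    fi
fi
```

Two caveats. If Docker's userland proxy is disabled, there is no listening socket at all and the port is exposed through DNAT only; the check then passes vacuously, and the rule to inspect instead is the `-d 192.168.178.131/32 ... --dport 445 -j DNAT` entry in `iptables -t nat -S DOCKER`. And a positive test from the wrong side is still worth one line: a `nc -z -w2 <mDock Tailscale IP> 445` from another machine should time out, not connect.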
## Out of scope
- TLS / encrypted SMB — incompatible with the printer; LAN-only mitigates.
- Multi-user — only the printer needs to write here.
- Replacing the TrueNAS SMB stack mBreeze/mPebble already use.
- Replacing the printer — m wants to keep the MB5100 working.