Solved

What are my security options with Samba?

Posted on 2003-12-05
Last Modified: 2010-04-11
I'm setting up a Linux file server and I'm in need of info as it pertains to the security settings and my configuration options with Samba. I need to make sure that only the users I want accessing files will be the only ones able to. Thanks in advance for all of your suggestions.
Question by:whomee
LVL 9

Accepted Solution

by:
TooKoolKris earned 250 total points
ID: 9885245
How you set up your security with Samba is going to depend on the type of access you need to have. Of all the security settings available, the most important one is going to be the “security” option. It defines the type of security used to give access to the shared file systems and printers to the client computers. You have 4 options for this setting (user, share, server and domain), and the default for pre-2.0 versions is share and for later versions it’s user.

If you are going to have to give Windows clients access I would recommend that you use user. This is best especially if you are going to be doing mostly file sharing and a little printing maybe. It does require that you use a username and password.

Share works best for just print sharing or for providing file access that is more public or used by guests. No account\password is needed however guests will still have to be given permissions to access and change files.

Server is pretty much the same as user with one little twist. The account\pass is sent to another SMB server for validation. If it fails, Samba will try to validate the client using user security. Domain is used only when you have to add your Samba server to an NT\2000 domain; other than that it is also the same as user.

You can also choose to encrypt passwords, obey PAM restrictions, sync with any UNIX passwords, hosts allow and deny as well as add your logging options.

The more I play with Linux the more I’m convinced it just kicks Windows a** when it comes to security. I’m wanting to install Linux servers for my more critical servers however I don’t get to choose that option unfortunately.
0
 

Author Comment

by:whomee
ID: 9886007
Thanks for the quick info.

When you say PAM restrictions what exactly do you mean?

I have this server alongside Win2k servers but not in the same domain. I don't think I'm going to need to give them access to it as this is going to be a test thing with a Linux network and if it works well might be put in place. So then you would recommend that I don't use any guest accounts?
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9886318
PAM is used for account and session management. However if you turn it on it won’t work if you have encrypted passwords on. You can manage password changes with PAM by using the change control flag for Samba. If you turn this on SMB clients will use PAM instead of the program listed in the password program value (/usr/bin/passwd - by default) for changing SMB passwords.

I never said not to use guests’ accounts.

Samba always assigns the permissions level of a valid user on the RH Linux system to clients who use the server. In the case of share security, the user is assigned a guest account and by default it's the "nobody" account. If the guest account value isn't set, Samba goes through some complex rules to determine which user account to use. So you won't be able to determine which permissions will be assigned in each case. This is why you should use "user" security if you want to provide more specific user access to the server.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9891702
Sounds like you need to get used to Samba's configuration:
  man smb.conf
There, have a look at the following directives:
  security
  encrypt passwords
  valid users
  invalid users
  username map
  map to guest
  browseable
  hosts allow
  hosts deny
  create mode
  create mask
  directory mask
understanding this is essential for building a secure Samba server.
0
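As an added example (not part of any post in this thread): a small Python check that reads an smb.conf and flags the settings the answers above caution about, namely share-level security, disabled password encryption, guest access, and missing `hosts allow` / `valid users` lists. The two sample configurations, the share name `projects`, the user names and the address prefixes are constructed for illustration.

```python
import configparser

# Constructed sample (not from the thread): share-level security and a guest share.
WEAK = """[global]
security = share
encrypt passwords = no
[projects]
path = /srv/projects
guest ok = yes
"""
# Constructed counterpart built from directives named in the thread.
HARDENED = """[global]
security = user
encrypt passwords = yes
map to guest = never
hosts allow = 192.168.10. 127.
[projects]
path = /srv/projects
valid users = alice bob
browseable = no
create mask = 0660
directory mask = 0770
"""

def _norm(name):
    # Samba ignores case and whitespace in parameter names.
    return "".join(name.split()).lower()

def audit(text):
    """Return findings for one smb.conf text (simplified: no includes or macros)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = _norm
    # Strip indentation so configparser does not treat it as line continuation.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    conf = {s.lower(): dict(cp.items(s)) for s in cp.sections()}
    glob = conf.pop("global", {})
    found = []
    if glob.get("security", "").lower() == "share":
        found.append("global: security = share")
    if glob.get("encryptpasswords", "").lower() in ("no", "false", "0"):
        found.append("global: encrypt passwords disabled")
    if not (glob.get("hostsallow") or glob.get("allowhosts")):
        found.append("global: no hosts allow list")
    for name, opts in conf.items():
        guest = opts.get("guestok", opts.get("public", "no")).lower()
        if guest in ("yes", "true", "1"):
            found.append(f"{name}: guest access enabled")
        if not (opts.get("validusers") or glob.get("validusers")):
            found.append(f"{name}: no valid users list")
    return found
```

Running `audit()` over the text of a real `/etc/samba/smb.conf` gives a quick list of settings to review; Samba's own `testparm` remains the tool for validating syntax.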
 

Author Comment

by:whomee
ID: 9896273
Thanks again!
0
