Solved

What are my security options with Samba?

Posted on 2003-12-05
Last Modified: 2010-04-11
Setting up a Linux file server and I'm in need of info as it pertains to the security settings and my configuration options with Samba. I need to make sure that only the users I want accessing files will be the only ones able to. Thanks in advance for all of your suggestions.
Question by:whomee
5 Comments
 
LVL 9

Accepted Solution

by:
TooKoolKris earned 1000 total points
ID: 9885245
How you set up your security with Samba is going to depend on the type of access you need to have. Of all the security settings available, the most important one is going to be the “security” option. It defines the type of security used to give access to the shared file systems and printers to the client computers. You have 4 options for this setting (user, share, server and domain); the default for pre-2.0 versions is share and for later versions it’s user.

If you are going to have to give Windows clients access I would recommend that you use user. This is best especially if you are going to be doing mostly file sharing and a little printing maybe. It does require that you use a username and password.

Share works best for just print sharing or for providing file access that is more public or used by guests. No account\password is needed; however, guests will still have to be given permissions to access and change files.

Server is pretty much the same as user with one little twist. The account\pass is sent to another SMB server for validation. If it fails, Samba will try to validate the client using user security. Domain is used only when you have to add your Samba server to an NT\2000 domain; other than that, it is also the same as user.

You can also choose to encrypt passwords, obey PAM restrictions, sync with any UNIX passwords, hosts allow and deny as well as add your logging options.

The more I play with Linux the more I’m convinced it just kicks Windows a** when it comes to security. I’m wanting to install Linux servers for my more critical servers however I don’t get to choose that option unfortunately.
0
 

Author Comment

by:whomee
ID: 9886007
Thanks for the quick info.

When you say PAM restrictions what exactly do you mean?

I have this server alongside Win2k servers but not in the same domain. I don't think I'm going to need to give them access to it as this is going to be a test thing with a Linux network and if it works well might be put in place. So then you would recommend that I don't use any guest accounts?
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9886318
PAM is used for account and session management. However if you turn it on it won’t work if you have encrypted passwords on. You can manage password changes with PAM by using the change control flag for Samba. If you turn this on SMB clients will use PAM instead of the program listed in the password program value (/usr/bin/passwd - by default) for changing SMB passwords.

I never said not to use guest accounts.

Samba always assigns the permissions level of a valid user on the RH Linux system to clients who use the server. In the case of share security, the user is assigned a guest account and by default it's the "nobody" account. If the guest account value isn't set, Samba goes through some complex rules to determine which user account to use. So you won't be able to determine which permissions will be assigned in each case. This is why you should use "user" security if you want to provide more specific user access to the server.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9891702
Sounds like you need to get used to Samba's configuration:
  man smb.conf
There, have a look at the following directives:
  security
  encrypt passwords
  valid users
  invalid users
  username map
  map to guest
  browseable
  hosts allow
  hosts deny
  create mode
  create mask
  directory mask
understanding this is essential for building a secure Samba server.
0
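
Added example (not part of the thread, and not code from the Samba project): a small Python check over a constructed smb.conf that flags the settings the two answers above discuss, namely share-level security, unencrypted passwords, guest mapping, and shares without `valid users` or `hosts allow`. The sample file, share names, users and the `audit` rules are assumptions made for illustration; `guest ok` is a standard smb.conf parameter that the thread does not name.

```python
# Constructed smb.conf for illustration; share names and users are made up.
SAMPLE = """
[global]
   security = share
   encrypt passwords = no
   map to guest = Bad User
[projects]
   guest ok = yes
   create mask = 0666
[finance]
   valid users = alice, bob
   hosts allow = 192.168.10.
   create mask = 0660
"""
YES, NO = ("yes", "true", "1"), ("no", "false", "0")

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased, space-normalised names."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """Return (section, finding) pairs; only explicitly set values are judged."""
    g = conf.get("global", {})
    out = [("global", msg) for bad, msg in (
        (g.get("security", "").lower() == "share", "security = share"),
        (g.get("encrypt passwords", "yes").lower() in NO, "encrypt passwords is off"),
        (g.get("map to guest", "never").lower() != "never", "map to guest is enabled"),
    ) if bad]
    for name, share in conf.items():
        if name == "global":
            continue
        eff = {**g, **share}  # share-level settings override [global]
        out += [(name, msg) for bad, msg in (
            (eff.get("guest ok", "no").lower() in YES, "guest ok = yes"),
            ("valid users" not in eff, "no valid users list"),
            ("hosts allow" not in eff, "no hosts allow restriction"),
            (int(eff.get("create mask", "0"), 8) & 0o002, "create mask allows world-write"),
        ) if bad]
    return out
```

Calling `audit(parse_smb_conf(SAMPLE))` reports the `[global]` and `[projects]` settings and nothing for `[finance]`, which restricts both users and client hosts.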
 

Author Comment

by:whomee
ID: 9896273
Thanks again!
0

Question has a verified solution.
