Solved

What are my security options with Samba?

Posted on 2003-12-05
Last Modified: 2010-04-11
Setting up a Linux file server and I'm in need of info as it pertains to the security settings and my configuration options with Samba. I need to make sure that only the users I want accessing files will be the only ones able to. Thanks in advance for all of your suggestions.
Question by:whomee
LVL 9

Accepted Solution

by:
TooKoolKris earned 250 total points
ID: 9885245
How you set up your security with Samba is going to depend on the type of access you need to have. Of all the security settings available the most important one is going to be the “security” option. It defines the type of security used to give access to the shared file systems and printers to the client computers. You have 4 options for this setting (user, share, server and domain) and the default for pre-2.0 versions is share and for later versions it’s user.

If you are going to have to give Windows clients access I would recommend that you use user. This is best especially if you are going to be doing mostly file sharing and a little printing maybe. It does require that you use a username and password.

Share works best for just print sharing or for providing file access that is more public or used by guests. No account\password is needed however guests will still have to be given permissions to access and change files.

Server is pretty much the same as user with one little twist. The account\pass is sent to another SMB server for validation. If it fails Samba will try to validate the client using user security. Domain is used only when you have to add your Samba server to an NT\2000 domain, other than that it is also the same as user.

You can also choose to encrypt passwords, obey PAM restrictions, sync with any UNIX passwords, hosts allow and deny as well as add your logging options.

The more I play with Linux the more I’m convinced it just kicks Windows a** when it comes to security. I’m wanting to install Linux servers for my more critical servers however I don’t get to choose that option unfortunately.

Author Comment

by:whomee
ID: 9886007
Thanks for the quick info.

When you say PAM restrictions what exactly do you mean?

I have this server alongside Win2k servers but not in the same domain. I don't think I'm going to need to give them access to it as this is going to be a test thing with a Linux network and if it works well might be put in place. So then you would recommend that I don't use any guest accounts?
LVL 9

Expert Comment

by:TooKoolKris
ID: 9886318
PAM is used for account and session management. However if you turn it on it won’t work if you have encrypted passwords on. You can manage password changes with PAM by using the change control flag for Samba. If you turn this on SMB clients will use PAM instead of the program listed in the password program value (/usr/bin/passwd - by default) for changing SMB passwords.

I never said not to use guest accounts.

Samba always assigns the permissions level of a valid user on the RH Linux system to clients who use the server. In the case of share security, the user is assigned a guest account and by default it's the "nobody" account. If the guest account value isn't set, Samba goes through some complex rules to determine which user account to use. So you won't be able to determine which permissions will be assigned in each case. This is why you should use "user" security if you want to provide more specific user access to the server.
LVL 51

Expert Comment

by:ahoffmann
ID: 9891702
Sounds like you need to get used to Samba's configuration:
  man smb.conf
There, have a look at the following directives:
  security
  encrypt passwords
  valid users
  invalid users
  username map
  map to guest
  browseable
  hosts allow
  hosts deny
  create mode
  create mask
  directory mask
understanding this is essential for building a secure Samba server.
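
An added example, not part of the original posts and not Samba project code: a small Python audit that reads an smb.conf and reports the access-widening settings discussed in this thread (security = share, guest ok, and missing valid users or hosts allow). Both smb.conf samples, including the share names, users and subnet, are constructed for illustration.

```python
import configparser

# Constructed smb.conf samples; share names, users and subnet are made up.
WEAK = """\
[global]
security = share
encrypt passwords = no

[scratch]
path = /srv/samba/scratch
guest ok = yes
"""

HARDENED = """\
[global]
security = user
encrypt passwords = yes
hosts allow = 192.168.10. 127.
hosts deny = ALL

[projects]
path = /srv/samba/projects
valid users = alice, bob
create mask = 0660
directory mask = 0770
"""

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return (section, parameter) pairs that leave access wider than intended."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if name.lower() == "global":
            if sec.get("security", "user").lower() == "share":
                findings.append((name, "security"))  # clients mapped to guest account
            if not _yes(sec.get("encrypt passwords", "yes")):
                findings.append((name, "encrypt passwords"))  # explicit "no" only
            if "hosts allow" not in sec:
                findings.append((name, "hosts allow"))  # no network restriction
        else:
            if _yes(sec.get("guest ok", "no")):
                findings.append((name, "guest ok"))  # no password required
            if "valid users" not in sec:
                findings.append((name, "valid users"))  # any account may connect
    return findings
```

Calling `audit_smb_conf(WEAK)` lists five findings, while `audit_smb_conf(HARDENED)` returns an empty list.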

Author Comment

by:whomee
ID: 9896273
Thanks again!
