Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

What are my security options with Samba?

Posted on 2003-12-05
5
Medium Priority
?
666 Views
Last Modified: 2010-04-11
Setting a linux file server and I'm in need of info as it pertains to the security settings and my configuration options with Samba. I need to make sure that only the users I want accessing files will be the only ones able to. Thanks in advance for all of your suggestions.
0
Comment
Question by:whomee
  • 2
  • 2
5 Comments
 
LVL 9

Accepted Solution

by:
TooKoolKris earned 1000 total points
ID: 9885245
How you setup your security with Samba is going to depend on the type of access you need to have. Of all the security setting available the most important one is going to be the “security” option. It defines the type of security used to give access to the shared file systems and printers to the client computers. You have 4 options for this setting (user, share, server and domain) and the default for pre 2.0 versions is share and for later versions it’s user.

If you are going to have to give Windows clients access I would recommend that you use user. This is best especially if you are going to be doing mostly file sharing and a little printing maybe. It does require that you use a username and password.

Share works best for just print sharing or for providing file access that is more public or used by guests. No account\password is needed however guests will still have to be given permissions to access and change files.

Server is pretty much the same as user with one little twist. The account\pass is sent to another SMB server for validation. If it fails Samba will try to validate the client using user security. Domain is used only when you have to add your Samba server to a NT\2000 domain, other then that it is also the same as user.

You can also choose to encrypt passwords, obey PAM restrictions, sync with any UNIX passwords, hosts allow and deny as well as add your logging options.

The more I play with Linux the more I’m convinced it just kicks Windows a** when it comes to security. I’m wanting to install Linux servers for my more critical servers however I don’t get to choose that option unfortunately.
0
 

Author Comment

by:whomee
ID: 9886007
Thanks for the quick info.

When you say PAM restrictions what exactly do you mean?

I have this server along side Win2k servers but not in the same domain. I don't think I'm going to need to give them access to it as this is going to be a test thing with a linux network and if works well might be put in place. So then you would recommend that I don't use any guest accounts?
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9886318
PAM is used for account and session management. However if you turn it on it won’t work if you have encrypted passwords on. You can manage password changes with PAM by using the change control flag for Samba. If you turn this on SMB clients will use PAM instead of the program listed in the password program value (/usr/bin/passwd - by default) for changing SMB passwords.

I never said not to use guests’ accounts.

Samba always assigns the permissions level of a valid user on the RH Linux system to clients who use the server. In the case of share security, the user is assigned a guest account and by default it's the "nobody" account. If the guest account value isn't set, Samba goes through some complex rules to determine which user account to use. So you wont be able to determine which permissions will be assigned in each case. This is why you should use "user" security if you want to provide more specific user access to the server.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9891702
sounds like you need to get used to Samba's configuration:
  man smb.conf
there have a look at following directives:
  secuirty
  encrypt passwords
  valid users
  invalid users
  username map
  map to guest
  browseable
  hosts allow
  hosts deny
  create mode
  create mask
  directory mask
understanding this is essential for building a secure Samba server.
0
 

Author Comment

by:whomee
ID: 9896273
Thanks again!
0

Featured Post

WatchGuard Case Study: Museum of Flight

“With limited money and limited staffing, we didn’t have a lot of choices in terms of what we could do to bring efficiency. WatchGuard played a central part in changing that.” To provide strong, secure Wi-Fi access within the museum, Hunter chose to deploy WatchGuard’s AP120 APs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
The Internet has made sending and receiving information online a breeze. But there is also the threat of unauthorized viewing, data tampering, and phoney messages. Surprisingly, a lot of business owners do not fully understand how to use security t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question