Solved

What are my security options with Samba?

Posted on 2003-12-05
Last Modified: 2010-04-11
I'm setting up a Linux file server and I'm in need of info as it pertains to the security settings and my configuration options with Samba. I need to make sure that only the users I want accessing files will be the only ones able to. Thanks in advance for all of your suggestions.
Question by:whomee
LVL 9

Accepted Solution

by:
TooKoolKris earned 250 total points
ID: 9885245
How you set up your security with Samba is going to depend on the type of access you need to have. Of all the security settings available, the most important one is going to be the “security” option. It defines the type of security used to give access to the shared file systems and printers to the client computers. You have 4 options for this setting (user, share, server and domain); the default for pre-2.0 versions is share, and for later versions it’s user.

If you are going to have to give Windows clients access I would recommend that you use user. This is best especially if you are going to be doing mostly file sharing and a little printing maybe. It does require that you use a username and password.

Share works best for just print sharing or for providing file access that is more public or used by guests. No account\password is needed however guests will still have to be given permissions to access and change files.

Server is pretty much the same as user with one little twist. The account\pass is sent to another SMB server for validation. If it fails, Samba will try to validate the client using user security. Domain is used only when you have to add your Samba server to an NT\2000 domain; other than that, it is also the same as user.

You can also choose to encrypt passwords, obey PAM restrictions, sync with any UNIX passwords, hosts allow and deny as well as add your logging options.

The more I play with Linux the more I’m convinced it just kicks Windows a** when it comes to security. I’m wanting to install Linux servers for my more critical servers however I don’t get to choose that option unfortunately.
0
 

Author Comment

by:whomee
ID: 9886007
Thanks for the quick info.

When you say PAM restrictions what exactly do you mean?

I have this server alongside Win2k servers but not in the same domain. I don't think I'm going to need to give them access to it, as this is going to be a test thing with a Linux network and, if it works well, might be put in place. So then you would recommend that I don't use any guest accounts?
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9886318
PAM is used for account and session management. However if you turn it on it won’t work if you have encrypted passwords on. You can manage password changes with PAM by using the change control flag for Samba. If you turn this on SMB clients will use PAM instead of the program listed in the password program value (/usr/bin/passwd - by default) for changing SMB passwords.

I never said not to use guests’ accounts.

Samba always assigns the permissions level of a valid user on the RH Linux system to clients who use the server. In the case of share security, the user is assigned a guest account, and by default it's the "nobody" account. If the guest account value isn't set, Samba goes through some complex rules to determine which user account to use. So you won't be able to determine which permissions will be assigned in each case. This is why you should use "user" security if you want to provide more specific user access to the server.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9891702
Sounds like you need to get used to Samba's configuration:
  man smb.conf
There, have a look at the following directives:
  security
  encrypt passwords
  valid users
  invalid users
  username map
  map to guest
  browseable
  hosts allow
  hosts deny
  create mode
  create mask
  directory mask
understanding this is essential for building a secure Samba server.
0
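
An added example, not part of any post in this thread: a small Python check that reads an smb.conf and flags the settings discussed above (share-level security, unencrypted passwords, guest mapping, and shares without valid users or hosts allow). The sample configuration, its share names, users and addresses are constructed, the function names are hypothetical, and the defaults used for missing options are assumptions.

```python
import configparser

# Constructed sample smb.conf; share names, users and addresses are made up.
SAMPLE_CONF = """
[global]
security = share
encrypt passwords = no
map to guest = Bad User

[public]
path = /srv/public
guest ok = yes

[finance]
path = /srv/finance
valid users = alice, bob
hosts allow = 192.168.10.
"""

def _on(section, key, default):
    """Read a yes/no option; the default for a missing option is this example's assumption."""
    return section.get(key, default).strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return (section, finding) tuples for settings that weaken access control."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    sections = {name.lower(): cp[name] for name in cp.sections()}
    glob = sections.get("global", {})
    findings = []
    if glob.get("security", "user").strip().lower() == "share":
        findings.append(("global", "security = share: no per-user login"))
    if not _on(glob, "encrypt passwords", "yes"):
        findings.append(("global", "encrypt passwords is off"))
    if glob.get("map to guest", "never").strip().lower() != "never":
        findings.append(("global", "map to guest can turn failed logins into guest sessions"))
    for name, sec in sections.items():
        if name == "global":
            continue
        if _on(sec, "guest ok", "no"):
            findings.append((name, "guest ok = yes: no password needed"))
        elif "valid users" not in sec:
            findings.append((name, "no valid users list: any authenticated account may connect"))
        if "hosts allow" not in glob and "hosts allow" not in sec:
            findings.append((name, "no hosts allow restriction"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE_CONF):
        print(f"[{section}] {finding}")
```
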
 

Author Comment

by:whomee
ID: 9896273
Thanks again!
0
