• Status: Solved

disabling NULL sessions to samba shares

Hi,

I have several shares on a Linux server which I want to make sure are not enabling null session login. How do I do that? Is it via the smb.conf file or via the Samba Server Configuration (system-config-samba)?

Thank you.
Asked by: iNc0g
 
Daniel Helgenberger Commented:
Hello,

I do not know what you exactly mean by NULL sessions; guest access?

In any case, the primary place to configure Samba is /etc/samba/smb.conf. The security model is configured in the [global] section under security = <model>, as is guest access:
map to guest = Never

But this is already the default, if you use >= Samba 3.

Also, access is handled per share. Even if you map guest, then you would need to explicitly configure guest access in the share definition:
[myshare]
...
guest ok = yes
...

PS: IMHO it is better to map guest from bad uids, so you can handle them if you need guest access, if you are running in ADS mode:
map to guest = bad uid

The four settings are :

Never - Means user login requests with an invalid password are rejected. This is the default.

Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.

Bad Password - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will hate you if you set the map to guest parameter this way :-).

Bad Uid - Is only applicable when Samba is configured in some type of domain mode security (security = {domain|ads}) and means that user logins which are successfully authenticated but which have no valid Unix user account (and smbd is unable to create one) should be mapped to the defined guest account. This was the default behavior of Samba 2.x releases. Note that if a member server is running winbindd, this option should never be required because the nss_winbind library will export the Windows domain users and groups to the underlying OS via the Name Service Switch interface.

Please also see,
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
 
iNc0g (Author) Commented:
I've added the "map to guest = Never" under the global section.
My intention here is to disallow unauthenticated users from accessing the shares.

If someone has direct access to the server itself then it's alright, but if someone is connected to the LAN without an authenticated user and starts scanning the network and enumerating shares, he should not have access, obviously.

 
Daniel Helgenberger Commented:
True; even with a valid account scanning / browsing would not work for the
browsable = no
shares. Note, 'yes' is the default here; even if you comment out your share definition option.
Also, you can achieve the same thing with the share option:
access based share enum = yes
But check your Samba version; I am not sure when support for this option started. It is definitely there in Samba 3.
Consider that map to guest = never would have been the default anyway. If you are not sure which options are used, run testparm -v on your Samba server; this will tell you not only what options are used but also the defaults.
Question has a verified solution.
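
An added example, not part of the thread and not Samba's own tooling: a small audit over smb.conf text (or the output of testparm -s -v) that reports the guest-access settings discussed in the answers above. The function names and the sample configuration are constructed for illustration.

```python
import re

# Samba ignores case and whitespace in parameter names; some have synonyms.
SYNONYMS = {"public": "guestok", "browsable": "browseable"}

def parse(text):
    """Parse smb.conf / `testparm -s -v` text into {section: {param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit(text):
    """Return findings about settings that allow guest (unauthenticated) access."""
    conf = parse(text)
    glob = conf.pop("global", {})  # what remains in conf are share sections
    findings = []
    mapping = glob.get("maptoguest", "Never")  # Never is the documented default
    if mapping.lower() != "never":
        findings.append(f"[global] map to guest = {mapping}")
    for name, params in conf.items():
        # Share-level parameters set in [global] act as defaults for every share.
        guest = params.get("guestok", glob.get("guestok", "no"))
        if guest.lower() in ("yes", "true", "1"):
            shown = params.get("browseable", glob.get("browseable", "yes"))
            findings.append(f"[{name}] guest ok = yes (browseable = {shown})")
    return findings

# Constructed sample input, not the asker's smb.conf.
SAMPLE = """[global]
    map to guest = Bad User
[projects]
    guest ok = no
[scans]
    public = yes
    browsable = no
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means guest mapping is off and no share has guest ok enabled; note that a share with browseable = no is still reported, because hiding a share from browsing does not remove guest access to it.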
