Solved

disabling NULL sessions to samba shares

Posted on 2013-10-30
Last Modified: 2013-10-31
Hi,

I have several shares on a Linux server which I want to make sure are not enabling null session login. How do I do that? Is it via the smb.conf file or via the Samba Server Configuration (system-config-samba)?

Thank you.
Question by:iNc0g
Accepted Solution

by:
Daniel Helgenberger earned 400 total points
ID: 39611889
Hello,

I do not know what you exactly mean by NULL sessions; guest access?

In any case, the primary place to configure Samba is /etc/samba/smb.conf. The security model is configured in the [global] section under security = <model>, as well as guest access:
map to guest = Never

But this is already the default if you use Samba >= 3.

Also, access is handled per share. Even if you map guest, then you would need to explicitly configure guest access in the share definition:
[myshare]
...
guest ok = yes
...

PS: IMHO it is better to map guest from bad uids, so you can handle them if you need guest access, if you are running in ADS mode:
map to guest = bad uid

The four settings are:

Never - Means user login requests with an invalid password are rejected. This is the default.

Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.

Bad Password - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will hate you if you set the map to guest parameter this way :-).

Bad Uid - Is only applicable when Samba is configured in some type of domain mode security (security = {domain|ads}) and means that user logins which are successfully authenticated but which have no valid Unix user account (and smbd is unable to create one) should be mapped to the defined guest account. This was the default behavior of Samba 2.x releases. Note that if a member server is running winbindd, this option should never be required because the nss_winbind library will export the Windows domain users and groups to the underlying OS via the Name Service Switch interface.

Please also see,
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Author Comment

by:iNc0g
ID: 39613464
I've added the "map to guest = Never" under the global section.
My intention here is to disallow unauthenticated users from accessing the shares.

If someone has direct access to the server itself then it's alright, but if someone is connected to the LAN without an authenticated user and starts scanning the network and enumerating shares - he should not have access obviously.


Assisted Solution

by:Daniel Helgenberger
Daniel Helgenberger earned 400 total points
ID: 39613545
True; even with a valid account, scanning / browsing would not work for the
browsable = no
shares. Note, 'yes' is the default here, even if you comment out your share definition option.
Also, you can achieve the same thing with the share option:
access based share enum = yes
But check your Samba version; I am not sure when support for this option started. It is definitely there in Samba 3.
Consider that map to guest = Never would have been the default anyway. If you are not sure which options are used, run testparm -v on your Samba server; this will tell you not only what options are used but also the defaults.
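
The settings named in the two answers above (map to guest, guest ok, browsable), checked programmatically; this is an added example, not part of the original thread. The sample configuration and the function names are constructed for illustration, and backslash line continuations and include files are not handled.

```python
import re

# Constructed sample configuration, not the poster's attached smb.conf.
SAMPLE = """\
[global]
   map to guest = Bad User
[public]
   Guest OK = yes
[projects]
   ; guest ok = yes
[scans]
   public = yes
   browsable = no
"""

# Synonyms folded onto one canonical (lowercase, space-free) parameter name.
SYNONYMS = {"public": "guestok", "browsable": "browseable"}
TRUE = {"yes", "true", "1"}  # boolean spellings listed in smb.conf(5)

def parse(text):
    """Return {section: {param: value}}; names ignore case and whitespace."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment, e.g. a commented-out guest ok
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' separates
            key = re.sub(r"\s+", "", name).lower()
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit(text):
    """List (section, finding) pairs for guest-related settings to review."""
    conf = parse(text)
    glob = conf.pop("global", {})
    mapping = glob.get("maptoguest", "never").lower()
    findings = [("global", "map to guest = " + mapping)] if mapping != "never" else []
    for share, params in conf.items():
        merged = {**glob, **params}  # [global] supplies per-share defaults
        if merged.get("guestok", "no").lower() in TRUE:
            visible = merged.get("browseable", "yes").lower() in TRUE
            findings.append((share, "guest ok = yes, " + ("browseable" if visible else "hidden")))
    return findings

print(audit(SAMPLE))
```

On a real server, the text printed by testparm -s can be passed to audit() in place of SAMPLE.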