Solved

disabling NULL sessions to samba shares

Posted on 2013-10-30
Last Modified: 2013-10-31
Hi,

I have several shares on a Linux server which I want to make sure are not enabling null session login. How do I do that? Is it via the smb.conf file or via the Samba Server Configuration (system-config-samba)?

Thank you.
Question by:iNc0g

Accepted Solution

by:
Daniel Helgenberger earned 400 total points
ID: 39611889
Hello,

I do not know what you exactly mean by NULL sessions; guest access?

In any case, the primary place to configure Samba is /etc/samba/smb.conf. The security model is configured in the [global] section under security = <model>, as well as guest access:
map to guest = Never


But this is already the default, if you use >= Samba 3.

Also, access is handled per share. Even if you map guest, then you would need to explicitly configure guest access in the share definition:
[myshare]
...
guest ok = yes
...



PS: IMHO it is better to map guest from bad uids, so you can handle them if you need guest access, if you are running in ADS mode:
map to guest = bad uid



The four settings are:

Never - Means user login requests with an invalid password are rejected. This is the default.

Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.

Bad Password - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will hate you if you set the map to guest parameter this way :-).

Bad Uid - Is only applicable when Samba is configured in some type of domain mode security (security = {domain|ads}) and means that user logins which are successfully authenticated but which have no valid Unix user account (and smbd is unable to create one) should be mapped to the defined guest account. This was the default behavior of Samba 2.x releases. Note that if a member server is running winbindd, this option should never be required because the nss_winbind library will export the Windows domain users and groups to the underlying OS via the Name Service Switch interface.

Please also see,
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
 

Author Comment

by:iNc0g
ID: 39613464
I've added the "map to guest = Never" under the global section.
My intention here is to disallow unauthenticated users from accessing the shares.

If someone has direct access to the server itself then it's alright, but if someone is connected to the LAN without an authenticated user and starts scanning the network and enumerating shares - he should not have access, obviously.

smb.conf

Assisted Solution

by:Daniel Helgenberger
Daniel Helgenberger earned 400 total points
ID: 39613545
True; even with a valid account scanning / browsing would not work for the
browsable = no
shares. Note, 'yes' is the default here; even if you comment out your share definition option.
Also, you can achieve the same thing with the share option:
access based share enum = yes
But check your Samba version; I am not sure when support for this option started. It is definitely there in Samba 3.
Consider that map to guest = never would have been the default anyway. If you are not sure which options are used, run testparm -v on your Samba server; this will tell you not only what options are used but also the defaults.
0
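An added example, not part of the thread or of Samba itself: a small audit of smb.conf text for the guest-related parameters discussed in the answers above (map to guest, guest ok, browsable). The sample config, share names and function names are constructed for illustration; for the values Samba actually applies, defaults included, use testparm -v as suggested above.

```python
# Added example: audit smb.conf text for the guest settings discussed above.
SYNONYMS = {"public": "guestok", "browsable": "browseable"}  # smb.conf synonyms
TRUE = {"yes", "true", "1"}                                  # boolean spellings

# Constructed sample config (not the poster's smb.conf).
SAMPLE_CONF = """\
[global]
   security = user
   map to guest = Bad User
[projects]
   path = /srv/projects
   browsable = no
; legacy share
[scans]
   path = /srv/scans
   public = yes
[dropbox]
   path = /srv/dropbox
   Guest OK = True
"""

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} from smb.conf text."""
    sections, current = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join continued lines
        line = line.strip()
        if not line or line[0] in "#;":   # comments only start a line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            key = "".join(name.split()).lower()  # names ignore case and spaces
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit_guest_access(text):
    """Report the guest mapping, guest-enabled shares and hidden shares."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    def flag(params, key, default):   # share value, else [global], else default
        return params.get(key, glob.get(key, default)).lower() in TRUE
    shares = {n: p for n, p in conf.items() if n != "global"}
    return {
        "map_to_guest": glob.get("maptoguest", "Never"),  # default per the answer
        "guest_ok_shares": sorted(n for n, p in shares.items() if flag(p, "guestok", "no")),
        "hidden_shares": sorted(n for n, p in shares.items() if not flag(p, "browseable", "yes")),
    }

if __name__ == "__main__":
    print(audit_guest_access(SAMPLE_CONF))
```

The parser reads only the file it is given, so settings pulled in through include lines or set by Samba's built-in defaults are visible only in testparm output.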
