Solved

disabling NULL sessions to samba shares

Posted on 2013-10-30
Last Modified: 2013-10-31
Hi,

I have several shares on a Linux server which I want to make sure are not enabling null session login. How do I do that? Is it via the smb.conf file or via the Samba Server Configuration (system-config-samba)?

Thank you.
Question by:iNc0g

Accepted Solution

by:
Daniel Helgenberger earned 400 total points
ID: 39611889
Hello,

I do not know what you exactly mean by NULL sessions; guest access?

In any case, the primary place to configure Samba is /etc/samba/smb.conf. The security model is configured in the [global] section under security = <model> - as well as guest access:
map to guest = Never

But this is already the default, if you use >= Samba 3.

Also, access is handled per share. Even if you map guest, then you would need to explicitly configure guest access in the share definition:
[myshare]
...
guest ok = yes
...

PS: IMHO it is better to map guest from bad uids, so you can handle them if you need guest access, if you are running in ADS mode:
map to guest = bad uid

The four settings are:

Never - Means user login requests with an invalid password are rejected. This is the default.

Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.

Bad Password - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will hate you if you set the map to guest parameter this way :-).

Bad Uid - Is only applicable when Samba is configured in some type of domain mode security (security = {domain|ads}) and means that user logins which are successfully authenticated but which have no valid Unix user account (and smbd is unable to create one) should be mapped to the defined guest account. This was the default behavior of Samba 2.x releases. Note that if a member server is running winbindd, this option should never be required because the nss_winbind library will export the Windows domain users and groups to the underlying OS via the Name Service Switch interface.

Please also see,
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Author Comment

by:iNc0g
ID: 39613464
I've added the "map to guest = Never" under the global section.
My intention here is to disallow unauthenticated users from accessing the shares.

If someone has direct access to the server itself then it's alright, but if someone is connected to the LAN without an authenticated user and starts scanning the network and enumerating shares - he should not have access obviously.

smb.conf

Assisted Solution

by:Daniel Helgenberger
Daniel Helgenberger earned 400 total points
ID: 39613545
True; even with a valid account, scanning / browsing would not work for the browsable = no shares. Note, 'yes' is the default here, even if you comment out your share definition option.
Also, you can achieve the same thing with the share option:
access based share enum = yes
But check your Samba version; I am not sure when support for this option started. It is definitely there in samba3.
Consider that map to guest = never would have been the default anyway. If you are not sure which options are used, run testparm -v on your Samba server; this will tell you not only what options are used but also the defaults.
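
An added example, not part of the thread and not Samba's own code: a small audit of smb.conf text for the guest-related settings discussed in the answers above (map to guest, guest ok, browsable). The sample configuration and its share names are constructed; the parser assumes one parameter per line and handles the 'public' and 'browsable' synonyms and [global] values inherited by shares.

```python
import re

# Constructed sample smb.conf for illustration (not the asker's file).
SAMPLE_CONF = """\
[global]
   security = user
   map to guest = Bad User

[projects]
   path = /srv/projects
   ; 'public' is a synonym for 'guest ok'
   public = yes

[finance]
   path = /srv/finance
   browsable = no
   guest ok = no
"""

SYNONYMS = {"public": "guestok", "browsable": "browseable"}
TRUE = {"yes", "true", "1", "on"}

def norm(key):
    # Parameter names ignore case and embedded whitespace.
    k = re.sub(r"\s+", "", key).lower()
    return SYNONYMS.get(k, k)

def parse(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def audit(text):
    conf = parse(text)
    g = conf.get("global", {})
    findings = []
    mapping = g.get("maptoguest", "Never")          # default is Never
    if mapping.lower() != "never":
        findings.append(f"[global] map to guest = {mapping}")
    for name, opts in conf.items():
        if name == "global":
            continue
        # A share-level value set in [global] is the default for every share.
        if opts.get("guestok", g.get("guestok", "no")).lower() in TRUE:
            listed = opts.get("browseable", g.get("browseable", "yes")).lower() in TRUE
            findings.append(f"[{name}] guest ok = yes" + ("" if listed else " (hidden from browse list only)"))
    return findings
```

On a server, the text printed by testparm -s can be passed to audit() in place of the sample, so included files and defaults are already resolved.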