Local users require login to access shares (Samba)
- 03-01-2006 #1
I've got a Linux box with samba as Domain Controller for four other boxes. On my (personal) computer I have some shares; mp3s and the like so other members of ...
However I noticed that when logged in as the local Administrator from any of these machines, I cannot access other shares without being prompted for a username/password. It is true that simply entering "Guest" without a password gets me past this, however I do find it to be an inconvenience.
When logged in from one of the samba accounts using a roaming profile, I can access shared files without any prompt at all...
I know it sounds petty, but I am a perfectionist. Anyone know why I'm having this problem and how to fix it?
- 03-02-2006 #2
By the way, I wanted to add:
I thought it might have something to do with Guest accounts, so I made sure to enable them, deny that they log in locally, but allow them to log on via network. This did not alleviate the problem for the most part. Strangely I notice one computer can access all shares when logged in locally (which is my intention.) One of them can access specific shares but not all of them. There seems to be a great deal of inconsistency around the board; but I cannot pinpoint what it is or don't even know how to.
- 03-02-2006 #3
Is the solution to this as simple as putting 'administrator' in your 'nobody' list rather than your 'root' list in /etc/samba/smbusers file? I know this opens a whole can of security worms, but should do what you need, and would work nicely for a home setup.
- 03-03-2006 #4
Didn't seem to work. The Samba official documentation and the preexisting smbusers file have a slightly different syntax. The documentation insists on:
While the preexisting smbusers file looked like
username = WindowsUsername
Didn't know which one to go with, but I tried both. I figured the official documentation would be more accurate. Then there's a chance it's simply out of date.
Nevertheless, I uncommented the nobody line and added Administrator and Guest. Didn't work. Still have the same inconsistencies:
Computer A (Windows XP Pro) -> can access any share
Computer B (Windows 2000) -> can access computer C's share, but nothing else
Computer C (Windows XP Pro) -> can access Computer B's share, but nothing else
Computer D (Windows XP Pro) -> can access any share
Computer E (SuSE 10) -> Is the domain controller; nothing should be accessed without root user/pass anyway
Does samba generate some kind of log? Maybe I can find out what's going wrong and when?
EDIT: Oh I see what you mean. Sorry, I misunderstood you. Yes, adding an Administrator as a nobody made it work fine. I realized this after I saw that I could access shares fine if I was logged in as any user besides Administrator. It seems to be based on the name, not the actual status. I can make another Administrator account and access shares fine so long as the name of the user isn't "Administrator".
Why is this a security worm, though? I mean, why is it so bad to authenticate an Administrator as an even lower-level user? (Unless some kind of bug in samba can be exploited because of it.)
What if I don't have Administrator on any list? Other usernames don't have to be on the nobody list to access shares without a user/pass prompt? Or is this insecure as well?
- 03-03-2006 #5
As I said, if you have a simple home network, then there is nothing much wrong with this, it works, so don't worry. If you're sharing with a few friends who have enough networking knowledge to be dangerous, but not enough to be useful, however, I'd be seriously tempted to clamp the security down.
With samba, this means making sure everyone has a proper unix account, turning on encrypted passwords, and setting the passwords at the Linux server to be the same as their windows logon password. Finally you turn off the guest password access on samba, and then you can enforce directory permissions and control access by group to all users on your Linux system. Your control and flexibility of the system increases too.
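The settings the reply above argues about (guest access, encrypted passwords, share-level versus user-level security) are all plain `smb.conf` parameters, so they can be checked mechanically. The script below is an added example, not code from the thread or from the Samba project: it normalises a config file and flags the loose settings, running over two constructed sample configs (a "guest for everything" one and a hardened one). The parameter names are real Samba options; the share and workgroup names are made up.

```shell
#!/bin/sh
# Added example: audit an smb.conf for the guest/plaintext settings the
# thread discusses. Sample configs below are constructed for the demo.

# Normalise a smb.conf so "Guest OK = Yes" and "guest ok=yes" compare
# equal: strip comments, trim whitespace, collapse spaces around "=",
# lower-case everything.
normalize_smb_conf() {
    sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" | tr 'A-Z' 'a-z'
}

# Print one line per risky setting, prefixed with the section it sits in.
audit_smb_conf() {
    tmp=$(mktemp)
    normalize_smb_conf "$1" > "$tmp"
    section="[global]"
    while IFS= read -r line; do
        case "$line" in
            "") ;;
            \[*\]) section="$line" ;;
            "guest ok=yes"|"public=yes")
                echo "$section: guest access enabled ($line)" ;;
            "map to guest=bad user"|"map to guest=bad password")
                echo "$section: failed logons silently become guest ($line)" ;;
            "security=share")
                echo "$section: share-level security, no per-user authentication ($line)" ;;
            "encrypt passwords=no")
                echo "$section: plaintext SMB passwords ($line)" ;;
        esac
    done < "$tmp"
    rm -f "$tmp"
}

# Number of findings, as a bare integer.
count_smb_findings() {
    audit_smb_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample configs (not from the thread).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
[global]
   workgroup = HOME
   security = share          ; one password per share, no user identity
   encrypt passwords = no
   map to guest = Bad User   # unknown usernames fall through to guest
[mp3s]
   path = /srv/mp3s
   Guest OK = Yes
EOF

cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
[global]
   workgroup = HOME
   security = user
   encrypt passwords = yes
   map to guest = Never
[mp3s]
   path = /srv/mp3s
   guest ok = no
   valid users = @users
   read list = @users
   write list = eleo
EOF

audit_smb_conf "$SAMPLE_DIR/weak.conf"
echo "weak.conf findings: $(count_smb_findings "$SAMPLE_DIR/weak.conf")"
echo "hardened.conf findings: $(count_smb_findings "$SAMPLE_DIR/hardened.conf")"
```

Run it against the real `/etc/samba/smb.conf` (after `testparm` confirms it parses) to see which of the four settings are still in effect; `map to guest = Bad User` in particular is what turns a mistyped or unknown username into a silent guest session, which matches the "any name plus no password works" behaviour described later in the thread.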
- 03-03-2006 #6
Ideally, that's what I'd want... I like perfection, even if this is a home network.
I still don't get why there'd be any kind of security hole making an Admin into a guest, that in fact seems safer (than say, giving an Admin root privileges).
I'd like to have the samba server set up 100% correctly, but at the same time I am apprehensive. I've always known samba to be, well, volatile. Blame it on a lack of Linux experience (I was born and bred on Windows 3.1-Vista) but it seems like every time I want to just play around with the smallest setting, the whole server goes KABOOM.
Then I have my family members going "Hey, I can't log on to my f*cking computer".
But I'm going to ask:
1. Everyone having a proper unix account
I don't understand this. Windows has a local Administrator account by default, how could it have a unix account? Besides, I don't want all accounts to be stored on the server. I have two users with roaming profiles because they frequently switch computers. I and other family members stick to one box, so it's unnecessary (plus, the volume of files that can be stored in My Documents/ could make logging in take quite a while)
2. Encrypted passwords
Looking at smbpasswd, it would appear that the passwords are encrypted, but I wouldn't know which method was used to encrypt them. All I know is that they're 48 characters of hashed-looking gobbledygook. Perhaps there's stronger encryption to use?
Speaking of smbpasswd; I don't like it. It seems clunky to have it separate from whatever directory maintains user accounts normally in Linux. Any way to validate users against whatever database stores usernames/passwords in Linux itself? Unless of course smbpasswd is there for security purposes or if it's ultimately more convenient to use it. (Sorry for stating this question so dumbly.)
3. Directory permissions.
Since the shares are set up on the Windows box, I figured samba was just the guy in the middle making sure that the users accessing the share are allowed to do so. Also, again, the question of local accounts comes up; accessing directories with permissions enforced by samba confuses me since samba would natively be unaware of local accounts; even if I set it up to recognize SOME I could always make another local machine account that samba wouldn't recognize. It wouldn't be dynamic; or at least I'm coming to this conclusion by the best of my logic/knowledge.
Basically this relationship between what appears to be a file server created for Linux but capable of Windows confuses me.
- 03-03-2006 #7
Security wise, think about what is happening. You're granting access to your linux box using account credentials authenticated by another computer, over which you have no control. This is a security hole. Admittedly it's not a major one, but it is there.
On to your questions.
1. I mean, by a proper unix account, an account on the Linux machine as well as on their own windows machine. You should also investigate LDAP if your Linux machine is on all the time - it is possible to set up LDAP-based accounts on your linux box, and let each windows machine log on using the LDAP account info (this is something I'm planning to implement on my lan soon).
2. Encrypted passwords, looks like you already have encrypted passwords, this is good news. Just make sure each user on the Linux machine has set their password to the same as their windows machine.
As far as smbpasswd goes, see my comments on LDAP above. I'm not sure about keeping smb passwords and system account passwords in sync, however, I've not looked that deeply into LDAP yet. smbpasswd is there because the encryption method used by the SMB system for passwords is different to the methods used by Linux for its own passwords.
3. Directory permissions are enforced at a unix level - they're more flexible than windows ones. You can set up each user's home directory to be read/write for themselves, read for everyone in their user group, and unreadable by everyone else. For shares, you can make the underlying unix directory owned by the user and group 'users' (chown users:users [directory_name]), give read/write access to the group, and make sure all your users are listed in /etc/group for the group 'users'. On my server, I have one or two extra groups I added for flexibility; there is a group named 'adultuser' where the grown-ups are listed, this allows us to keep stuff like spreadsheets and letters to the bank/gas co/electricity/school/whatever private from the kids. I also have my music collection (ogg, mp3 and flac) on the server, everyone has read-access to that, but I have read-write access so I can add to my collection if I buy new CDs.
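The group-per-audience layout in point 3 above (a shared area for the whole family, a private area for the 'adultuser' group, a music tree that everyone reads but one person writes) comes down to three things per directory: group ownership, a mode that locks "other" out where needed, and the setgid bit so files created later inherit the directory's group rather than the creator's primary group. This is an added example, not a script from the thread; it runs unprivileged by using the caller's own primary group in a temporary directory, where on the real server the groups would be 'users' and 'adultuser' and it would run as root.

```shell
#!/bin/sh
# Added example: create share directories with group ownership, the
# setgid bit and a restrictive mode, then verify the result.

# setup_group_share DIR GROUP MODE
# Creates DIR, hands it to GROUP and applies MODE. Use the 2xxx form:
# the leading 2 is the setgid bit, which makes every new file inside
# inherit GROUP instead of the creating user's primary group.
setup_group_share() {
    dir=$1; group=$2; mode=$3
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod "$mode" "$dir"
}

# Octal mode and group name of a directory (GNU stat).
share_mode()  { stat -c '%a' "$1"; }
share_group() { stat -c '%G' "$1"; }

# check_share DIR GROUP MODE: succeed only if both match.
check_share() {
    [ "$(share_group "$1")" = "$2" ] && [ "$(share_mode "$1")" = "$3" ]
}

# Demo tree. DEMO_GROUP is the caller's primary group so this works
# without root; substitute 'users' / 'adultuser' on a real server.
DEMO_ROOT=$(mktemp -d)
DEMO_GROUP=$(id -gn)

# Family share: group read/write, nothing for anyone else.
setup_group_share "$DEMO_ROOT/shared"   "$DEMO_GROUP" 2770
# Grown-ups only: same mode, but on the server the group is 'adultuser'.
setup_group_share "$DEMO_ROOT/grownups" "$DEMO_GROUP" 2770
# Music: everyone reads, only the owner writes.
setup_group_share "$DEMO_ROOT/music"    "$DEMO_GROUP" 2755

for d in shared grownups music; do
    printf '%-9s group=%s mode=%s\n' "$d" \
        "$(share_group "$DEMO_ROOT/$d")" "$(share_mode "$DEMO_ROOT/$d")"
done
```

The other half of the reply's recipe is group membership: a user who is not in the directory's group gets the "other" permissions, which for the 2770 directories is nothing at all. Membership is what `usermod -a -G users alice` (or editing `/etc/group`) changes, and Samba then applies the same unix checks when that user connects to the share.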
- 03-04-2006 #8
Where do I go to learn about this stuff? The official Samba documentation, like a lot of documentation, isn't exactly user-friendly, and I'm not really a linux expert.
I noticed that because I added Administrator to the nobody list, anyone can log onto the domain as nobody with "Administrator/blankpassword." They also get access to a "nobody" folder share, which isn't really a problem but it still bothers me.
- 03-06-2006 #9
If you really want to learn this stuff, then you're already going about it the right way - you're running your own server, trying stuff out, searching google, and asking questions on here. Keep going, it'll come; before you know it, you'll be answering questions on here rather than asking them.
I've found the man pages to be helpful with samba, and despite the official docs being tough going, it's worth the perseverance.
Now, have a crack at fixing your security issue (you will learn plenty by doing this... Good luck!) Don't forget to back up your /etc/samba directory (including your smb.conf file) before you start.
- 03-08-2006 #10
I'm having the problem again. Basically any machine can access any share but mine. I don't actually have a share but in windows, you can click on any computer in the domain and it will show Printers and Scheduled tasks, even if you don't have any of those. But anyway, trying to access my PC brings up a password prompt.
Entering anything will get one past the prompt. The letter A and no password will get one past it. But it's there, and it bugs me. Guest accounts are enabled; and "Everyone" can access the computer from the network.
I've looked through a lot of stuff, the default Windows administrative shares. I've looked through Local Security Policy. I've left and joined the domain several times over. I've rebooted all of the domain members several times over. I can't figure out what's wrong with this computer in particular; it seems like I've gone through everything it would logically be.