Using Samba, by Robert Eckstein, David Collier-Brown, and Peter Kelly. 1st Edition, November 1999. ISBN 1-56592-449-5, Order Number 4495, 416 pages, $34.95.
6.2 Controlling Access to Shares
Often you will need to restrict the users who can access a specific share for security reasons. This is very easy to do with Samba since it contains a wealth of options for creating practically any security configuration. Let's introduce a few configurations that you might want to use in your own Samba setup.
WARNING: Again, if you are connecting with Windows 98 or NT 4.0 with Service Pack 3 (or above), those clients will send encrypted passwords to the Samba server. If Samba is not configured for this, it will continually refuse the connection. This chapter describes how to set up Samba for encrypted passwords; see Section 6.4, "Passwords".
We've seen what happens when you specify valid users. However, you can also specify a list of invalid users: users who should never be allowed access to Samba or its shares. This is done with the invalid users option. We hinted at one frequent use of this option earlier: a global default, combined with the [homes] section, to ensure that the various system accounts and superusers cannot be used to gain access. For example:

    [global]
    invalid users = root bin daemon adm sync shutdown \
                    halt mail news uucp operator gopher
    auto services = dave peter bob

    [homes]
    browsable = no
    writeable = yes

The invalid users option, like valid users, can take group names as well as usernames. In the event that a user or group appears in both lists, the invalid users option takes precedence and the user or group will be denied access to the share.

At the other end of the spectrum, you can explicitly specify users who will be allowed superuser (root) access to a share with the admin users option. An example follows:

    [sales]
    path = /home/sales
    comment = Fiction Corp Sales Data
    writeable = yes
    valid users = tom dick harry mike
    admin users = mike

This option takes both group names and usernames. In addition, you can specify NIS netgroups by preceding them with an @ as well; if the netgroup is not found, Samba will assume that you are referring to a standard Unix group. Note that admin users does not bypass the valid users check: mike must also appear in valid users (or valid users must be left unset), otherwise his connection is refused before the administrative privilege is ever applied. Be careful if you assign an entire group administrative privileges to a share. The Samba team highly recommends that you avoid this option, as it essentially gives root access to the specified users or groups for that share.
If you wish to force read-only or read-write access for particular users of a share, you can do so with the read list and write list options, respectively. These options can be used on a per-share basis to restrict specific users to read-only access on a writable share, or to grant write access to specific users on a read-only share. For example:

    [sales]
    path = /home/sales
    comment = Fiction Corp Sales Data
    read only = yes
    write list = tom dick

The write list option cannot override Unix permissions. If you've created the share without giving the write-list user write permission on the Unix system, he or she will be denied write access regardless of the setting of write list.
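The precedence rules in this section are easy to get wrong when several of these options appear on one share, so here is a small Python model of them, added as an illustration; it is not Samba's code. It takes a share's options as a dictionary and returns which Unix user the connection runs as and what access it gets, applying invalid users before valid users, then admin users, then the write list and read list pair, with a flag standing in for the Unix write permission that Samba never overrides. It also covers the guest ok and guest only pair described in Section 6.2.1 below. The group table, the share dictionaries, the decide function, the check ordering, and the tie-break that a user in both read list and write list gets write access (which follows the smb.conf(5) description of write list) are this example's own assumptions.

```python
# Model of Samba's share-level access checks. Added illustration, not Samba code;
# the ordering below (invalid/valid users, then forced guest, then admin users,
# then read/write lists, then the Unix permission) is this example's assumption.

# Constructed Unix group table standing in for /etc/group or NIS.
GROUPS = {
    "sales": {"tom", "dick", "harry"},
    "wheel": {"mike"},
}


def expand(user_list, groups=GROUPS):
    """Expand an smb.conf user list (space or comma separated, @group allowed)."""
    names = set()
    for item in user_list.replace(",", " ").split():
        if item.startswith("@"):
            names |= groups.get(item[1:], set())
        else:
            names.add(item)
    return names


def share_writable(share):
    """'writeable = yes' or 'read only = no' make a share writable; default is read-only."""
    if "writeable" in share:
        return share["writeable"] == "yes"
    return share.get("read only", "yes") == "no"


def decide(share, user, unix_writable=True):
    """Return (effective Unix user, access), access being 'denied', 'read',
    'write' or 'root'. unix_writable stands in for the Unix permission check
    on the file or directory being written."""
    def listed(option):
        return user in expand(share.get(option, ""))

    # invalid users always wins, even if the same name is also in valid users.
    if listed("invalid users"):
        return user, "denied"
    # A non-empty valid users list admits only its members.
    if share.get("valid users") and not listed("valid users"):
        return user, "denied"

    # guest only is honoured only when guest ok is also set.
    if share.get("guest ok") == "yes" and share.get("guest only") == "yes":
        user = share.get("guest account", "nobody")

    # admin users perform every operation on this share as root.
    if listed("admin users"):
        return "root", "root"

    if listed("write list"):
        can_write = True          # write even on a read-only share
    elif listed("read list"):
        can_write = False         # read-only even on a writable share
    else:
        can_write = share_writable(share)

    # Samba never overrides Unix permissions: no write bit, no write access.
    if can_write and not unix_writable:
        can_write = False
    return user, ("write" if can_write else "read")


# The two [sales] shares from this section, as constructed dictionaries.
SALES_ADMIN = {
    "path": "/home/sales",
    "writeable": "yes",
    "valid users": "tom dick harry mike",
    "admin users": "mike",
}
SALES_READONLY = {
    "path": "/home/sales",
    "read only": "yes",
    "write list": "tom dick",
}

if __name__ == "__main__":
    for share, who in ((SALES_ADMIN, "mike"), (SALES_ADMIN, "bob"),
                       (SALES_READONLY, "tom"), (SALES_READONLY, "harry")):
        print(share["path"], who, "->", decide(share, who))
```

Running it shows mike connecting as root, bob refused because he is not in valid users, and tom writing to a read-only share while harry only reads. Passing unix_writable=False for tom shows the one thing write list cannot do: grant write access that the Unix permissions withhold.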
6.2.1 Guest Access
As mentioned earlier, you can specify users who have guest access to a share. The options that control guest access are easy to work with. The first option, guest account, specifies the Unix account that guest users are assigned when connecting to the Samba server. The default value for this is set during compilation, and is typically nobody. However, you may want to reset the guest user to ftp if you have trouble accessing various system services. Whatever account you choose, every guest request runs with that account's Unix permissions, so make sure it owns nothing it should not and has no login shell.

If you wish to restrict access to a share to guests only (in other words, all clients connect as the guest account when accessing the share), you can use the guest only option in conjunction with the guest ok option, as shown in the following example:

    [sales]
    path = /home/sales
    comment = Fiction Corp Sales Data
    writeable = yes
    guest ok = yes
    guest account = ftp
    guest only = yes

Make sure you specify yes for both guest only and guest ok in this scenario; otherwise, Samba will not use the guest account that you specify.

6.2.2 Access Control Options
Table 6.1 summarizes the options that you can use to control access to shares.
Table 6.1: Share-level Access Options

| Option | Parameters | Function | Default | Scope |
|---|---|---|---|---|
| admin users | string (list of usernames) | Specifies a list of users who can perform operations as root. | None | Share |
| valid users | string (list of usernames) | Specifies a list of users that can connect to a share. | None | Share |
| invalid users | string (list of usernames) | Specifies a list of users that will be denied access to a share. | None | Share |
| read list | string (list of usernames) | Specifies a list of users that have read-only access to a writable share. | None | Share |
| write list | string (list of usernames) | Specifies a list of users that have read-write access to a read-only share. | None | Share |
| max connections | numerical | Indicates the maximum number of connections for a share at a given time. | 0 | Share |
| guest only (only guest) | boolean | Specifies that this share allows only guest access. | no | Share |
| guest account | string (name of account) | Names the Unix account that will be used for guest access. | nobody | Share |
6.2.2.1 admin users
This option specifies a list of users that perform file operations as if they were root. This means that they can modify or destroy any other user's work, no matter what the permissions. Any files that they create will have root ownership and will use the default group of the admin user. The admin users option is used to allow PC users to act as administrators for particular shares. We urge you to avoid this option.

6.2.2.2 valid users and invalid users
These two options let you enumerate the users and groups who are granted or denied access to a particular share. You can enter a list of users separated by spaces or commas, or indicate an NIS or Unix group name by prefixing the name with an at-sign (@).

The important rule to remember with these options is that any name or group in the invalid users list will always be denied access, even if it is included (in any form) in the valid users list. By default, neither option has a value associated with it. If both options have no value, any user is allowed to access the share.

6.2.2.3 read list and write list
Like the valid users and invalid users options, this pair of options specifies which users have read-only access to a writeable share and read-write access to a read-only share, respectively. The value of either option is a list of users. read list overrides any other Samba permissions granted, as well as Unix file permissions on the server system, to deny users write access. write list overrides other Samba permissions to grant write access, but cannot grant write access if the user lacks write permission for the file on the Unix system. If a user appears in both lists, write list wins and the user is given write access. You can specify NIS or Unix group names by prefixing the name with an at sign (such as @users). Neither configuration option has a default value associated with it.

6.2.2.4 max connections
This option specifies the maximum number of client connections that a share can have at any given time. Any connections that are attempted after the maximum is reached will be rejected. The default value is 0, which means that an unlimited number of connections are allowed. You can override it per share as follows:

    [accounting]
    max connections = 30

This option is useful in the event that you need to limit the number of users who are accessing a licensed program or piece of data concurrently.
6.2.2.5 guest only
This share-level option (sometimes called only guest) forces a connection to a share to be performed with the user specified by the guest account option. The share to which this is applied must explicitly specify guest ok = yes in order for this option to be recognized by Samba. The default value for this option is no.

6.2.2.6 guest account
This option specifies the name of the account to be used for guest access to shares in Samba. The default for this option varies from system to system, but it is often set to nobody. Some default user accounts have trouble connecting as guest users. If that occurs on your system, the Samba team recommends using the ftp account as the guest user.

6.2.3 Username Options
Table 6.2 shows two additional options that Samba can use to correct for incompatibilities in usernames between Windows and Unix.
Table 6.2: Username Options

| Option | Parameters | Function | Default | Scope |
|---|---|---|---|---|
| username map | string (fully-qualified pathname) | Sets the name of the username mapping file. | None | Global |
| username level | numerical | Indicates the number of capital letters to use when trying to match a username. | 0 | Global |
6.2.3.1 username map
Client usernames on an SMB network can be relatively long (up to 255 characters), while usernames on a Unix system often cannot be longer than eight characters. This means that an individual user may have one username on a client and another (shorter) one on the Samba server. You can get past this issue by mapping a free-form client username to a Unix username of eight or fewer characters. The mappings are placed in a plain text file, using a format that we'll describe shortly, and you then give Samba its pathname with the global username map option. Be sure to restrict access to this file: make root the file's owner and deny write access to everyone else. Otherwise, an untrusted user who can modify the file can easily map their client username to the root user of the Samba server.

You can specify this option as follows:

    [global]
    username map = /etc/samba/usermap.txt

Each entry in the username map file is listed as follows: the Unix username, followed by an equal sign (=), followed by one or more whitespace-separated SMB client usernames. Note that unless instructed otherwise (i.e., for a guest connection), Samba checks the password the client sent against the mapped Unix account, so the client and the server user must have the same password. You can also map every member of a group to one Unix user by prefixing the group name with an @ sign. Here are some examples:

    jarwin = JosephArwin
    manderso = MarkAnderson
    users = @account

Also, you can use the asterisk to specify a wildcard that matches any free-form client username as an entry in the username map file:

    nobody = *

Comments in the file can be specified as lines beginning with # or ;.

Samba applies the lines in file order, and a match does not stop processing unless the Unix name on that line is prefixed with an exclamation mark (!). So if the wildcard line above is placed last, the earlier lines should be written as !jarwin = JosephArwin and so on; otherwise every client, Joseph Arwin included, ends up mapped to nobody.

Note that you can also use this file to redirect one Unix user to another user. Be careful if you do so, because neither Samba nor the client may notify the user that the mapping has been made, and Samba may be expecting a different password.
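The following Python parser for the username map format is added here as an illustration and is not Samba's own code. It handles the # and ; comment lines, the @group and * patterns, the ! stop marker, and the in-order processing described above, and it refuses to load a map file that is not owned by the expected user or is writable by group or others, which is the ownership check the section asks for. SAMPLE_MAP, GROUPS, the function names, and the case-insensitive comparison of client names (SMB usernames are not case sensitive) are this example's assumptions.

```python
# Parser for Samba's username map file. Added illustration, not Samba's code;
# SAMPLE_MAP, GROUPS and the helper names are this example's own. Client
# names are compared case-insensitively here (assumption).
import os
import stat

# Constructed sample map in the format described above. A line whose Unix
# name starts with '!' stops processing once it has matched, which is what
# keeps the trailing wildcard from remapping everyone to nobody.
SAMPLE_MAP = """\
# Unix name = one or more client names
; comments may start with # or ;
!jarwin = JosephArwin
!manderso = MarkAnderson
!users = @account
nobody = *
"""

# Constructed group membership standing in for the server's group lookup.
GROUPS = {"account": {"PamSmith", "LeeWong"}}


def parse_map(text):
    """Return the map as a list of (stop_after_match, unix_name, [patterns])."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        unix, sep, clients = line.partition("=")
        if not sep or not unix.strip() or not clients.split():
            raise ValueError("malformed username map line: %r" % raw)
        unix = unix.strip()
        stop = unix.startswith("!")
        if stop:
            unix = unix[1:].strip()
        rules.append((stop, unix, clients.split()))
    return rules


def matches(pattern, name, groups=GROUPS):
    """Does a map pattern (a name, @group or *) match a client name?"""
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return name in groups.get(pattern[1:], set())
    return pattern.lower() == name.lower()


def map_username(client, rules, groups=GROUPS):
    """Apply every rule in file order, as Samba does, and return the Unix name."""
    name = client
    for stop, unix, patterns in rules:
        if any(matches(p, name, groups) for p in patterns):
            name = unix
            if stop:
                break
    return name


def permission_problems(mode, uid, owner_uid=0):
    """Reasons a map file with this st_mode and st_uid is unsafe to trust."""
    problems = []
    if uid != owner_uid:
        problems.append("not owned by uid %d" % owner_uid)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def load_map(path, owner_uid=0):
    """Parse the map at path, refusing a file that someone else could have edited."""
    st = os.stat(path)
    problems = permission_problems(st.st_mode, st.st_uid, owner_uid)
    if problems:
        raise PermissionError("%s: %s" % (path, "; ".join(problems)))
    with open(path) as fh:
        return parse_map(fh.read())


RULES = parse_map(SAMPLE_MAP)
# The same map without the '!' markers: the wildcard then overrides everything.
NO_STOP_RULES = parse_map("jarwin = JosephArwin\nnobody = *\n")

if __name__ == "__main__":
    for client in ("JosephArwin", "josepharwin", "PamSmith", "Stranger"):
        print(client, "->", map_username(client, RULES))
    print("JosephArwin without '!' ->", map_username("JosephArwin", NO_STOP_RULES))
```

With the markers, JosephArwin becomes jarwin and PamSmith becomes users while an unknown name falls through to nobody; without them, JosephArwin is first mapped to jarwin and then caught by the wildcard, which is exactly the trap the text warns about.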
6.2.3.2 username level
SMB clients (such as Windows) will often send usernames in SMB connection requests entirely in capital letters; in other words, client usernames are not necessarily case sensitive. On a Unix server, however, usernames are case sensitive: the user ANDY is different from the user andy. By default, Samba attacks this problem by doing the following:

1. Checking for a user account with the exact name sent by the client
2. Trying the username entirely in lowercase
3. Trying the username in lowercase letters with only the first letter capitalized

If you wish to have Samba attempt more combinations of uppercase and lowercase letters, you can use the username level global configuration option. This option takes an integer value that specifies how many letters in the username should be capitalized when attempting to connect to a share. You can specify this option as follows:

    [global]
    username level = 3

In this case, Samba will attempt all permutations of the username it can compute having up to three capital letters. The larger the number, the more lookups Samba has to perform to match the username and the longer authentication takes. The first candidate that exists on the system wins, so a client's name can silently resolve to a differently cased Unix account.
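To make the cost and the matching order concrete, here is a Python model of the candidate names Samba tries for a client-supplied username, added as an illustration rather than taken from Samba's code. It generates the default three attempts followed by every way of capitalizing up to N letters, and resolves a name against a constructed account list. The function names, ACCOUNTS, and the assumption that username level = N tries combinations with up to N capitals (the text describes N) are this example's own.

```python
# How Samba resolves a client-supplied username to a Unix account when only
# the case differs. Added model, not Samba's code; ACCOUNTS is a constructed
# account list. Assumption: with username level = N, combinations with up to
# N capital letters are tried.
from itertools import combinations


def candidates(name, level=0):
    """Login names tried, in order, for a client-supplied name."""
    tried = []

    def add(candidate):
        if candidate not in tried:
            tried.append(candidate)

    add(name)                          # exact name as sent by the client
    add(name.lower())                  # all lowercase
    add(name.lower().capitalize())     # lowercase with first letter capitalized

    base = name.lower()
    letters = [i for i, ch in enumerate(base) if ch.isalpha()]
    for n in range(1, min(level, len(letters)) + 1):
        for positions in combinations(letters, n):
            chars = list(base)
            for i in positions:
                chars[i] = chars[i].upper()
            add("".join(chars))
    return tried


def resolve(name, accounts, level=0):
    """First candidate that names an existing account, or None."""
    for candidate in candidates(name, level):
        if candidate in accounts:
            return candidate
    return None


# Constructed account names, as they might appear in /etc/passwd.
ACCOUNTS = {"andy", "mcDonald", "root"}

if __name__ == "__main__":
    for client in ("ANDY", "MCDONALD"):
        for level in (0, 1):
            print(client, "level", level, "->", resolve(client, ACCOUNTS, level))
    print("lookups for an 8-letter name at level 3:", len(candidates("abcdefgh", 3)))
```

ANDY resolves to andy at level 0, but MCDONALD only reaches mcDonald once level is 1; an eight-letter name at level 3 costs 93 account lookups against 3 by default, which is the slowdown the text warns about.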
© 2001, O'Reilly & Associates, Inc.