hosts allow/deny question
dqpr10 at canal-plus.fr
Fri Aug 25 12:43:59 GMT 2000
Heh, thanks for answering but I found what's
wrong.
In fact I'm using a hybrid samba configuration
using the include=smb.conf.%L parameter and I wanted to
restrict access depending on the network that the Samba
machine is accessed from. Unfortunately, it works perfectly
if I set hosts allow/deny in the main configuration file
but that's not what I want. In fact, the Samba server in
my case tries to authenticate the user BEFORE granting/denying
access depending on this parameter.
Here's the workaround:
My machine has 3 names, 2 public names and one "secret"
name.
Its real (secret) hostname is SUN8194
Two aliases: GW1 and GW2
It serves as a file gateway between 2 networks, one secured
with only WinNT machines using NTLMv2 authentication, and
one other with all other kinds of unsecure operating systems
(Win9x, Linux, WinNT+NTLMv1)
GW1 is accessed from the secured network,
GW2 from the unsecured (let's say less secured) network.
When users use GW1 from the secure net, they may access their
Unix files and a public directory. When users use GW2 from the
unsecure net, they may only use the public share.
Of course, only the samba machine is accessible from both
networks as they are totally independent (filtered through a
SSR+firewall)
This is a test configuration to see if Samba is viable to serve
as this kind of server.
Of course, only Samba makes it possible, rock on!
I find that kinda ironic to secure NT networks using a Unix+Samba
machine =)
Laters,
Ben.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
smb.conf:
[global]
workgroup = TELENUM
netbios name = SUN8194
netbios aliases = GW1 GW2
server string = Serveur passerelle
announce as = NT
security = server
allow trusted domains = yes
encrypt passwords = yes
username map = /usr/local/samba/lib/smbusers
restrict anonymous = false
log level = 0
max log size = 50
timestamp logs = no
time server = no
shared mem size = 5242880
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
character set = ISO8859-1
os level = 20
lm announce = true
local master = no
preferred master = no
dns proxy = no
name resolve order = host wins
wins server = 172.20.8.144
NIS homedir = no
oplocks = yes
level2 oplocks = true
fstype = NTFS
wide links = no
;getwd cache = yes
include = /usr/local/samba/lib/smb.conf.%L
[public]
comment = Répertoire public
path = /tmp
public = yes
writeable = yes
printable = no
browseable = yes
force user = nobody
force group = nobody
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
smb.conf.gw1:
[global]
hosts allow = ALL EXCEPT 192.168.242./255.255.255.0
password server = DOCSERVER, DATASERVER2
NIS homedir = yes
[homes]
comment = Répertoire personnel Unix sur TVNUM
public = no
writeable = yes
printable = no
browseable = no
[id_users]
comment = Répertoires personnels Unix
path = /home/users
public = no
writeable = yes
printable = no
browseable = yes
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
smb.conf.gw2:
[global]
hosts deny = ALL EXCEPT 192.168.242./255.255.255.0
workgroup = TESTSECUR
password server = PC4023
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
smb.conf.sun8194:
[global]
hosts deny = ALL
Robert.Dahlem at gmx.net wrote:
>
> Ben,
>
> On Thu, 24 Aug 2000 12:09:54 +0200, dqpr10 at canal-plus.fr wrote:
>
> >I would like to do something like this at Samba level:
> >
> > hosts allow = subnet1/mask1 subnet2/mask2 etc
> > hosts deny = *
> >
> >But this doesn't seem to work (machines that are not in subnet1 and
> >not in subnet2 still have access)
>
> Try "hosts deny 0.0.0.0/0 EXCEPT subnet1/mask1 subnet2/mask2".
>
> Regards,
> Robert
>
> --
> ---------------------------------------------------------------
> Robert.Dahlem at gmx.net Fax +49-69-432647
> ---------------------------------------------------------------
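As an added example (not from the post and not Samba's own code), the following Python sketch reproduces the hosts allow/deny decision smbd applies, including the EXCEPT form Robert suggests, and evaluates the three per-alias includes above against constructed client addresses. It handles only IPv4 addresses, dotted prefixes and net/mask tokens (no hostnames, netgroups or the loopback special case), and it says nothing about when the check runs; as the post notes, with the %L include the user is authenticated before this check is reached.

```python
import ipaddress

def _token_matches(token, client):
    """Match one token (ALL, "192.168.242.", net/mask with dotted mask or /len) against an IPv4 client."""
    if token.upper() == "ALL":
        return True
    if "/" in token:
        net, mask = token.split("/", 1)
        if net.endswith("."):  # "192.168.242./255.255.255.0" exactly as written in the post
            net += ".".join(["0"] * (4 - net.count(".")))
        return ipaddress.ip_address(client) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if token.endswith("."):
        return client.startswith(token)
    return client == token

def _list_matches(tokens, client):
    """Samba list semantics: entries before EXCEPT match, entries after it revoke the match."""
    upper = [t.upper() for t in tokens]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    hit = any(_token_matches(t, client) for t in tokens[:cut])
    excluded = any(_token_matches(t, client) for t in tokens[cut + 1:])
    return hit and not excluded

def allow_access(client, hosts_allow="", hosts_deny=""):
    """smbd decision order: no lists -> allow; one list -> it decides;
    both -> a hosts allow match wins, then hosts deny, otherwise allow."""
    allow, deny = hosts_allow.split(), hosts_deny.split()
    if not allow and not deny:
        return True
    if not deny:
        return _list_matches(allow, client)
    if not allow:
        return not _list_matches(deny, client)
    if _list_matches(allow, client):
        return True
    return not _list_matches(deny, client)

# The hosts allow/deny lines from the three smb.conf.%L include files in the post,
# keyed by the NetBIOS name (%L) the client used to reach the server.
ALIASES = {
    "gw1": {"hosts_allow": "ALL EXCEPT 192.168.242./255.255.255.0"},
    "gw2": {"hosts_deny": "ALL EXCEPT 192.168.242./255.255.255.0"},
    "sun8194": {"hosts_deny": "ALL"},
}

def reachable_aliases(client):
    """NetBIOS names through which a given client address is admitted (constructed sample input)."""
    return [name for name, cfg in ALIASES.items() if allow_access(client, **cfg)]
```

Calling `reachable_aliases("192.168.242.10")` yields only `gw2`, while an address outside that /24 reaches only `gw1`; the real hostname `sun8194` admits nobody in either case.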