[Samba] restrict shares listings in domain to authenticated users

John H Terpstra jht at samba.org
Thu Mar 6 22:19:11 GMT 2003


On Thu, 6 Mar 2003, unolinuxguru wrote:

> I'm setting up a samba primary domain controller in Debian woody and the
> users are logging into the domain fine and can access their shares. I
> would like to restrict the listings of available shares to only
> authenticated users of the samba domain. I know this works in a win NT4
> domain, how does one do it with samba?
>
> This is the listing I get from an nt4 pdc (belongs to a different domain
> than this system 'WS-072') without supplying a username or password...
>
> root@WS-072:/etc/samba# smbclient -L //nt4pdc
> added interface ip=192.168.2.45 bcast=192.168.2.255 nmask=255.255.255.0
> Got a positive name query response from 192.168.2.5 ( 192.168.2.5 )
> Password:
> Anonymous login successful
> Domain=[HMS] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
>
> Sharename Type Comment
> --------- ---- -------
> Error returning browse list: NT_STATUS_ACCESS_DENIED
> <snip>
>
> If I do supply a username (with the -U option) and the proper password, I
> do get a listing of the available shares.
>
> Now if I try the same listing without a username or password on the samba
> primary domain controller of the workgroup this system belongs to... I
> should get the same "NT_STATUS_ACCESS_DENIED" for guest user share
> listings, but I don't - it shows all of them.
>
> root@WS-072:/etc/samba# smbclient -L //debianpdc
> added interface ip=192.168.2.45 bcast=192.168.2.255 nmask=255.255.255.0
> Password:
> Anonymous login successful
> Domain=[LINUXTEST] OS=[Unix] Server=[Samba 2.2.3a-12 for Debian]
>
> Sharename Type Comment
> --------- ---- -------
> tmp Disk temporary files
> IPC$ IPC IPC Service (debianpdc server (Samba 2.2.3a-12 for Debian))
> ADMIN$ Disk IPC Service (debianpdc server (Samba 2.2.3a-12 for Debian))
>
>
> Thoughts, suggestions, and of course solutions greatly appreciated. Thanks.

If you want to prevent anonymous access to the IPC$ share then in your
smb.conf [globals] put:

	restrict anonymous = Yes

- John T.
-- 
John H Terpstra
Email: jht at samba.org
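
Added example, not part of the original thread: a shell function for checking that the setting took effect, by classifying the output of an anonymous `smbclient -L` run like the two quoted above. The function and sample names are hypothetical, and the sample outputs are constructed from the listings in the post.

```shell
#!/bin/sh
# Added example: classify the output of an anonymous `smbclient -L //server -N`
# run. Prints "restricted", "exposed" or "unknown".
classify_listing() {
    awk '
        /NT_STATUS_ACCESS_DENIED/    { denied = 1 }
        /Anonymous login successful/ { anon = 1 }
        # Share rows sit between the three-column ruler and the next blank line.
        /^[ \t]*-+[ \t]+-+[ \t]+-+[ \t]*$/ { in_table = 1; next }
        in_table && /^[ \t]*$/       { in_table = 0 }
        in_table && $2 ~ /^(Disk|IPC|Printer)$/ { shares++ }
        END {
            if (denied)                   print "restricted"
            else if (anon && shares > 0)  print "exposed"
            else                          print "unknown"
        }'
}

# Constructed sample: server that refuses the anonymous browse list.
sample_restricted() {
cat <<'EOF'
Anonymous login successful
Domain=[HMS] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

Sharename Type Comment
--------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
EOF
}

# Constructed sample: server that lists its shares to an anonymous session.
sample_exposed() {
cat <<'EOF'
Anonymous login successful
Domain=[LINUXTEST] OS=[Unix] Server=[Samba 2.2.3a-12 for Debian]

Sharename Type Comment
--------- ---- -------
tmp Disk temporary files
IPC$ IPC IPC Service (debianpdc server)
ADMIN$ Disk IPC Service (debianpdc server)
EOF
}

echo "nt4pdc-style output:    $(sample_restricted | classify_listing)"
echo "debianpdc-style output: $(sample_exposed | classify_listing)"
```

Against a live server, pipe the real command into the function, for example `smbclient -L //debianpdc -N 2>&1 | classify_listing`, before and after changing smb.conf.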

