faq errors

Andrew Tridgell tridge at samba.anu.edu.au
Sun Nov 8 07:10:21 GMT 1998


I recently went through the FAQ replies in samba-bugs and found some
errors. I am explaining them here as they indicate that samba-team
members don't understand some issues.

    Samba does NOT impose security constraints on your Unix system. If you use
    share mode security you are taking a risk. Share mode security is not
    secure. If security is a concern then PLEASE use in your smb.conf file
    "security = user". This ensures that EVERY SMB client connection is
    authenticated as the user who is logging in. All Unix permissions are
    fully and completely preserved by Samba.

this is quite incorrect (the bit about share level security being
insecure). share level security is just as secure in samba as user
level security is. The difference is the administrative convenience of
the two and what authentication order the client will use, not how
secure they are.

    Warning:Warning:Warning:
    ========================
    Samba can be compiled with the GUEST_SESSION_SETUP option at 0,1 or 2.
    The default is 0. If this is set to 1 or 2 then Windows NT machines that DO NOT
    have an account on the Samba server will see the resource list. The down side of this
    is that legitimate users may then be refused access to their legitimate resources.
    Setting this option creates serious security holes. DO NOT DO IT. Samba has the
    value of this option set at 0 - NOT WITHOUT REASON!!!!

setting that option does _not_ create security holes. Setting that
option is bad because of Microsoft client bugs that cause the client
to misbehave, particularly with non-encrypting servers.

    Secondly, if you have specified "hosts allow = xxx.xxx.xxx/yy" please add
    to it "localhost". ie: hosts allow = 123.45.67/24 127.

The correct form is xxx.xxx.xxx.xxx/yy - note the complete IP address
before the mask size. Partial addresses (ie. network numbers) can be
used in hosts allow lines as an _alternative_ to using the IP/mask
form, not at the same time.

note also that the samba-bugs FAQ entries are now automatically
converted to HTML every hour and put on the docs page on the web site.
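
A checker for the two "hosts allow" address forms described above, added here as an example; it is not part of the original message and is not Samba code. The function names, the zero-padding suggestion and the corrected sample line are assumptions made for illustration, and entries in any other form are reported as "other" without being judged.

```python
import re

# Only the two forms named in the message are judged; any other entry
# (hostnames, keywords, other mask notations) is reported as "other".
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_FULL_IP = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")
# One to three octets, with or without the trailing dot seen in the quoted "127."
_PARTIAL = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{0,2}}\.?$")


def classify_entry(entry):
    """Classify one entry: 'ip/mask', 'full-ip', 'partial', 'mixed-invalid', 'other'."""
    if "/" in entry:
        addr, _, mask = entry.partition("/")
        if _FULL_IP.match(addr):
            ok = mask.isdecimal() and int(mask) <= 32
            return "ip/mask" if ok else "other"
        # A network number combined with a mask size is the error being corrected.
        return "mixed-invalid" if _PARTIAL.match(addr) else "other"
    if _FULL_IP.match(entry):
        return "full-ip"
    return "partial" if _PARTIAL.match(entry) else "other"


def suggest_fix(entry):
    """Assumption: a partial address with a mask meant the zero-padded network."""
    addr, _, mask = entry.partition("/")
    octets = [o for o in addr.split(".") if o]
    return ".".join(octets + ["0"] * (4 - len(octets))) + "/" + mask


def lint_hosts_allow(value):
    """Return (entry, kind, suggestion) for each entry of a 'hosts allow' value."""
    report = []
    for entry in re.split(r"[,\s]+", value.strip()):
        if entry:
            kind = classify_entry(entry)
            fix = suggest_fix(entry) if kind == "mixed-invalid" else None
            report.append((entry, kind, fix))
    return report


if __name__ == "__main__":
    # The line quoted from the FAQ, then a constructed corrected line.
    for line in ("123.45.67/24 127.", "123.45.67.0/24 127."):
        for entry, kind, fix in lint_hosts_allow(line):
            print(f"{entry:18} {kind:14} {fix or ''}")
```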

