REPEAT: hasn't anyone used smbclient linux->linux? (SAMBA digest 2278)

Jim Mulholland jim.mulholland at peri.com
Thu Oct 21 12:24:23 GMT 1999


> Date:   Wed, 20 Oct 1999 18:54:45 -0200
> From:   Andreas Hasenack <unixach at ez-poa.com.br>
> To:     plussier at ne.arris-i.com,
>         "Paul L. Lussier" <plussier at ne.arris-i.com>
> Cc:     Multiple recipients of list SAMBA <samba at samba.org>
> Subject: Re: REPEAT: hasn't anyone used smbclient linux->linux?
> Message-ID: <99102018575000.02774 at maestro.hasenack.fam.br>
> Content-Type: text/plain
> MIME-Version: 1.0
> Content-Transfer-Encoding: 8bit
>
> On Wed, 20 Oct 1999, Paul L. Lussier wrote:
> > In a message dated: Wed, 20 Oct 1999 17:40:49 -0200
> > Andreas Hasenack said:
> >
> > >NFS's authentication is weak (it's host based). With Samba you get also user
> > >authentication. With pam_smb you could even replace N[IY]S[+] for the user
> > >auth part.
> >
> > True, but the basic Unix permissions are user *and* group based. Proper
> > configuration of these, combined with the host based auth make NFS a better
> > choice IMO than SMB.  In addition, with NFS and netgroups, you can restrict a
> > user access to anything based on both the username *and* the host combined,
> > which smb can't do.
>
> I think I agree with you. I just don't like the concept that, with the root
> password of a *client* machine, one can su to any local user and thus
> invalidate the user authentication part. OK, one shouldn't give the root
> password away, but I don't like this concept: a client machine being able to
> look at any file (but root owned ones) on a *server* machine.

You may have missed this little gem. Set the sticky bit for ALL of your
share points: ex: "chmod  +t  /home". This will cause the root accounts
on remote systems to be treated as a non-root account like nobody
(60001), noaccess (60002), or access denied (-1) depending on the options
specified in your share statement. Linux is supposed to 'root squash'
(change client root uid's to 65534) by default. Remove "no_root_squash"
from your export file.
Examples:
    Solaris 2.6/NIS+ environment: set anon=-1 in /etc/dfs/dfstab:
        share -F nfs -o anon=-1 -o rw /share
    Linux/NIS env: set anonuid=-1 in /etc/exports:
        /home (rw,anonuid=-1,anongid=-1)

- Jim Mulholland
    Periphonics Corporation
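
A check for the export-file advice in the message above, added here as an example (it is not part of the original post): it parses Linux /etc/exports text and reports, per client, whether client root is squashed, whether the export is open to any host, and any anonuid/anongid mapping. The sample file content, host names and function names are constructed for illustration; paths containing spaces are assumed not to occur.

```python
import re

# Constructed sample /etc/exports content (not taken from the post).
SAMPLE_EXPORTS = """\
# constructed example
/home (rw,anonuid=-1,anongid=-1)
/srv/build  buildhost(rw,no_root_squash)  192.0.2.0/24(ro)
/export/pub *(ro,all_squash) \\
            trusted.example(rw,no_root_squash)
"""

# One client spec: optional client name followed by optional "(opt,opt,...)".
SPEC = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def audit_exports(text):
    """Return one dict per (path, client) pair found in exports-style text."""
    results = []
    for line in logical_lines(text):
        path, *specs = line.split()
        for spec in specs or [""]:          # no client listed: any host
            m = SPEC.match(spec)
            if m is None:
                results.append({"path": path, "client": spec, "error": "unparsed"})
                continue
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            client = m.group("client") or "*"   # bare "(opts)" applies to any host
            results.append({
                "path": path,
                "client": client,
                "world": client == "*",
                # root_squash is the default unless no_root_squash is given
                "root_squashed": "no_root_squash" not in opts,
                "anon": dict(o.split("=", 1) for o in opts
                             if o.startswith(("anonuid=", "anongid="))),
            })
    return results


def unsquashed(results):
    """(path, client) pairs where client root keeps uid 0 on the server."""
    return [(r["path"], r["client"]) for r in results
            if not r.get("root_squashed", True)]


if __name__ == "__main__":
    for row in audit_exports(SAMPLE_EXPORTS):
        print(row)
```
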


