REPEAT: hasn't anyone used smbclient linux->linux? (SAMBA digest 2278)
Jim Mulholland
jim.mulholland at peri.com
Thu Oct 21 12:24:23 GMT 1999
> Date: Wed, 20 Oct 1999 18:54:45 -0200
> From: Andreas Hasenack <unixach at ez-poa.com.br>
> To: plussier at ne.arris-i.com,
> "Paul L. Lussier" <plussier at ne.arris-i.com>
> Cc: Multiple recipients of list SAMBA <samba at samba.org>
> Subject: Re: REPEAT: hasn't anyone used smbclient linux->linux?
> Message-ID: <99102018575000.02774 at maestro.hasenack.fam.br>
> Content-Type: text/plain
> MIME-Version: 1.0
> Content-Transfer-Encoding: 8bit
>
> On Wed, 20 Oct 1999, Paul L. Lussier wrote:
> > In a message dated: Wed, 20 Oct 1999 17:40:49 -0200
> > Andreas Hasenack said:
> >
> > >NFS's authentication is weak (it's host based). With Samba you get also user
> > >authentication. With pam_smb you could even replace N[IY]S[+] for the user
> > >auth part.
> >
> > True, but the basic Unix permissions are user *and* group based. Proper
> > configuration of these, combined with the host based auth make NFS a better
> > choice IMO than SMB. In addition, with NFS and netgroups, you can restrict a
> > user access to anything based on both the username *and* the host combined,
> > which smb can't do.
>
> I think I agree with you. I just don't like the concept that, with the root
> password of a *client* machine, one can su to any local user and thus
> invalidate the user authentication part. OK, one shouldn't give the root
> password away, but I don't like this concept: a client machine being able to
> look at any file (but root owned ones) on a *server* machine.

You may have missed this little gem. Set the sticky bit for ALL of your
share points, e.g. "chmod +t /home". This will cause the root accounts
on remote systems to be treated as a non-root account like nobody
(60001), noaccess (60002), or access denied (-1), depending on the options
specified in your share statement. Linux is supposed to 'root squash'
(change client root UIDs to 65534) by default. Remove "no_root_squash"
from your export file.
Examples:
Solaris 2.6/NIS+ environment: set anon=-1 in /etc/dfs/dfstab:
    share -F nfs -o anon=-1 -o rw /share
Linux/NIS environment: set anonuid=-1 in /etc/exports:
    /home (rw,anonuid=-1,anongid=-1)
- Jim Mulholland
Periphonics Corporation
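
An added example, not part of the original message: a small audit of a Linux /etc/exports file that lists every client entry for which root squashing is switched off, following the advice above to remove "no_root_squash". The sample export lines, host names and the function names are constructed for illustration; quoted paths containing spaces are not handled.

```python
import re

# Constructed sample /etc/exports content (not taken from the original post).
SAMPLE_EXPORTS = """\
# home directories
/home        (rw,anonuid=-1,anongid=-1)
/srv/build   buildhost(rw,no_root_squash) 192.168.1.0/24(ro)
/srv/scratch -rw,no_root_squash alpha \\
             beta(ro,root_squash)
"""
CLIENT_RE = re.compile(r"^([^()]*)(?:\((.*)\))?$")  # host(opt,opt), host, or (opt,opt)

def logical_lines(text):
    """Strip comments and join backslash-continued lines, as exports(5) allows."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def audit_exports(text):
    """Return (path, client, options) for each client whose root is not squashed."""
    findings = []
    for line in logical_lines(text):
        path, *fields = line.split()
        defaults = []
        for field in fields:
            if field.startswith("-"):      # "-opt,opt": defaults for later clients
                defaults = field[1:].split(",")
                continue
            m = CLIENT_RE.match(field)
            if not m:                      # malformed entry, skip it
                continue
            host, opts = m.groups()
            options = defaults + (opts.split(",") if opts else [])
            root_squash, all_squash = True, False   # exports(5) defaults
            for opt in options:            # a later option overrides an earlier one
                if opt in ("root_squash", "no_root_squash"):
                    root_squash = opt == "root_squash"
                elif opt in ("all_squash", "no_all_squash"):
                    all_squash = opt == "all_squash"
            if not (root_squash or all_squash):
                findings.append((path, host or "*", ",".join(options)))
    return findings

if __name__ == "__main__":
    for path, client, options in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: root NOT squashed for {client} ({options})")
```

An entry with no host name before the parentheses, such as the /home line, applies to every client and is reported as "*" if it ever disables root squashing.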