hosts allow/deny question

dqpr10 at dqpr10 at
Fri Aug 25 12:43:59 GMT 2000

Heh, thanks for answering but I found what's

In fact I'm using an hybrid samba configuration
using the include=smb.conf.%L parameter and I wanted to
restrict acces depending on the network that the Samba
machine is accessed from. Unfortunately, it works perfect
if I set hosts allow/deny in the main configuration file
but that's not what I want. In fact, the Samba server in
my case tries to authenticate the user BEFORE granting/denying
access depeding on this parameter.

Here's the workaround:
	My machine has 3 names, 2 public names and one "secret"
	Its real (secret) hostname is SUN8194
	Two aliases: GW1 and GW2

	It serves as a file gateway between 2 networks, one secured
	with only WinNT machines using NTLMv2 authentification, and
	one other with all otehr kind of unsecure operationg systems
	(Win9x, Linux, WinNT+NTLMv1)

	GW1 is accessed from the secured network,
	GW2 from the unsecured (let's say less secured) network.

	When users use GW1 from the secure net, they may access their
	Unix files and a public	directory. When users use GW2 from the
	unsecure net, they may only use the public share.

	Of course, only the samba machine is accessible from both
	networks as they are totally independent (filtered through a

	This is a test configuration to see if Samba is viable to serve
	as this kind of server.
	Of course, only Samba makes it possible, rock on!

	I find that kinda ironic to secure NT networks using an Unix+Samba
machine =)



	workgroup = TELENUM
	netbios name = SUN8194
	netbios aliases = GW1 GW2
	server string = Serveur passerelle
	announce as = NT
	security = server
	allow trusted domains = yes
	encrypt passwords = yes

	username map = /usr/local/samba/lib/smbusers
	restrict anonymous = false

	log level = 0
	max log size = 50
	timestamp logs = no
	time server = no

	shared mem size = 5242880

	character set = ISO8859-1
	os level = 20
	lm announce = true
	local master = no
	preferred master = no
	dns proxy = no
	name resolve order = host wins
	wins server =
	NIS homedir = no

	oplocks = yes
	level2 oplocks = true
	fstype = NTFS
	wide links = no
	;getwd cache = yes

	include = /usr/local/samba/lib/smb.conf.%L

	comment = R\351pertoire public
	path = /tmp
	public = yes
	writeable = yes
	printable = no
	browseable = yes
	force user = nobody
	force group = nobody

	hosts allow = ALL EXCEPT 192.168.242./
	password server = DOCSERVER, DATASERVER2
	NIS homedir = yes

	comment = Répertoire personnel Unix sur TVNUM
	public = no
	writeable = yes
	printable = no
	browseable = no

	comment = Répertoires personnels Unix
	path = /home/users
	public = no
	writeable = yes
	printable = no
	browseable = yes

	hosts deny = ALL EXCEPT 192.168.242./

	workgroup = TESTSECUR
	password server = PC4023

	hosts deny = ALL

Robert.Dahlem at wrote:
> Ben,
> On Thu, 24 Aug 2000 12:09:54 +0200, dqpr10 at wrote:
> >I would like to do something like this at Samba level:
> >
> >       hosts allow = subnet1/mask1 subnet2/mask2 etc
> >       hosts deny = *
> >
> >But this doesn't seem to work (machine that are not in subnet1 and
> >not in subnet2 still have access)
> Try "hosts deny EXCEPT subnet1/mask1 subnet2/mask2".
> Regards,
>         Robert
> --
> ---------------------------------------------------------------
> Robert.Dahlem at           Fax +49-69-432647
> ---------------------------------------------------------------

More information about the samba mailing list