Permissions or what!?! <: \

Joel Hammer Joel at HammersHome.com
Sat Nov 10 05:07:02 GMT 2001


You can get some security without passwords.
In your [global] place this:
        hosts allow = 192.168. 24.101.23.59  127.0.0.
suitably modified for your IPs.
I use the 24. IP for my gateway machine.
You can make samba listen to just one of two NICs in a double homed
machine. In [global]:
        interfaces = 192.168.0.2
makes my gateway machine ignore all internet traffic.
You should arm yourself against NIMDA, which is still alive and well on the
internet. In [global]:
        veto files = /*.eml/*.nws/riched20.dll/
        veto files = /*.{*}/
You can even have some user or machine based security without passwords.
For example:
        comment = Root directory
        path = /
        read only = Yes
        create mask = 0766
        include = /usr/local/samba/lib/smb.conf.public.%U
The include statement points to a file based on the name of the user logging
onto the machine:
If it doesn't exist, the global guest account is used.
If it exists, for example: /usr/local/samba/lib/smb.conf.public.jlh
it might contain this:
        read only = No
        guest = jlh
You can base it on others of the built-in variables that samba generates when
a client connects:
client machine NetBios name = cc111111-a (%m)  <---Useful
Primary group name of u = ftp (%G)
IP address of client = 192.168.0.2 (%I)  <---Useful
Netbios name of server = jhammer6 (%L)
Internet DNS of client = hammer2.jhammer.org (%M)  <---Useful
NIS home directory = jhammer6 (%N)
Protocol level = NT1 (%R)
Current time and date = 2001/11/10 07:54:14 (%T)
Session user name (one the client wanted) = jlh (%U)  <---Very useful
Architecture of remote machine = Samba (%a)  <---Useful
Process ID of current server = 10428 (%d)
Internet DNS hostname of server = jhammer6 (%h)
Path of services home directory from NIS = (%p)
Samba version = 2.2.1a (%v)
Home directory of user in u = /home/ftp (%H)
Root directory of current service = / (%P)
Name of current service = public (%S)
Primary group name of u in share = ftp (%g)
User name of current service = ftp (%u)
Joel
                  
On Fri, Nov 09, 2001 at 10:36:56PM -0600, Roleigh Martin wrote:
> Joel,
> 
> This is a nice setup, I've been having problems with passwords too
> even though I did the samba password thing -- I think my problems
> are that I took the option with Redhat Linux 7.1 Pro Server install
> to do password shadowing and MD5 passwords.  I think that has caused
> me a lot of problems.  I don't need any security on my samba network
> except to freeze out anything beyond the Linksys firewall (cable
> router/firewall).  I have a 4 user PC network in my home so all
> stations are personal family members.  Is there a way to modify the
> below script so that only those hardwire-connected to the local
> ethernet lan have access?
> 
> Yes, I'm just learning the ropes on sysadmin Linux (although I've been
> an AIX programmer for over 10 years but never had root authority until
> I got my Linux machine a month ago).
> 
> Thanks!
> 
> Roleigh Martin
> 
> At 09:40 PM 11/9/01, you wrote:
> >You don't really have to use !!!!! to get help. There is nothing to panic
> >about.
> >Likely, you are a new user of linux. Likely, you don't know anything about
> >permissions and the like, so, I would try the following:
> >Make up a simple smb.conf, which doesn't involve passwords:
> >Here is what I do for mine:
> >[global]
> >         netbios name = JHAMMER6
> >         server string = Samba %v Your Server
> >         security = SHARE
> >         guest account = ftp
> >         read only = No
> >         guest ok = Yes
> >
> >[public]
> >         comment = Root directory
> >         path = /
> >         create mask = 0766
> >
> >I think this will let anyone log on to your samba server as a user called
> >ftp.
> >ftp has few privileges on your machine. You could make the guest account
> >some regular user name, just to try things out.
> >Anyway, you could make the path = some directory like /SambaShares and
> >chmod 777 /SambaShares (make sure /SambaShares exists).
> >That should allow everyone to read, write, execute, etc. off the drive.
> >Naturally, you will want to arrange things to be more secure in the future.
> >Joel
> >
> >
> >--
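
Added example, not part of the original message and not Samba code: a small Python audit run over an smb.conf assembled from the settings quoted in this thread (the sample file, function names and finding wording are constructed here). It flags a parameter set twice in one section (only the last assignment applies), a guest-writable share exporting /, guest access with no hosts allow, and interfaces without bind interfaces only = yes, the setting that makes smbd bind only to the listed interfaces.

```python
import re

# Constructed sample: settings quoted in this thread, assembled into one file.
SAMPLE = """\
[global]
    security = SHARE
    guest account = ftp
    guest ok = Yes
    read only = No
    interfaces = 192.168.0.2
    veto files = /*.eml/*.nws/riched20.dll/
    veto files = /*.{*}/
[public]
    path = /
    create mask = 0766
"""

def parse(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif "=" in line and current is not None and line[0] not in "#;":
            key, value = line.split("=", 1)
            # Samba ignores case and spacing in parameter names.
            current.append((" ".join(key.lower().split()), value.strip()))
    return sections

def on(params, key, default="no"):
    return params.get(key, default).lower() in ("yes", "true", "1")

def audit(text):
    """Return sorted (section, finding) tuples. Synonyms such as 'public' are not resolved."""
    sections, findings = parse(text), []
    glob = dict(sections.get("global", []))  # dict() keeps the last value, as smbd does
    for name, params in sections.items():
        keys = [k for k, _ in params]
        for key in sorted({k for k in keys if keys.count(k) > 1}):
            findings.append((name, f"'{key}' set more than once; only the last value applies"))
        eff = {**glob, **dict(params)}  # share-level settings in [global] act as defaults
        if name != "global" and eff.get("path") == "/" and on(eff, "guest ok") and not on(eff, "read only", "yes"):
            findings.append((name, "guest-writable share exports /"))
    if on(glob, "guest ok") and "hosts allow" not in glob:
        findings.append(("global", "guest access with no 'hosts allow' restriction"))
    if "interfaces" in glob and not on(glob, "bind interfaces only"):
        findings.append(("global", "'interfaces' without 'bind interfaces only = yes'"))
    return sorted(findings)
```

Calling audit(SAMPLE) returns four findings; Samba's own testparm remains the authoritative syntax check for a real file.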



