[Samba] samba domain vs linux network security

Josh Kelley joshkel at gmail.com
Wed Nov 9 14:56:20 GMT 2005


On 11/9/05, mourik jan c heupink <heupink at intech.unu.edu> wrote:
> Under windows, you have to add a machine to the domain first, and only
> THEN you are able to connect to your home drive.

Unless I'm greatly mistaken, you can connect to network drives from a
computer that's not joined to the domain.

> Suppose I (as a regular user) would install my own linux machine, and
> created users and groups with the same IDs as the ldap users / groups.
> My understanding now is, that I would be able to read other people's
> data. (I would simply have to find out each user's uid, and that would
> allow me to pretend to be that user, and read his/her data)

Correct.  However, this is a problem with NFS security in particular,
not Linux network security in general.  NFS has been known for a long
time to be not very secure, for precisely the reasons you give.

You have several options.  First, there are steps that you can take to
improve NFS security somewhat, such as restricting it to particular IP
addresses (although IP addresses can be spoofed).  Second, you can use
NFSv4, which supports proper authentication.  Third, you can use an
alternative means of sharing drives to Linux.  I've actually been
using SMB to access my Linux server's drives from my Linux client, to
avoid setting up a separate file-sharing service.  Several other
options exist - including SSHFS (for more of a quick-and-dirty
approach), AFS, and Coda, but I don't have experience with any of
them.

Josh Kelley
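
An added example, not part of the original post: a small Python check of /etc/exports entries for the two weaknesses discussed in this thread, namely exports that still accept AUTH_SYS (`sec=sys`, the default, where the server trusts the UID the client sends) and exports open to any host. The sample file contents, function names and issue labels are constructed for illustration, and the parser assumes the plain `path client(options)` form without quoted paths.

```python
import re

# Constructed sample /etc/exports content (not from the original post).
SAMPLE_EXPORTS = """\
# home directories
/home        *(rw,sync)
/srv/proj    192.168.10.0/24(rw,sync,sec=sys)
/srv/secure  *.example.org(rw,sync,sec=krb5p)
/srv/mixed   client1.example.org(rw,sec=krb5i:sys) 10.0.0.5
"""

# One "client(options)" entry; the parenthesised option list is optional.
CLIENT_RE = re.compile(r"([^\s()]+)(?:\(([^)]*)\))?")


def security_flavors(options):
    """Return every flavor named by sec=; exports(5) defaults to sys."""
    flavors = set()
    for opt in options.split(","):
        opt = opt.strip()
        if opt.startswith("sec="):
            flavors.update(opt[4:].split(":"))
    return flavors or {"sys"}


def audit_exports(text):
    """Return (path, client, issue) tuples for weak export entries."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue  # blank, comment-only, or no client list
        path, clients = parts
        for match in CLIENT_RE.finditer(clients):
            client, options = match.group(1), match.group(2) or ""
            if "sys" in security_flavors(options):
                # AUTH_SYS: the server trusts the UID/GID the client sends.
                findings.append((path, client, "auth_sys"))
            if client == "*":
                findings.append((path, client, "any_host"))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {issue}")
```

Entries that list only Kerberos flavors (`krb5`, `krb5i`, `krb5p`) are not flagged, because the server then authenticates the user rather than trusting a client-supplied UID.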

