[Samba] host allow

Willy Offermans willy at Offermans.Rompen.nl
Mon Nov 20 11:01:58 GMT 2006


Hello Eric,

To restrict access to your Samba shares on a host basis, you need to
identify your clients unambiguously. Since the clients have dynamic
IP addresses, this can never be guaranteed. The best thing I can
imagine is to use a bridged VPN connection from the client and provide
the client with an IP address. In this way the client is unambiguously
identified. Then you allow access to your Samba only via the VPN (firewall
rule or whatever). In this way you also ensure that the connection
between the client and the Samba host is encrypted.

But I still have the feeling that this solution is much too
difficult. Let me think about this for a couple of days; maybe I will find
something better. In the meantime you can give me more details about
what you really want. If things are confidential, or if it is much
easier, you can also contact me in a different way than via this
list.

As a matter of fact, I live so close to your company that I can even see
it from the window of my attic... Funny coincidence.


On Mon, Nov 20, 2006 at 11:34:52AM +0100, Eijkelboom, Eric wrote:
> Correct, I don't want to use the UNIX /etc/hosts.allow file but the "hosts
> allow" option in Samba.
> 
> I've added for example "daelej*" so that every PC client whose name starts
> with "daelej" should be able to have access. Then the user also needs to
> use their user-id and password.
> 
> 
> -----Original Message-----
> From: Willy Offermans [mailto:willy at Offermans.Rompen.nl]
> Sent: Monday, November 20, 2006 11:28 AM
> To: Eijkelboom, Eric
> Subject: Re: [Samba] host allow
> 
> Hello Eric,
> 
> Now I understand your problem a bit more. If you talk about hosts
> allow, you mean the line in your Samba configuration file, not the file
> hosts.allow, which possibly exists in your /etc directory.
> 
> So you want to restrict access to your Samba shares on a host basis.
> This is an interesting problem and an unusual one at the same time. Usually one
> restricts access to Samba shares on a user basis and not on a host
> basis. I guess you have to clarify this a bit so I can help you.
> 
> On Mon, Nov 20, 2006 at 11:06:48AM +0100, Eijkelboom, Eric wrote:
> > Thanks for the fast response, Willy!
> >
> > We're using different groups and access rights. But from an audit
> > point of view we also want to restrict access to a certain IP range and
> > several hosts which obtain IP addresses dynamically (from several
> > ranges).
> >
> > Reverse DNS is not set up for these clients. If I add these clients to
> > the /etc/hosts file it works OK. But since they are getting their IP
> > addresses dynamically, this is not an option.
> >
> > But while getting more information for you I got the error
> > message below. It seems I made a syntax error.
> >
> >
> > root at krksun1 # /usr/local/samba/bin/testparm
> > Load smb config files from /usr/local/samba/lib/smb.conf
> > Processing section "[pnc]"
> > Processing section "[apps]"
> > Processing section "[ipacs]"
> > Processing section "[aps]"
> > Processing section "[aps1]"
> > Loaded services file OK.
> > Invalid character * in hosts allow list (daelej*) for service pnc.
> > Invalid character * in hosts allow list (DAELEJ*) for service pnc.
> > Invalid character * in hosts allow list (eijkee*) for service pnc.
> > Invalid character * in hosts allow list (stijnj1*) for service pnc.
> > Invalid character * in hosts allow list (beuskr1*) for service pnc.
> > Invalid character * in hosts allow list (brassm1*) for service pnc.
> > Invalid character * in hosts allow list (burchh1*) for service pnc.
> > Invalid character * in hosts allow list (engelm1*) for service pnc.
> > Invalid character * in hosts allow list (geenef1*) for service pnc.
> > Invalid character * in hosts allow list (haenet1*) for service pnc.
> > Invalid character * in hosts allow list (hundsr1*) for service pnc.
> > Invalid character * in hosts allow list (koekej1*) for service pnc.
> > Invalid character * in hosts allow list (mierej1*) for service pnc.
> > Invalid character * in hosts allow list (heunei1*) for service pnc.
> > Invalid character * in hosts allow list (daelej1*) for service apps.
> > Invalid character * in hosts allow list (stijnj1*) for service apps.
> > Invalid character * in hosts allow list (beuskr1*) for service apps.
> > Invalid character * in hosts allow list (brassm1*) for service apps.
> > Invalid character * in hosts allow list (burchh1*) for service apps.
> > Invalid character * in hosts allow list (engelm1*) for service apps.
> > Invalid character * in hosts allow list (geenef1*) for service apps.
> > Invalid character * in hosts allow list (haenet1*) for service apps.
> > Invalid character * in hosts allow list (hundsr1*) for service apps.
> > Invalid character * in hosts allow list (koekej1*) for service apps.
> > Invalid character * in hosts allow list (mierej1*) for service apps.
> > Invalid character * in hosts allow list (heunei1*) for service apps.
> > Invalid character * in hosts allow list (eijkee2*) for service ipacs.
> > Invalid character * in hosts allow list (daelej1*) for service ipacs.
> > Invalid character * in hosts allow list (stijnj*) for service ipacs.
> > Invalid character * in hosts allow list (beuskr1*) for service ipacs.
> > Invalid character * in hosts allow list (brassm1*) for service ipacs.
> > Invalid character * in hosts allow list (burchh1*) for service ipacs.
> > Invalid character * in hosts allow list (engelm1*) for service ipacs.
> > Invalid character * in hosts allow list (geenef1*) for service ipacs.
> > Invalid character * in hosts allow list (haenet1*) for service ipacs.
> > Invalid character * in hosts allow list (hundsr1*) for service ipacs.
> > Invalid character * in hosts allow list (koekej1*) for service ipacs.
> > Invalid character * in hosts allow list (mierej1*) for service ipacs.
> > Invalid character * in hosts allow list (heunei1*) for service ipacs.
> > Invalid character * in hosts allow list (daelej1*) for service aps.
> > Invalid character * in hosts allow list (stijnj*) for service aps.
> > Invalid character * in hosts allow list (beuskr1*) for service aps.
> > Invalid character * in hosts allow list (brassm1*) for service aps.
> > Invalid character * in hosts allow list (burchh1*) for service aps.
> > Invalid character * in hosts allow list (engelm1*) for service aps.
> > Invalid character * in hosts allow list (geenef1*) for service aps.
> > Invalid character * in hosts allow list (haenet1*) for service aps.
> > Invalid character * in hosts allow list (hundsr1*) for service aps.
> > Invalid character * in hosts allow list (koekej1*) for service aps.
> > Invalid character * in hosts allow list (mierej1*) for service aps.
> > Invalid character * in hosts allow list (heunei1*) for service aps.
> > Invalid character * in hosts allow list (daelej1*) for service aps1.
> > Invalid character * in hosts allow list (stijnj*) for service aps1.
> > Invalid character * in hosts allow list (beuskr1*) for service aps1.
> > Invalid character * in hosts allow list (brassm1*) for service aps1.
> > Invalid character * in hosts allow list (burchh1*) for service aps1.
> > Invalid character * in hosts allow list (engelm1*) for service aps1.
> > Invalid character * in hosts allow list (geenef1*) for service aps1.
> > Invalid character * in hosts allow list (haenet1*) for service aps1.
> > Invalid character * in hosts allow list (hundsr1*) for service aps1.
> > Invalid character * in hosts allow list (koekej1*) for service aps1.
> > Invalid character * in hosts allow list (mierej1*) for service aps1.
> > Invalid character * in hosts allow list (heunei1*) for service aps1.
> > Server role: ROLE_STANDALONE
> > Press enter to see a dump of your service definitions
> >
> > # Global parameters
> > [global]
> >         workgroup = MIDEARTH
> >         ldap ssl = no
> >
> > [pnc]
> >         comment = PNC root share
> >         path = /samba
> >         read list = @aps_own, @aps_doc, @aps_eng
> >         write list = @aps_own
> >         read only = No
> >         hosts allow = daelej*, DAELEJ*, eijkee*, EIJKEE2-S1,
> > 144.15.138.18, 172.25.136.12, stijnj1*,
> > mstm1bmig15.ent.core.medtronic.com, beuskr1*, brassm1*, burchh1*,
> > engelm1*, geenef1*, haenet1*, hundsr1*, koekej1*, mierej1*, heunei1*,
> > 144.15.72.107, 144.15.72.11, 144.15.72.110, 144.15.72.116,
> > 144.15.72.119, 144.15.72.124, 144.15.72.125, 144.15.72.125,
> > 144.15.72.126, 144.15.72.127, 144.15.72.128, 144.15.72.130,
> > 144.15.72.134, 144.15.72.138, 144.15.72.139, 144.15.72.140,
> > 144.15.72.141, 144.15.72.143, 144.15.72.144, 144.15.72.145,
> > 144.15.72.146, 144.15.72.147, 144.15.72.151, 144.15.72.153,
> > 144.15.72.166, 144.15.72.167, 144.15.72.168, 144.15.72.173,
> > 144.15.72.181, 144.15.72.184, 144.15.72.184, 144.15.72.185,
> > 144.15.72.188, 144.15.72.192, 144.15.72.201, 144.15.72.202,
> > 144.15.72.203, 144.15.72.204, 144.15.72.204, 144.15.72.205,
> > 144.15.72.206, 144.15.72.207, 144.15.72.208, 144.15.72.209,
> > 144.15.72.209, 144.15.72.227, 144.15.72.228, 144.15.72.231,
> > 144.15.72.232
> >
> > [apps]
> >         comment = pns share
> >         path = /samba/apps
> >         read list = @aps_own, @aps_doc, @aps_eng
> >         write list = @aps_own
> >         read only = No
> >         hosts allow = 144.15.138.18, 172.25.136.12, 144.15.138.155,
> > daelej1*, stijnj1*, mstm1bmig15.ent.core.medtronic.com, beuskr1*,
> > brassm1*, burchh1*, engelm1*, geenef1*, haenet1*, hundsr1*, koekej1*,
> > mierej1*, heunei1*, 144.15.72.107, 144.15.72.11, 144.15.72.110,
> > 144.15.72.116, 144.15.72.119, 144.15.72.124, 144.15.72.125,
> > 144.15.72.125, 144.15.72.126, 144.15.72.127, 144.15.72.128,
> > 144.15.72.130, 144.15.72.134, 144.15.72.138, 144.15.72.139,
> > 144.15.72.140, 144.15.72.141, 144.15.72.143, 144.15.72.144,
> > 144.15.72.145, 144.15.72.146, 144.15.72.147, 144.15.72.151,
> > 144.15.72.153, 144.15.72.166, 144.15.72.167, 144.15.72.168,
> > 144.15.72.173, 144.15.72.181, 144.15.72.184, 144.15.72.184,
> > 144.15.72.185, 144.15.72.188, 144.15.72.192, 144.15.72.201,
> > 144.15.72.202, 144.15.72.203, 144.15.72.204, 144.15.72.204,
> > 144.15.72.205, 144.15.72.206, 144.15.72.207, 144.15.72.208,
> > 144.15.72.209, 144.15.72.209, 144.15.72.227, 144.15.72.228,
> > 144.15.72.231, 144.15.72.232, 144.15.72.239, 144.15.72.24,
> > 144.15.72.245, 144.15.72.248, 144.15.72.251, 144.15.72.31, 1
> >
> > [ipacs]
> >         comment = pnc share ipacs
> >         path = /samba/usrdir/ipacs
> >         read list = @aps_own, @aps_doc, @aps_eng
> >         write list = @aps_own, @aps_doc
> >         read only = No
> >         hosts allow = 144.15.138.18, 172.25.136.12, 144.15.138.155,
> > 172.25.37.57, eijkee2*, daelej1*, stijnj*,
> > mstm1bmig15.ent.core.medtronic.com, beuskr1*, brassm1*, burchh1*,
> > engelm1*, geenef1*, haenet1*, hundsr1*, koekej1*, mierej1*, heunei1*,
> > 144.15.72.107, 144.15.72.11, 144.15.72.110, 144.15.72.116,
> > 144.15.72.119, 144.15.72.124, 144.15.72.125, 144.15.72.125,
> > 144.15.72.126, 144.15.72.127, 144.15.72.128, 144.15.72.130,
> > 144.15.72.134, 144.15.72.138, 144.15.72.139, 144.15.72.140,
> > 144.15.72.141, 144.15.72.143, 144.15.72.144, 144.15.72.145,
> > 144.15.72.146, 144.15.72.147, 144.15.72.151, 144.15.72.153,
> > 144.15.72.166, 144.15.72.167, 144.15.72.168, 144.15.72.173,
> > 144.15.72.181, 144.15.72.184, 144.15.72.184, 144.15.72.185,
> > 144.15.72.188, 144.15.72.192, 144.15.72.201, 144.15.72.202,
> > 144.15.72.203, 144.15.72.204, 144.15.72.204, 144.15.72.205,
> > 144.15.72.206, 144.15.72.207, 144.15.72.208, 144.15.72.209,
> > 144.15.72.209, 144.15.72.227, 144.15.72.228, 144.15.72.231,
> > 144.15.72.232, 144.15.72.239, 144.15.72.24, 144.15.72.245,
> > 144.15.72.248, 144.15.
> >
> > [aps]
> >         comment = pnc aps
> >         path = /samba/usrdir/aps
> >         read list = @aps_own, @aps_doc, @aps_eng
> >         write list = @aps_own
> >         read only = No
> >         hosts allow = 144.15.138.18, 172.25.136.12, 144.15.138.155,
> > daelej1*, stijnj*, mstm1bmig15.ent.core.medtronic.com, beuskr1*,
> > brassm1*, burchh1*, engelm1*, geenef1*, haenet1*, hundsr1*, koekej1*,
> > mierej1*, heunei1*, 144.15.72.107, 144.15.72.11, 144.15.72.110,
> > 144.15.72.116, 144.15.72.119, 144.15.72.124, 144.15.72.125,
> > 144.15.72.125, 144.15.72.126, 144.15.72.127, 144.15.72.128,
> > 144.15.72.130, 144.15.72.134, 144.15.72.138, 144.15.72.139,
> > 144.15.72.140, 144.15.72.141, 144.15.72.143, 144.15.72.144,
> > 144.15.72.145, 144.15.72.146, 144.15.72.147, 144.15.72.151,
> > 144.15.72.153, 144.15.72.166, 144.15.72.167, 144.15.72.168,
> > 144.15.72.173, 144.15.72.181, 144.15.72.184, 144.15.72.184,
> > 144.15.72.185, 144.15.72.188, 144.15.72.192, 144.15.72.201,
> > 144.15.72.202, 144.15.72.203, 144.15.72.204, 144.15.72.204,
> > 144.15.72.205, 144.15.72.206, 144.15.72.207, 144.15.72.208,
> > 144.15.72.209, 144.15.72.209, 144.15.72.227, 144.15.72.228,
> > 144.15.72.231, 144.15.72.232, 144.15.72.239, 144.15.72.24,
> > 144.15.72.245, 144.15.72.248, 144.15.72.251, 144.15.72.31, 14
> >
> > [aps1]
> >         comment = pnc share aps1
> >         path = /samba/apps/aps
> >         read list = @aps_own, @aps_doc, @aps_eng
> >         write list = @aps_own
> >         read only = No
> >         hosts allow = 144.15.138.18, 172.25.136.12, 144.15.138.155,
> > daelej1*, stijnj*, mstm1bmig15.ent.core.medtronic.com, beuskr1*,
> > brassm1*, burchh1*, engelm1*, geenef1*, haenet1*, hundsr1*, koekej1*,
> > mierej1*, heunei1*, 144.15.72.107, 144.15.72.11, 144.15.72.110,
> > 144.15.72.116, 144.15.72.119, 144.15.72.124, 144.15.72.125,
> > 144.15.72.125, 144.15.72.126, 144.15.72.127, 144.15.72.128,
> > 144.15.72.130, 144.15.72.134, 144.15.72.138, 144.15.72.139,
> > 144.15.72.140, 144.15.72.141, 144.15.72.143, 144.15.72.144,
> > 144.15.72.145, 144.15.72.146, 144.15.72.147, 144.15.72.151,
> > 144.15.72.153, 144.15.72.166, 144.15.72.167, 144.15.72.168,
> > 144.15.72.173, 144.15.72.181, 144.15.72.184, 144.15.72.184,
> > 144.15.72.185, 144.15.72.188, 144.15.72.192, 144.15.72.201,
> > 144.15.72.202, 144.15.72.203, 144.15.72.204, 144.15.72.204,
> > 144.15.72.205, 144.15.72.206, 144.15.72.207, 144.15.72.208,
> > 144.15.72.209, 144.15.72.209, 144.15.72.227, 144.15.72.228,
> > 144.15.72.231, 144.15.72.232, 144.15.72.239, 144.15.72.24,
> > 144.15.72.245, 144.15.72.248, 144.15.72.251, 144.15.72.31, 14
> >
> > 
> >
> > -----Original Message-----
> > From: Willy Offermans [mailto:Willy at Offermans.Rompen.nl]
> > Sent: Sunday, November 19, 2006 1:15 PM
> > To: Eijkelboom, Eric
> > Subject: Re: [Samba] host allow
> >
> > Hello Eric,
> >
> > Up front I would say that this is not the best idea to prevent your
> > clients' access to your shares. But I need to have more details on how
> > the clients connect. The best thing to prevent access would be to
> > define different groups with different access rights. But you could
> > also use firewall rules and many other different setups. I
> > definitely need more details on the setup and configuration.
> >
> > On Fri, Nov 17, 2006 at 02:16:43PM +0100, Eijkelboom, Eric wrote:
> > > Hi,
> > > 
> > > We want to restrict access to the shares on our Samba server using
> > > "hosts allow".
> > > Can I get this to work with clients who have dynamic IP addresses
> > > and don't have reverse DNS lookup?
> > > 
> > >
> > > Best regards,
> > > Eric Eijkelboom
> > > Sr Systems Manager
> > > Medtronic B.V.
> > > Heerlen, The Netherlands
> > > Phone : +31-(0)45-566.8544
> > > Fax : +31-(0)45-566.8008
> > > www.medtronic.com <http://www.medtronic.com/>
> > >
> > > 
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/listinfo/samba
> >
> > --
> > Met vriendelijke groeten,
> > With kind regards,
> > Mit freundlichen Gruessen,
> > De jrus wah,
> >
> > Willy
> >
> > *************************************
> > W.K. Offermans
> > Eindhoven University of Technology
> > Department of Chemical Engineering
> > Laboratory of Catalysis (SKA)
> > building ST-W 4.27, PO Box 513
> > 5600 MB  Eindhoven, Netherlands
> > Tel:    +31 40 247 37 81
> > Fax:    +31 40 245 50 54
> > Home:   +31 45 544 49 44
> > Mobile: +31 653 27 16 23
> > e-mail: Willy at Offermans.Rompen.nl
> > http://www.catalysis.nl
> >
> >                                        Powered by ....
> >
> >                                             (__)
> >                                          \\\'',)
> >                                            \/  \ ^
> >                                            .\._/_)
> >
> >                                        www.FreeBSD.org
> 
> 
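
The testparm output quoted in the thread ("Invalid character * in hosts allow list") and the long wrapped hosts allow lists make two points worth checking mechanically: wildcards are not valid hosts allow entries, and a name-based entry can only match a client whose address reverse-resolves, which Eric says is not the case for his clients. The following Python is an added example, not code from the thread or from the Samba project. It pulls the hosts allow lists out of an smb.conf fragment, classifies each entry, flags wildcards, truncated fragments and duplicated addresses (the pasted lists in the thread repeat several addresses), and models whether a given client address would be admitted with and without a PTR record. The config fragment, the addresses (RFC 5737 ranges), the hostnames and the reverse DNS map are constructed; the accepted entry forms and the matching rule are my reading of Samba's documented syntax, simplified (no EXCEPT clauses, no netgroups).

```python
"""Added example, not code from the thread or the Samba project.  It reproduces
the two problems behind the quoted testparm output: '*' wildcards are invalid in
'hosts allow', and name-based entries cannot match a client with no reverse DNS.
Assumed (not stated on the page): Samba accepts IPv4 addresses, address/netmask
or address/prefix networks, trailing-dot prefixes like '203.0.113.', hostnames
and '.domain' suffixes; matching below is a simplified model (no EXCEPT)."""
import ipaddress
import re

HOSTNAME_RE = re.compile(r"^\.?[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                         r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")

# Constructed smb.conf fragment (RFC 5737 addresses), wrapped across lines the
# way the config quoted in the thread was wrapped by the mail client.
SAMPLE_CONF = """\
[pnc]
        path = /srv/samba/pnc
        hosts allow = ws-*, 192.0.2.10, 192.0.2.0/255.255.255.0, ws-eric01,
        .corp.example, 203.0.113., 192.0.2.10, 1
        read only = No
"""


def extract_hosts_allow(conf_text):
    """Return {section: [entries]}; a line with no '=' continues the previous value."""
    values, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            current = None
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1], None
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower().replace(" ", "") == "hostsallow":
            values[section], current = value.strip().rstrip("\\"), section
        elif sep:
            current = None          # some other parameter ends the wrapped value
        elif current is not None:
            values[current] += " " + line.rstrip("\\")
    return {s: [e for e in re.split(r"[,\s]+", v) if e] for s, v in values.items()}


def classify(entry):
    """address | network | prefix | hostname | wildcard | truncated | unknown."""
    if "*" in entry or "?" in entry:
        return "wildcard"      # what testparm reports as "Invalid character *"
    try:
        ipaddress.IPv4Address(entry)
        return "address"
    except ValueError:
        pass
    if "/" in entry:
        try:
            ipaddress.IPv4Network(entry, strict=False)
            return "network"
        except ValueError:
            return "unknown"
    if re.fullmatch(r"(?:\d{1,3}\.){1,3}", entry):
        return "prefix"        # tcp_wrappers-style '203.0.113.' form
    if re.fullmatch(r"[0-9.]+", entry):
        return "truncated"     # digits that do not form a complete address
    return "hostname" if HOSTNAME_RE.match(entry) else "unknown"


def lint_hosts_allow(entries):
    """Entries an admin should fix before testparm complains (first-seen order)."""
    uniq = list(dict.fromkeys(entries))
    kinds = {e: classify(e) for e in uniq}
    return {
        "wildcard": [e for e in uniq if kinds[e] == "wildcard"],
        "truncated": [e for e in uniq if kinds[e] == "truncated"],
        "duplicates": [e for e in uniq if entries.count(e) > 1],
        "needs_reverse_dns": [e for e in uniq if kinds[e] == "hostname"],
    }


def permitted(client_ip, entries, reverse_dns):
    """Simplified host check: True if any valid entry matches client_ip.
    reverse_dns maps IP -> PTR name; without one, only address forms can match."""
    ip = ipaddress.IPv4Address(client_ip)
    name = reverse_dns.get(client_ip, "").lower()
    for entry in entries:
        kind = classify(entry)
        if kind == "address" and ip == ipaddress.IPv4Address(entry):
            return True
        if kind == "network" and ip in ipaddress.IPv4Network(entry, strict=False):
            return True
        if kind == "prefix" and client_ip.startswith(entry):
            return True
        if kind == "hostname" and name:
            e = entry.lower()
            if (name.endswith(e) if e.startswith(".") else name == e):
                return True
    return False


if __name__ == "__main__":
    entries = extract_hosts_allow(SAMPLE_CONF)["pnc"]
    print(lint_hosts_allow(entries))
    print(permitted("198.51.100.5", entries, {}),
          permitted("198.51.100.5", entries, {"198.51.100.5": "WS-ERIC01.corp.example"}))
```

Run as a script it prints the report and then the two checks for a client at 198.51.100.5, once without and once with a PTR record. For the situation in the thread the second line is the point: with no reverse DNS only the address, network and prefix forms can ever admit a client, so a host-based restriction needs a stable address first (for example one assigned over the VPN Willy suggests), and the per-user authentication the thread mentions still applies on top of it.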



