[Samba] host allow

Willy Offermans Willy at Offermans.Rompen.nl
Wed Nov 22 11:01:10 GMT 2006


Hello Eric,

After our telephone call, I had some thoughts about your problem.

First you can ensure that the DNS server which is used by the samba host
``knows'' about all your clients. Static and dynamic IP addresses should
be given by DHCP servers, which announce those leases to the DNS
server. Look for isc-dhcp3-server or Internet Software Consortium. Then
the reverse resolving will work. Make sure that the client hosts are
identified unambiguously. Also have a look at named - Internet domain
name server on how to set up name servers, possibly on different levels.
Then the hosts allow entry in your smb.conf file will work.

Secondly you could use (open)vpn connections for your clients. This
would be especially useful for road warriors. It is a bit of an overkill
for clients on the safe site behind the firewall. But the advantage
could be that you use one way of connecting for all the clients,
irrespective of where they are located. With the right setup you can give
the virtual tunnel devices IP addresses correlated with the host keys.
And in that way you can identify your clients unambiguously.

So there are solutions to your problem.

I hope this is helpful for you.

On Mon, Nov 20, 2006 at 12:17:23PM +0100, Eijkelboom, Eric wrote:
> For now we decided to use static IP addresses for these PCs.
> 
> I just had a look at your website, so you live in Heerlen?
> I would very much appreciate it if you let me know if anything else
> comes to mind, but for now we are going with static IP addresses.
> 
> 
> -----Original Message-----
> From: Willy Offermans [mailto:willy at Offermans.Rompen.nl] 
> Sent: Monday, November 20, 2006 12:02 PM
> To: Eijkelboom, Eric
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] host allow
> 
> Hello Eric,
> 
> To restrict access to your Samba shares on a host basis, you need to
> identify your clients unambiguously. Since the clients have dynamic IP
> addresses, this can never be guaranteed. The best thing I can imagine is
> to use a bridged vpn connection from the client and provide the client
> an IP address. In this way the client is unambiguously identified.
> Then you allow only access to your samba via vpn (firewall rule or
> whatever). In this way you also ensure that the connection
> client-Samba-host is encrypted.
> 
> But I still have the feeling that this solution is much too difficult.
> Let me think about this for a couple of days, maybe I will find something
> better. In the meantime you can give me more details about what you
> really want. If things are confidential or if it is much easier, you can
> also contact me in a different way than via this list.
> 
> As a matter of fact, I live so close to your company, I can even see it
> from my window on the attic... Funny coincidence.
> 
> 
> On Mon, Nov 20, 2006 at 11:34:52AM +0100, Eijkelboom, Eric wrote:
> > Correct, I don't want to use the UNIX /etc/hosts.allow file but the 
> > "host allow" option in Samba.
> > 
> > I've added for example "daelej*" so that every PC client that starts 
> > with "daelej" should be able to have access. Then the user also needs 
> > to use their user-id and password.
> > 
> > 
> > -----Original Message-----
> > From: Willy Offermans [mailto:willy at Offermans.Rompen.nl]
> > Sent: Monday, November 20, 2006 11:28 AM
> > To: Eijkelboom, Eric
> > Subject: Re: [Samba] host allow
> > 
> > Hello Eric,
> > 
> > Now I understand your problem a bit better. If you talk about hosts 
> > allow, you mean the line in your samba configuration file. Not the 
> > file hosts.allow, which possibly exists in your /etc directory.
> > 
> > So you want to restrict access to your Samba shares on a host basis.
> > This is an interesting problem and unusual at the same time. Usually 
> > one restricts access to samba shares on a user basis and not on a 
> > host basis. I guess you have to clarify this a bit to help you.
> > 
> > On Mon, Nov 20, 2006 at 11:06:48AM +0100, Eijkelboom, Eric wrote:
> > > Thanks for the fast response Willy!
> > >
> > > We're using different groups and access rights. But from an audit 
> > > point of view we also want to restrict access to a certain IP range 
> > > and several hosts which obtain IP addresses dynamically (from several
> > > ranges).
> > >
> > > Reverse DNS is not set up for these clients. If I add these clients 
> > > to the /etc/hosts file it works ok. But since they are getting their
> > > IP addresses dynamically, this is not an option.
> > >
> > > But while getting more information for you I got the error 
> > > message below. It seems I made a syntax error.
> > >
> > >
> > > root at krksun1 # /usr/local/samba/bin/testparm
> > > Load smb config files from /usr/local/samba/lib/smb.conf
> > > Processing section "[pnc]"
> > > Processing section "[apps]"
> > > Processing section "[ipacs]"
> > > Processing section "[aps]"
> > > Processing section "[aps1]"
> > > Loaded services file OK.
> > > Invalid character * in hosts allow list (daelej*) for service pnc.
> > > Invalid character * in hosts allow list (DAELEJ*) for service pnc.
> > > Invalid character * in hosts allow list (eijkee*) for service pnc.
> > > Invalid character * in hosts allow list (stijnj1*) for service pnc.
> > > Invalid character * in hosts allow list (beuskr1*) for service pnc.
> > > Invalid character * in hosts allow list (brassm1*) for service pnc.
> > > Invalid character * in hosts allow list (burchh1*) for service pnc.
> > > Invalid character * in hosts allow list (engelm1*) for service pnc.
> > > Invalid character * in hosts allow list (geenef1*) for service pnc.
> > > Invalid character * in hosts allow list (haenet1*) for service pnc.
> > > Invalid character * in hosts allow list (hundsr1*) for service pnc.
> > > Invalid character * in hosts allow list (koekej1*) for service pnc.
> > > Invalid character * in hosts allow list (mierej1*) for service pnc.
> > > Invalid character * in hosts allow list (heunei1*) for service pnc.
> > > Invalid character * in hosts allow list (daelej1*) for service apps.
> > > Invalid character * in hosts allow list (stijnj1*) for service apps.
> > > Invalid character * in hosts allow list (beuskr1*) for service apps.
> > > Invalid character * in hosts allow list (brassm1*) for service apps.
> > > Invalid character * in hosts allow list (burchh1*) for service apps.
> > > Invalid character * in hosts allow list (engelm1*) for service apps.
> > > Invalid character * in hosts allow list (geenef1*) for service apps.
> > > Invalid character * in hosts allow list (haenet1*) for service apps.
> > > Invalid character * in hosts allow list (hundsr1*) for service apps.
> > > Invalid character * in hosts allow list (koekej1*) for service apps.
> > > Invalid character * in hosts allow list (mierej1*) for service apps.
> > > Invalid character * in hosts allow list (heunei1*) for service apps.
> > > Invalid character * in hosts allow list (eijkee2*) for service ipacs.
> > > Invalid character * in hosts allow list (daelej1*) for service ipacs.
> > > Invalid character * in hosts allow list (stijnj*) for service ipacs.
> > > Invalid character * in hosts allow list (beuskr1*) for service ipacs.
> > > Invalid character * in hosts allow list (brassm1*) for service ipacs.
> > > Invalid character * in hosts allow list (burchh1*) for service ipacs.
> > > Invalid character * in hosts allow list (engelm1*) for service ipacs.
> > > Invalid character * in hosts allow list (geenef1*) for service ipacs.
> > > Invalid character * in hosts allow list (haenet1*) for service ipacs.
> > > Invalid character * in hosts allow list (hundsr1*) for service ipacs.
> > > Invalid character * in hosts allow list (koekej1*) for service ipacs.
> > > Invalid character * in hosts allow list (mierej1*) for service ipacs.
> > > Invalid character * in hosts allow list (heunei1*) for service ipacs.
> > > Invalid character * in hosts allow list (daelej1*) for service aps.
> > > Invalid character * in hosts allow list (stijnj*) for service aps.
> > > Invalid character * in hosts allow list (beuskr1*) for service aps.
> > > Invalid character * in hosts allow list (brassm1*) for service aps.
> > > Invalid character * in hosts allow list (burchh1*) for service aps.
> > > Invalid character * in hosts allow list (engelm1*) for service aps.
> > > Invalid character * in hosts allow list (geenef1*) for service aps.
> > > Invalid character * in hosts allow list (haenet1*) for service aps.
> > > Invalid character * in hosts allow list (hundsr1*) for service aps.
> > > Invalid character * in hosts allow list (koekej1*) for service aps.
> > > Invalid character * in hosts allow list (mierej1*) for service aps.
> > > Invalid character * in hosts allow list (heunei1*) for service aps.
> > > Invalid character * in hosts allow list (daelej1*) for service aps1.
> > > Invalid character * in hosts allow list (stijnj*) for service aps1.
> > > Invalid character * in hosts allow list (beuskr1*) for service aps1.
> > > Invalid character * in hosts allow list (brassm1*) for service aps1.
> > > Invalid character * in hosts allow list (burchh1*) for service aps1.
> > > Invalid character * in hosts allow list (engelm1*) for service aps1.
> > > Invalid character * in hosts allow list (geenef1*) for service aps1.
> > > Invalid character * in hosts allow list (haenet1*) for service aps1.
> > > Invalid character * in hosts allow list (hundsr1*) for service aps1.
> > > Invalid character * in hosts allow list (koekej1*) for service aps1.
> > > Invalid character * in hosts allow list (mierej1*) for service aps1.
> > > Invalid character * in hosts allow list (heunei1*) for service aps1.
> > > Server role: ROLE_STANDALONE
> > > Press enter to see a dump of your service definitions
> > >
> > > # Global parameters
> > > [global]
> > >         workgroup = MIDEARTH
> > >         ldap ssl = no
> > >
> > > [pnc]
> > >         comment = PNC root share
> > >         path = /samba
> > >         read list = @aps_own, @aps_doc, @aps_eng
> > >         write list = @aps_own
> > >         read only = No
> > >         hosts allow = daelej*, DAELEJ*, eijkee*, EIJKEE2-S1, 
> > > 144.15.138.18, 172.25.136.12, stijnj1*, 
> > > mstm1bmig15.ent.core.medtronic.com, beuskr1*, brassm1*, burchh1*, 
> > > engelm1*, geenef1*, haenet1*, hundsr1*, koekej1*, mierej1*, 
> > > heunei1*, 144.15.72.107, 144.15.72.11, 144.15.72.110, 144.15.72.116,
> > > 144.15.72.119, 144.15.72.124, 144.15.72.125, 144.15.72.125, 
> > > 144.15.72.126, 144.15.72.127, 144.15.72.128, 144.15.72.130, 
> > > 144.15.72.134, 144.15.72.138, 144.15.72.139, 144.15.72.140, 
> > > 144.15.72.141, 144.15.72.143, 144.15.72.144, 144.15.72.145, 
> > > 144.15.72.146, 144.15.72.147, 144.15.72.151, 144.15.72.153, 
> > > 144.15.72.166, 144.15.72.167, 144.15.72.168, 144.15.72.173, 
> > > 144.15.72.181, 144.15.72.184, 144.15.72.184, 144.15.72.185, 
> > > 144.15.72.188, 144.15.72.192, 144.15.72.201, 144.15.72.202, 
> > > 144.15.72.203, 144.15.72.204, 144.15.72.204, 144.15.72.205, 
> > > 144.15.72.206, 144.15.72.207, 144.15.72.208, 144.15.72.209, 
> > > 144.15.72.209, 144.15.72.227, 144.15.72.228, 144.15.72.231,
> > > 144.15.72.232
> > >
> > > [apps]
> > >         comment = pns share
> > >         path = /samba/apps
> > >         read list = @aps_own, @aps_doc, @aps_eng
> > >         write list = @aps_own
> > >         read only = No
> > >         hosts allow = 144.15.138.18, 172.25.136.12, 144.15.138.155, 
> > > daelej1*, stijnj1*, mstm1bmig15.ent.core.medtronic.com, beuskr1*, 
> > > brassm1*, burchh1*, engelm1*, geenef1*, haenet1*, hundsr1*, 
> > > koekej1*, mierej1*, heunei1*, 144.15.72.107, 144.15.72.11, 
> > > 144.15.72.110, 144.15.72.116, 144.15.72.119, 144.15.72.124, 
> > > 144.15.72.125, 144.15.72.125, 144.15.72.126, 144.15.72.127, 
> > > 144.15.72.128, 144.15.72.130, 144.15.72.134, 144.15.72.138, 
> > > 144.15.72.139, 144.15.72.140, 144.15.72.141, 144.15.72.143, 
> > > 144.15.72.144, 144.15.72.145, 144.15.72.146, 144.15.72.147, 
> > > 144.15.72.151, 144.15.72.153, 144.15.72.166, 144.15.72.167, 
> > > 144.15.72.168, 144.15.72.173, 144.15.72.181, 144.15.72.184, 
> > > 144.15.72.184, 144.15.72.185, 144.15.72.188, 144.15.72.192, 
> > > 144.15.72.201, 144.15.72.202, 144.15.72.203, 144.15.72.204, 
> > > 144.15.72.204, 144.15.72.205, 144.15.72.206, 144.15.72.207, 
> > > 144.15.72.208, 144.15.72.209, 144.15.72.209, 144.15.72.227, 
> > > 144.15.72.228, 144.15.72.231, 144.15.72.232, 144.15.72.239, 
> > > 144.15.72.24, 144.15.72.245, 144.15.72.248, 144.15.72.251, 
> > > 144.15.72.31, 1
> > >
> > > [ipacs]
> > >         comment = pnc share ipacs
> > >         path = /samba/usrdir/ipacs
> > >         read list = @aps_own, @aps_doc, @aps_eng
> > >         write list = @aps_own, @aps_doc
> > >         read only = No
> > >         hosts allow = 144.15.138.18, 172.25.136.12, 144.15.138.155, 
> > > 172.25.37.57, eijkee2*, daelej1*, stijnj*, 
> > > mstm1bmig15.ent.core.medtronic.com, beuskr1*, brassm1*, burchh1*, 
> > > engelm1*, geenef1*, haenet1*, hundsr1*, koekej1*, mierej1*, 
> > > heunei1*, 144.15.72.107, 144.15.72.11, 144.15.72.110, 144.15.72.116,
> > > 144.15.72.119, 144.15.72.124, 144.15.72.125, 144.15.72.125, 
> > > 144.15.72.126, 144.15.72.127, 144.15.72.128, 144.15.72.130, 
> > > 144.15.72.134, 144.15.72.138, 144.15.72.139, 144.15.72.140, 
> > > 144.15.72.141, 144.15.72.143, 144.15.72.144, 144.15.72.145, 
> > > 144.15.72.146, 144.15.72.147, 144.15.72.151, 144.15.72.153, 
> > > 144.15.72.166, 144.15.72.167, 144.15.72.168, 144.15.72.173, 
> > > 144.15.72.181, 144.15.72.184, 144.15.72.184, 144.15.72.185, 
> > > 144.15.72.188, 144.15.72.192, 144.15.72.201, 144.15.72.202, 
> > > 144.15.72.203, 144.15.72.204, 144.15.72.204, 144.15.72.205, 
> > > 144.15.72.206, 144.15.72.207, 144.15.72.208, 144.15.72.209, 
> > > 144.15.72.209, 144.15.72.227, 144.15.72.228, 144.15.72.231, 
> > > 144.15.72.232, 144.15.72.239, 144.15.72.24, 144.15.72.245, 
> > > 144.15.72.248, 144.15.
> > >
> > > [aps]
> > >         comment = pnc aps
> > >         path = /samba/usrdir/aps
> > >         read list = @aps_own, @aps_doc, @aps_eng
> > >         write list = @aps_own
> > >         read only = No
> > >         hosts allow = 144.15.138.18, 172.25.136.12, 144.15.138.155, 
> > > daelej1*, stijnj*, mstm1bmig15.ent.core.medtronic.com, beuskr1*, 
> > > brassm1*, burchh1*, engelm1*, geenef1*, haenet1*, hundsr1*, 
> > > koekej1*, mierej1*, heunei1*, 144.15.72.107, 144.15.72.11, 
> > > 144.15.72.110, 144.15.72.116, 144.15.72.119, 144.15.72.124, 
> > > 144.15.72.125, 144.15.72.125, 144.15.72.126, 144.15.72.127, 
> > > 144.15.72.128, 144.15.72.130, 144.15.72.134, 144.15.72.138, 
> > > 144.15.72.139, 144.15.72.140, 144.15.72.141, 144.15.72.143, 
> > > 144.15.72.144, 144.15.72.145, 144.15.72.146, 144.15.72.147, 
> > > 144.15.72.151, 144.15.72.153, 144.15.72.166, 144.15.72.167, 
> > > 144.15.72.168, 144.15.72.173, 144.15.72.181, 144.15.72.184, 
> > > 144.15.72.184, 144.15.72.185, 144.15.72.188, 144.15.72.192, 
> > > 144.15.72.201, 144.15.72.202, 144.15.72.203, 144.15.72.204, 
> > > 144.15.72.204, 144.15.72.205, 144.15.72.206, 144.15.72.207, 
> > > 144.15.72.208, 144.15.72.209, 144.15.72.209, 144.15.72.227, 
> > > 144.15.72.228, 144.15.72.231, 144.15.72.232, 144.15.72.239, 
> > > 144.15.72.24, 144.15.72.245, 144.15.72.248, 144.15.72.251, 
> > > 144.15.72.31, 14
> > >
> > > [aps1]
> > >         comment = pnc share aps1
> > >         path = /samba/apps/aps
> > >         read list = @aps_own, @aps_doc, @aps_eng
> > >         write list = @aps_own
> > >         read only = No
> > >         hosts allow = 144.15.138.18, 172.25.136.12, 144.15.138.155, 
> > > daelej1*, stijnj*, mstm1bmig15.ent.core.medtronic.com, beuskr1*, 
> > > brassm1*, burchh1*, engelm1*, geenef1*, haenet1*, hundsr1*, 
> > > koekej1*, mierej1*, heunei1*, 144.15.72.107, 144.15.72.11, 
> > > 144.15.72.110, 144.15.72.116, 144.15.72.119, 144.15.72.124, 
> > > 144.15.72.125, 144.15.72.125, 144.15.72.126, 144.15.72.127, 
> > > 144.15.72.128, 144.15.72.130, 144.15.72.134, 144.15.72.138, 
> > > 144.15.72.139, 144.15.72.140, 144.15.72.141, 144.15.72.143, 
> > > 144.15.72.144, 144.15.72.145, 144.15.72.146, 144.15.72.147, 
> > > 144.15.72.151, 144.15.72.153, 144.15.72.166, 144.15.72.167, 
> > > 144.15.72.168, 144.15.72.173, 144.15.72.181, 144.15.72.184, 
> > > 144.15.72.184, 144.15.72.185, 144.15.72.188, 144.15.72.192, 
> > > 144.15.72.201, 144.15.72.202, 144.15.72.203, 144.15.72.204, 
> > > 144.15.72.204, 144.15.72.205, 144.15.72.206, 144.15.72.207, 
> > > 144.15.72.208, 144.15.72.209, 144.15.72.209, 144.15.72.227, 
> > > 144.15.72.228, 144.15.72.231, 144.15.72.232, 144.15.72.239, 
> > > 144.15.72.24, 144.15.72.245, 144.15.72.248, 144.15.72.251, 
> > > 144.15.72.31, 14
> > >
> > > 
> > >
> > > -----Original Message-----
> > > From: Willy Offermans [mailto:Willy at Offermans.Rompen.nl]
> > > Sent: Sunday, November 19, 2006 1:15 PM
> > > To: Eijkelboom, Eric
> > > Subject: Re: [Samba] host allow
> > >
> > > Hello Eric,
> > >
> > > Beforehand I would say that this is not the best idea to prevent 
> > > your clients access to your shares. But I need to have more details 
> > > on how the clients connect. The best thing to prevent access would 
> > > be to define different groups with different access rights. But you 
> > > could also use firewall rules and a lot more of different setups. I 
> > > definitely need more details on setup and configuration.
> > >
> > > On Fri, Nov 17, 2006 at 02:16:43PM +0100, Eijkelboom, Eric wrote:
> > > > Hi,
> > > > 
> > > > We want to restrict access to the shares on our samba server using 
> > > > "hosts allow".
> > > > Can I get this to work with clients who have dynamic IP addresses 
> > > > and don't have reverse DNS lookup?
> > > > 
> > > >
> > > > Best regards,
> > > > Eric Eijkelboom
> > > > Sr Systems Manager
> > > > Medtronic B.V.
> > > > Heerlen, The Netherlands
> > > > Phone : +31-(0)45-566.8544
> > > > Fax : +31-(0)45-566.8008
> > > > www.medtronic.com <http://www.medtronic.com/>
> > > >
> > > > 
> > 
> > 
> 
> 

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Willy

*************************************
W.K. Offermans
Eindhoven University of Technology
Department of Chemical Engineering
Laboratory of Catalysis (SKA)
building ST-W 4.27, PO Box 513
5600 MB  Eindhoven, Netherlands
Tel:    +31 40 247 37 81
Fax:    +31 40 245 50 54
Home:   +31 45 544 49 44
Mobile: +31 653 27 16 23
e-mail: Willy at Offermans.Rompen.nl
http://www.catalysis.nl

                                       Powered by ....

                                            (__)
                                         \\\'',)
                                           \/  \ ^
                                           .\._/_)

                                       www.FreeBSD.org
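
Added example, not part of the original message and not Samba code: a small Python check for the problems this thread runs into with hosts allow lists, namely wildcard entries that testparm rejects, hostname entries that only match when the server can reverse-resolve the client, and repeated entries. The sample configuration is constructed, the function names are hypothetical, values are assumed to sit on one line, and EXCEPT clauses are not handled.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in smb.conf syntax, modelled on the thread but
# shortened. It is not the poster's real file.
SAMPLE_CONF = """\
[pnc]
    path = /samba
    hosts allow = daelej*, EIJKEE2-S1, 144.15.138.18, 144.15.72.125, 144.15.72.125
[apps]
    path = /samba/apps
    hosts allow = 144.15.138.18 172.25.136.12
"""

def parse_hosts_allow(conf_text):
    """Return {share: [entries]} for each 'hosts allow' / 'allow hosts' line."""
    shares, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            continue
        key, sep, value = line.partition("=")
        name = " ".join(key.lower().split())
        if sep and current and name in ("hosts allow", "allow hosts"):
            # Samba accepts comma, space or tab as list delimiters.
            shares[current] = [e for e in re.split(r"[,\s]+", value.strip()) if e]
    return shares

def classify(entry):
    """Label one entry by how the server has to identify the client."""
    if "*" in entry:
        return "wildcard"   # testparm: "Invalid character * in hosts allow list"
    if re.fullmatch(r"(\d{1,3}\.){1,3}", entry):
        return "address"    # prefix form such as "144.15.72."
    try:
        ipaddress.ip_network(entry, strict=False)  # single address or net/mask
        return "address"    # compared with the peer address, no DNS involved
    except ValueError:
        return "hostname"   # matches only if reverse DNS works for the client

def audit(conf_text):
    """Return {share: {"wildcard": [...], "hostname": [...], "duplicate": [...]}}."""
    report = {}
    for share, entries in parse_hosts_allow(conf_text).items():
        counts = Counter(entries)  # keeps first-seen order
        report[share] = {
            "wildcard": [e for e in counts if classify(e) == "wildcard"],
            "hostname": [e for e in counts if classify(e) == "hostname"],
            "duplicate": [e for e, n in counts.items() if n > 1],
        }
    return report

if __name__ == "__main__":
    for share, findings in audit(SAMPLE_CONF).items():
        print(share, findings)
```

Entries reported as "hostname" are the ones that stop matching for DHCP clients without reverse DNS; entries reported as "wildcard" are the ones testparm complains about in the output quoted above.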