[Samba] Minimal configuration for Name Service
Thiago Crepaldi
thiago at thiagocrepaldi.com
Wed Feb 26 12:29:38 MST 2014
I believe your configuration works well. I was wondering if
available=no
name resolve order = hosts
wins support = no
wins proxy = no
dns proxy = no
would make it a little bit more secure or not. I guess I read something
somewhere alerting about the man-in-the-middle attack if wins ser, or wins
proxy or dns proxy was enabled but badly configured. In my case, as I don't
need any of it, maybe turning them off would be a good security enhancement.
But thanks, Marc, you helped a lot!
On Wed, Feb 26, 2014 at 3:53 PM, Marc Muehlfeld <samba at marc-muehlfeld.de> wrote:
> On 26.02.2014 18:57, Thiago Crepaldi wrote:
>
> I think, the most minimal config is:
>>>
>>> [global]
>>> workgroup = WKG
>>> netbios name = MYNAME
>>>
>>>
>> I guess I expressed myself poorly. I need a minimal configuration that is
>> also as safe as possible, so it is desired to turn off all unnecessary
>> services.
>>
>
> If you use this minimal config and only start nmbd, then only port 137/udp
> and 138/udp are opened and Samba replies only to name requests. I'm not an
> expert about netbios, but I think, there isn't much to make more secure.
>
>
> If you require smbd also to be started, then it would listen to 445/tcp
> and 139/tcp as well. But it won't authenticate or something else, as it is
> not a domain member nor have a user backend configured, etc. So I think
> there's also nothing special to secure.
>
>
>
>
>
> As we can't assume there is a DNS Server, I thought we maybe could use
>> NetBIOS Name Service to do the trick.
>>
>
> With the above minimal config and only nmbd started, you can
>
> # ping myname
>
> (tried from Win8 with the above minimal config) as the name is resolved
> through netbios broadcast (which requires to have both machines in the same
> subnet).
>
>
>
> Regards,
> Marc
>
--
Thiago
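
Added example, not part of the original messages and not Samba project code: a small Python check that reads the [global] section of an smb.conf and reports whether the three options listed in the message above (wins support, wins proxy, dns proxy) are explicitly on, explicitly off, or unset. The sample config is constructed, and the accepted boolean spellings are an assumption about Samba's parser.

```python
BOOL_ON = {"yes", "true", "on", "1"}      # assumed boolean spellings
BOOL_OFF = {"no", "false", "off", "0"}
WATCHED = ("wins support", "wins proxy", "dns proxy")

def norm(name):
    # smb.conf names are case-insensitive and whitespace inside them is ignored
    return "".join(name.split()).lower()

def parse_global(text):
    """Return {normalized parameter: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):           # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()   # a later assignment wins
    return params

def state(value):
    if value is None:
        return "unset"
    v = value.lower()
    return "on" if v in BOOL_ON else "off" if v in BOOL_OFF else "invalid"

def audit(text):
    params = parse_global(text)
    return {name: state(params.get(norm(name))) for name in WATCHED}

# Constructed sample: the minimal config from the thread plus two extra lines.
SAMPLE = """\
[global]
    workgroup = WKG
    netbios name = MYNAME
    ; dns proxy = no   (commented out, so it does not count)
    WINS Support = No
    winsproxy = yes
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An unset option falls back to Samba's built-in default; `testparm -sv` prints the effective values including defaults.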