6.6 Networking Options with Samba


If you're running Samba on a multihomed system (on multiple subnets), you will need to configure Samba to use all the network interfaces. Another use for the options presented in this section is to implement better security by allowing or disallowing connections on the specified interfaces.

Let's assume that our Samba server can access both the subnets 192.168.220.* and 134.213.233.*. Here are our additions to the configuration file to add the networking configuration options:

 [global]
     # Networking configuration options
     hosts allow = 192.168.220. 134.213.233.
     hosts deny = 192.168.220.102
     interfaces = 192.168.220.100/255.255.255.0 \
                  134.213.233.110/255.255.255.0
     bind interfaces only = yes

Take a look at the hosts allow and hosts deny options. If these options sound familiar, you're probably thinking of the hosts.allow and hosts.deny files that are found in the /etc directories of many Unix systems. The purpose of these options is identical to those files; they provide a means of security by allowing or denying the connections of other hosts based on their IP addresses. We could use the hosts.allow and hosts.deny files, but we are using this method instead because there might be services on the server that we want others to access without also giving them access to Samba's disk or printer shares.

With the hosts allow option, we've specified a 192.168.220 IP address, which is equivalent to saying: "All hosts on the 192.168.220 subnet." However, we've explicitly specified in a hosts deny line that 192.168.220.102 is not to be allowed access.

You might be wondering why 192.168.220.102 will be denied even though it is still in the subnet matched by the hosts allow option. It is important to understand how Samba sorts out the rules specified by hosts allow and hosts deny:

  1. If no allow or deny options are defined anywhere in smb.conf, Samba will allow connections from any system.

  2. If hosts allow or hosts deny options are defined in the [global] section of smb.conf, they will apply to all shares, even if either option is defined in one or more of the shares.

  3. If only a hosts allow option is defined for a share, only the hosts listed will be allowed to use the share. All others will be denied.

  4. If only a hosts deny option is defined for a share, any client which is not on the list will be able to use the share.

  5. If both a hosts allow and hosts deny option are defined, a host must appear in the allow list and not appear in the deny list (in any form) to access the share. Otherwise, the host will not be allowed.

Take care that you don't explicitly allow a host to access a share, but then deny access to the entire subnet of which the host is part.

Let's look at another example of that final item. Consider the following options:

 hosts allow = 111.222.
 hosts deny = 111.222.333.

In this case, only the hosts that belong to the subnet 111.222.*.* will be allowed access to the Samba shares. However, if a client belongs to the 111.222.333.* subnet, it will be denied access, even though it still matches the qualifications outlined by hosts allow. The client must appear on the hosts allow list and must not appear on the hosts deny list to gain access to a Samba share.

The other two options that we've specified are interfaces and bind interfaces only. Let's look at the interfaces option first. By default, Samba sends data only from the primary network interface, which in our example is the interface with the address 192.168.220.100. If we would like it to send data on more than that one interface, we need to specify the complete list with the interfaces option. In the previous example, we've bound Samba to both subnets (192.168.220 and 134.213.233) on which the system is operating by also specifying the other network interface address: 134.213.233.100. If you have more than one interface on your computer, you should always set this option, as there is no guarantee that the primary interface that Samba chooses will be the right one.

Finally, the bind interfaces only option instructs the nmbd process not to accept any broadcast messages other than on the subnets specified with the interfaces option. This is different from the hosts allow and hosts deny options, which prevent clients from making connections to services, but not from receiving broadcast messages. Using the bind interfaces only option is a way to shut out all datagrams from foreign subnets. In addition, it instructs the smbd process to bind to only the interface list given by the interfaces option. This restricts the networks that Samba will serve.

6.6.1 Networking Options

The networking options we introduced earlier are summarized in Table 6-6.

Table 6-6. Networking configuration options

| Option | Parameters | Function | Default | Scope |
|---|---|---|---|---|
| hosts allow (allow hosts) | string (list of hostnames) | Client systems that can connect to Samba. | None | Share |
| hosts deny (deny hosts) | string (list of hostnames) | Client systems that cannot connect to Samba. | None | Share |
| interfaces | string (list of IP/netmask combinations) | Network interfaces Samba will respond to. Allows correcting defaults. | System-dependent | Global |
| bind interfaces only | boolean | If set to yes, Samba will bind only to those interfaces specified by the interfaces option. | no | Global |

6.6.1.1 hosts allow

The hosts allow option (sometimes written as allow hosts) specifies the clients that have permission to access shares on the Samba server, written as a comma- or space-separated list of hostnames of systems or their IP addresses. You can gain quite a bit of security by simply placing your LAN's subnet address in this option.

You can specify any of the following formats for this option:

  • Hostnames, such as ftp.example.com.

  • IP addresses, such as 130.63.9.252.

  • Domain names, which can be differentiated from individual hostnames because they start with a dot. For example, .ora.com represents all systems within the ora.com domain.

  • Netgroups, which start with an at sign (@), such as @printerhosts. Netgroups are usually available only on systems running NIS or NIS+. If netgroups are supported on your system, there should be a netgroups manual page that describes them in more detail.

  • Subnets, which end with a dot. For example, 130.63.9. means all the systems whose IP addresses begin with 130.63.9.

  • The keyword ALL, which allows any client access.

  • The keyword EXCEPT followed by one or more names, IP addresses, domain names, netgroups, or subnets. For example, you could specify that Samba allow all hosts except those on the 192.168.110 subnet with hosts allow = ALL EXCEPT 192.168.110. (remember to include the trailing dot).

Using the ALL keyword by itself is almost always a bad idea because it means that crackers on any network can access your Samba server.

The hostname localhost, for the loopback address 127.0.0.1, is included in the hosts allow list by default and does not need to be listed explicitly unless you have specified the bind interfaces only parameter. This address is required for Samba to work properly.

Other than that, there is no default value for the hosts allow configuration option. The default course of action in the event that neither the hosts allow nor the hosts deny option is specified in smb.conf is to allow access from all sources.

If you specify hosts allow in the [global] section, that definition will override any hosts allow lines in the share definitions. This is the opposite of the usual behavior, which is for parameters set in share definitions to override default values set in the [global] section.
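As an added example (not from the book and not Samba's own code), the following Python model applies the five evaluation rules from the start of this section together with the value formats listed above (single addresses, subnets ending in a dot, domain names starting with a dot, ALL, and ALL EXCEPT), plus the implicit loopback allowance just described. It lets you check a proposed hosts allow / hosts deny pair against a client address before deploying it. Netgroups (@name) are assumed unavailable here and never match; the hostname-resolution details of real Samba are left out.

```python
def _matches(client_ip, client_name, pattern):
    """Does one hosts allow/deny token match the client? Simplified model of
    Samba's rules (not Samba's code): ALL matches everything, a token ending
    in a dot is a subnet prefix, one starting with a dot is a domain suffix,
    and @netgroups are assumed unavailable, so they never match."""
    if pattern == "ALL":
        return True
    if pattern.startswith("@"):
        return False
    if pattern.endswith("."):
        return (client_ip + ".").startswith(pattern)
    if pattern.startswith("."):
        return client_name is not None and client_name.endswith(pattern)
    if pattern.replace(".", "").isdigit():
        return client_ip == pattern
    return client_name == pattern


def list_matches(client_ip, client_name, value):
    """Evaluate one option value, including the 'ALL EXCEPT a b c' form."""
    tokens = value.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        included = any(_matches(client_ip, client_name, t) for t in tokens[:i])
        excluded = any(_matches(client_ip, client_name, t) for t in tokens[i + 1:])
        return included and not excluded
    return any(_matches(client_ip, client_name, t) for t in tokens)


def allowed(client_ip, client_name=None, hosts_allow=None, hosts_deny=None):
    """Access decision for one share following the rules in the text:
    neither option set -> allow; the loopback address is allowed unless it
    is explicitly denied; otherwise the client must match hosts allow (if
    set) and must not match hosts deny (if set)."""
    if hosts_allow is None and hosts_deny is None:
        return True
    denied = hosts_deny is not None and list_matches(client_ip, client_name, hosts_deny)
    if client_ip == "127.0.0.1":
        return not denied
    if hosts_allow is not None and not list_matches(client_ip, client_name, hosts_allow):
        return False
    return not denied


# Constructed checks against the two configurations discussed in this section
if __name__ == "__main__":
    allow, deny = "192.168.220. 134.213.233.", "192.168.220.102"
    print(allowed("192.168.220.5", hosts_allow=allow, hosts_deny=deny))    # True
    print(allowed("192.168.220.102", hosts_allow=allow, hosts_deny=deny))  # False
    print(allowed("111.222.333.9", hosts_allow="111.222.", hosts_deny="111.222.333."))  # False
```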

6.6.1.2 hosts deny

The hosts deny option (synonymous with deny hosts) specifies client systems that do not have permission to access a share, written as a comma- or space-separated list of hostnames or their IP addresses. Use the same format for specifying clients as the hosts allow option earlier. For example, to restrict access to the server from everywhere but example.com, you could write:

 hosts deny = ALL EXCEPT .example.com 

There is no default value for the hosts deny configuration option, although the default course of action in the event that neither option is specified is to allow access from all sources. Also, if you specify this option in the [global] section of the configuration file, it will override any hosts deny options defined in shares. If you wish to deny access to specific shares, omit both the hosts allow and hosts deny options from the [global] section of the configuration file.

Never include the loopback address (localhost at IP address 127.0.0.1) in the hosts deny list. The smbpasswd program needs to connect through the loopback address to the Samba server as a client to change a user's encrypted password. If the loopback address is disabled, the locally generated packets requesting the change of the encrypted password will be discarded by Samba.

In addition, both local browsing propagation and some functions of SWAT require access to the Samba server through the loopback address and will not work correctly if this address is disabled.

6.6.1.3 interfaces

The interfaces option specifies the networks that you want the Samba server to recognize and respond to. This option is handy if you have a computer that resides on more than one network subnet. If this option is not set, Samba searches for the primary network interface of the server (typically the first Ethernet card) upon startup and configures itself to operate on only that subnet. If the server is configured for more than one subnet and you do not specify this option, Samba will only work on the first subnet it encounters. You must use this option to force Samba to serve the other subnets on your network.

The value of this option is one or more sets of IP address/netmask pairs, as in the following:

 interfaces = 192.168.220.100/255.255.255.0 192.168.210.30/255.255.255.0 

You can optionally specify a CIDR format bitmask, like this:

 interfaces = 192.168.220.100/24 192.168.210.30/24 

The number after the slash specifies the number of bits that will be set in the netmask. For example, the number 24 means that the first 24 (of 32) bits will be set in the bitmask, which is the same as specifying 255.255.255.0 as the netmask. Likewise, 16 would be equivalent to a netmask of 255.255.0.0, and 8 would be the same as a netmask of 255.0.0.0.

This option might not work correctly if you are using DHCP.

6.6.1.4 bind interfaces only

The bind interfaces only option can be used to force the smbd and nmbd processes to respond only to those addresses specified by the interfaces option. The nmbd process normally binds to the all-addresses interface (0.0.0.0) on ports 137 and 138, allowing it to receive broadcasts from anywhere. However, you can override this behavior with the following:

 bind interfaces only = yes 

This will cause Samba to ignore any packets (including broadcast packets) whose source address does not correspond to any of the network interfaces specified by the interfaces option. You should avoid using this option if you want to allow temporary network connections, such as those created through SLIP or PPP. It's very rare that this option is needed, and it should be used only by experts.

If you set bind interfaces only to yes, add the local host address (127.0.0.1) to the interfaces list. Otherwise, smbpasswd will be unable to connect to the server using its default mode in order to change a password, local browse list propagation will fail, and some functions of SWAT will not work properly.
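As an added example (not the book's text and not Samba code), this Python check parses an interfaces value in either the netmask or the CIDR form described under 6.6.1.3 and flags the loopback pitfalls from 6.6.1.2 and this subsection: bind interfaces only = yes without 127.0.0.1 in interfaces, and the loopback address appearing in hosts deny; it also flags a bare hosts allow = ALL. The option names are the smb.conf ones from this chapter; the sample [global] block is constructed from the section's opening example.

```python
import ipaddress


def parse_interfaces(value):
    """Parse an 'interfaces =' value into (address, dotted netmask) pairs.
    Both forms from the text are accepted: a.b.c.d/255.255.255.0 and the
    CIDR form a.b.c.d/24; a bare address is treated as a /32."""
    pairs = []
    for token in value.replace(",", " ").split():
        addr, _, mask = token.partition("/")
        # ip_interface understands "/24" as well as "/255.255.255.0" and,
        # unlike ip_network, keeps the host bits of the interface address
        iface = ipaddress.ip_interface(f"{addr}/{mask or '32'}")
        pairs.append((str(iface.ip), str(iface.netmask)))
    return pairs


def check_networking(global_opts):
    """Return a list of findings for the [global] networking options, given
    as a dict of smb.conf option name -> value. Flags the loopback pitfalls
    the section describes and a bare 'hosts allow = ALL'."""
    findings = []
    ifaces = parse_interfaces(global_opts.get("interfaces", ""))
    bind_only = global_opts.get("bind interfaces only", "no").strip().lower() in ("yes", "true", "1")
    if bind_only and not any(ipaddress.ip_address(ip).is_loopback for ip, _ in ifaces):
        findings.append("bind interfaces only = yes but 127.0.0.1 is missing from interfaces; "
                        "smbpasswd, local browse list propagation and SWAT will break")
    deny_tokens = global_opts.get("hosts deny", "").replace(",", " ").split()
    if any(t in ("127.0.0.1", "localhost", "127.") for t in deny_tokens):
        findings.append("hosts deny lists the loopback address; smbpasswd and SWAT need it")
    if global_opts.get("hosts allow", "").split() == ["ALL"]:
        findings.append("hosts allow = ALL by itself admits clients from any network")
    return findings


# Constructed sample: the [global] block from the start of this section
SAMPLE_GLOBAL = {
    "hosts allow": "192.168.220. 134.213.233.",
    "hosts deny": "192.168.220.102",
    "interfaces": "192.168.220.100/255.255.255.0 134.213.233.110/255.255.255.0",
    "bind interfaces only": "yes",
}

if __name__ == "__main__":
    for finding in check_networking(SAMPLE_GLOBAL):
        print(finding)
```

Run against the section's own opening configuration, the check reports exactly the missing-loopback finding, since that example sets bind interfaces only = yes without listing 127.0.0.1.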



Using Samba
Using Samba: A File and Print Server for Linux, Unix & Mac OS X, 3rd Edition
ISBN: 0596007698
Year: 2003
Pages: 475
