Section 4.6. Networking Options with Samba

4.6. Networking Options with Samba

By default, both smbd and nmbd bind to all available broadcast-capable network interfaces on a system. There are times when you may wish to restrict this behavior, such as on a multihomed host that acts as a gateway from the internal network to the Internet, or perhaps on a laptop that has both a local network connection and a dial-up VPN connection.

Here's a simple example. Assume that our Samba server can access two subnets. The device eth0 is is bound to the 192.168.1.0/24 network and 192.168.2.0/24 is available on etH1. If Samba is not supposed to advertise itself on the 192.168.1.0/24 network, we must instruct it to use a subset of available network interfaces and bind only to those listed:

 [global]     interfaces = eth1     bind interfaces only = yes 

These two parameters, which are always used together, work in combination to restrict smbd and nmbd to the specified networks. The interfaces parameter can accept a device name (eth1), an IP address or hostname, a network/netmask pair (192.168.2.0/24), or a broadcast/netmask (192.168.2.255/255.255.255.0). The bind interfaces only option limits the behavior of smbd and nmbd to the subnets represented by the interfaces list. nmbd does not accept any broadcast messages that originate outside these subnets and smbd binds to only the specified interfaces.

It is important to realize, however, that if packets can be routed between the two networks in our example, a client on the 192.168.1.0/24 network can still access the Samba server using its 192.168.2.0/24 address.

A second alternative to restricting traffic is the hosts allow and hosts deny options. Unlike the previous two global parameters, these new options can be used on a per-service basis. If these options sound familiar, you're probably thinking of the hosts.allow and hosts.deny files found in the /etc directories of many Unix systems. The purpose of these options is identical to those files; they provide security by allowing or denying the connections of other hosts based on their IP addresses. However, Samba includes its own internal implementation of the TCP Wrappers functionality, so there is no need for additional external libraries or configuration files.

Here's a simple example that allows a portion of the hosts on the 192.168.1.0/24 network to connect to our server. Notice that we have removed the interfaces and bind interfaces only lines to ensure that smbd and nmbd bind to both eth0 and eth1 :

 [global]     hosts allow = 192.168.2. 192.168.1.100     hosts deny  = 192.168.1. 

With the hosts allow option, we've specified a 192.168.2. IP address, which is equivalent to saying: "All hosts on the 192.168.2.0/24 subnet." The trailing period is very important. Without this ending puncutation, Samba does not correctly interpret the address as a network. We have also added a single host from the 192.168.1.0/24 network to the access list. However, we've explicitly specified in a hosts deny line that hosts on the 192.168.1.0/24 network cannot connect.

It is important to understand how Samba sorts out the rules specified by hosts allow and hosts deny :

1. If no allow or deny options are defined anywhere in smb.conf, Samba allows connections from any system.

2. If hosts allow or hosts deny options are defined in the [global] section of smb.conf, they determine general access to the server, even if either option is defined in one or more of the shares.

3. If only a hosts allow option is defined for a share, only the hosts listed are allowed to use the share. All others are denied.

4. If only a hosts deny option is defined for a share, any client that is not on the list can use the share.

5. If both a hosts allow option and a hosts deny option are defined, the allow list takes precendence. But if a host does not match the allow list or the deny list, it is granted implicit access.

Take care that you don't explicitly allow a host to access a share, but then deny access to the entire subnet of which the host is part.

Let's look at another example of that final item. Consider the following options:

 hosts allow = 111.222. hosts deny = 111.222.333. 

In this case, hosts that belong to the subnet 111.222.*.* will be allowed access to the Samba shares. The deny list in the case is completely disregarded because it is a subset of the allow list. To allow all hosts in the 111.222.0.0/16 network except those on the 111.222.333.0/24 network, we can specify the following hosts allow shorthand notation:

 hosts allow = 111.222. EXCEPT 111.222.333. 

4.6.1. Networking Options

The networking options introduced earlier are summarized in Table 4-6.

4.6.1.1. hosts allow

The hosts allow option (sometimes written as allow hosts) specifies the clients that have permission to access shares on the Samba server, written as a comma- or space-separated list of hostnames of systems or their IP addresses. You can gain quite a bit of security simply by placing your LAN's subnet address in this option.

You can specify any of the following formats for the option:

• Hostnames, such as ftp.example.com.

• IP addresses, such as 130.63.9.252.

• Domain names, which can be differentiated from individual hostnames because they start with a dot. For example, .ora.com represents all systems within the ora.com domain.

• Netgroups, which start with an at sign (@), such as @printerhosts. Netgroups are usually available only on systems running NIS or NIS+. If netgroups are supported on your system, there should be a netgroups manual page that describes them in more detail.

• Subnets, which end with a dot. For example, 130.63.9. means all the systems whose IP addresses begin with 130.63.9.

• Network/netmask pairs such as 192.168.1.0/24 or 192.168.2.0/255.255.255.0.

• The keyword ALL, which allows any client access.

• The keyword EXCEPT followed by one or more names, IP addresses, domain names, netgroups, or subnets. For example, you could specify that Samba allow all hosts except those on the 192.168.110.0/24 subnet with hosts allow = ALL EXCEPT 192.168.110. (remember to include the trailing dot).

The hostname localhost, for the loopback address 127.0.0.1, is included in the hosts allow list by default and does not need to be listed explicitly unless you have specified it in the hosts deny list (probably as part of a subnet). This address is required for Samba to work properly.

Other than that, there is no default value for the hosts allow configuration option. The default course of action, in the event that neither the hosts allow or hosts deny option is specified in smb.conf, is to allow access from all sources.

If you specify hosts allow or hosts deny in the [global] section, that definition applies to all connections to the server. In a sense, this definition overrides any hosts allow lines in the share definitions, which is the opposite of the usual behavior. In actuality, the service level definition applies to the tree connection requests described in Chapter 1 and the [global] defaults apply to all packets prior to that request (i.e., protocol negotiation and authentication).

4.6.1.2. hosts deny

The hosts deny option (synonymous with deny hosts) specifies client systems that do not have permission to access a share, written as a comma- or space-separated list of hostnames or their IP addresses. Use the same format for specifying clients as the hosts allow option earlier. For example, to restrict access to the server from everywhere but the subnet example.com, you could write:

 hosts deny = ALL EXCEPT .example.com 

There is no default value for the hosts deny configuration option, although the default course of action in the event that neither option is specified is to allow access from all sources.

Never include the loopback address (localhost at IP address 127.0.0.1) in the hosts deny list. The smbpasswd program needs to connect through the loopback address to the Samba server as a client to change a user's encrypted password. If the loopback address is disabled, the locally generated packets requesting the change of the encrypted password are discarded by Samba. In addition, both local browsing propagation and some functions of SWAT require access to the Samba server through the loopback address and do not work correctly if this address is disabled.

4.6.1.3. interfaces

The interfaces option specifies the networks that you want the Samba server to recognize and respond to. This option is handy if you have a computer that resides on more than one network subnet and want to restrict the networks that Samba will serve. If this option is not set, Samba searches out and utilizes all broadcast-capable network interfaces on the server, including loopback devices. The loopback interface (lo) is automatically added to this list.

The value of this option is specified as one or more sets of IP address/netmask pairs, device names, or broadcast/netmask pairs, as in the following example:

 interfaces = eth0 192.168.2.30 

You can optionally specify a numeric bitmask, like this:

 interfaces = 192.168.220.100/24 192.168.210.30/24 

Make sure to specify the device name in the interfaces list if your Samba host is configured to use DHCP, because the server's IP address and netmask may change.

4.6.1.4. bind interfaces only

The bind interfaces only option can be used to force the smbd and nmbd processes to respond only to those addresses specified by the interfaces option and to loopback network devices. To prevent Samba from processing any packets (including broadcast packets) whose source address does not correspond to any of the network interfaces specified by the interfaces option, define the following line in addition to a list of interfaces:

 bind interfaces only = yes