14.5 Common Errors


If all of Samba and host platform configuration were really as intuitive as one might like them to be, this section would not be necessary. Security issues are often vexing for a support person to resolve, not because of the complexity of the problem, but for the reason that most administrators who post what turns out to be a security problem request are totally convinced that the problem is with Samba.

14.5.1 Smbclient Works on Localhost, but the Network Is Dead

This is a common problem. Red Hat Linux (and others) installs a default firewall. With the default firewall in place, only traffic on the loopback adapter (IP address 127.0.0.1) is allowed through the firewall.

The solution is either to remove the firewall (stop it) or modify the firewall script to allow SMB networking traffic through. See section above in this chapter.

14.5.2 Why Can Users Access Home Directories of Other Users?

" We are unable to keep individual users from mapping to any other user 's home directory once they have supplied a valid password! They only need to enter their own password. I have not found any method to configure Samba so that users may map only their own home directory ."

" User xyzzy can map his home directory. Once mapped user xyzzy can also map anyone else's home directory ."

This is not a security flaw, it is by design. Samba allows users to have exactly the same access to the UNIX file system as when they were logged onto the UNIX box, except that it only allows such views onto the file system as are allowed by the defined shares.

If your UNIX home directories are set up so that one user can happily cd into another users directory and execute ls , the UNIX security solution is to change file permissions on the user's home directories such that the cd and ls are denied .

Samba tries very hard not to second guess the UNIX administrators security policies, and trusts the UNIX admin to set the policies and permissions he or she desires.

Samba allows the behavior you require. Simply put the only user = %S option in the [ homes ] share definition.

The only user works in conjunction with the users = list, so to get the behavior you require, add the line :

 
  users = %S  

this is equivalent to adding

 
  valid users = %S  

to the definition of the [homes] share, as recommended in the smb.conf man page.



Official Samba-3 HOWTO and Reference Guide
The Official Samba-3 HOWTO and Reference Guide, 2nd Edition
ISBN: 0131882228
EAN: 2147483647
Year: 2005
Pages: 297

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net