Sams Teach Yourself Samba in 24 Hours


Hour 6: Security Levels and Passwords


Sections in this Chapter:


Accessibility

hosts allow

hosts deny

hosts equiv and use rhosts

Besides the standard username/password validation, Samba offers additional options that control connection requests based on the client's IP address. These checks are applied before any password is examined and supplement, rather than replace, user authentication; they are particularly useful when your server is reachable from a larger LAN (or the Internet).

hosts allow

You can use the hosts allow parameter to define a list of hosts that are allowed to connect to a particular service. If the parameter is used in the [global] section, it applies to all services regardless of individual share settings.

The parameter takes a list of IP addresses in dotted-decimal form. An entry can be a full address, or a partial address ending in a dot that matches every host whose address begins with that prefix. For example, 192.168.1.73 allows one specific host, whereas 192.168.1. allows any host on the 192.168.1.0 class C network. You can use hostnames instead of IP addresses as long as Samba can resolve them, which usually means entering the fully qualified domain name (FQDN); keep in mind that a name-based entry is only as trustworthy as your name resolution. You can also exclude hosts with the EXCEPT keyword. The default behavior accepts connections from any IP address. Here are some examples:

hosts allow = 192.168.1.73 queso.my.net 191.168. EXCEPT 191.168.2.

This setting allows connections from two specific hosts, 192.168.1.73 and queso.my.net, and connections from any host in the 191.168. class B subnet, except ones located in the 191.168.2. class C subnet.

Here's an example that uses an IP address/subnet mask pair:

hosts allow = 192.168.1.32/255.255.255.224

Samba masks the client's address with 255.255.255.224 and compares the result with 192.168.1.32, so this allows connections from any address in the 192.168.1.32/27 block, 192.168.1.32 through 192.168.1.63. Within that block, 192.168.1.32 is the network address and 192.168.1.63 is the broadcast address, leaving 192.168.1.33 through 192.168.1.62 as the usable host addresses.

hosts deny

The hosts deny parameter is the complement of hosts allow: it lists hosts that are refused, doing what the EXCEPT keyword does inside a hosts allow value but as a parameter in its own right. The syntax is the same as for hosts allow, and the default is to deny no host. If a host matches both lists, hosts allow takes precedence, and when both parameters are set, a host that appears on neither list is admitted. For a strict allowlist, therefore, use hosts allow on its own (with any exclusions after EXCEPT) rather than splitting the rule across the two parameters:

hosts deny = 192.168.3. 192.168.1.72
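To see how the two parameters combine, here is an added example in Python; it is not Samba's own code. It models the entry forms described above (full addresses, dotted prefixes, address/netmask pairs, resolvable hostnames, EXCEPT) and the precedence smbd applies as documented in smb.conf(5): the allow list wins a conflict, and 127.0.0.1 is admitted unless a hosts deny entry covers it. The hostname queso.my.net is resolved from a constructed table rather than DNS, and the address 10.9.8.7 assigned to it is made up for the example; the ALL wildcard and bit-length netmasks are accepted by the model as a convenience and are assumptions about your Samba version.

```python
"""Model of Samba's "hosts allow" / "hosts deny" evaluation.

Added illustration, not Samba's own code. It reimplements the matching
rules described in this section and the precedence documented in
smb.conf(5): allow wins a conflict, 127.0.0.1 is admitted unless
specifically denied. Hostnames are looked up in a constructed table
instead of DNS.
"""
import ipaddress

# Constructed stand-in for DNS resolution (assumption, not real data).
NAME_TABLE = {"queso.my.net": "10.9.8.7"}


def _ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def entry_matches(entry, client_ip):
    """True if a single list entry (no EXCEPT handling) covers client_ip."""
    if entry.upper() == "ALL":                   # tcp_wrappers-style wildcard (assumed)
        return True
    if "/" in entry:                             # address/netmask pair
        net, mask = entry.split("/", 1)
        if "." in mask:                          # dotted mask, as in the text
            m = _ip_int(mask)
        else:                                    # bit length, accepted as a convenience
            m = (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
        return _ip_int(client_ip) & m == _ip_int(net) & m
    if entry.endswith("."):                      # "192.168.1." covers 192.168.1.x
        return client_ip.startswith(entry)
    if entry[0].isdigit():                       # one exact address
        return client_ip == entry
    return NAME_TABLE.get(entry.lower()) == client_ip  # hostname (FQDN)


def list_matches(value, client_ip):
    """Evaluate a whole parameter value; entries after EXCEPT are carved out."""
    tokens = value.replace(",", " ").split()
    if not tokens:
        return False
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        include, exclude = tokens[:i], tokens[i + 1:]
    else:
        include, exclude = tokens, []
    if any(entry_matches(e, client_ip) for e in exclude):
        return False
    return any(entry_matches(e, client_ip) for e in include)


def host_permitted(client_ip, hosts_allow="", hosts_deny=""):
    """Decide admission the way smbd does, before any password is checked."""
    allow_set = bool(hosts_allow.split())
    deny_set = bool(hosts_deny.split())
    if client_ip == "127.0.0.1":                 # loopback: in unless explicitly denied
        return not (deny_set and list_matches(hosts_deny, client_ip))
    if not allow_set and not deny_set:           # neither list: open to everyone
        return True
    if not deny_set:                             # allow list only: must be on it
        return list_matches(hosts_allow, client_ip)
    if not allow_set:                            # deny list only: must not be on it
        return not list_matches(hosts_deny, client_ip)
    if list_matches(hosts_allow, client_ip):     # both set: allow list wins a conflict
        return True
    if list_matches(hosts_deny, client_ip):
        return False
    return True                                  # both set, on neither list: admitted


def subnet_range(entry):
    """Network, first host, last host and broadcast for an address/mask entry."""
    net = ipaddress.IPv4Network(entry, strict=False)
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]),
            str(hosts[-1]), str(net.broadcast_address))


if __name__ == "__main__":
    book_allow = "192.168.1.73 queso.my.net 191.168. EXCEPT 191.168.2."
    for ip in ("192.168.1.73", "10.9.8.7", "191.168.5.9", "191.168.2.9", "192.168.1.74"):
        print(ip, "permitted" if host_permitted(ip, hosts_allow=book_allow) else "refused")
    print(subnet_range("192.168.1.32/255.255.255.224"))
```

On a real server, testparm performs the same check against your actual smb.conf: `testparm /etc/samba/smb.conf queso.my.net 10.9.8.7` reports, for each service, whether that host would be allowed to connect, which is the quickest way to confirm a list does what you intended before restarting smbd.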

hosts equiv and use rhosts

I mention the next two parameters only for completeness and do not recommend using them. Both let a client connect to shares and authenticate without a password, trusting nothing more than the hostname or address the connection appears to come from, which can be spoofed. That is a severe security hole in your server. Be careful! Later Samba releases removed both parameters, and current smb.conf(5) no longer documents them.

The hosts equiv parameter specifies the location of a file listing hosts, each optionally followed by a username, one per line, that are allowed to access services without specifying a password (the same format as the rhosts files used by rsh and rlogin). The default is an empty value, which disables this behavior entirely. Here is an example:

hosts equiv = /etc/hosts.equiv

The Boolean use rhosts parameter causes Samba to consult the ~/.rhosts file in the UNIX user's home directory to determine which hosts are allowed access to shares without specifying a password. As with the hosts equiv parameter, the default is to disable this capability. If you want to enable it anyway, add the following to the [global] section of smb.conf:

use rhosts = yes
