Old 01-19-2006, 09:59 AM   #1
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Samba User Security


I've been reading the only book of Using Samba over at Oreilly.com to try and get a grasp on Samba.

I have a server at my house and it has all my music on it. I want my roommate to be able to access the music via Samba without having to put in a password. The way I have it set up now he is able to do that but he is also able to write to the files and I don't want him to be able to delete anything.

What I need is the ability to optionally authenticate using a username and password. If you are authenticated with this username and password then you will have read/write access otherwise you will only have read access.

To be honest I've gotten a little confused reading this book online. I'm fairly sure I should be using 'security = user'. What I'm not sure is that if I use that security level my roommate will HAVE TO enter a username and password every time. Is this right?

Any input would be appreciated. Thanks in advance.
 
Old 01-19-2006, 12:11 PM   #2
Dmjmusser
Member
 
Registered: Nov 2005
Location: Detroit, Michigan -- USA
Distribution: Fedora Core
Posts: 90

Rep: Reputation: 15
What I've got set up is username mapping. It allows users logging into their local Windows workstation with the right login name to view files on your server without having to ever enter a username or password. You create a Linux and Samba username, and then create a file such as smbusers. In your smb.conf file, you add an entry in your global service to show Samba where that mapping file is:

username map = /etc/samba/smbusers

This file is not complicated. Let me show you an example:


#### smbusers ####
# Use: Unix_ID = Windows_ID
#
# Examples:
# lane = "Lisa Lane"
# jimbo = Jim Bones
#
# Note: If the windows username is more than one word, you MUST USE
# double-quotes around the name!! In the example above, Unix user jimbo
# will be mapped to Windows users "Jim" and "Bones" because no quotes were
# supplied.

mfriend = "My Friend"

#EOF


You will then need to create a Unix and Samba user mfriend and a password for him. Additionally, you will need to add that Samba user name to the "valid users" entry in the share that your music files are in. That way, Samba will assume that Windows user "My Friend", who logs into the server, is essentially Unix user mfriend, and will have access to anything on your system that your Unix permissions give him permission to.

In this manner, you can add Unix user mfriend to a group, let's call it "music", and do a chown root.music on the music files, then a chmod to give group music r+x permissions, but not write, so he won't be able to alter the files in any way on the server.

However, with this setup, ANY Windows user with the login name "My Friend" would have access to your files. As low as the probability that someone with the same Windows login name would stumble across your server may be, it'd be a good idea to specify an additional global config option in your smb.conf file:
hosts allow = <ip addresses of allowed hosts, comma delimited list>

Without username mapping, he could log into the server using his Samba username and password, and will need to do this after each login to his Windows workstation. Windows should save his credentials until he logs off or shuts down his computer.

Btw, I would use the "Learn By Example" and "Official HOWTO" to Samba, provided at Samba.org. They're quite comprehensive and I've learned quite a bit in just a couple weeks.

Hope this helps!

~Myles

Last edited by Dmjmusser; 01-19-2006 at 12:19 PM.
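
Added example, not part of the original posts: a small Python check that parses a username map file in the format shown above and lists which Windows login names end up mapped to a Unix user named in a share's "valid users". The function names and the sample file are constructed for illustration; handling of ';' comments, a leading '!' and the '*' wildcard follows smb.conf(5) rather than anything stated in the thread.

```python
import re

# Constructed sample: the smbusers examples from the post, uncommented.
SMBUSERS = '''\
# Unix_ID = Windows_ID
lane = "Lisa Lane"
jimbo = Jim Bones
mfriend = "My Friend"
'''

# A Windows name is either a double-quoted string or a bare word.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def parse_username_map(text):
    """Return {unix_user: [windows_name, ...]} for a username map file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        unix, _, rest = line.partition("=")
        names = [quoted or bare for quoted, bare in TOKEN.findall(rest)]
        # A leading '!' only means "stop at first match"; drop it from the name.
        mapping.setdefault(unix.strip().lstrip("!"), []).extend(names)
    return mapping

def names_reaching_share(mapping, valid_users):
    """Windows login names that map to a Unix user listed in valid_users."""
    return sorted(w for u, ws in mapping.items() if u in valid_users for w in ws)

def suspicious_entries(mapping):
    """Flag wildcard maps and multi-name entries (possible missing quotes)."""
    findings = []
    for unix, names in mapping.items():
        if "*" in names:
            findings.append((unix, "wildcard maps every client name"))
        elif len(names) > 1:
            findings.append((unix, "maps %d names: %s" % (len(names), ", ".join(names))))
    return findings

if __name__ == "__main__":
    m = parse_username_map(SMBUSERS)
    print(names_reaching_share(m, {"mfriend", "jimbo"}))
    for unix, why in suspicious_entries(m):
        print("review %s: %s" % (unix, why))
```

Run against the real /etc/samba/smbusers, any entry it flags is worth reading by hand before adding the Unix name to a share's "valid users".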
 
Old 01-20-2006, 08:25 AM   #3
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Original Poster
Rep: Reputation: 57
Thanks a lot. That was very informative.
 
Old 01-20-2006, 09:23 AM   #4
Dmjmusser
Member
 
Registered: Nov 2005
Location: Detroit, Michigan -- USA
Distribution: Fedora Core
Posts: 90

Rep: Reputation: 15
Quote:
Originally Posted by Dmjmusser
That way, Samba will assume that Windows user "My Friend", who logs into the server, is essentially Unix user mfriend, and will have access to anything on your system that your Unix permissions give him permission to.
Sorry, that should actually read that the Windows user "My Friend" would have access to anything on your Samba share, not anything on your system.

Username mapping is also cool because then, you never have to supply the user with their Unix password, which will keep your friend from accessing your server via ssh or telnet and messing around with stuff that he shouldn't be.

And you're quite welcome. Let me know if there's anything else I can do to help.

~Myles
 
Old 01-20-2006, 10:41 AM   #5
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Quote:
Originally Posted by Dmjmusser

Username mapping is also cool because then, you never have to supply the user with their Unix password, which will keep your friend from accessing your server via ssh or telnet and messing around with stuff that he shouldn't be.
Do note that Samba uses its own password file, so allowing SMB access with no Unix access is quite possible. Username mapping is only necessary when their Unix username and Windows username differ.
 
Old 01-20-2006, 01:49 PM   #6
Dmjmusser
Member
 
Registered: Nov 2005
Location: Detroit, Michigan -- USA
Distribution: Fedora Core
Posts: 90

Rep: Reputation: 15
Quote:
Originally Posted by Matir
Do note that Samba uses its own password file, so allowing SMB access with no Unix access is quite possible. Username mapping is only necessary when their Unix username and Windows username differ.
Ah, yes, there is still MUCH I do not know. I can only comment based on the working setup I now have. I have Unix names set up so that the user can SSH into the server and run smbclient to access the Samba shares that way. Is it possible for a user to change their own Samba password, or is root (by default) the only user with those kinds of permissions?

~Myles
 
  

