Samba Server   «Prev  Next»

Lesson 6Securing a Samba Server
ObjectiveSecure a Samba Server.

Securing a Samba Server

Samba has several security mechanisms that you might want to use. These mechanisms allow you to specify which hosts have access to your shares and how Samba transmits passwords from SMB clients.

Host-based access control

Samba provides a mechanism for host-based access control. Using this facility, you can select hosts (either by IP or hostname) or networks to which to grant or deny access.
Specify this option, either globally or on a per-share basis, with the hosts keyword. This keyword takes one of two parameters: allow or deny. You can set the value to any of the following, separating multiple entries with whitespace:
  1. A specific host, for example, station1, station1.mycompany.com, or 192.168.0.1
  2. A DNS domain matching rule, for example, .mycompany.com
  3. An IP address matching rule, for example, 192.168.0
  4. A network/netmask pair, for example, 192.168.0.1/255.255.255.0
  5. Special keywords, for example, EXCEPT and ALL
For example, a configuration for a local area network, with IP addresses ranging from 192.168.0.1 through 192.168.0.254 and 192.168.1.1 through 192.168.1.254, might secure Samba with:

[global] hosts allow = 192.168.0. 192.168.1.

Password validation

Samba supports several methods for validating user passwords, configurable with the security keyword. The method you configure depends on how you intend to integrate your Samba server with the rest of your network.
For most installations, the default configuration security = user is acceptable. This setting requires that the Samba server have a user entry and password that matches the user name trying to the access the share.
The security = share setting is common when you wish to provide a common service to a group of trusted users with a single password. This setting requires connecting users to provide the share password before they can access the service.
The two remaining methods, security = server and security = domain, instruct Samba to use an Windows server to validate passwords. If the value is domain, the Samba server will act as part of the configured Windows domain. Otherwise, Samba will act as part of the configured workgroup.
  1. Windows domain: A more organized form of Windows workgroup.
  2. Workgroup: In Windows terminology, a group of computers acting as part of a cohesive working unit that can share resources allocated to that workgroup.
Some versions of Windows require you to set securing_a.sbspecial configurations to be compatible with the Samba default encryption scheme.
Roll your mouse over the lines of code below to investigate Samba security settings.

This marks the start of the global configuration section
This marks the start of the global configuration section

Samba Security Settings
In the next lesson, you will learn about Mars.