
There are two security levels available to the Common Internet Filesystem (CIFS) network protocol user-level and share-level. Samba's security mode implementation allows more flexibility, providing four ways of implementing user-level security and one way to implement share-level:
security = user: requires clients to supply a username and password to connect to shares. Samba user accounts are separate from system accounts, but the libpam-smbpass package will sync system users and passwords with the Samba user database.
security = domain: this mode allows the Samba server to appear to Windows™ clients as a Primary Domain Controller (PDC), Backup Domain Controller (BDC), or a Domain Member Server (DMS). See the section called “Samba als Domänen-Contoller” for further information.
security = ADS: allows the Samba server to join an Active Directory™ domain as a native member. See the section called “Einbinden eines Samba-Active-Directories” for details.
security = server: this mode is left over from before Samba could become a member server, and, due to some security issues, should not be used. See the Server Types and Security Modes section of the Samba guide for more details.
security = share: Erlaubt es Clients, sich ohne die Angabe eines Benutzernamens oder eines Passwortes mit einer Freigabe zu verbinden.
The preferred security mode depends on the environment and what the Samba server needs to accomplish.
This section will reconfigure the Samba file and print server, from the section called “Samba-Datei–Server” and the Print Server, to require authentication.
First, install the libpam-smbpass package, which will sync the system users to the Samba user database:
sudo apt-get install libpam-smbpass
Note
If the Samba Server task was chosen during installation, libpam-smbpass is already installed.
Edit /etc/samba/smb.conf
, and in the [share] section change:
guest ok = no
Finally, restart Samba for the new settings to take effect:
sudo /etc/init.d/samba restart
Wenn Sie sich jetzt mit freigegebenen Verzeichnissen oder Druckern verbinden, wird nach Benutzername und Passwort gefragt.
Note
Um ein Netzlaufwerk in die Freigabe einzubinden, sollte “Verbinden beim Anmelden” ausgewählt werden, was es erfordert, den Benutzernamen und das Passwort zumindest einmalig einzugeben — zumindest bis das Passwort sich ändert.
Es stehen verschiedene Optionen zur Erhöhung der Sicherheit für jedes freigegebene Verzeichnis zur Verfügung. Dieser Abschnitt wird mit dem Beispiel [Freigabe] einige häufig verwendete Optionen behandeln.
Gruppen definieren eine Ansammlung von Rechnern oder Benutzern, die eine gemeinsame Stufe von Zugriffsrechten auf bestimmte Netzwerkresourcen haben und einen bestimmten Stand bzgl. Granularität in der Zugriffskontrolle zu solchen Resourcen anbieten. Wenn beispielsweise eine Gruppe qa definiert ist, die die Benutzer freda, danika und rob beinhaltet und eine zweite Gruppe namens support definiert ist, die aus den Benutzern danika, jeremy und vincent besteht, dann werden bestimmte Netzwerkresourcen, die so konfiguriert sind, dass sie der Gruppe qa Zugriff gewähren, im Weiteren auch den Benutzern freda, danika und rob Zugriff gewähren, aber nicht den Benutzern jeremy oder vincent. Da der Benutzer danika zu beiden Gruppen gehört, wird er auch Zugriff auf Resourcen haben, die für beide Gruppen konfiguriert wurden, während die anderen Benutzer nur Zugriff auf Resourcen haben, die explizit für die Gruppe, in der sie Mitglied sind, Zugriff erlauben.
By default, Samba looks for the local system groups defined in /etc/group
to determine which users belong to which groups. For more information on adding and removing users from groups, see Basics.
When defining groups in the Samba configuration file, /etc/samba/smb.conf
, the recognized syntax is to preface the group name with an "@" symbol. For example, to define a group named sysadmin in a certain section of the /etc/samba/smb.conf
, the group name would be entered as @sysadmin.
File permissions define the explicit rights a computer or user has to a particular directory, file, or set of files. Such permissions may be defined by editing the /etc/samba/smb.conf
file and specifying the explicit permissions of a defined file share.
For example, for a defined Samba share called share and the need to give read-only permissions to the group of users known as qa, while allowing write permissions to the share by the group called sysadmin and the user named vincent, then the /etc/samba/smb.conf
file could be edited to add the following entries under the [share] entry:
read list = @qa write list = @sysadmin, vincent
Another possible Samba permission is to declare administrative permissions to a particular shared resource. Users having administrative permissions may read, write, or modify any information contained in the resource where they have been given explicit administrative permissions.
For example, to give the user melissa administrative permissions to the share example, the /etc/samba/smb.conf
file would be edited to add the following line under the [share] entry:
admin users = melissa
After editing /etc/samba/smb.conf
, restart Samba for the changes to take effect:
sudo /etc/init.d/samba restart
Note
For the read list and write list to work, the Samba security mode must not be set to security = share.
Now that Samba has been configured to limit which groups have access to the shared directory, the filesystem permissions need to be updated.
Traditional Linux™ file permissions do not map well to Windows NT™ Access Control Lists (ACLs). Fortunately POSIX ACLs are available on Kubuntu™ servers providing more fine-grained control. For example, to enable ACLs on srv
an ext3
filesystem, edit /etc/fstab
and add the ACL option:
UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv ext3 noatime,relatime,acl 0 1
Danach hängen Sie die Partition wieder ein:
sudo mount -v -o remount /srv
Note
The above example assumes srv
is on a separate partition. If srv
— or wherever the share path is configured — is part of the /
partition, a reboot may be required.
To match the Samba configuration above, the sysadmin group will be given read, write, and execute permissions to /srv/samba/share
, the qa group will be given read and execute permissions, and the files will be owned by the username melissa. Enter the following in a terminal:
sudo chown -R melissa /srv/samba/share/ sudo chgrp -R sysadmin /srv/samba/share/ sudo setfacl -R -m g:qa:rx /srv/samba/share/
Note
The setfacl command above gives execute permissions to all files in the /srv/samba/share
directory, which may or may not be desirable.
A Windows™ client will show that the new file permissions are implemented. See the ACL and setfacl man pages for more information on POSIX ACLs.
Kubuntu™ comes with the AppArmor security module, which provides mandatory access controls. The default AppArmor profile for Samba will need to be adapted to the proper configuration. For more details on using AppArmor, please refer to the official Ubuntu™ documentation.
There are default AppArmor profiles for /usr/sbin/smbd
and /usr/sbin/nmbd
, the Samba daemon binaries, as part of the apparmor-profiles packages. To install the package from a terminal prompt, enter:
sudo apt-get install apparmor-profiles
Note
Das Paket enthält noch Profile für viele weitere Binärdateien.
By default, the profiles for smbd and nmbd are in complain mode, allowing Samba to work without modifying the profile, and only logging errors. To place the smbd profile into enforce mode and have Samba work as expected, the profile will need to be modified to reflect any directories that are shared.
Edit /etc/apparmor.d/usr.sbin.smbd
, adding information for [share] from the file server example:
/srv/samba/share/ r, /srv/samba/share/** rwkix,
Versetzen Sie nun das Profil in den enforce-Modus und laden Sie es neu:
sudo aa-enforce /usr/sbin/smbd cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r
It is now possible to read, write, and execute files in the shared directory as normal, and the smbd binary will have access to only the configured files and directories. Be sure to add entries for each directory that Samba is configured to share. Any errors will be logged to /var/log/syslog
.
For in-depth Samba configurations, see the Samba HOWTO and Reference Guide.
The guide is also available in printed format.
O'Reilly's Using Samba, 3rd Edition is also a good reference.
Chapter 18 of the Samba HOWTO and Reference Guide is devoted to security.
For more information on Samba and ACLs, see the Samba File, Directory, and Share Access Controls page.