
There are two security levels available to the Common Internet Filesystem (CIFS) network protocol: user-level and share-level. Samba's security mode implementation allows more flexibility, providing four ways of implementing user-level security and one way to implement share-level:
security = user: requires clients to supply a username and password to connect to shares. Samba user accounts are separate from system accounts, but the libpam-smbpass package will sync the system users and passwords with the Samba user database.
security = domain: this mode allows the Samba server to appear to Windows clients as a Primary Domain Controller (PDC), Backup Domain Controller (BDC), or a Domain Member Server (DMS). See the section called "Samba as a Domain Controller" for more information.
security = ADS: allows the Samba server to join an Active Directory domain as a native member. See the section called "Samba Active Directory Integration" for details.
security = server: this mode is left over from before Samba could become a member server, and, due to some security issues, should not be used; it was removed in Samba 4.0. See the Server Security section of the Samba guide for more details.
security = share: allows clients to connect to shares without supplying a username and password. This mode was also removed in Samba 4.0.
The security mode you choose depends on your environment and on what you need the Samba server to do.
This section will reconfigure the Samba file and print server, from the section called "Samba File Server" and the Print Server, to require authentication.
First, install the libpam-smbpass package, which will sync the system users to the Samba user database:
sudo apt-get install libpam-smbpass
Newer Samba releases no longer ship pam_smbpass, so the package is absent on recent systems; there, add each user to the Samba database explicitly with sudo smbpasswd -a username.
Note
If the Samba Server task was selected during installation, libpam-smbpass is already installed.
Edit /etc/samba/smb.conf and change the following in the [share] section:
guest ok = no
Finally, restart Samba for the new settings to take effect:
sudo /etc/init.d/samba restart
Now when connecting to the shared directories or printers you will be prompted for a username and password.
Note
If you choose to map a network drive to the share, check the "Reconnect at Logon" box; the username and password then need to be entered only once, at least until the password changes.
There are several options available to increase the security for each individual shared directory. Using the [share] example, this section will cover some common options.
Groups define a collection of computers or users which have a common level of access to particular network resources and offer a level of granularity in controlling access to such resources. For example, if a group qa is defined and contains the users freda, danika, and rob and a second group support is defined and consists of users danika, jeremy, and vincent, then certain network resources configured to allow access by the qa group will subsequently enable access by freda, danika, and rob, but not jeremy or vincent. Since the user danika belongs to both the qa and support groups, she will be able to access resources configured for access by both groups, whereas all other users will have only access to resources explicitly allowing the group they are part of.
By default, Samba looks at the local system groups defined in /etc/group to determine which users belong to which groups. For more information on adding and removing users see Basics.
When defining groups in the Samba configuration file, /etc/samba/smb.conf, the recognized syntax is to preface the group name with an "@" symbol. For example, to define a group named sysadmin in a certain section of /etc/samba/smb.conf, the group name would be entered as @sysadmin.
File Permissions define the explicit rights a computer or user has to a particular directory, file, or set of files. Such permissions may be defined by editing the /etc/samba/smb.conf file and specifying the explicit permissions of a defined file share.
For example, for a defined Samba share called share and the need to give read-only permissions to the group of users known as qa, while allowing write permissions to the share by the group called sysadmin and the user named vincent, the /etc/samba/smb.conf file could be edited to add the following entries under the [share] entry:
read list = @qa
write list = @sysadmin, vincent
Another possible Samba permission is to declare administrative permissions to a particular shared resource. Users having administrative permissions may read, write, or modify any information contained in the resource where the user has been given explicit administrative permissions. Samba performs such a user's file operations on that share as root, so grant this sparingly.
For example, to give the user melissa administrative permissions to the example share, the /etc/samba/smb.conf file would be edited to add the following line under the [share] entry:
admin users = melissa
After editing /etc/samba/smb.conf, restart Samba for the changes to take effect:
sudo /etc/init.d/samba restart
Note
For the read list and write list to work, the Samba security mode must not be set to security = share.
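As an added example (not part of the original guide or the Samba project), the POSIX shell script below audits the access settings of every share in an smb.conf the way a reviewer would before restarting Samba: it reports the global security mode, flags shares with guest ok = yes, warns where read list, write list or admin users name a group or user that is missing from the group or passwd file it is given (a misspelled entry silently denies access, or grants nothing), and calls out admin users, since Samba performs their file operations as root. The smb.conf, group and passwd files are constructed inline for the demonstration, and the group file deliberately lacks the sysadmin group so the check has something to find; on a live system pass /etc/samba/smb.conf /etc/group /etc/passwd instead.

```shell
#!/bin/sh
# Added example: audit share access settings in an smb.conf. Not from the
# Samba project or the original guide. The sample files below are constructed.
set -eu

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user

[share]
   comment = File Server Share
   path = /srv/samba/share
   guest ok = no
   read list = @qa
   write list = @sysadmin, vincent
   admin users = melissa

[public]
   path = /srv/samba/public
   guest ok = yes
EOF

# Constructed group and passwd files; the "sysadmin" group is deliberately missing.
cat > "$TMP/group" <<'EOF'
qa:x:1001:freda,danika,rob
support:x:1002:danika,jeremy,vincent
EOF
cat > "$TMP/passwd" <<'EOF'
melissa:x:1003:1003::/home/melissa:/bin/sh
vincent:x:1004:1004::/home/vincent:/bin/sh
EOF

# smb_security_mode SMBCONF: print the [global] security mode ("user" when unset,
# which is Samba's default).
smb_security_mode() {
    awk -F= '
    function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
    /^[[:space:]]*\[/ { section = tolower(trim($0)); next }
    section == "[global]" && tolower(trim($1)) == "security" { mode = tolower(trim($2)) }
    END { print (mode == "" ? "user" : mode) }
    ' "$1"
}

# audit_shares SMBCONF GROUPFILE PASSWDFILE: for each non-global share report
# guest access, unknown names in the access lists, and admin users.
audit_shares() {
    awk -F= -v groups="$2" -v users="$3" '
    function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
    function check_list(share, key, value,    n, i, names, name) {
        n = split(value, names, ",")
        for (i = 1; i <= n; i++) {
            name = trim(names[i])
            if (name ~ /^@/) {
                if (!(substr(name, 2) in known_group))
                    printf "%s: %s references unknown group %s\n", share, key, name
            } else if (!(name in known_user)) {
                printf "%s: %s references unknown user %s\n", share, key, name
            }
        }
    }
    BEGIN {
        while ((getline line < groups) > 0) { split(line, f, ":"); known_group[f[1]] = 1 }
        while ((getline line < users) > 0)  { split(line, f, ":"); known_user[f[1]] = 1 }
    }
    /^[[:space:]]*[#;]/ || NF == 0 { next }                 # comments and blank lines
    /^[[:space:]]*\[/ { share = trim($0); gsub(/\[|\]/, "", share); next }
    share == "" || tolower(share) == "global" { next }
    {
        key = tolower(trim($1))
        value = trim(substr($0, index($0, "=") + 1))
        if (key == "guest ok" && tolower(value) == "yes")
            printf "%s: guest access enabled\n", share
        if (key == "read list" || key == "write list" || key == "admin users")
            check_list(share, key, value)
        if (key == "admin users")
            printf "%s: admin users operate as root: %s\n", share, value
    }
    ' "$1"
}

smb_security_mode "$TMP/smb.conf"                        # user
audit_shares "$TMP/smb.conf" "$TMP/group" "$TMP/passwd"  # three findings
```

The findings are plain lines so the script can be dropped into a pre-restart check (for example, fail the deploy if any line mentions "unknown" or "guest access enabled" on a share that is meant to be private). Run testparm as well; it validates syntax, which this script does not.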
Now that Samba has been configured to limit which groups have access to the shared directory, the filesystem permissions need to be updated.
Traditional Linux file permissions do not map well to Windows NT Access Control Lists (ACLs). Fortunately POSIX ACLs are available on Kubuntu servers, providing more fine-grained control. For example, to enable ACLs on /srv, an EXT3 filesystem, edit /etc/fstab adding the acl option:
UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv ext3 noatime,relatime,acl 0 1
Then remount the partition:
sudo mount -v -o remount /srv
Note
The above example assumes /srv is on a separate partition. If /srv, or wherever the share path is configured, is part of the / partition, a reboot may be required.
To match the Samba configuration above, the sysadmin group will be given read, write, and execute permissions to /srv/samba/share, the qa group will be given read and execute permissions, and the files will be owned by the username melissa. Enter the following in a terminal:
sudo chown -R melissa /srv/samba/share/
sudo chgrp -R sysadmin /srv/samba/share/
sudo setfacl -R -m g:qa:rx /srv/samba/share/
These commands set the owner, the owning group and the qa ACL entry; whether the sysadmin group can actually write still depends on the group bits of the existing mode, so verify the result with getfacl /srv/samba/share and adjust with chmod if needed.
Note
The setfacl command above gives execute permissions to all files in the /srv/samba/share directory, which may or may not be desirable. Using a capital X instead (g:qa:rX) grants execute only on directories and on files that already have it.
The Windows client should now show that the new file permissions are in effect. See the acl and setfacl man pages for more information on POSIX ACLs.
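As an added check (not from the original guide), the shell function below answers the question the fstab step raises, namely whether the filesystem under a share path actually has POSIX ACLs enabled: it finds the longest matching mount point in a /proc/mounts-style table and inspects its options. One caveat it has to model: on ext2/ext3/ext4 the acl option is often a superblock default (set by mke2fs from /etc/mke2fs.conf) rather than an explicit mount option, in which case /proc/mounts does not list acl at all; the function reports that as "default" and leaves confirmation to tune2fs -l DEVICE (look at Default mount options) or simply to running setfacl on a test file. Filesystems such as xfs, btrfs or tmpfs, which support ACLs without an option, are reported as "unknown". The mounts table is constructed inline for the demonstration; omit the second argument to read the real /proc/mounts.

```shell
#!/bin/sh
# Added example: report whether POSIX ACLs are enabled on the filesystem
# backing a path. Not from the Samba project or the original guide.
set -eu

# Constructed /proc/mounts-style table for the demonstration.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /srv ext3 rw,noatime,acl 0 0
/dev/sdb1 /mnt/backup vfat rw,nosuid,nodev,uid=1000 0 0
EOF

# acl_state PATH [MOUNTS]: prints one of
#   yes     - "acl" is among the mount options
#   no      - "noacl" is set explicitly
#   default - ext2/3/4 with neither: decided by the superblock default mount
#             options, so confirm with "tune2fs -l DEVICE | grep 'Default mount'"
#   unknown - other filesystem types (xfs, btrfs, tmpfs, vfat, ...)
# Exits 1 if no mount point covers the path.
acl_state() {
    awk -v p="$1" '
    {
        mp = $2
        # keep the longest mount point that is "/" or a directory prefix of the path
        if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) > length(best)) {
            best = mp; fstype = $3; opts = $4
        }
    }
    END {
        if (best == "") { print "unknown"; exit 1 }
        if (opts ~ /(^|,)noacl(,|$)/) print "no"
        else if (opts ~ /(^|,)acl(,|$)/) print "yes"
        else if (fstype ~ /^ext[234]$/) print "default"
        else print "unknown"
    }' "${2:-/proc/mounts}"
}

acl_state /srv/samba/share "$TMP/mounts"   # yes: explicit acl on /srv
acl_state /home/melissa "$TMP/mounts"      # default: ext4 root, no explicit option
acl_state /mnt/backup/x "$TMP/mounts"      # unknown: vfat
```

The prefix test deliberately requires a "/" after the mount point, so a share under /srvfoo is matched to / rather than to /srv; that is the boundary mistake a naive string-prefix check would make.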
Kubuntu comes with the AppArmor security module, which provides mandatory access controls. The default AppArmor profile for Samba will need to be adapted to the proper configuration. For more details on using AppArmor, please refer to the wiki.
There are default AppArmor profiles for /usr/sbin/smbd and /usr/sbin/nmbd, the Samba daemon binaries, as part of the apparmor-profiles package. To install the package, from a terminal prompt, enter:
sudo apt-get install apparmor-profiles
Note
This package contains profiles for several other binaries.
By default the profiles for smbd and nmbd are in complain mode, allowing Samba to work without modifying the profile, and only logging errors. To place the smbd profile into enforce mode, and have Samba work as expected, the profile will need to be modified to reflect any directories that are shared.
Edit /etc/apparmor.d/usr.sbin.smbd, adding information for [share] from the file server example:
/srv/samba/share/ r,
/srv/samba/share/** rwkix,
Now place the profile into enforce mode and reload it:
sudo aa-enforce /usr/sbin/smbd
cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r
It is now possible to read, write, and execute files in the shared directory as normal, and the smbd binary will have access to only the configured files and directories. Be sure to add entries for each directory that Samba is configured to share. Any errors will be logged to /var/log/syslog.
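Adding an entry for every shared directory by hand is easy to get wrong, so here is an added helper (not from the original guide, nor from the Samba or AppArmor projects) that reads the path = lines of an smb.conf and emits the pair of rules shown above for each share, ready to paste inside the /usr/sbin/smbd { ... } block of /etc/apparmor.d/usr.sbin.smbd. It refuses to emit rules for a share rooted at /, because /** rwkix would make the profile meaningless, and reports that share on stderr instead. The smb.conf is constructed inline; on a live system run it against /etc/samba/smb.conf, reload with apparmor_parser -r, and watch /var/log/syslog for DENIED entries.

```shell
#!/bin/sh
# Added example: generate AppArmor rules for every smb.conf share path.
# Not from the Samba or AppArmor projects, nor from the original guide.
set -eu

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
# Constructed smb.conf for the demonstration.
cat > "$TMP/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user

[share]
   path = /srv/samba/share/
   read list = @qa
   write list = @sysadmin, vincent

[printers]
   path = /var/spool/samba
   printable = yes

[everything]
   path = /
EOF

# apparmor_share_rules SMBCONF: print "<path>/ r," and "<path>/** rwkix," for
# each share path; shares rooted at / are reported on stderr and skipped.
apparmor_share_rules() {
    awk -F= '
    function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
    /^[[:space:]]*[#;]/ || NF == 0 { next }                 # comments and blank lines
    /^[[:space:]]*\[/ { share = trim($0); gsub(/\[|\]/, "", share); next }
    tolower(trim($1)) == "path" {
        path = trim(substr($0, index($0, "=") + 1))
        sub(/\/+$/, "", path)                               # drop trailing slashes
        if (path == "") {
            printf "share [%s] is rooted at /, refusing to emit a rule\n", share > "/dev/stderr"
            next
        }
        printf "  %s/ r,\n  %s/** rwkix,\n", path, path
    }
    ' "$1"
}

apparmor_share_rules "$TMP/smb.conf"
```

Review the generated lines before pasting them: a share whose path sits under /etc or /home grants smbd write access there, which is exactly what the enforce-mode profile is meant to limit.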
For in-depth Samba configurations, see the Samba HOWTO Collection.
The guide is also available in printed format.
O'Reilly's Using Samba is also a good reference.
Chapter 18 of the Samba HOWTO Collection is devoted to security.
For more information on Samba and ACLs, see the Samba ACLs page.