Re: Samba setup question: security setting
On Tue, 31 Dec 2002 07:33:26 -0800 (PST)
Bill Moseley <firstname.lastname@example.org> wrote:
> I've read many Samba HOWTOs but I always have trouble -- and never really
> sure if I have it right.
> On my home LAN I have two Windows machines (Win98 and WinME). Neither is
> set up with passwords -- well nothing that I would call a password. I
> think one machine gives a login prompt but I just hit enter.
> Samba comes configured with user level security which I always have a hard
> time getting set up. I suppose it's my lack of understanding of Windows
> The other day I set up Samba for a friend who's running WinXP, and I
> used "user" level access and (IIRC) used smbpasswd to add a password for
> his account. I think I had to set up an account on Linux that matched the
> username he had on WinXP, too. Frankly, I just messed with it until it
> Anyway, my question is about my home LAN. Since the Windows machines do
> not match users on the Linux box I'm using share level access. But I
> think that's probably insecure. For one thing, I had a share on a directory
> on the Linux machine and when I connected from Windows it asked for the
> password (for that user's directory). I entered the password, asked
> Windows NOT to keep the password, yet now I can always connect to that
> share without a password!
> Is it possible (and is it recommended) to move to security = user on my
> home LAN when the Windows machines don't really have a password? I guess
> what I'm asking is how best to set up Samba and the Windows machines I'm
> running. And, more importantly, why I need to set it up a given way.
> Also, when I followed the instructions for setting up CUPS for printing,
> trying to print from Windows to Linux asked for a password. Password for
> what user??
> This is what I finally set up for my printer to allow access:
> comment = All Printers
> browseable = no
> path = /tmp
> printable = yes
> # change to public
> public = yes
> guest ok = yes
> writable = no
> create mode = 0700
> And why that stinks is that once the Windows machine got a virus and
> was then able to write junk all over that share on the Linux machine.
> Bill Moseley email@example.com
Although I can't help you with internal filtering (I guess this is possible), I would
suggest limiting the allowed IP range to that of your own network (if you haven't
already done this, of course). No external scans will expose your shares then, and
because they don't know they're there, nobody will try to connect to them (since they
don't know their NetBIOS name anyhow).
There is a general option to set this; you can probably find it by just looking through
an example config file (e.g. the standard smb one?).
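
The address restriction suggested above, combined with the move to security = user asked about in the quoted message, as an added smb.conf sketch that is not part of either original message. The LAN range 192.168.1.0/24, the interface name eth0, the user "bill" and the [shared] share with its path are assumptions; the [printers] values are the ones quoted above.

```ini
# Constructed example; addresses, interface, user and share path are assumptions.
[global]
   workgroup = WORKGROUP
# Authenticate per user (accounts added with smbpasswd) instead of per share.
   security = user
   encrypt passwords = yes

# Accept connections only from the home LAN and the local host.
# "192.168.1." is a prefix match covering the assumed 192.168.1.0/24 range.
   hosts allow = 192.168.1. 127.
   hosts deny = 0.0.0.0/0

# Listen only on the LAN-facing interface (assumed eth0) and loopback.
   interfaces = eth0 lo
   bind interfaces only = yes

# Logins with a username Samba does not know fall back to the guest account,
# so the passwordless Win98/WinME machines can still use "guest ok" shares.
   map to guest = Bad User
   guest account = nobody

# Printer section as quoted in the message: guests may print, nothing else.
[printers]
   comment = All Printers
   path = /tmp
   browseable = no
   printable = yes
   guest ok = yes
   writable = no
   create mode = 0700

# Hypothetical file share: guests are refused, and the share is read-only
# except for the one named account in "write list".
[shared]
   path = /srv/samba/shared
   guest ok = no
   valid users = bill
   read only = yes
   write list = bill
```

Running testparm against the edited file reports syntax errors and unknown parameters before smbd is restarted.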