Modification in Samba Server – Mixing User and Share Level Security

As you know, Samba is used to share a Linux machine so that it is visible when accessed from a Windows machine (CMIIW), making Linux a good file server in a mixed network environment. As a file server, though, we cannot just give everyone access to “see and access” every folder on it. I bet you still want to have some privacy for yourself.

Authentication in Samba comes in several forms, but the focus here is on mixing share-level and user-level security. In user level, the user must supply credentials BEFORE they can “see and access” the files available in a share. In share level, the user can see all the files, but must supply credentials to access them (each file or folder has a different password). What we want is user-level security on the Samba server, with Windows clients still able to see the list of shares on the server without authenticating, as on a share-level server.

The aim of this article is to give different levels of access to files and folders, so that in the list of available shares not all are password protected (public share), some are password protected, and some are even hidden. You make these settings in smb.conf (in /etc/samba).

Here are the settings:

  1. Log in as root, or use su.
  2. In Konsole, type:
    – smbpasswd -a nobody (press Enter for the password, in other words null)
    – smbpasswd -n nobody (to enable the null password)
    – smbpasswd -e nobody (to enable the account)
  3. Open smb.conf in /etc/samba with any text editor and match your [global] section to the one below (remember to make a backup copy of your original smb.conf first :D). Comments are kept on their own lines, because smb.conf only treats a line as a comment when it begins with # or ; and anything written after a value becomes part of that value.

    [global]
    workgroup = your windows workgroup
    name resolve order = bcast lmhosts wins host
    # quotes included
    server string = "your server name"
    null passwords = yes
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    log file = /var/log/samba/log.%m
    syslog = 0
    username map = /etc/samba/smbusers
    passdb backend = tdbsam
    obey pam restrictions = yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    domain master = no
    preferred master = yes
    os level = 65
    usershare allow guests = Yes
    usershare max shares = 100
    usershare owner only = False
    invalid users = root
    # this is the trick
    guest account = nobody
    # use user level, not share
    security = user

  4. The trick here is that Samba uses a default guest user, and guest is mapped to nobody, which needs no password to see and access the file server. With map to guest = Bad User, a client that connects with a user name Samba does not know is automatically brought in as the guest.
  5. For the public folder, which needs no authentication, use:

    # This is for the public folder (read and write)
    [Public]
    comment = Public Share Directory
    path = /home/user/share
    read only = no
    browseable = yes
    public = yes
    writable = yes
    guest ok = yes

  6. For the folders that you want to limit by requiring credentials, use:

    [Limited1]
    comment = Limited Data 1
    path = /home/user/data1/
    create mask = 0777
    directory mask = 0775
    valid users = user1,user2

    [Limited2]
    comment = Limited Data 2
    path = /home/user/data2/
    create mask = 0777
    directory mask = 0775
    valid users = user2,user3

  7. This means Limited Data 1 can only be accessed by user1 and user2, while Limited Data 2 can only be accessed by user2 and user3.
  8. For a folder that you want to hide so that it is not even visible, use:

    [Private]
    comment = Private
    path = /home/user/private
    browseable = no
    public = no
    writable = yes
    printable = no
    create mask = 0777
    directory mask = 0775
    valid users = user1,user2,user3

  9. This makes the data invisible in the share list: to access it you need to know the directory, and only user1, user2 and user3 can access it. Note that browseable = no only hides the share from the list; it is the valid users line that restricts access.
  10. After making all the adjustments to the old smb.conf, create the users we need (user1, user2, user3) as accounts on the machine. On openSUSE you can use YaST to add users named user1, user2 and user3. Then, in Konsole as root, type:

    smbpasswd -a user1 (give a password)
    smbpasswd -e user1

    Repeat this for the other users.
  11. Check the settings before restarting, by typing:

    pdbedit -Lw    # like debugging; it also shows the active users in Samba

  12. After that, in Konsole again, restart the Samba services by typing:

    rcnmb restart
    rcsmb restart

  13. After that you can test it.
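
The access tiers set up above can be checked mechanically. The Python sketch below is an added example, not part of the original article: it reads smb.conf text, reports whether each share is open to guests or limited to listed users, and flags a trailing # comment on a parameter line, a hidden share that guests can still open, and a create mask with the world-write bit set. The sample configuration is constructed from the share definitions above; the [Hidden] share and the function names are hypothetical.

```python
# Constructed sample modelled on the shares above; [Hidden] is hypothetical.
SAMPLE = """\
[global]
    security = user
    guest account = nobody #this is the trick
[Public]
    public = yes
[Limited1]
    create mask = 0777
    valid users = user1,user2
[Private]
    browseable = no
    valid users = user1,user2,user3
[Hidden]
    browseable = no
    guest ok = yes
"""
YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Sections and 'key = value' lines; only full-line # or ; are comments."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """Return {section: (tier, warnings)}; tier is None for [global]."""
    report = {}
    for name, p in conf.items():
        warn = [f"'{k}' value contains '#': smb.conf has no inline comments"
                for k, v in p.items() if "#" in v]
        guest = p.get("guest ok", p.get("public", "no")).lower() in YES
        hidden = p.get("browseable", "yes").lower() not in YES
        tier = "guest" if guest else (
            "listed-users" if "valid users" in p else "any-authenticated-user")
        if hidden and guest:
            warn.append("hidden from browse list but open to guests")
        # Samba's default create mask is 0744; flag the world-write bit.
        if int((p.get("create mask") or "0744").split()[0], 8) & 0o002:
            warn.append("create mask permits world-writable files")
        report[name] = (None if name == "global" else tier, warn)
    return report
```

To audit a live configuration, pass the contents of /etc/samba/smb.conf to parse_smb_conf() and print the result of audit().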

Well, good luck to anyone who tries this. I made some minor modifications from the original source.

