Библиотека сайта rus-linux.net
Using SambaRobert Eckstein, David Collier-Brown, Peter Kelly1st Edition November 1999 1-56592-449-5, Order Number: 4495 416 pages, $34.95 |
4.6 Networking Options with Samba
If you're running Samba on a multi-homed machine (that is, one on multiple subnets), or even if you want to implement a security policy on your own subnet, you should take a close look at the networking configuration options:
For the purposes of this exercise, let's assume that our Samba server is connected to a network with more than one subnet. Specifically, the machine can access both the 192.168.220.* and 134.213.233.* subnets. Here are our additions to the ongoing configuration file for the networking configuration options:
[global] netbios name = HYDRA server string = Samba %v on (%L) workgroup = SIMPLE # Networking configuration options hosts allow = 192.168.220. 134.213.233. localhost hosts deny = 192.168.220.102 interfaces = 192.168.220.100/255.255.255.0 \ 134.213.233.110/255.255.255.0 bind interfaces only = yes [data] path = /home/samba/data guest ok = yes comment = Data Drive volume = Sample-Data-Drive writeable = yesLet's first talk about the
hosts
allow
andhosts
deny
options. If these options sound familiar, you're probably thinking of the hosts.allow and hosts.deny files that are found in the /etc directories of many Unix systems. The purpose of these options is identical to those files; they provide a means of security by allowing or denying the connections of other hosts based on their IP addresses. Why not just use the hosts.allow and hosts.deny files themselves? Because there may be services on the server that you want others to access without giving them access Samba's disk or printer sharesWith the
hosts
allow
option above, we've specified a cropped IP address: 192.168.220. (Note that there is still a third period; it's just missing the fourth number.) This is equivalent to saying: "All hosts on the 192.168.220 subnet." However, we've explicitly specified in a hosts deny line that 192.168.220.102 is not to be allowed access.You might be wondering: why will 192.168.220.102 be denied even though it is still in the subnet matched by the
hosts
allow
option? Here is how Samba sorts out the rules specified byhosts
allow
andhosts
deny
:
If there are no
allow
ordeny
options defined anywhere in smb.conf, Samba will allow connections from any machine allowed by the system itself.If there are
hosts
allow
orhosts
deny
options defined in the[global]
section of smb.conf, they will apply to all shares, even if the shares have an overriding option defined.If there is only a
hosts
allow
option defined for a share, only the hosts listed will be allowed to use the share. All others will be denied.If there is only a
hosts
deny
option defined for a share, any machine which is not on the list will be able to use the share.If both a
hosts
allow
andhosts
deny
option are defined, a host must appear in the allow list and not appear in the deny list (in any form) in order to access the share. Otherwise, the host will not be allowed.WARNING: Take care that you don't explicitly allow a host to access a share, but then deny access to the entire subnet of which the host is part.
Let's look at another example of that final item. Consider the following options:
hosts allow = 111.222. hosts deny = 111.222.333.In this case, only the hosts that belong to the subnet 111.222.*.* will be allowed access to the Samba shares. However, if a client belongs to the 111.222.333.* subnet, it will be denied access, even though it still matches the qualifications outlined by
hosts
allow
. The client must appear on thehosts
allow
list and must not appear on thehosts
deny
list in order to gain access to a Samba share. If a computer attempts to access a share to which it is not allowed access, it will receive an error message.The other two options that we've specified are the
interfaces
and thebind
interface
only
address. Let's look at theinterfaces
option first. Samba, by default, sends data only from the primary network interface, which in our example is the 192.168.220.100 subnet. If we would like it to send data to more than that one interface, we need to specify the complete list with theinterfaces
option. In the previous example, we've bound Samba to interface with both subnets (192.168.220 and 134.213.233) on which the machine is operating by specifying the other network interface address: 134.213.233.100. If you have more than one interface on your computer, you should always set this option as there is no guarantee that the primary interface that Samba chooses will be the right one.Finally, the
bind
interfaces
only
option instructs the nmbd process not to accept any broadcast messages other than those subnets specified with theinterfaces
option. Note that this is different from thehosts
allow
andhosts
deny
options, which prevent machines from making connections to services, but not from receiving broadcast messages. Using thebind
interfaces
only
option is a way to shut out even datagrams from foreign subnets from being received by the Samba server. In addition, it instructs the smbd process to bind to only the interface list given by the interfaces option. This restricts the networks that Samba will serve.4.6.1 Networking Options
The networking options we introduced above are summarized in Table 4.5.
Table 4.5: Networking Configuration Options Option
Parameters
Function
Default
Scope
hosts allow (allow hosts)
string (list of hostnames)
Specifies the machines that can connect to Samba.
none
Share
hosts deny (deny hosts)
string (list of hostnames)
Specifies the machines that cannot connect to Samba.
none
Share
interfaces
string (list of IP/netmask combinations)
Sets the network interfaces Samba will respond to. Allows correcting defaults.
system-dependent
Global
bind
interfaces only
boolean
If set to
yes
, Samba will bind only to those interfaces specified by theinterfaces
option.
no
Global
socket
address
string (IP address)
Sets IP address to listen on, for use with multiple virtual interfaces on a server.
none
Global
4.6.1.1 hosts allow
The
hosts
allow
option (sometimes written asallow
hosts
) specifies the machines that have permission to access shares on the Samba server, written as a comma- or space-separated list of names of machines or their IP addresses. You can gain quite a bit of security by simply placing your LAN's subnet address in this option. For example, we specified the following in our example:hosts allow = 192.168.220. localhostNote that we placed
localhost
after the subnet address. One of the most common mistakes when attempting to use thehosts
allow
option is to accidentally disallow the Samba server from communicating with itself. The smbpasswd program will occasionally need to connect to the Samba server as a client in order to change a user's encrypted password. In addition, local browsing propagation requires local host access. If this option is enabled and the localhost address is not specified, the locally-generated packets requesting the change of the encrypted password will be discarded by Samba, and browsing propagation will not work properly. To avoid this, explicitly allow the loopback address (eitherlocalhost
or127.0.0.1
) to be used.[3][3] Starting with Samba 2.0.5,
localhost
will automatically be allowed unless it is explicitly denied.You can specify any of the following formats for this option:
Domain names, which can be differentiated from individual hostnames because they start with a dot. For example,
.ora.com
represents all machines within the ora.com domain.Netgroups, which start with an at-sign, such as
@printerhosts
. Netgroups are available on systems running yellow pages/NIS or NIS+, but rarely otherwise. If netgroups are supported on your system, there should be anetgroups
manual page that describes them in more detail.Subnets, which end with a dot. For example,
130.63.9.
means all the machines whose IP addresses begin with 130.63.9.The keyword
EXCEPT
followed by more one or more names, IP addresses, domain names, netgroups, or subnets. For example, you could specify that Samba allow all hosts except those on the 192.168.110 subnet withhosts
allow
=
ALL
EXCEPT
192.168.110.
(remember the trailing dot).Using the
ALL
keyword is almost always a bad idea, since it means that anyone on any network can browse your files if they guess the name of your server.Note that there is no default value for the
hosts
allow
configuration option, although the default course of action in the event that neither option is specified is to allow access from all sources. In addition, if you specify this option in the[global]
section of the configuration file, it will override anyhosts
allow
options defined shares.4.6.1.2 hosts deny
The
hosts
deny
option (alsodeny
hosts
) specifies machines that do not have permission to access a share, written as a comma- or space-separated list of machine names or their IP addresses. Use the same format as specifying clients as thehosts
allow
option above. For example, to restrict access to the server from everywhere but example.com, you could write:hosts deny = ALL EXCEPT .example.comLike
hosts
allow
, there is no default value for thehosts
deny
configuration option, although the default course of action in the event that neither option is specified is to allow access from all sources. Also, if you specify this option in the[global]
section of the configuration file, it will override anyhosts
deny
options defined in shares. If you wish to deny hosts access to specific shares, omit both thehosts
allow
andhosts
deny
options in the[global]
section of the configuration file.4.6.1.3 interfaces
The
interfaces
option outlines the network addresses to which you want the Samba server to recognize and respond. This option is handy if you have a computer that resides on more than one network subnet. If this option is not set, Samba searches for the primary network interface of the server (typically the first Ethernet card) upon startup and configures itself to operate on only that subnet. If the server is configured for more than one subnet and you do not specify this option, Samba will only work on the first subnet it encounters. You must use this option to force Samba to serve the other subnets on your network.The value of this option is one or more sets of IP address/netmask pairs, such as the following:
interfaces = 192.168.220.100/255.255.255.0 192.168.210.30/255.255.255.0You can optionally specify a CIDR format bitmask, as follows:
interfaces = 192.168.220.100/24 192.168.210.30/24The bitmask number specifies the first number of bits that will be turned on in the netmask. For example, the number 24 means that the first 24 (of 32) bits will be activated in the bit mask, which is the same as saying 255.255.255.0. Likewise, 16 would be equal to 255.255.0.0, and 8 would be equal to 255.0.0.0.
This option may not work correctly if you are using DHCP.
4.6.1.4 bind interfaces only
The
bind
interfaces
only
option can be used to force the smbd and nmbd processes to serve SMB requests to only those addresses specified by theinterfaces
option. The nmbd process normally binds to the all addresses interface (0.0.0.0.) on ports 137 and 138, allowing it to receive broadcasts from anywhere. However, you can override this behavior with the following:bind interfaces only = yesThis will cause both Samba processes to ignore any packets whose origination address does not match the broadcast address(es) specified by the
interfaces
option, including broadcast packets. With smbd, this option will cause Samba to not serve file requests to subnets other than those listed in theinterfaces
option. You should avoid using this option if you want to allow temporary network connections, such as those created through SLIP or PPP. It's very rare that this option is needed, and it should only be used by experts.If you set
bind interfaces only
toyes
, you should add the localhost address (127.0.01) to the "interfaces" list. Otherwise, smbpasswd will be unable to connect to the server using its default mode in order to change a password.4.6.1.5 socket address
The
socket
address
option dictates which of the addresses specified with theinterfaces
parameter Samba should listen on for connections. Samba accepts connections on all addresses specified by default. When used in an smb.conf file, this option will force Samba to listen on only one IP address. For example:interfaces = 192.168.220.100/24 192.168.210.30/24 socket address = 192.168.210.30This option is a programmer's tool and we recommend that you do not use it.
International | About O'Reilly | Affiliated Companies
© 1999, O'Reilly & Associates, Inc.