
There are two security levels available in the Common Internet Filesystem (CIFS) network protocol: user-level and share-level. Samba's implementation of security modes allows more flexibility by providing four ways of implementing user-level security and one way of implementing share-level security:
security = user: requires clients to enter a username and password to connect to a share. Samba user accounts are separate from system accounts, but the libpam-smbpass package can synchronize the system users and passwords with the Samba user database.
security = domain: this mode allows the Samba server to appear to Windows clients as a Primary Domain Controller (PDC), Backup Domain Controller (BDC), or a Domain Member Server (DMS). See the section called “Samba as a Domain Controller” for further information.
security = ADS: allows the Samba server to join an Active Directory domain as a native member. See the section called “Samba Active Directory Integration” for details.
security = server: this mode is left over from before Samba could become a member server and, due to some security issues, should not be used. See the Server Security section of the Samba guide for more details.
security = share: allows clients to connect to shares without supplying a username and password.
The preferred security mode depends on the environment and what the Samba server needs to accomplish.
This section will reconfigure the Samba file and print server, from the section called “Samba-filserver” and the Print Server, to require authentication.
Begin by installing the libpam-smbpass package, which will synchronize the system users with the Samba user database:
sudo apt-get install libpam-smbpass
Note
If the Samba Server task was chosen during installation, libpam-smbpass is already installed.
Edit /etc/samba/smb.conf, and in the [share] section change:
guest ok = no
Finally, restart Samba for the new settings to take effect:
sudo /etc/init.d/samba restart
Now when connecting to the shared directories or printers, there will be a prompt for a username and password.
Note
To map a network drive to the share, “Reconnect at Logon” should be checked, which will require the username and password to be entered just once, at least until the password changes.
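As an added check (not part of the original guide), the following script audits an smb.conf for the two settings this section tells you to move away from: a global security mode of share or server, and any share that still has guest ok = yes. The configuration text is a constructed sample, not a file from the page.

```python
import configparser

# Constructed sample smb.conf (not from the guide): the global section still
# uses the deprecated share-level mode and [share] still admits guests.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = share

[share]
   comment = File Server Share
   path = /srv/samba/share
   browsable = yes
   guest ok = yes
   read only = no

[printers]
   path = /var/spool/samba
   guest ok = no
"""

# Modes the guide recommends against: share-level and the legacy server mode.
INSECURE_MODES = ("share", "server")


def parse_smb_conf(text):
    """Parse smb.conf text; configparser lower-cases keys and keeps 'guest ok'."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def audit_smb_conf(text):
    """Return one finding string per setting that undermines authentication."""
    cp = parse_smb_conf(text)
    findings = []
    # Samba's own default is security = user, so a missing key is fine.
    mode = cp.get("global", "security", fallback="user").strip().lower()
    if mode in INSECURE_MODES:
        findings.append(f"global: security = {mode} is deprecated; use user, domain or ADS")
    for section in cp.sections():
        if section == "global":
            continue
        # Default for guest ok is no; only an explicit yes opens the share.
        guest = cp.get(section, "guest ok", fallback="no").strip().lower()
        if guest in ("yes", "true", "1"):
            findings.append(f"[{section}]: guest ok = {guest} allows unauthenticated access")
    return findings
```

Run it against a copy of /etc/samba/smb.conf after the edit above; an empty list means both the mode and every share require credentials.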
There are several options available to increase the security of each individual shared directory. Using the [share] example, this section will cover some common options.
Groups define a collection of computers or users which have a common level of access to particular network resources and offer a level of granularity in controlling access to such resources. For example, if a group qa is defined and contains the users freda, danika, and rob and a second group support is defined and consists of users danika, jeremy, and vincent, then certain network resources configured to allow access by the qa group will subsequently enable access by freda, danika, and rob, but not jeremy or vincent. Since the user danika belongs to both the qa and support groups, she will be able to access resources configured for access by both groups, whereas all other users will have only access to resources explicitly allowing the group they are part of.
By default Samba looks for the local system groups defined in /etc/group to determine which users belong to which groups. For more information on adding and removing users from groups see Basics.
When defining groups in the Samba configuration file, /etc/samba/smb.conf, the recognized syntax is to preface the group name with an "@" symbol. For example, to define a group named sysadmin in a certain section of the /etc/samba/smb.conf, the group name would be entered as @sysadmin.
File permissions define the explicit rights a computer or user has to a particular file or set of files. Such permissions can be defined by editing the /etc/samba/smb.conf file and specifying the explicit permissions of a defined file share.
For example, for a defined Samba share called share and the need to give read-only permissions to the group of users known as qa, while allowing write permissions to the share by the group called sysadmin and the user named vincent, then the /etc/samba/smb.conf file could be edited to add the following entries under the [share] entry:
read list = @qa
write list = @sysadmin, vincent
Another possible Samba permission is to declare administrative permissions to a particular shared resource. Users having administrative permissions may read, write, or modify any information contained in the resource where the user has been given explicit administrative permissions.
For example, to give the user melissa administrative permissions to the share example, the /etc/samba/smb.conf file would be edited to add the following line under the [share] entry:
admin users = melissa
After editing /etc/samba/smb.conf, restart Samba for the changes to take effect:
sudo /etc/init.d/samba restart
Note
For the read list and write list options to work, the Samba security mode must not be set to security = share
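To see how the read list, write list and admin users entries above combine for a given user, here is an added example (not code from the guide) that expands @group names against a constructed stand-in for /etc/group and resolves the effective access level. The group memberships, the share dictionary and the read only value are assumptions chosen to match the names used in this section.

```python
# Constructed stand-in for /etc/group, using the users named in this section.
GROUPS = {
    "qa": {"freda", "danika", "rob"},
    "support": {"danika", "jeremy", "vincent"},
    "sysadmin": {"melissa"},
}

# The [share] entries from this section; "read only = no" is an assumption
# carried over from the file server example this share was based on.
SHARE = {
    "read list": "@qa",
    "write list": "@sysadmin, vincent",
    "admin users": "melissa",
    "read only": "no",
}


def expand_list(value, groups):
    """Turn a Samba user list such as 'a, @grp, b' into the set of users it names."""
    users = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("@"):                 # @name refers to a group
            users |= groups.get(item[1:], set())
        else:
            users.add(item)
    return users


def effective_access(user, share, groups):
    """Return 'admin', 'write' or 'read' for user on this share.

    Precedence follows Samba: admin users act as root on the share, write
    list grants write access regardless of read only, read list forces
    read-only access, and anyone named in none of the lists simply gets the
    share's read only setting (default yes). Note that these lists never deny
    a connection; restricting who may connect at all is a separate option.
    """
    if user in expand_list(share.get("admin users", ""), groups):
        return "admin"
    if user in expand_list(share.get("write list", ""), groups):
        return "write"
    if user in expand_list(share.get("read list", ""), groups):
        return "read"
    read_only = share.get("read only", "yes").strip().lower()
    return "read" if read_only in ("yes", "true", "1") else "write"
```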
Now that Samba has been configured to limit which groups have access to the shared directory, the filesystem permissions need to be updated.
Traditional Linux file permissions do not map well to Windows NT Access Control Lists (ACLs). Fortunately POSIX ACLs are available on Kubuntu servers, providing more fine-grained control. For example, to enable ACLs on /srv, an EXT3 filesystem, edit /etc/fstab adding the acl option:
UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv ext3 noatime,relatime,acl 0 1
Then remount the partition:
sudo mount -v -o remount /srv
Note
The above example assumes /srv is on a separate partition. If /srv, or wherever the share path is configured, is part of the / partition, a reboot may be required.
To match the Samba configuration above, the sysadmin group will be given read, write, and execute permissions to /srv/samba/share, the qa group will be given read and execute permissions, and the files will be owned by the username melissa. Enter the following in a terminal:
sudo chown -R melissa /srv/samba/share/
sudo chgrp -R sysadmin /srv/samba/share/
sudo setfacl -R -m g:qa:rx /srv/samba/share/
Note
The setfacl command above gives execute permissions to all files in the /srv/samba/share directory, which may or may not be desirable.
A Windows client will show that the new file permissions are implemented. See the acl and setfacl man pages for more information on POSIX ACLs.
Kubuntu comes with the AppArmor security module, which provides mandatory access controls. The default AppArmor profile for Samba will need to be adapted to the proper configuration. For more details on using AppArmor, please refer to the wiki.
There are default AppArmor profiles for /usr/sbin/smbd and /usr/sbin/nmbd, the Samba daemon binaries, as part of the apparmor-profiles package. To install the package, from a terminal prompt, enter:
sudo apt-get install apparmor-profiles
Note
This package contains profiles for several other binaries.
By default the profiles for smbd and nmbd are in complain mode, allowing Samba to work without modifying the profile, and only logging errors. To place the smbd profile into enforce mode, and have Samba work as expected, the profile will need to be modified to reflect any directories that are shared.
Edit /etc/apparmor.d/usr.sbin.smbd, adding information for [share] from the file server example:
/srv/samba/share/ r,
/srv/samba/share/** rwkix,
Now place the profile into enforce mode and reload it:
sudo aa-enforce /usr/sbin/smbd
cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r
It is now possible to read, write, and execute files in the shared directory as normal, and the smbd binary will have access to only the configured files and directories. Be sure to add entries for each directory that Samba is configured to share. Any errors will be logged to /var/log/syslog.
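Because every shared directory needs its own pair of profile entries before smbd can be enforced, the following added script (not part of the guide) reads the share paths out of an smb.conf and emits the r, and rwkix, rules in the form shown above, so none are forgotten. The smb.conf text is a constructed sample; which sections to skip ([global], [homes], [printers], [print$]) is an assumption, since those are not plain directory shares.

```python
import configparser

# Constructed sample smb.conf (not from the guide): two directory shares plus
# sections that do not get share-path rules from this script.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user

[share]
   path = /srv/samba/share
   read only = no

[projects]
   path = /srv/samba/projects/
   read list = @qa

[printers]
   path = /var/spool/samba
   printable = yes
"""

# Assumption: these sections are handled by the stock profile or are not
# directory shares, so they are left out of the generated rules.
SKIP_SECTIONS = {"global", "homes", "printers", "print$"}


def share_paths(text):
    """Return {section: path} for every directory share, with trailing slashes removed."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    paths = {}
    for section in cp.sections():
        if section.lower() in SKIP_SECTIONS:
            continue
        path = cp.get(section, "path", fallback="").strip()
        if path:
            paths[section] = path.rstrip("/") or "/"
    return paths


def apparmor_rules(text):
    """Emit the two rule lines the guide adds per share, one pair per share found."""
    lines = []
    for section, path in sorted(share_paths(text).items()):
        lines.append(f"  # Samba share [{section}]")
        lines.append(f"  {path}/ r,")          # the directory itself, read-only
        lines.append(f"  {path}/** rwkix,")    # everything beneath it
    return lines
```

Paste the emitted lines into /etc/apparmor.d/usr.sbin.smbd and reload the profile as shown above; rerun the script whenever a share is added to smb.conf.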
For in-depth Samba configurations, see the Samba HOWTO Collection.
This guide is also available in printed format.
O'Reilly's Using Samba is another good reference.
Chapter 18 of the Samba HOWTO Collection is devoted to security.
For more information on Samba and ACLs, see the Samba ACLs page.