John H Terpstra
2003-Mar-06 22:19 UTC
[Samba] restrict shares listings in domain to authenticated users
On Thu, 6 Mar 2003, unolinuxguru wrote:

> I'm setting up a samba primary domain controller in Debian woody and the
> users are logging into the domain fine and can access their shares. I
> would like to restrict the listings of available shares to only
> authenticated users of the samba domain. I know this works in a win NT4
> domain, how does one do it with samba?
>
> This is the listing I get from an nt4 pdc (belongs to a different domain
> than this system 'WS-072') without supplying a username or password...
>
> root@WS-072:/etc/samba# smbclient -L //nt4pdc
> added interface ip=192.168.2.45 bcast=192.168.2.255 nmask=255.255.255.0
> Got a positive name query response from 192.168.2.5 ( 192.168.2.5 )
> Password:
> Anonymous login successful
> Domain=[HMS] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
>
>         Sharename      Type      Comment
>         ---------      ----      -------
> Error returning browse list: NT_STATUS_ACCESS_DENIED
> <snip>
>
> If I do supply a username (with the -U option) and the proper password, I
> do get a listing of the available shares.
>
> Now if I try the same listing without a username or password on the samba
> primary domain controller of the workgroup this system belongs to... I
> should get the same "NT_STATUS_ACCESS_DENIED" for guest user share
> listings, but I don't - it shows all of them.
>
> root@WS-072:/etc/samba# smbclient -L //debianpdc
> added interface ip=192.168.2.45 bcast=192.168.2.255 nmask=255.255.255.0
> Password:
> Anonymous login successful
> Domain=[LINUXTEST] OS=[Unix] Server=[Samba 2.2.3a-12 for Debian]
>
>         Sharename      Type      Comment
>         ---------      ----      -------
>         tmp            Disk      temporary files
>         IPC$           IPC       IPC Service (debianpdc server (Samba 2.2.3a-12 for Debian))
>         ADMIN$         Disk      IPC Service (debianpdc server (Samba 2.2.3a-12 for Debian))
>
>
> thoughts, suggestions, and of course solutions greatly appreciated. thanks.

If you want to prevent anonymous access to the IPC$ share then in your
smb.conf [globals] put:

    restrict anonymous = Yes

- John T.
--
John H Terpstra
Email: jht@samba.org
unolinuxguru
2003-Mar-06 22:40 UTC
[Samba] restrict shares listings in domain to authenticated users
I'm setting up a samba primary domain controller in Debian woody and the users are logging into the domain fine and can access their shares. I would like to restrict the listings of available shares to only authenticated users of the samba domain. I know this works in a win NT4 domain, how does one do it with samba?

This is the listing I get from an nt4 pdc (belongs to a different domain than this system 'WS-072') without supplying a username or password...

    root@WS-072:/etc/samba# smbclient -L //nt4pdc
    added interface ip=192.168.2.45 bcast=192.168.2.255 nmask=255.255.255.0
    Got a positive name query response from 192.168.2.5 ( 192.168.2.5 )
    Password:
    Anonymous login successful
    Domain=[HMS] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

            Sharename      Type      Comment
            ---------      ----      -------
    Error returning browse list: NT_STATUS_ACCESS_DENIED
    <snip>

If I do supply a username (with the -U option) and the proper password, I do get a listing of the available shares.

Now if I try the same listing without a username or password on the samba primary domain controller of the workgroup this system belongs to... I should get the same "NT_STATUS_ACCESS_DENIED" for guest user share listings, but I don't - it shows all of them.

    root@WS-072:/etc/samba# smbclient -L //debianpdc
    added interface ip=192.168.2.45 bcast=192.168.2.255 nmask=255.255.255.0
    Password:
    Anonymous login successful
    Domain=[LINUXTEST] OS=[Unix] Server=[Samba 2.2.3a-12 for Debian]

            Sharename      Type      Comment
            ---------      ----      -------
            tmp            Disk      temporary files
            IPC$           IPC       IPC Service (debianpdc server (Samba 2.2.3a-12 for Debian))
            ADMIN$         Disk      IPC Service (debianpdc server (Samba 2.2.3a-12 for Debian))

thoughts, suggestions, and of course solutions greatly appreciated. thanks.
unolinuxguru
2003-Mar-07 03:56 UTC
[Samba] restrict shares listings in domain to authenticated users
see below...

> On Thu, 6 Mar 2003, unolinuxguru wrote:

<snip>

I want to prevent anonymous/non-domain users from seeing the available drive shares on my samba primary domain controller. A Windows NT4 server on the network provides this functionality (i.e. I can only see the share listings if I provide username and password "smbclient -L //nt4pdc -U username").

>> root@WS-072:/etc/samba# smbclient -L //debianpdc
>> added interface ip=192.168.2.45 bcast=192.168.2.255
>> nmask=255.255.255.0 Password:
>> Anonymous login successful
>> Domain=[LINUXTEST] OS=[Unix] Server=[Samba 2.2.3a-12 for Debian]
>>
>> Sharename Type Comment
>> --------- ---- -------
>> tmp Disk temporary files
>> IPC$ IPC IPC Service (debianpdc server (Samba 2.2.3a-12 for Debian))
>> ADMIN$ Disk IPC Service (debianpdc server (Samba 2.2.3a-12 for
>> Debian))
>>
>>
>> thoughts, suggestions, and of course solutions greatly appreciated.
>> thanks.
>
> If you want to prevent anonymous access to the IPC$ share then in your
> smb.conf [globals] put:
>
> restrict anonymous = Yes
>
> - John T.
> --
> John H Terpstra
> Email: jht@samba.org

I was very hopeful with this John, but it did not seem to work. I added this line to my smb.conf, testparm said everything was fine, I reloaded samba, stopped and restarted samba, and even tried from a totally different gnu/linux system not even associated with the domain (machine or user), and it still enumerated the file shares on my samba pdc. Are there any other configuration options to prevent this?
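
Added example, not part of the thread or of Samba: a repeatable way to test whether a configuration change actually stopped anonymous share enumeration is to classify the `smbclient -L` output by the markers visible in the two transcripts above. The function name `classify_listing` and the sample data (abridged from the quoted listings) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `smbclient -L //server` output captured with no
# credentials, using the markers visible in the thread's transcripts.
#   restricted      anonymous session was refused the browse list
#   exposed <list>  anonymous session received share rows
#   unknown         no anonymous session seen, or neither pattern matched
classify_listing() {
    awk '
        /Anonymous login successful/  { anon = 1 }
        /NT_STATUS_ACCESS_DENIED/     { denied = 1 }
        /^[ \t]*Sharename[ \t]+Type/  { in_table = 1; next }
        in_table && NF == 0           { in_table = 0; next }
        # A share row has a known type in column 2 (names with spaces
        # are not handled by this simple field split).
        in_table && $2 ~ /^(Disk|IPC|Printer)$/ {
            shares = shares (shares ? "," : "") $1
        }
        END {
            if (!anon)       print "unknown"
            else if (shares) print "exposed " shares
            else if (denied) print "restricted"
            else             print "unknown"
        }'
}

# Constructed samples, abridged from the two listings quoted in the thread.
sample_nt4pdc() { cat <<'EOF'
Anonymous login successful
Domain=[HMS] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

        Sharename      Type      Comment
        ---------      ----      -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
EOF
}
sample_debianpdc() { cat <<'EOF'
Anonymous login successful
Domain=[LINUXTEST] OS=[Unix] Server=[Samba 2.2.3a-12 for Debian]

        Sharename      Type      Comment
        ---------      ----      -------
        tmp            Disk      temporary files
        IPC$           IPC       IPC Service (debianpdc server)
        ADMIN$         Disk      IPC Service (debianpdc server)
EOF
}

echo "nt4pdc:    $(sample_nt4pdc | classify_listing)"
echo "debianpdc: $(sample_debianpdc | classify_listing)"
```

Against a live server, pipe `smbclient -L //debianpdc -N 2>&1` into `classify_listing` before and after each smb.conf change; `-N` suppresses the password prompt so the run is anonymous.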