Kevin
2003-Mar-27 05:31 UTC
[Samba] Access to shares for authenticated domain users only
I am running several Samba servers (2.2.3a and 2.2.7) in various places as PDCs. Everything seems to be running smoothly, but I can't find any way of restricting access to only those users who have logged on to the domain. Is this possible? I.e. at the moment, any user can map a drive to \\server\share, put in a valid user/password pair and have access to that share without going through any logon script or pol files. This is what I would like to avoid. I believe that if I can do this, it would also stop any unauthorised machines from accessing the shares, as these machines would not be joined to the domain.

Is this sort of authorisation possible?
Andrew Bartlett
2003-Mar-27 07:11 UTC
[Samba] Access to shares for authenticated domain users only
On Thu, Mar 27, 2003 at 12:31:08PM +0700, Kevin wrote:
> I am running several Samba servers (2.2.3a and 2.2.7) in various places as
> PDCs. Everything seems to be running smoothly, but I can't find any way of
> restricting access to only those users who have logged on to the domain. Is
> this possible? I.e. at the moment, any user can map a drive to \\server\share,
> put in a valid user/password pair and have access to that share without
> going through any logon script or pol files. This is what I would like to
> avoid. I believe that if I can do this, it would also stop any unauthorised
> machines from accessing the shares, as these machines would not be joined to
> the domain.
>
> Is this sort of authorisation possible?

While 'hacks' might be possible, shares are authenticated separately to the domain logon, and there is no linkage apart from the fact that the domain logon sets up the default username/pw pair.

Fundamentally, any restriction imposed by logon script/.pol files can be avoided - you must never trust the client to actually follow their directions...

Andrew Bartlett
Chris Smith
2003-Mar-27 16:11 UTC
[Samba] Access to shares for authenticated domain users only
I believe this works OK with an NT PDC as one can restrict share users to, as an example, members of the "Domain Users" group, but this group is not available in Samba 2.2.x. Maybe 3.0 will help.

I suppose, as one hack, you could use a "root preexec" and a "root postexec" to add and remove users to a particular group as they log on and off and then use this group to define the valid users of the share.

On Thu, 2003-03-27 at 00:31, Kevin wrote:
> I am running several Samba servers (2.2.3a and 2.2.7) in various places as
> PDCs. Everything seems to be running smoothly, but I can't find any way of
> restricting access to only those users who have logged on to the domain. Is
> this possible? I.e. at the moment, any user can map a drive to \\server\share,
> put in a valid user/password pair and have access to that share without
> going through any logon script or pol files. This is what I would like to
> avoid. I believe that if I can do this, it would also stop any unauthorised
> machines from accessing the shares, as these machines would not be joined to
> the domain.
>
> Is this sort of authorisation possible?
Barry, Christopher
2003-Mar-28 22:57 UTC
[Samba] Access to shares for authenticated domain users only
You could set up shorewall (iptables) to only allow authorized MAC addresses to access the server. This would prevent a valid user from accessing the data from an unauthorized machine.

Regards,
--
Christopher Barry
Manager of Information Systems
InfiniCon Systems
http://www.infiniconsys.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Friday, March 28, 2003 2:18 AM
To: Kevin
Cc: samba@lists.samba.org
Subject: Re: [Samba] Access to shares for authenticated domain users only

On Thu, 2003-03-27 at 23:45, Kevin wrote:
> On Thu, 27 Mar 2003 07:11:55 +0000, Andrew wrote:
>
> > While 'hacks' might be possible, shares are authenticated separately to the
> > domain logon, and there is no linkage apart from the fact that the domain
> > logon sets up the default username/pw pair.
> >
> > Fundamentally, any restriction imposed by logon script/.pol files can be
> > avoided - you must never trust the client to actually follow their directions...
>
> Thanks Andrew. Point taken. Where would you go for more info on this sort of
> security? In particular I'm trying to avoid unauthorised notebooks etc.
> connecting to the network and then disappearing off home with sensitive data
> from the server on their drives.

Really, the best you can do is per-user passwords, strong passwords, correctly set permissions, and policies (human policies, not computer ones :-).

Andrew Bartlett
--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
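An added example, not code from the thread or from Samba, that follows Andrew's advice from the defender's side: because a share is authenticated on its own and not by the domain logon, what decides who can map \\server\share is each share's own parameters, so the useful check is an audit of smb.conf for data shares that any account with a valid password (or a guest) can reach. The smb.conf text is constructed for the example, and the set of section names that are skipped is an assumption.

```python
import re

# Constructed sample smb.conf (not from the thread): a 2.2-era PDC whose
# "finance" share carries no per-share restriction, the poster's situation.
SAMPLE_SMB_CONF = """
[finance]
   path = /srv/finance
   writable = yes
[projects]
   path = /srv/projects
   valid users = @projects
   hosts allow = 192.168.10.
"""
# Assumed: sections that are not data shares or are meant to be open to all.
SKIP = {"global", "netlogon", "homes", "printers"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, keys lowercased."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # smb.conf comment lines
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            shares[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            shares[current][key.strip().lower()] = value.strip()
    return shares

def audit_shares(shares):
    """Return {share: [findings]} for shares any valid account (or guest) can reach."""
    findings = {}
    for name, params in shares.items():
        if name in SKIP:
            continue
        issues = []
        guest = params.get("guest ok", params.get("public", "no")).lower()
        if guest in ("yes", "true", "1"):
            issues.append("guest ok: no password needed at all")
        elif "valid users" not in params:
            issues.append("no 'valid users': any account with a valid password can connect")
        if "hosts allow" not in params:  # weak alone: addresses are easily changed
            issues.append("no 'hosts allow': reachable from any client address")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit_shares(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a real configuration; the `hosts allow` finding is only a hint, since, as Andrew notes later in the thread, addresses are easily changed.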
Zinthefer Mark-G18622
2003-Mar-28 23:03 UTC
[Samba] Access to shares for authenticated domain users only
I have about 120 users who need to have access to these shares. Only about 30-40 of them will be accessing them at any one time. It's not a matter of unauthorized access. It seems like when I get too many (valid) requests for the shares, Samba won't let any more valid requests in.

Thanks.

-----Original Message-----
From: Barry, Christopher [mailto:cbarry@infiniconsys.com]
Sent: Friday, March 28, 2003 4:58 PM
To: Andrew Bartlett; Kevin
Cc: samba@lists.samba.org
Subject: RE: [Samba] Access to shares for authenticated domain users only

You could set up shorewall (iptables) to only allow authorized MAC addresses to access the server. This would prevent a valid user from accessing the data from an unauthorized machine.

Regards,
--
Christopher Barry
Manager of Information Systems
InfiniCon Systems
http://www.infiniconsys.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Friday, March 28, 2003 2:18 AM
To: Kevin
Cc: samba@lists.samba.org
Subject: Re: [Samba] Access to shares for authenticated domain users only

On Thu, 2003-03-27 at 23:45, Kevin wrote:
> On Thu, 27 Mar 2003 07:11:55 +0000, Andrew wrote:
>
> > While 'hacks' might be possible, shares are authenticated separately to the
> > domain logon, and there is no linkage apart from the fact that the domain
> > logon sets up the default username/pw pair.
> >
> > Fundamentally, any restriction imposed by logon script/.pol files can be
> > avoided - you must never trust the client to actually follow their directions...
>
> Thanks Andrew. Point taken. Where would you go for more info on this sort of
> security? In particular I'm trying to avoid unauthorised notebooks etc.
> connecting to the network and then disappearing off home with sensitive data
> from the server on their drives.

Really, the best you can do is per-user passwords, strong passwords, correctly set permissions, and policies (human policies, not computer ones :-).

Andrew Bartlett
--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Barry, Christopher
2003-Mar-28 23:06 UTC
[Samba] Access to shares for authenticated domain users only
Well said...
--
Christopher Barry
Manager of Information Systems
InfiniCon Systems
http://www.infiniconsys.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Friday, March 28, 2003 6:07 PM
To: Barry, Christopher
Cc: Andrew Bartlett; Kevin; samba@lists.samba.org
Subject: RE: [Samba] Access to shares for authenticated domain users only

On Sat, 2003-03-29 at 09:57, Barry, Christopher wrote:
> You could set up shorewall (iptables) to only allow authorized MAC
> addresses to access the server. This would prevent a valid user from
> accessing the data from an unauthorized machine.

MAC addresses, like IP addresses, are easily changed...

The only secure computer is turned off, disconnected from the world, under 5 feet of concrete with an armed guard standing on top. And then somebody will probably just bribe the guard...

Andrew Bartlett
--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Andrew Bartlett
2003-Mar-28 23:06 UTC
[Samba] Access to shares for authenticated domain users only
On Sat, 2003-03-29 at 09:57, Barry, Christopher wrote:
> You could set up shorewall (iptables) to only allow authorized MAC
> addresses to access the server. This would prevent a valid user from
> accessing the data from an unauthorized machine.

MAC addresses, like IP addresses, are easily changed...

The only secure computer is turned off, disconnected from the world, under 5 feet of concrete with an armed guard standing on top. And then somebody will probably just bribe the guard...

Andrew Bartlett
--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net