<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Securing Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="locking.html" title="Chapter 15. File and Record Locking"><link rel="next" href="InterdomainTrusts.html" title="Chapter 17. Interdomain Trust Relationships"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="securing-samba"></a>Chapter 16. Securing Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 26, 2003</p></div></div></div><div class="toc"><p><b>Table 
of Contents</b></p><dl><dt><span class="sect1"><a href="securing-samba.html#id2567193">Introduction</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id2567233">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id2567308">Technical Discussion of Protective Measures and Issues</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id2567324">Using Host-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id2567419">User-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id2567477">Using Interface Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id2567565">Using a Firewall</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id2567611">Using IPC$ Share-Based Denials</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id2567699">NTLMv2 Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="securing-samba.html#id2567747">Upgrading Samba</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id2567768">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id2567784">Smbclient Works on Localhost, but the Network Is Dead</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id2567804">Why Can Users Access Home Directories of Other Users?</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2567193"></a>Introduction</h2></div></div></div><p>This note was attached to the Samba 2.2.8 release notes as it contained an important security fix. The information contained here applies to Samba installations in general.</p><div class="blockquote"><blockquote class="blockquote"><p>A new apprentice reported for duty to the chief engineer of a boiler house. 
He said, “<span class="quote"><span class="emphasis"><em>Here I am, if you will show me the boiler I'll start working on it.</em></span></span>” The engineer replied, “<span class="quote"><span class="emphasis"><em>You're leaning on it!</em></span></span>”</p></blockquote></div><p>Security concerns are just like that. You need to know a little about the subject to appreciate how obvious most of it really is. The challenge for most of us is to discover that first morsel of knowledge with which we may unlock the secrets of the masters.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2567233"></a>Features and Benefits</h2></div></div></div><p>There are three levels at which security principles must be observed in order to render a site at least moderately secure. They are the perimeter firewall, the configuration of the host server that is running Samba, and Samba itself.</p><p>Samba permits a most flexible approach to network security. As far as possible, Samba implements the latest protocols to permit more secure MS Windows file and print operations.</p><p>Samba may be secured from connections that originate from outside the local network. This may be done using <span class="emphasis"><em>host-based protection</em></span> (using Samba's implementation of a technology known as “<span class="quote"><span class="emphasis"><em>tcpwrappers</em></span></span>”), or it may be done by using <span class="emphasis"><em>interface-based exclusion</em></span> so <span class="application">smbd</span> will bind only to specifically permitted interfaces. It is also possible to set specific share or resource-based exclusions, for example on the <i class="parameter"><tt>[IPC$]</tt></i> auto-share. The <i class="parameter"><tt>[IPC$]</tt></i> share is used for browsing purposes as well as to establish TCP/IP connections. 
</p><p>Another method by which Samba may be secured is by setting Access Control Entries (ACEs) in an Access Control List (ACL) on the shares themselves. This is discussed in <a href="AccessControls.html" title="Chapter 14. File, Directory and Share Access Controls">File, Directory and Share Access Controls</a>.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2567308"></a>Technical Discussion of Protective Measures and Issues</h2></div></div></div><p>The key challenge of security is the fact that protective measures suffice at best only to close the door on known exploits and breach techniques. Never assume that, because you have followed these few measures, the Samba server is now an impenetrable fortress! Given the history of information systems so far, it is only a matter of time before someone will find yet another vulnerability.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2567324"></a>Using Host-Based Protection</h3></div></div></div><p>In many installations of Samba, the greatest threat comes from outside your immediate network. By default, Samba will accept connections from any host, which means that if you run an insecure version of Samba on a host that is directly connected to the Internet, you can be especially vulnerable.</p><p>One of the simplest fixes in this case is to use the <a class="indexterm" name="id2567342"></a>hosts allow and <a class="indexterm" name="id2567349"></a>hosts deny options in the Samba <tt class="filename">smb.conf</tt> configuration file to allow access to your server only from a specific range of hosts. 
An example might be:</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2567372"></a><i class="parameter"><tt>hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24</tt></i></td></tr><tr><td><a class="indexterm" name="id2567388"></a><i class="parameter"><tt>hosts deny = 0.0.0.0/0</tt></i></td></tr></table><p>The above will only allow SMB connections from <tt class="constant">localhost</tt> (your own computer) and from the two private networks 192.168.2 and 192.168.3. All other connections will be refused as soon as the client sends its first packet. The refusal will be reported as a <span class="errorname">not listening on called name</span> error.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2567419"></a>User-Based Protection</h3></div></div></div><p>If you want to restrict access to your server to valid users only, then the following method may be of use. In the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[global]</tt></i> section put:</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2567449"></a><i class="parameter"><tt>valid users = @smbusers, jacko</tt></i></td></tr></table><p>This restricts all server access to either the user <span class="emphasis"><em>jacko</em></span> or to members of the system group <span class="emphasis"><em>smbusers</em></span>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2567477"></a>Using Interface Protection</h3></div></div></div><p>By default, Samba will accept connections on any network interface that it finds on your system. That means if you have an ISDN line or a PPP connection to the Internet, then Samba will accept connections on those links. This may not be what you want. 
</p><p>You can change this behavior using options like this:</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2567502"></a><i class="parameter"><tt>interfaces = eth* lo</tt></i></td></tr><tr><td><a class="indexterm" name="id2567517"></a><i class="parameter"><tt>bind interfaces only = yes</tt></i></td></tr></table><p>This tells Samba to listen for connections only on interfaces with a name starting with <tt class="constant">eth</tt>, such as <tt class="constant">eth0, eth1</tt>, plus on the loopback interface called <tt class="constant">lo</tt>. The name you will need to use depends on what OS you are using. In the above, I used the common name for Ethernet adapters on Linux.</p><p>If you use the above and someone tries to make an SMB connection to your host over a PPP interface called <tt class="constant">ppp0</tt>, then they will get a TCP connection refused reply. In that case, no Samba code is run at all, as the operating system has been told not to pass connections from that interface to any Samba process.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2567565"></a>Using a Firewall</h3></div></div></div><p>Many people use a firewall to deny access to services they do not want exposed outside their network. This can be a good idea, although I recommend using it in conjunction with the above methods so you are protected even if your firewall is not active for some reason.</p><p>If you are setting up a firewall, you need to know what TCP and UDP ports to allow and block. 
Samba uses the following:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>UDP/137 - used by nmbd</td></tr><tr><td>UDP/138 - used by nmbd</td></tr><tr><td>TCP/139 - used by smbd</td></tr><tr><td>TCP/445 - used by smbd</td></tr></table><p>The last one is important, as many older firewall setups may not be aware of it, given that this port was only added to the protocol in recent years.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2567611"></a>Using IPC$ Share-Based Denials</h3></div></div></div><p>If the above methods are not suitable, then you could also place a more specific deny on the IPC$ share that is used in the recently discovered security hole. This allows you to offer access to other shares while denying access to IPC$ from potentially untrustworthy hosts.</p><p>To do this you could use:</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>[IPC$]</tt></i></td></tr><tr><td><a class="indexterm" name="id2567644"></a><i class="parameter"><tt>hosts allow = 192.168.115.0/24 127.0.0.1</tt></i></td></tr><tr><td><a class="indexterm" name="id2567661"></a><i class="parameter"><tt>hosts deny = 0.0.0.0/0</tt></i></td></tr></table><p>This instructs Samba that IPC$ connections are not allowed from anywhere except from the two listed network addresses (localhost and the 192.168.115 subnet). Connections to other shares are still allowed. As the IPC$ share is the only share that is always accessible anonymously, this provides some level of protection against attackers that do not know a valid username/password for your host.</p><p>If you use this method, then clients will be given an <span class="errorname">`access denied'</span> reply when they try to access the IPC$ share. 
Those clients will not be able to browse shares, and may also be unable to access some other resources. This is not recommended unless you cannot use one of the other methods listed above for some reason.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2567699"></a>NTLMv2 Security</h3></div></div></div><p>To configure NTLMv2 authentication, the following registry keys are worth knowing about:</p><pre class="screen">
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:00000003
</pre><p>The value 0x00000003 means send NTLMv2 response only. Clients will use NTLMv2 authentication, and NTLMv2 session security if the server supports it. Domain Controllers accept LM, NTLM and NTLMv2 authentication.</p><pre class="screen">
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:00080000
</pre><p>The value 0x00080000 means permit only NTLMv2 session security. If either NtlmMinClientSec or NtlmMinServerSec is set to 0x00080000, the connection will fail if NTLMv2 session security is not negotiated.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2567747"></a>Upgrading Samba</h2></div></div></div><p>Please check regularly on <a href="http://www.samba.org/" target="_top">http://www.samba.org/</a> for updates and important announcements. Occasionally security releases are made, and it is highly recommended to upgrade Samba when a security vulnerability is discovered. Check with your OS vendor for OS-specific upgrades. 
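As an added example, not code from Samba or from this HOWTO, the following Python models the decision that the host-based and interface-based measures earlier in this chapter make for each incoming connection: the precedence between hosts allow and hosts deny, and the glob matching behind interfaces = eth* lo. The loopback special case, the accepted address forms (single address, CIDR, netmask, trailing-dot prefix, ALL) and the treatment of an unset list are assumptions taken from Samba's documented behaviour as I recall it, so verify them against your Samba version; the client addresses and interface names are constructed. It also covers a case the chapter does not spell out: with both lists set, a host matching neither is allowed, which is why the chapter's examples pair an allow list with a blanket hosts deny = 0.0.0.0/0.

```python
"""Model of Samba's host-based and interface-based access checks.

Added example (not Samba's own code).  It mirrors the precedence rules
documented for "hosts allow" / "hosts deny" and the glob matching used by
"interfaces", so an smb.conf fragment can be sanity-checked offline.
"""
import fnmatch
import ipaddress


def _parse_host_entry(entry):
    """Turn one hosts allow/deny entry into an ip_network.

    Accepted forms (assumed from Samba's documentation): "127.0.0.1",
    "192.168.2.0/24", "192.168.2.0/255.255.255.0", "192.168.2." and "ALL".
    """
    entry = entry.strip()
    if entry.upper() == "ALL":
        return ipaddress.ip_network("0.0.0.0/0")
    if entry.endswith("."):  # prefix form: "192.168.2." means 192.168.2.0/24
        octets = entry.rstrip(".").split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    # strict=False tolerates host bits being set, e.g. "192.168.2.5/24"
    return ipaddress.ip_network(entry, strict=False)


def _matches(entries, addr):
    """True if addr matches any entry of a hosts allow/deny list."""
    return any(addr in _parse_host_entry(e) for e in entries)


def allow_access(hosts_allow, hosts_deny, client_ip):
    """Decide whether client_ip may connect, following Samba's precedence.

    hosts_allow / hosts_deny are lists of entries as written in smb.conf
    (an empty list means the parameter is not set).  Rules modelled
    (assumption: verify against your Samba version):
      * loopback is allowed unless a deny entry matches it and no allow
        entry does;
      * neither list set      -> allow everyone;
      * only hosts allow set  -> allow only listed hosts;
      * only hosts deny set   -> allow everyone except listed hosts;
      * both set              -> allow wins over deny, and a host matching
                                 neither list is ALLOWED.
    The last rule is why a partial deny list silently widens access and
    why the chapter pairs an allow list with "hosts deny = 0.0.0.0/0".
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.is_loopback:
        if _matches(hosts_deny, addr) and not _matches(hosts_allow, addr):
            return False
        return True
    if not hosts_allow and not hosts_deny:
        return True
    if not hosts_deny:
        return _matches(hosts_allow, addr)
    if not hosts_allow:
        return not _matches(hosts_deny, addr)
    if _matches(hosts_allow, addr):
        return True
    if _matches(hosts_deny, addr):
        return False
    return True


def bound_interfaces(interfaces_param, present):
    """Interfaces Samba listens on with "bind interfaces only = yes".

    interfaces_param is the value of the "interfaces" option ("eth* lo");
    present is the list of interface names found on the host.  Patterns
    are globs, matched here with fnmatch.
    """
    patterns = interfaces_param.split()
    return [name for name in present
            if any(fnmatch.fnmatchcase(name, p) for p in patterns)]


if __name__ == "__main__":
    # Constructed sample: the chapter's own hosts allow / hosts deny pair.
    allow = ["127.0.0.1", "192.168.2.0/24", "192.168.3.0/24"]
    deny = ["0.0.0.0/0"]
    for ip in ("127.0.0.1", "192.168.2.17", "192.168.4.1", "203.0.113.9"):
        verdict = "allowed" if allow_access(allow, deny, ip) else "refused"
        print(ip.rjust(14), verdict)
    # A partial deny list instead of the blanket one: an unlisted host gets in.
    print("partial deny:", allow_access(["192.168.2.0/24"], ["10.0.0.0/8"], "203.0.113.9"))
    # Constructed interface list: ppp0 is never bound under "eth* lo".
    print("bound:", bound_interfaces("eth* lo", ["eth0", "eth1", "lo", "ppp0"]))
```

Feed it the hosts allow/deny lines from your own smb.conf and the addresses of the networks you expect to be refused; the partial-deny case shows why a blanket hosts deny belongs beside every allow list.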
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2567768"></a>Common Errors</h2></div></div></div><p>If all of Samba and host platform configuration were really as intuitive as one might like them to be, this section would not be necessary. Security issues are often vexing for a support person to resolve, not because of the complexity of the problem, but for the reason that most administrators who post what turns out to be a security problem request are totally convinced that the problem is with Samba.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2567784"></a>Smbclient Works on Localhost, but the Network Is Dead</h3></div></div></div><p>This is a common problem. Red Hat Linux (and others) installs a default firewall. With the default firewall in place, only traffic on the loopback adapter (IP address 127.0.0.1) is allowed through the firewall.</p><p>The solution is either to remove the firewall (stop it) or to modify the firewall script to allow SMB networking traffic through. See the firewall section above in this chapter.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2567804"></a>Why Can Users Access Home Directories of Other Users?</h3></div></div></div><p>“<span class="quote"><span class="emphasis"><em>We are unable to keep individual users from mapping to any other user's home directory once they have supplied a valid password! They only need to enter their own password. I have not found any method to configure Samba so that users may map only their own home directory.</em></span></span>”</p><p>“<span class="quote"><span class="emphasis"><em>User xyzzy can map his home directory. Once mapped, user xyzzy can also map anyone else's home directory. 
</em></span></span>”</p><p>This is not a security flaw; it is by design. Samba allows users to have exactly the same access to the UNIX file system as when they were logged onto the UNIX box, except that it only allows such views onto the file system as are allowed by the defined shares.</p><p>If your UNIX home directories are set up so that one user can happily <span><b class="command">cd</b></span> into another user's directory and execute <span><b class="command">ls</b></span>, the UNIX security solution is to change file permissions on the users' home directories such that the <span><b class="command">cd</b></span> and <span><b class="command">ls</b></span> are denied.</p><p>Samba tries very hard not to second-guess the UNIX administrator's security policies, and trusts the UNIX admin to set the policies and permissions he or she desires.</p><p>Samba allows the behavior you require. Simply put the <a class="indexterm" name="id2567877"></a>only user = %S option in the <i class="parameter"><tt>[homes]</tt></i> share definition.</p><p>The <a class="indexterm" name="id2567895"></a>only user option works in conjunction with the <a class="indexterm" name="id2567902"></a>users = list, so to get the behavior you require, add the line:</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2567916"></a><i class="parameter"><tt>users = %S</tt></i></td></tr></table><p>This is equivalent to adding</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2567937"></a><i class="parameter"><tt>valid users = %S</tt></i></td></tr></table><p>to the definition of the <i class="parameter"><tt>[homes]</tt></i> share, as recommended in the <tt class="filename">smb.conf</tt> man page. 
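As an added example (not Samba's code, and not from the HOWTO authors), the following Python models the valid users check that both the User-Based Protection section and this answer rely on, including the %S substitution that makes valid users = %S pin each [homes] share to its owner. The group table, user names and share names are constructed; group membership is looked up in that table rather than the system group database, names are compared exactly, and the NIS netgroup lookups Samba also attempts are left out, all of which are simplifications of my own.

```python
"""Model of Samba's "valid users" check with %S substitution.

Added example (not Samba's own code).  It shows why "valid users = %S" in
[homes] stops an authenticated user from connecting to another user's home
share.  Group membership comes from a constructed table instead of the
system group database, and name comparison is exact (a simplification).
"""
import re


def expand(value, service):
    """Apply the one smb.conf substitution used here: %S = service name."""
    return value.replace("%S", service)


def user_in_list(user, entries, groups):
    """True if user matches one entry of a valid users style list.

    "name" matches that user; "@name", "+name" or "&name" matches members
    of the group of that name in the supplied table.  (Samba also consults
    NIS netgroups for "@" and "&"; assumed absent here.)
    """
    for entry in entries:
        if not entry:
            continue
        if entry[0] in "@+&":
            if user in groups.get(entry[1:], set()):
                return True
        elif entry == user:
            return True
    return False


def may_connect(user, service, valid_users, groups):
    """Decide whether an authenticated user may connect to a service.

    valid_users is the raw smb.conf value for the share; None means the
    parameter is not set, which lets any authenticated user in (the
    default the questioner above ran into).  For [homes] the requested
    service name is the owner's username, so "valid users = %S" expands
    to exactly the owner and nobody else.
    """
    if valid_users is None:
        return True
    expanded = expand(valid_users, service)
    # smb.conf lists may be separated by commas and/or whitespace.
    entries = [e for e in re.split(r"[,\s]+", expanded.strip()) if e]
    return user_in_list(user, entries, groups)


if __name__ == "__main__":
    # Constructed group table standing in for /etc/group.
    groups = {"smbusers": {"alice", "bob"}}
    # The chapter's [global] example: valid users = @smbusers, jacko
    for u in ("jacko", "alice", "mallory"):
        print(u.ljust(8), "->", may_connect(u, "public", "@smbusers, jacko", groups))
    # [homes] with no valid users line: xyzzy can open alice's home share.
    print("no valid users, other home:", may_connect("xyzzy", "alice", None, groups))
    # [homes] with valid users = %S: only the owner of the share gets in.
    print("%S, own home:  ", may_connect("xyzzy", "xyzzy", "%S", groups))
    print("%S, other home:", may_connect("xyzzy", "alice", "%S", groups))
```

Run it to see that xyzzy is admitted to alice's home share when [homes] carries no valid users line and refused once valid users = %S is present; the group branch reproduces the @smbusers, jacko example from the User-Based Protection section.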
</p></div></div></div></body></html>