[CentOS] Samba problem after Up2date

Thu Feb 14 15:23:32 UTC 2008
Ross S. W. Walker <rwalker at medallion.com>

Dago Pacheco wrote:
> 
> Johnny Hughes wrote:
> >
> > OK ... I already told you to run testparm and to validate all your 
> > smb.conf lines.
> >

<snip>

> OK.... This is the thing.... security level was set to "share". When
> things worked fine, there were a lot of shared folders that could be
> accessed by anyone in the network, but when it came to accessing the
> remote home folder from a Windows client, samba checked the
> user/password used to log in to Windows and used it. Now with security
> level set to "share", I can access the public folders, but when it
> comes to the "home" folders, samba prompts me to enter a password as an
> invited user.

One should avoid setting security to share, it is there primarily for
historical reasons, but security should start with "user" then if
you have Windows domain servers set it to "domain" or "ads".

You will need to create LM passwords for each user unless you have
a Windows domain server to check passwords against.

I think there is an option in the man page about auto-creating
samba users on first connect if they exist in passwd, which will
ask the user for his/her password the first time and if it is
correct will save it in the samba passwd file.

> If I change security level to "user", samba prompts the user to enter
> user and password, that's good, but even if I enter a good login....
> nothing happens, it doesn't validate it... and then I can't access home
> and public folders.

Well there is probably additional configuration that is needed when
moving from "share" to "user".

> This is the output for testparm
> 

<Ok testparm output is good>

> 
> [global]
>         workgroup = MAKIMET
>         netbios aliases = servidor
>         server string = Servidor Maestranza
>         interfaces = 192.168.0.10/255.255.255.0
>         security = SHARE

Once again you should really use security = "user" here

>         obey pam restrictions = Yes
>         pam password change = Yes
>         username map = /etc/samba/smbusers
>         log level = 3
>         log file = /var/log/samba/%m.log
>         acl compatibility = winnt
>         server signing = auto
>         socket options = TCP_NODELAY IPTOS_LOWDELAY
>         hostname lookups = Yes
>         printcap name = /etc/printcap
>         os level = 10
>         preferred master = No
>         domain master = Yes
>         dns proxy = No
>         ldap ssl = no
>         preload = global administracion biblioteca cartas fax formatos fotografias informes instaladores memos of_tecnica planos procedimientos

-----------
>         read only = No
>         create mask = 0777
>         force create mode = 0777
>         directory mask = 0777
>         force directory mode = 0777
>         guest ok = Yes
-----------
These options really should be per-share. You are making all data
on all shares world readable and writable by default, which you
really do not want to do.

>         hosts allow = 192.168.0., 127.0.0.
> 
> [homes]
>         comment = Home directory for %S
>         valid users = bodega, calidad, contador, cvaldivieso, dibujotec1, dibujotec2, faena, hcatalan, hfigueroa, personal, planning, produccion, root, secretaria, tvillagran, ymoya, ocastro, hsandoval, afigueroa, mahumada, chidalgo, informatica, @makimet
>         force group = makimet
>         create mask = 0700
>         directory mask = 0700
>         browseable = No
> 
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
> 
> [administracion]
>         comment = Archivos Administracion
>         path = /home/publicos/administracion
>         force user = root
>         force group = makimet

Please for your sake don't force root, use some other
administrative user like 'admin' and force that, this
is just asking for trouble!

> [biblioteca]
>         comment = Biblioteca Electronica
>         path = /home/publicos/biblioteca
>         force user = root
>         force group = makimet
> 
> [cartas]
>         comment = Cartas Enviadas
>         path = /home/publicos/cartas
>         force user = root
>         force group = makimet
> 
> [fax]
>         comment = Historico Fax
>         path = /home/publicos/fax
>         force user = root
>         force group = makimet
> 
> [formatos]
>         comment = Formatos Oficiales
>         path = /home/publicos/formatos
>         force user = root
>         force group = makimet
> 
> [fotografias]
>         comment = Historico Fotografias
>         path = /home/publicos/fotografias
>         force user = root
>         force group = makimet
> 
> [informes]
>         comment = Informes Tecnicos
>         path = /home/publicos/informes
>         force user = root
>         force group = makimet
> 
> [instaladores]
>         comment = Programas de Instalacion
>         path = /home/publicos/instaladores
>         force user = root
> 
> [memos]
>         comment = Historico Memos
>         path = /home/publicos/memos
>         force user = root
>         force group = makimet
> 
> [of_tecnica]
>         comment = Documentos Oficina Tecnica
>         path = /home/publicos/of_tecnica
>         force user = root
>         force group = makimet
> 
> [planos]
>         comment = Archivos CAD r14
>         path = /home/publicos/planos
>         force user = root
>         force group = makimet
> 
> [procedimientos]
>         comment = Manuales de Procedimento
>         path = /home/publicos/procedimientos
>         force user = root
>         force group = makimet

You really need to start tightening the security here. The system
is just ripe for a user escalation attack.

Try removing the 'force user' lines, use force group and then use
the sticky bit on the directory perms 'chmod 1XXX' so the group
will be maintained on new files and folders and move the force
create mode and force directory mode into the shares where
appropriate removing the world bits if they are not needed and/or
at least making them world readable only.

-Ross
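As an added example (not code from the thread or from the Samba project), here is one way to carry out the reply's suggestion for a public share such as [planos]: a shell function that hands the directory to the group with the setgid bit (2xxx, which is what makes new files and subdirectories inherit the directory's group) and no world bits, and a function that prints the matching share stanza with 'force group' instead of 'force user = root' and per-share create/directory modes. The paths, group and share names are the thread's own values reused as placeholders; nothing here edits smb.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Unix group passed as $2
# already exists and that the printed stanza is pasted into smb.conf by hand.

# Prepare a share directory so group membership, not root, controls access:
# owner rwx, group rwx, others nothing. The setgid bit (2xxx) makes entries
# created through Samba inherit the directory's group.
harden_share_dir() {
    dir=$1
    group=$2
    [ -d "$dir" ] || mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2770 "$dir"
    # Bring anything already inside the tree in line with the same policy.
    find "$dir" -type d -exec chmod 2770 {} +
    find "$dir" -type f -exec chmod 0660 {} +
    find "$dir" -exec chgrp "$group" {} +
}

# Emit a share stanza with no 'force user', group-only access, and
# create/directory modes set per share without world bits. 'guest ok = No'
# overrides the world-readable default the thread's [global] section sets.
share_stanza() {
    name=$1; path=$2; group=$3
    cat <<EOF
[$name]
        path = $path
        valid users = @$group
        force group = $group
        read only = No
        guest ok = No
        create mask = 0660
        force create mode = 0660
        directory mask = 2770
        force directory mode = 2770
EOF
}

# Usage (values taken from the thread; run as a user allowed to chgrp):
# harden_share_dir /home/publicos/planos makimet
# share_stanza planos /home/publicos/planos makimet
```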
