Useful information

Network services - SMB


SAMBA is one of the best things since sliced bread, that is, if you want to share files and printers between Windows and *NIX. It is also somewhat misunderstood, and suffers heavily from interaction with various (sometimes broken) Windows clients. SAMBA has a great many kludges that attempt to make it somewhat sane, but these can lead to what looks like broken behavior sometimes. SAMBA simply gives access to the filesystem via SMB (Server Message Block), the protocol Windows uses to share files and printers. It verifies the username and password given (if required) and then gives access to the files according to the file permissions and so forth that are set. I'm only going to cover Samba 2.x; Samba 1.x is pretty old and obsolete.

Samba 2.x is controlled via smb.conf, typically in /etc (man smb.conf). In /etc/smb.conf you have 4 main areas of configuration switches: [global], [printers], [homes], and each [sharename], which has its own configuration (be it a printer or drive share). There are a hundred or so switches; the smb.conf man page covers them exhaustively. Some of the important (for security) ones are:

security = xxxx where xxxx is share, server or domain. Share security is per share, with one password that everyone uses to get at it; server means the samba server itself authenticates users, either via /etc/passwd or smbpasswd. If you set it to domain, samba authenticates the user via an NT domain controller, thus integrating nicely into your existing NT network (if you have one).

guest account = xxxx where xxxx is the username of the account you want the guest user to map to. If a share is defined as public then all requests to it are handled as this user.

hosts allow = xxxx where xxxx is a space separated list of hosts / IP blocks allowed to connect to the server.

hosts deny = xxxx where xxxx is a space separated list of hosts / IP blocks not allowed to connect to the server.

interfaces = xxxx where xxxx is a space separated list of IP blocks that samba will bind to.
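The switches above are the ones worth checking first on any existing server. The following audit script is an added example, not part of the original article: it parses a constructed smb.conf (the sample values, including the 10.0.0.0/8 address block, are made up for illustration) and flags each switch that is set to its loosest form or left unset, alongside a hardened version of the same file that passes cleanly.

```python
import configparser

# Constructed sample smb.conf files (not from the article). WEAK sets each
# [global] switch the text names to its loosest form; HARDENED fills them in.
WEAK_SMB_CONF = """
[global]
   security = share
   guest account = root
[pub]
   path = /srv/pub
   public = yes
"""

HARDENED_SMB_CONF = """
[global]
   security = user
   guest account = nobody
   hosts allow = 10.0.0.0/8 some.trusted.host
   hosts deny = ALL
   interfaces = 10.0.0.1/24
[pub]
   path = /srv/pub
   public = no
"""

def parse_smb_conf(text):
    """smb.conf is INI-like: [global] plus one section per share."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp

def audit(text):
    """Return one finding per weak or missing security switch."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    if g.get("security", "user").lower() == "share":
        findings.append("security = share: one password per share, known to everyone")
    if g.get("guest account", "nobody").lower() == "root":
        findings.append("guest account = root: public shares are served as root")
    for switch in ("hosts allow", "interfaces"):  # both default to 'any'
        if switch not in g:
            findings.append(f"{switch} unset: server reachable from any address")
    for share in (s for s in cp.sections() if s != "global"):
        public = cp[share].get("public", cp[share].get("guest ok", "no"))
        if public.lower() == "yes":
            findings.append(f"[{share}] public = yes: served as the guest account")
    return findings
```

Running audit() over a real /etc/smb.conf gives the same list; an empty list means none of the switches discussed here are at their weakest setting, not that the server is secure.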

SMB uses a variety of ports, mostly relying on ports 137, 138 and 139: both UDP and TCP for 137 and 138, TCP only for 139. Allow only your trusted hosts to reach them and deny everyone else:

# ipfwadm (2.0 kernels). your.internal.network/mask is a placeholder for
# the address block you trust; 0.0.0.0/0 matches any address.
ipfwadm -I -a accept -P tcp -S your.internal.network/mask -D 0.0.0.0/0 137:139
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 137:139
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 137:139
ipfwadm -I -a accept -P udp -S your.internal.network/mask -D 0.0.0.0/0 137:139
ipfwadm -I -a accept -P udp -S some.trusted.host -D 0.0.0.0/0 137:139
ipfwadm -I -a deny -P udp -S 0.0.0.0/0 -D 0.0.0.0/0 137:139

# ipchains (2.2 kernels), the same policy
ipchains -A input -p tcp -j ACCEPT -s your.internal.network/mask -d 0.0.0.0/0 137:139
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 137:139
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 137:139
ipchains -A input -p udp -j ACCEPT -s your.internal.network/mask -d 0.0.0.0/0 137:139
ipchains -A input -p udp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 137:139
ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 137:139

I would also highly recommend installing and using SWAT (Samba Web Administration Tool), as it will cut down on the mistakes you are liable to make. Samba and SWAT are available at http://www.samba.org/ and ship with almost every distribution.


SWAT is a very nice administration tool for setting up your smb.conf. The main problem is that it requires you to use the root account and password to log in, and runs as a separate process out of inetd.conf, so there is no easy way to encrypt it, and as far as I can tell no way to grant other users administrative access to SWAT. Having said that, however, it is a good tool for cutting down on mistakes made while editing smb.conf. You can also run SWAT with the -a switch, meaning no password will be required, and use TCP_WRAPPERS to restrict access to certain workstations (although you'd still be open to IP spoofing). Essentially SWAT was not meant as a secure administrative tool, but it is useful. SWAT comes with samba (usually) and is available at http://www.samba.org/; a demo of SWAT is online at http://anu.samba.org/cgi-bin/swat/


Security Portal

Written by Kurt Seifried