/usr/share/doc/kde/HTML/en/kubuntu/sharing/samba-fileprint-security.html is in kubuntu-docs 12.04.0ubuntu1.
This file is owned by root:root, with mode 0o644.
<html><head><title>Securing a Samba File and Print Server</title><link rel="stylesheet" type="text/css" href="help:/common/kde-default.css"><link rel="stylesheet" type="text/css" href="help:/common/kde-docs.css"><link rel="stylesheet" type="text/css" href="help:/common/kde-localised.css"><link rel="stylesheet" type="text/css" href="help:/common/kubuntu.css"><meta name="generator" content="DocBook XSL Stylesheets V1.76.1"><link rel="home" href="index.html" title="File Sharing in Kubuntu"><link rel="up" href="index.html" title="File Sharing in Kubuntu"><link rel="prev" href="samba-fileserver.html" title="Samba File Server"><link rel="next" href="samba-dc.html" title="Samba as a Domain Controller"><link rel="copyright" href="legal.html" title="Credits and License"><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><meta name="GENERATOR" content="KDE XSL Stylesheet V1.14 using libxslt"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div id="content"><div id="header"><div id="header_content"><div id="header_left"><div id="header_right"><img src="help:/common/top-kde.jpg" 
width="36" height="34"> Securing a Samba File and Print Server</div></div></div></div><div id="contentBody"><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="samba-fileprint-security"></a>Securing a Samba File and Print Server</h2></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-security-mode"></a>Samba Security Modes</h3></div></div></div><p>
There are two security levels available to the Common Internet Filesystem
(<acronym class="acronym">CIFS</acronym>) network protocol: <span class="emphasis"><em>user-level</em></span> and
<span class="emphasis"><em>share-level</em></span>. <span class="application">Samba</span>'s
<span class="emphasis"><em>security mode</em></span> implementation allows more flexibility,
providing four ways of implementing user-level security and one way to
implement share-level:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
<span class="emphasis"><em>security = user:</em></span> requires clients to supply a username and
password to connect to shares. <span class="application">Samba</span> user accounts
are separate from system accounts, but the
<span class="application">libpam-smbpass</span> package will sync system users and
passwords with the <span class="application">Samba</span> user database.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>security = domain:</em></span> this mode allows the
<span class="application">Samba</span> server to appear to <span class="trademark">Windows</span>® clients as a Primary Domain Controller
(<acronym class="acronym">PDC</acronym>), Backup Domain Controller (<acronym class="acronym">BDC</acronym>), or
a Domain Member Server (<acronym class="acronym">DMS</acronym>). See <a class="xref" href="samba-dc.html" title="Samba as a Domain Controller">the section called “Samba as a Domain Controller”</a>
for further information.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>security = ADS:</em></span> allows the
<span class="application">Samba</span> server to join an <span class="trademark">Active Directory</span>® domain as a native member. See
<a class="xref" href="samba-ad-integration.html" title="Samba Active Directory Integration">the section called “Samba Active Directory Integration”</a> for details.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>security = server:</em></span> this mode is left over from before
<span class="application">Samba</span> could become a member server, and, due to some
security issues, should not be used. See the <a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id349531" target="_top">Server Security</a> section of the
<span class="application">Samba</span> guide for more details.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>security = share:</em></span> allows clients to connect to shares
without supplying a username and password.
</p></li></ul></div><p>
The preferred security mode depends on the environment and what the
<span class="application">Samba</span> server needs to accomplish.
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-user-security"></a>Security = User</h3></div></div></div><p>
This section will reconfigure the <span class="application">Samba</span> file and
print server, from <a class="xref" href="samba-fileserver.html" title="Samba File Server">the section called “Samba File Server”</a> and the <a class="ulink" href="help:/kubuntu/printing/" target="_top"> Print Server</a>, to require
authentication.
</p><p>
First, install the <span class="application">libpam-smbpass</span> package, which
will sync the system users to the <span class="application">Samba</span> user
database:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo apt-get install libpam-smbpass</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
If the <span class="emphasis"><em><span class="application">Samba</span> Server</em></span> task was
chosen during installation, <span class="application">libpam-smbpass</span> is
already installed.
</p></div><p>
Edit <code class="filename">/etc/samba/smb.conf</code>, and in the
<span class="emphasis"><em>[share]</em></span> section change:
</p><pre class="programlisting">
guest ok = no
</pre><p>
Finally, restart <span class="application">Samba</span> for the new settings to take
effect:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo /etc/init.d/samba restart</strong></span></span>
</pre><p>
Now when connecting to the shared directories or printers, there will be a
prompt for a username and password.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
To map a network drive to the share, <span class="quote">“<span class="quote">Reconnect at Logon</span>”</span> should
be checked, which will require the username and password to be entered just
once — at least until the password changes.
</p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-share-security"></a>Share Security</h3></div></div></div><p>
There are several options available to increase the security for each shared
directory. Using the <span class="emphasis"><em>[share]</em></span> example, this section will
cover some common options.
</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="windows-networking-groups"></a>Groups</h4></div></div></div><p>
Groups define a collection of computers or users who have a common level of
access to particular network resources and offer a level of granularity in
controlling access to such resources. For example, if a group <span class="italic">qa</span> is defined and contains the users <span class="italic">freda</span>, <span class="italic">danika</span>, and
<span class="italic">rob</span>, and a second group <span class="italic">support</span> is defined and consists of users <span class="italic">danika</span>, <span class="italic">jeremy</span>, and
<span class="italic">vincent</span>, then certain network resources
configured to allow access by the <span class="italic">qa</span> group
will subsequently enable access by freda, danika, and rob, but not jeremy or
vincent. Since the user <span class="italic">danika</span> belongs to
both the <span class="italic">qa</span> and <span class="italic">support</span> groups, she will be able to access resources
configured for access by both groups, whereas all other users will have only
access to resources explicitly allowing the group they are part of.
</p><p>
By default, <span class="application">Samba</span> looks for the local system groups
defined in <code class="filename">/etc/group</code> to determine which users belong to
which groups. For more information on adding and removing users from groups,
see <a class="ulink" href="help:/kubuntu/basics/" target="_top"> Basics</a>.
</p><p>
When defining groups in the <span class="application">Samba</span> configuration
file, <code class="filename">/etc/samba/smb.conf</code>, the recognized syntax is to
preface the group name with an "@" symbol. For example, to define a group named
<span class="italic">sysadmin</span> in a certain section of the
<code class="filename">/etc/samba/smb.conf</code>, the group name would be entered as
<span class="bold"><strong>@sysadmin</strong></span>.
</p></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="samba-file-permissions"></a>File Permissions</h4></div></div></div><p>
File permissions define the explicit rights a computer or user has to a
particular directory, file, or set of files. Such permissions may be defined by
editing the <code class="filename">/etc/samba/smb.conf</code> file and specifying the
explicit permissions of a defined file share.
</p><p>
For example, for a defined <span class="application">Samba</span> share called
<span class="emphasis"><em>share</em></span> and the need to give <span class="italic">read-only</span> permissions to the group of users known as
<span class="italic">qa</span>, while allowing write permissions to the
share by the group called <span class="italic">sysadmin</span> and the
user named <span class="italic">vincent</span>, then the
<code class="filename">/etc/samba/smb.conf</code> file could be edited to add the
following entries under the <span class="emphasis"><em>[share]</em></span> entry:
</p><pre class="programlisting">
read list = @qa
write list = @sysadmin, vincent
</pre><p>
Another possible <span class="application">Samba</span> permission is to declare
<span class="emphasis"><em>administrative</em></span> permissions to a particular shared
resource. Users having administrative permissions may read, write, or modify
any information contained in the resource where they have been given
explicit administrative permissions.
</p><p>
For example, to give the user <span class="italic">melissa</span>
administrative permissions to the <span class="italic">share</span>
example, the <code class="filename">/etc/samba/smb.conf</code> file would be edited to
add the following line under the <span class="emphasis"><em>[share]</em></span> entry:
</p><pre class="programlisting">
admin users = melissa
</pre><p>
After editing <code class="filename">/etc/samba/smb.conf</code>, restart
<span class="application">Samba</span> for the changes to take effect:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo /etc/init.d/samba restart</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
For the <span class="emphasis"><em>read list</em></span> and <span class="emphasis"><em>write list</em></span> to
work, the <span class="application">Samba</span> security mode must
<span class="emphasis"><em>not</em></span> be set to <span class="italic">security =
share</span>.
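As an added example (not part of the Kubuntu documentation or of Samba itself), the following Python script resolves a share's read list, write list and admin users against the system groups and flags the security = share and guest ok = yes settings that would undo them; the smb.conf text, the group table and the function names are constructed for the illustration.

```python
"""Resolve who gets what on a Samba share from its smb.conf access lists and
the system groups, and flag settings that silently weaken those lists.
Added example; SMB_CONF, GROUPS and the function names are constructed."""
import re
# Constructed smb.conf mirroring the [share] example on this page.
SMB_CONF = """
[global]
   security = user
[share]
   guest ok = no
   read list = @qa
   write list = @sysadmin, vincent
   admin users = melissa
"""

# Constructed /etc/group-style membership; rob is in both qa and sysadmin on purpose.
GROUPS = {"qa": {"freda", "danika", "rob"},
          "support": {"danika", "jeremy", "vincent"},
          "sysadmin": {"melissa", "rob"}}


def parse_smb_conf(text):
    """Return {section: {key: value}}; comments dropped, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def expand(list_value, groups):
    """Expand 'vincent, @sysadmin' into a set of users, resolving @group names."""
    users = set()
    for name in (n.strip() for n in list_value.split(",") if n.strip()):
        if name.startswith("@"):
            users |= groups.get(name[1:], set())
        else:
            users.add(name)
    return users


def effective_access(share, groups):
    """Map users to 'read', 'write' or 'admin': write list beats read list, admin acts as root."""
    access = {u: "read" for u in expand(share.get("read list", ""), groups)}
    access.update({u: "write" for u in expand(share.get("write list", ""), groups)})
    access.update({u: "admin" for u in expand(share.get("admin users", ""), groups)})
    return access


def audit(conf_text, groups, section="share"):
    """Return (findings, access) for one share section of conf_text."""
    conf = parse_smb_conf(conf_text)
    share, findings = conf.get(section, {}), []
    mode = conf.get("global", {}).get("security", "user").lower()
    if mode == "share" and ("read list" in share or "write list" in share):
        findings.append("security = share: read list and write list are not enforced")
    if share.get("guest ok", "no").lower() in ("yes", "true", "1"):
        findings.append("guest ok = yes: no username and password required")
    return findings, effective_access(share, groups)
```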
</p></div><p>
Now that <span class="application">Samba</span> has been configured to limit which
groups have access to the shared directory, the filesystem permissions need to
be updated.
</p><p>
Traditional <span class="trademark">Linux</span>™ file permissions do not map well to
<span class="trademark">Windows NT Access Control Lists</span>®
(<acronym class="acronym">ACL</acronym>s). Fortunately <span class="trademark">POSIX</span>™
<acronym class="acronym">ACL</acronym>s are available on <span>Kubuntu</span> servers, providing more
fine-grained control. For example, to enable <acronym class="acronym">ACL</acronym>s on
<code class="filename">/srv</code>, an <span class="trademark">EXT3</span>™ filesystem, edit
<code class="filename">/etc/fstab</code>, adding the <span class="emphasis"><em>acl</em></span> option:
</p><pre class="programlisting">
UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv ext3 noatime,relatime,acl 0 1
</pre><p>
Then remount the partition:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo mount -v -o remount /srv</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The above example assumes <code class="filename">/srv</code> is on a separate partition.
If <code class="filename">/srv</code> — or wherever the share path is configured
— is part of the <code class="filename">/</code> partition, a reboot may be
required.
</p></div><p>
To match the <span class="application">Samba</span> configuration above, the
<span class="emphasis"><em>sysadmin</em></span> group will be given read, write, and execute
permissions to <code class="filename">/srv/samba/share</code>, the
<span class="emphasis"><em>qa</em></span> group will be given read and execute permissions, and
the files will be owned by the username <span class="emphasis"><em>melissa</em></span>. Enter the
following in a terminal:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo chown -R melissa /srv/samba/share/</strong></span></span>
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo chgrp -R sysadmin /srv/samba/share/</strong></span></span>
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo setfacl -R -m g:qa:rx /srv/samba/share/</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The <span class="application">setfacl</span> command above gives
<span class="emphasis"><em>execute</em></span> permissions to all files in the
<code class="filename">/srv/samba/share</code> directory, which may or may not be
desirable.
</p></div><p>
A <span class="trademark">Windows</span>® client will show that the
new file permissions are implemented. See the <span class="application">acl</span>
and <span class="application">setfacl</span> man pages for more information on
<span class="trademark">POSIX</span>™ <acronym class="acronym">ACL</acronym>s.
</p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-apparmor"></a>Samba AppArmor Profile</h3></div></div></div><p>
<span>Kubuntu</span> comes with the <span class="application">AppArmor</span> security module,
which provides mandatory access controls. The default
<span class="application">AppArmor</span> profile for
<span class="application">Samba</span> will need to be adapted to the proper
configuration. For more details on using <span class="application">AppArmor</span>,
please refer to the <a class="ulink" href="https://help.ubuntu.com/community/AppArmor" target="_top">
wiki</a>.
</p><p>
There are default <span class="application">AppArmor</span> profiles for
<code class="filename">/usr/sbin/smbd</code> and <code class="filename">/usr/sbin/nmbd</code>,
the <span class="application">Samba</span> daemon binaries, as part of the
<span class="application">apparmor-profiles</span> packages. To install the package
from a terminal prompt, enter:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo apt-get install apparmor-profiles</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
This package contains profiles for several other binaries.
</p></div><p>
By default the profiles for <span class="application">smbd</span> and
<span class="application">nmbd</span> are in <span class="emphasis"><em>complain</em></span> mode,
allowing <span class="application">Samba</span> to work without modifying the
profile, and only logging errors. To place the <span class="application">smbd</span>
profile into <span class="emphasis"><em>enforce</em></span> mode and have
<span class="application">Samba</span> work as expected, the profile will need to be
modified to reflect any directories that are shared.
</p><p>
Edit <code class="filename">/etc/apparmor.d/usr.sbin.smbd</code>, adding information for
<span class="emphasis"><em>[share]</em></span> from the file server example:
</p><pre class="programlisting">
/srv/samba/share/ r,
/srv/samba/share/** rwkix,
</pre><p>
Now place the profile into <span class="emphasis"><em>enforce</em></span> mode and reload it:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo aa-enforce /usr/sbin/smbd</strong></span></span>
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r</strong></span></span>
</pre><p>
It is now possible to read, write, and execute files in the shared directory as
normal, and the <span class="application">smbd</span> binary will have access to only
the configured files and directories. Be sure to add entries for each directory
that <span class="application">Samba</span> is configured to share. Any errors will
be logged to <code class="filename">/var/log/syslog</code>.
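As an added example (not part of the Kubuntu documentation or the apparmor-profiles package), the following Python script checks that every configured share path is covered by the smbd profile before it is placed in enforce mode; the profile fragment and share list are constructed, and the glob matching is a simplified model of AppArmor's path rules rather than libapparmor.

```python
"""Check that every Samba share path is covered by smbd's AppArmor profile before
switching it to enforce mode. Added example, not part of the kubuntu docs; the
glob matching is a simplified model of AppArmor file-rule syntax (assumption)."""
import re

# Constructed profile fragment in the style of /etc/apparmor.d/usr.sbin.smbd:
# the [share] rules from this page plus one unrelated rule.
PROFILE = """
  /srv/samba/share/ r,
  /srv/samba/share/** rwkix,
  /var/lib/samba/** rwk,
"""

# Constructed (share name, path) pairs as they would appear in smb.conf.
SHARES = [("share", "/srv/samba/share"), ("public", "/srv/samba/public")]

RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+)\s*,\s*$")

def parse_rules(profile_text):
    """Return [(glob, set_of_permission_letters)] for each file rule found."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), set(m.group(2))))
    return rules

def glob_to_regex(glob):
    """Translate an AppArmor path glob: '*' stops at '/', '**' crosses '/'.
    A '**' right after '/' must match at least one character, so '/dir/**'
    does not match '/dir/' itself (which is why the page lists both rules)."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += "[^/].*" if i > 0 and glob[i - 1] == "/" else ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile("^" + out + "$")

def granted(rules, path):
    """Union of the permission letters that all matching rules grant to path."""
    perms = set()
    for glob, letters in rules:
        if glob_to_regex(glob).match(path):
            perms |= letters
    return perms

def missing_coverage(profile_text, shares):
    """List shares whose directory is not readable or whose contents lack rw."""
    rules = parse_rules(profile_text)
    problems = []
    for name, path in shares:
        directory = path.rstrip("/") + "/"
        if "r" not in granted(rules, directory):
            problems.append(f"{name}: {directory} is not readable by smbd")
        # Probe a hypothetical file one level down to exercise the '**' rule.
        if not {"r", "w"} <= granted(rules, directory + "probe.txt"):
            problems.append(f"{name}: files under {directory} lack rw access")
    return problems
```

Run it against the real profile and share list before `aa-enforce`; an empty result means every share has both the directory rule and the `**` rule.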
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-security-resources"></a>Resources</h3></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
For in-depth <span class="application">Samba</span> configurations, see the
<a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/" target="_top">
<span class="application">Samba</span> HOWTO Collection</a>.
</p></li><li class="listitem"><p>
The guide is also available in <a class="ulink" href="http://www.amazon.com/exec/obidos/tg/detail/-/0131882228" target="_top">printed
format</a>.
</p></li><li class="listitem"><p>
O'Reilly's <a class="ulink" href="http://www.oreilly.com/catalog/9780596007690/" target="_top">Using
<span class="application">Samba</span></a> is also a good reference.
</p></li><li class="listitem"><p>
<a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html" target="_top">Chapter 18</a> of the <span class="application">Samba</span> HOWTO Collection is
devoted to security.
</p></li><li class="listitem"><p>
For more information on <span class="application">Samba</span> and ACLs, see the
<a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id397568" target="_top">
<span class="application">Samba</span> <acronym class="acronym">ACL</acronym>s page</a>.
</p></li></ul></div></div></div></div><div id="footer"><div id="footer_text"><br><a href="mailto:ubuntu-docs@lists.ubuntu.com" class="footer_email">
Ubuntu Documentation Project
</a></div></div></div></body></html>