/usr/share/doc/kde/HTML/en/kubuntu/sharing/samba-fileprint-security.html is in kubuntu-docs 12.04.0ubuntu1.

This file is owned by root:root, with mode 0o644.
<html><head><title>Securing a Samba File and Print Server</title><link rel="stylesheet" type="text/css" href="help:/common/kde-default.css"><link rel="stylesheet" type="text/css" href="help:/common/kde-docs.css"><link rel="stylesheet" type="text/css" href="help:/common/kde-localised.css"><link rel="stylesheet" type="text/css" href="help:/common/kubuntu.css"><meta name="generator" content="DocBook XSL Stylesheets V1.76.1"><link rel="home" href="index.html" title="File Sharing in Kubuntu"><link rel="up" href="index.html" title="File Sharing in Kubuntu"><link rel="prev" href="samba-fileserver.html" title="Samba File Server"><link rel="next" href="samba-dc.html" title="Samba as a Domain Controller"><link rel="copyright" href="legal.html" title="Credits and License"><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><meta name="GENERATOR" content="KDE XSL Stylesheet V1.14 using libxslt"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div id="content"><div id="header"><div id="header_content"><div id="header_left"><div id="header_right"><img src="help:/common/top-kde.jpg" width="36" height="34"> Securing a Samba File and Print Server</div></div></div></div><div class="navCenter"><table class="navigation"><tr><td class="prevCell"><a accesskey="p" href="samba-fileserver.html">Prev</a></td><td class="upCell"> </td><td class="nextCell"><a accesskey="n" href="samba-dc.html">Next</a></td></tr></table></div><div id="contentBody"><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="samba-fileprint-security"></a>Securing a Samba File and Print Server</h2></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-security-mode"></a>Samba Security Modes</h3></div></div></div><p>
There are two security levels available to the Common Internet Filesystem 
(<acronym class="acronym">CIFS</acronym>) network protocol: <span class="emphasis"><em>user-level</em></span> and
<span class="emphasis"><em>share-level</em></span>. <span class="application">Samba</span>'s 
<span class="emphasis"><em>security mode</em></span> implementation allows more flexibility, 
providing four ways of implementing user-level security and one way to 
implement share-level:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
<span class="emphasis"><em>security = user:</em></span> requires clients to supply a username and
password to connect to shares. <span class="application">Samba</span> user accounts 
are separate from system accounts, but the 
<span class="application">libpam-smbpass</span> package will sync system users and 
passwords with the <span class="application">Samba</span> user database.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>security = domain:</em></span> this mode allows the 
<span class="application">Samba</span> server to appear to <span class="trademark">Windows</span>® clients as a Primary Domain Controller 
(<acronym class="acronym">PDC</acronym>), Backup Domain Controller (<acronym class="acronym">BDC</acronym>), or 
a Domain Member Server (<acronym class="acronym">DMS</acronym>). See <a class="xref" href="samba-dc.html" title="Samba as a Domain Controller">the section called &#8220;Samba as a Domain Controller&#8221;</a> 
for further information.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>security = ADS:</em></span> allows the 
<span class="application">Samba</span> server to join an <span class="trademark">Active Directory</span>® domain as a native member. See 
<a class="xref" href="samba-ad-integration.html" title="Samba Active Directory Integration">the section called &#8220;Samba Active Directory Integration&#8221;</a> for details.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>security = server:</em></span> this mode is left over from before 
<span class="application">Samba</span> could become a member server, and, due to some 
security issues, should not be used. See the <a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id349531" target="_top">Server Security</a> section of the 
<span class="application">Samba</span> guide for more details.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>security = share:</em></span> allows clients to connect to shares
without supplying a username and password.
</p></li></ul></div><p>
The preferred security mode depends on the environment and what the 
<span class="application">Samba</span> server needs to accomplish.
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-user-security"></a>Security = User</h3></div></div></div><p>
This section will reconfigure the <span class="application">Samba</span> file and 
print server, from <a class="xref" href="samba-fileserver.html" title="Samba File Server">the section called &#8220;Samba File Server&#8221;</a> and the <a class="ulink" href="help:/kubuntu/printing/" target="_top"> Print Server</a>, to require 
authentication.
</p><p>
First, install the <span class="application">libpam-smbpass</span> package, which 
will sync the system users to the <span class="application">Samba</span> user 
database:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo apt-get install libpam-smbpass</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
If the <span class="emphasis"><em><span class="application">Samba</span> Server</em></span> task was 
chosen during installation, <span class="application">libpam-smbpass</span> is 
already installed.
</p></div><p>
Edit <code class="filename">/etc/samba/smb.conf</code>, and in the
<span class="emphasis"><em>[share]</em></span> section change:
</p><pre class="programlisting">
guest ok = no
</pre><p>
Finally, restart <span class="application">Samba</span> for the new settings to take 
effect:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo /etc/init.d/samba restart</strong></span></span>
</pre><p>
Now when connecting to the shared directories or printers, there will be a
prompt for a username and password.
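</p><p>
As an added example, not part of this Kubuntu page or of <span class="application">Samba</span> itself, the following POSIX shell script reads an <code class="filename">smb.conf</code> and reports the global security mode together with every share that still allows guest access, so the mode list above and the <span class="emphasis"><em>guest ok = no</em></span> change just made can be checked on a server in one pass. The configuration embedded in the script is constructed for the demonstration; the <code>audit_smb_conf</code> function name is the example's own.
</p>
```sh
#!/bin/sh
# Constructed smb.conf (not the file on this page): a [global] section and two
# shares, one of which still allows guest access.
SAMPLE_SMB_CONF=$(cat <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   map to guest = Bad User

[share]
   path = /srv/samba/share
   browsable = yes
   guest ok = no
   read only = no

[public]
   path = /srv/samba/public
   guest ok = yes        ; anyone can read this share without a password
EOF
)

# audit_smb_conf: read an smb.conf on stdin and print one finding per line as
# "<SEVERITY> <section> <message>". WARN marks what this page advises against
# (security = share or server, and guest ok = yes on a share); the exit status
# is 1 when at least one WARN was printed, 0 otherwise.
audit_smb_conf() {
    awk '
    # Drop comments and surrounding blanks; skip empty lines.
    { sub(/[;#].*$/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next }
    /^\[.*\]$/ { section = tolower(substr($0, 2, length($0) - 2)); next }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (section == "global" && key == "security") {
            mode = val
            if (val == "share" || val == "server") {
                print "WARN global security = " val " is obsolete; use security = user"
                warn = 1
            } else {
                print "INFO global security = " val
            }
        }
        if (section != "global" && key == "guest ok" &&
            (val == "yes" || val == "true" || val == "1")) {
            print "WARN " section " guest ok = yes: no username/password required"
            warn = 1
        }
    }
    END {
        if (mode == "") print "INFO global security not set; Samba defaults to user"
        exit warn
    }'
}

# Example run on the constructed file; exit status 1 because of [public].
printf '%s\n' "$SAMPLE_SMB_CONF" | audit_smb_conf || echo "audit: warnings found"
```
<p>
On a real server, source the script and run <code>audit_smb_conf &lt; /etc/samba/smb.conf</code>; a non-zero exit status makes it easy to use from a cron job or a configuration check.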
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
To map a network drive to the share, <span class="quote">&#8220;<span class="quote">Reconnect at Logon</span>&#8221;</span> should 
be checked, which will require the username and password to be entered just 
once &#8212; at least until the password changes.
</p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-share-security"></a>Share Security</h3></div></div></div><p>
There are several options available to increase the security for each shared 
directory. Using the <span class="emphasis"><em>[share]</em></span> example, this section will 
cover some common options.
</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="windows-networking-groups"></a>Groups</h4></div></div></div><p>
Groups define a collection of computers or users who have a common level of
access to particular network resources and offer a level of granularity in
controlling access to such resources. For example, if a group <span class="italic">qa</span> is defined and contains the users <span class="italic">freda</span>, <span class="italic">danika</span>, and 
<span class="italic">rob</span>, and a second group <span class="italic">support</span> is defined and consists of users <span class="italic">danika</span>, <span class="italic">jeremy</span>, and 
<span class="italic">vincent</span>, then certain network resources 
configured to allow access by the <span class="italic">qa</span> group 
will subsequently enable access by freda, danika, and rob, but not jeremy or
vincent. Since the user <span class="italic">danika</span> belongs to 
both the <span class="italic">qa</span> and <span class="italic">support</span> groups, she will be able to access resources
configured for access by both groups, whereas all other users will have only
access to resources explicitly allowing the group they are part of.
</p><p>
By default, <span class="application">Samba</span> looks for the local system groups 
defined in <code class="filename">/etc/group</code> to determine which users belong to 
which groups. For more information on adding and removing users from groups, 
see <a class="ulink" href="help:/kubuntu/basics/" target="_top"> Basics</a>.
</p><p>
When defining groups in the <span class="application">Samba</span> configuration 
file, <code class="filename">/etc/samba/smb.conf</code>, the recognized syntax is to 
preface the group name with an "@" symbol. For example, to define a group named 
<span class="italic">sysadmin</span> in a certain section of the 
<code class="filename">/etc/samba/smb.conf</code>, the group name would be entered as
<span class="bold"><strong>@sysadmin</strong></span>.
</p></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a name="samba-file-permissions"></a>File Permissions</h4></div></div></div><p>
File permissions define the explicit rights a computer or user has to a 
particular directory, file, or set of files. Such permissions may be defined by
editing the <code class="filename">/etc/samba/smb.conf</code> file and specifying the
explicit permissions of a defined file share.
</p><p>
For example, for a defined <span class="application">Samba</span> share called 
<span class="emphasis"><em>share</em></span> and the need to give <span class="italic">read-only</span> permissions to the group of users known as 
<span class="italic">qa</span>, while allowing write permissions to the 
share by the group called <span class="italic">sysadmin</span> and the 
user named <span class="italic">vincent</span>, then the 
<code class="filename">/etc/samba/smb.conf</code> file could be edited to add the
following entries under the <span class="emphasis"><em>[share]</em></span> entry:
</p><pre class="programlisting">
read list = @qa
write list = @sysadmin, vincent
</pre><p>
Another possible <span class="application">Samba</span> permission is to declare 
<span class="emphasis"><em>administrative</em></span> permissions to a particular shared 
resource. Users having administrative permissions may read, write, or modify 
any information contained in the resource where they have been given 
explicit administrative permissions.
</p><p>
For example, to give the user <span class="italic">melissa</span>
administrative permissions to the <span class="italic">share</span>
example, the <code class="filename">/etc/samba/smb.conf</code> file would be edited to
add the following line under the <span class="emphasis"><em>[share]</em></span> entry:
</p><pre class="programlisting">
admin users = melissa
</pre><p>
After editing <code class="filename">/etc/samba/smb.conf</code>, restart 
<span class="application">Samba</span> for the changes to take effect:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo /etc/init.d/samba restart</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
For the <span class="emphasis"><em>read list</em></span> and <span class="emphasis"><em>write list</em></span> to
work, the <span class="application">Samba</span> security mode must 
<span class="emphasis"><em>not</em></span> be set to <span class="italic">security = 
share</span>.
</p></div><p>
Now that <span class="application">Samba</span> has been configured to limit which 
groups have access to the shared directory, the filesystem permissions need to 
be updated.
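</p><p>
As an added example, not from this page or from <span class="application">Samba</span>, the script below expands the <span class="emphasis"><em>@group</em></span> entries of a share's <span class="emphasis"><em>read list</em></span>, <span class="emphasis"><em>write list</em></span> and <span class="emphasis"><em>admin users</em></span> against <code class="filename">/etc/group</code>-style entries and prints the effective access of every user, which makes the group-overlap reasoning from the Groups section (danika in both <span class="italic">qa</span> and <span class="italic">support</span>) and the <span class="emphasis"><em>[share]</em></span> permissions above visible at a glance. The group entries and the <span class="italic">sysadmin</span> membership are constructed; <code>effective_access</code> is the example's own function name.
</p>
```sh
#!/bin/sh
# Constructed /etc/group-style entries (not from this page). qa and support
# follow the page's example; sysadmin membership and the gids are made up.
SAMPLE_GROUPS=$(cat <<'EOF'
qa:x:1001:freda,danika,rob
support:x:1002:danika,jeremy,vincent
sysadmin:x:1003:melissa,rob
EOF
)
GROUP_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_GROUPS" > "$GROUP_FILE"
trap 'rm -f "$GROUP_FILE"' EXIT

# The [share] section as the page configures it, with the admin users line added.
SAMPLE_SHARE=$(cat <<'EOF'
[share]
   path = /srv/samba/share
   guest ok = no
   read list = @qa
   write list = @sysadmin, vincent
   admin users = melissa
EOF
)

# effective_access GROUPFILE SECTION < smb.conf
# Expands @group names through GROUPFILE and prints "user level" for every user
# named by read list, write list or admin users in SECTION, sorted by user.
# Ranking: admin > write > read. Samba grants write access to a user who is in
# both the read list and the write list, which the ranking reproduces.
# Only the "@group" form shown on this page is handled ("+" and "&" are not).
effective_access() {
    awk -v section="$2" '
    FNR == NR { split($0, f, ":"); grp[f[1]] = f[4]; next }   # first file: groups
    function grant(name, lvl,    m, mem, j) {
        if (substr(name, 1, 1) == "@") {
            m = split(grp[substr(name, 2)], mem, ",")
            for (j = 1; j <= m; j++)
                if (mem[j] != "" && (access[mem[j]] + 0) < lvl) access[mem[j]] = lvl
        } else if ((access[name] + 0) < lvl) {
            access[name] = lvl
        }
    }
    { sub(/[;#].*$/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next }
    /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2); next }
    cur == section {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]/, "", val)
        lvl = (key == "admin users") ? 3 : (key == "write list") ? 2 : (key == "read list") ? 1 : 0
        if (lvl == 0) next
        n = split(val, names, ",")
        for (i = 1; i <= n; i++) if (names[i] != "") grant(names[i], lvl)
    }
    END {
        for (u in access)
            print u, (access[u] == 3 ? "admin" : access[u] == 2 ? "write" : "read")
    }' "$1" - | sort
}

# Example run: rob is in qa (read) and sysadmin (write), so he ends up with write.
printf '%s\n' "$SAMPLE_SHARE" | effective_access "$GROUP_FILE" share
```
<p>
Against a live system the call is <code>effective_access /etc/group share &lt; /etc/samba/smb.conf</code>. Users who appear in no list (jeremy in the sample) are not printed: their access is governed only by the share's <span class="emphasis"><em>read only</em></span> setting and the filesystem permissions covered next.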
</p><p>
Traditional <span class="trademark">Linux</span>&#8482; file permissions do not map well to 
<span class="trademark">Windows NT Access Control Lists</span>® 
(<acronym class="acronym">ACL</acronym>s).  Fortunately <span class="trademark">POSIX</span>&#8482; 
<acronym class="acronym">ACL</acronym>s are available on <span>Kubuntu</span> servers providing more 
fine-grained control.  For example, to enable <acronym class="acronym">ACL</acronym>s on  
<code class="filename">/srv</code>, an <span class="trademark">EXT3</span>&#8482; filesystem, edit
<code class="filename">/etc/fstab</code>, adding the <span class="emphasis"><em>acl</em></span> option:
</p><pre class="programlisting">
UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv  ext3    noatime,relatime,acl 0 1
</pre><p>
Then remount the partition:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo mount -v -o remount /srv</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The above example assumes <code class="filename">/srv</code> is on a separate partition. 
If <code class="filename">/srv</code> &#8212; or wherever the share path is configured 
&#8212; is part of the <code class="filename">/</code> partition, a reboot may be 
required.
</p></div><p>
To match the <span class="application">Samba</span> configuration above, the 
<span class="emphasis"><em>sysadmin</em></span> group will be given read, write, and execute 
permissions to <code class="filename">/srv/samba/share</code>, the 
<span class="emphasis"><em>qa</em></span> group will be given read and execute permissions, and 
the files will be owned by the username <span class="emphasis"><em>melissa</em></span>. Enter the 
following in a terminal:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo chown -R melissa /srv/samba/share/</strong></span></span>
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo chgrp -R sysadmin /srv/samba/share/</strong></span></span>
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo setfacl -R -m g:qa:rx /srv/samba/share/</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The <span class="application">setfacl</span> command above gives
<span class="emphasis"><em>execute</em></span> permissions to all files in the
<code class="filename">/srv/samba/share</code> directory, which may or may not be 
desirable.
</p></div><p>
A <span class="trademark">Windows</span>® client will show that the 
new file permissions are implemented. See the  <span class="application">acl</span> 
and <span class="application">setfacl</span> man pages for more information on 
<span class="trademark">POSIX</span>&#8482; <acronym class="acronym">ACL</acronym>s.
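</p><p>
As an added example, not from this page or the <span class="application">acl</span> package, the script below does two things the procedure above leaves to the reader: it checks an <code class="filename">/etc/fstab</code> to confirm that the mount holding a share path actually carries the <span class="emphasis"><em>acl</em></span> option (and is not overridden by <span class="emphasis"><em>noacl</em></span>), and it applies the group entry with a capital <code>X</code> instead of <code>x</code>, which addresses the note above by granting execute on directories only and not on every plain file. The fstab entries are constructed; <code>acl_enabled_for</code> and <code>acl_grant_rX</code> are the example's own names.
</p>
```sh
#!/bin/sh
# Constructed /etc/fstab (not the page's); the UUIDs are placeholders.
SAMPLE_FSTAB=$(cat <<'EOF'
# <file system>                            <mount point>     <type> <options>            <dump> <pass>
UUID=00000000-0000-0000-0000-000000000001 /                  ext3   errors=remount-ro    0      1
UUID=00000000-0000-0000-0000-000000000002 /srv               ext3   noatime,relatime,acl 0      1
UUID=00000000-0000-0000-0000-000000000003 /srv/samba/public  ext3   defaults,noacl       0      2
EOF
)

# acl_enabled_for PATH < fstab
# Finds the longest mount point that contains PATH and prints "<mountpoint> acl",
# "<mountpoint> noacl" or "<mountpoint> unset" from the mount options (the last
# of acl/noacl in the option list wins, as for mount). Exit status is 0 only
# when acl is set, 1 otherwise, and 2 when no entry covers PATH.
acl_enabled_for() {
    awk -v path="$1" '
    /^[ \t]*#/ || NF < 4 { next }
    {
        mp = $2
        if (mp == "/" || path == mp || index(path, mp "/") == 1)
            if (length(mp) > length(best)) { best = mp; opts = $4 }
    }
    END {
        if (best == "") { print "no fstab entry covers " path; exit 2 }
        state = "unset"
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] == "acl") state = "acl"
            else if (o[i] == "noacl") state = "noacl"
        }
        print best, state
        rc = (state == "acl") ? 0 : 1
        exit rc
    }'
}

# acl_grant_rX GROUP DIR
# The page applies g:qa:rx recursively, which also makes every plain file
# executable. A capital X grants execute only on directories (and on files
# that already have it). Prints the resulting group entry for DIR and for the
# first file beneath it. Returns 0 with an explanation when the acl tools or
# filesystem support are missing, so it can be run on any machine.
acl_grant_rX() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed; skipping"; return 0; }
    if ! setfacl -R -m "g:$1:rX" "$2" 2>/dev/null; then
        echo "ACLs not supported on $2; skipping"; return 0
    fi
    getfacl -p "$2" 2>/dev/null | grep "^group:$1:" || echo "no entry for $1 on $2"
    f=$(find "$2" -type f | head -n 1)
    if [ -n "$f" ]; then
        getfacl -p "$f" 2>/dev/null | grep "^group:$1:" || echo "no entry for $1 on $f"
    fi
    return 0
}

# Example run against the constructed fstab: /srv carries acl, so status 0.
printf '%s\n' "$SAMPLE_FSTAB" | acl_enabled_for /srv/samba/share || echo "ACLs not enabled"
```
<p>
For the share on this page the live check is <code>acl_enabled_for /srv/samba/share &lt; /etc/fstab</code>, and the page's <code>setfacl</code> line becomes <code>acl_grant_rX qa /srv/samba/share</code> when files should stay non-executable.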
</p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-apparmor"></a>Samba AppArmor Profile</h3></div></div></div><p>
<span>Kubuntu</span> comes with the <span class="application">AppArmor</span> security module,
which provides mandatory access controls. The default 
<span class="application">AppArmor</span> profile for 
<span class="application">Samba</span> will need to be adapted to the proper 
configuration. For more details on using <span class="application">AppArmor</span>, 
please refer to the <a class="ulink" href="https://help.ubuntu.com/community/AppArmor" target="_top">
wiki</a>.
</p><p>
There are default <span class="application">AppArmor</span> profiles for 
<code class="filename">/usr/sbin/smbd</code> and <code class="filename">/usr/sbin/nmbd</code>, 
the <span class="application">Samba</span> daemon binaries, as part of the
<span class="application">apparmor-profiles</span> packages. To install the package 
from a terminal prompt, enter:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo apt-get install apparmor-profiles</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
This package contains profiles for several other binaries.
</p></div><p>
By default the profiles for <span class="application">smbd</span> and
<span class="application">nmbd</span> are in <span class="emphasis"><em>complain</em></span> mode,
allowing <span class="application">Samba</span> to work without modifying the 
profile, and only logging errors. To place the <span class="application">smbd</span> 
profile into <span class="emphasis"><em>enforce</em></span> mode and have 
<span class="application">Samba</span> work as expected, the profile will need to be 
modified to reflect any directories that are shared.
</p><p>
Edit <code class="filename">/etc/apparmor.d/usr.sbin.smbd</code>, adding information for
<span class="emphasis"><em>[share]</em></span> from the file server example:
</p><pre class="programlisting">
/srv/samba/share/ r,
/srv/samba/share/** rwkix,
</pre><p>
Now place the profile into <span class="emphasis"><em>enforce</em></span> mode and reload it:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo aa-enforce /usr/sbin/smbd</strong></span></span>
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r</strong></span></span>
</pre><p>
It is now possible to read, write, and execute files in the shared directory as
normal, and the <span class="application">smbd</span> binary will have access to only
the configured files and directories. Be sure to add entries for each directory
that <span class="application">Samba</span> is configured to share. Any errors will 
be logged to <code class="filename">/var/log/syslog</code>.
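</p><p>
As an added example, not from this page or from the <span class="application">AppArmor</span> project, the script below cross-checks the shares defined in an <code class="filename">smb.conf</code> against an <code class="filename">usr.sbin.smbd</code> profile and lists every share path that lacks one of the two rules added above, which is the "add entries for each directory" step automated. Both the configuration and the profile excerpt embedded in the script are constructed; the function names are the example's own.
</p>
```sh
#!/bin/sh
# Constructed smb.conf (not the page's): two shares, of which only [share] has
# been added to the AppArmor profile excerpt below.
SMB_CONF_SAMPLE=$(cat <<'EOF'
[global]
   security = user
[share]
   path = /srv/samba/share
   guest ok = no
[scans]
   path = /srv/samba/scans/
   guest ok = no
EOF
)
# Constructed excerpt of /etc/apparmor.d/usr.sbin.smbd with the page's two rules.
PROFILE_SAMPLE=$(cat <<'EOF'
/usr/sbin/smbd {
  /srv/samba/share/ r,
  /srv/samba/share/** rwkix,
}
EOF
)

# share_paths < smb.conf : print the "path =" of every section except [global],
# without a trailing slash, one per line.
share_paths() {
    awk '
    { sub(/[;#].*$/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next }
    /^\[.*\]$/ { section = tolower(substr($0, 2, length($0) - 2)); next }
    section != "" && section != "global" {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "path") { sub(/\/+$/, "", val); print val }
    }'
}

# profile_covers PROFILE_TEXT PATH : succeed only if the profile contains both
# rules the page adds for a share, "PATH/ r," and "PATH/** rwkix,".
profile_covers() {
    rules=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*//')
    printf '%s\n' "$rules" | grep -qxF "$2/ r," || return 1
    printf '%s\n' "$rules" | grep -qxF "$2/** rwkix," || return 1
}

# missing_profile_rules PROFILE_TEXT < smb.conf : print every share path the
# profile does not fully cover; exit 1 if there is at least one, else 0.
missing_profile_rules() {
    missing=$(share_paths | while read -r p; do
        profile_covers "$1" "$p" || printf '%s\n' "$p"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Example run: [scans] is shared but has no rules in the profile excerpt.
printf '%s\n' "$SMB_CONF_SAMPLE" | missing_profile_rules "$PROFILE_SAMPLE" \
    || echo "add the lines above to the smbd profile before aa-enforce"
```
<p>
On a server the call is <code>missing_profile_rules "$(cat /etc/apparmor.d/usr.sbin.smbd)" &lt; /etc/samba/smb.conf</code>; running it before <code>aa-enforce</code> avoids the denials that would otherwise appear in <code class="filename">/var/log/syslog</code> the first time a client opens the unlisted share.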
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-security-resources"></a>Resources</h3></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
For in-depth <span class="application">Samba</span> configurations, see the 
<a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/" target="_top">
<span class="application">Samba</span> HOWTO Collection</a>.
</p></li><li class="listitem"><p>
The guide is also available in <a class="ulink" href="http://www.amazon.com/exec/obidos/tg/detail/-/0131882228" target="_top">printed 
format</a>.
</p></li><li class="listitem"><p>
O'Reilly's <a class="ulink" href="http://www.oreilly.com/catalog/9780596007690/" target="_top">Using
<span class="application">Samba</span></a> is also a good reference.
</p></li><li class="listitem"><p>
<a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html" target="_top">Chapter 18</a> of the <span class="application">Samba</span> HOWTO Collection is 
devoted to security.
</p></li><li class="listitem"><p>
For more information on <span class="application">Samba</span> and ACLs, see the 
<a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id397568" target="_top">
<span class="application">Samba</span> <acronym class="acronym">ACL</acronym>s page</a>.
</p></li></ul></div></div></div></div><div id="footer"><div class="navCenter"><table class="navigation"><tr><td class="prevCell"><a accesskey="p" href="samba-fileserver.html">Prev</a></td><td class="upCell"><a accesskey="h" href="index.html">Home</a></td><td class="nextCell"><a accesskey="n" href="samba-dc.html">Next</a></td></tr><tr><td class="prevCell">Samba File Server </td><td class="upCell"> </td><td class="nextCell"> Samba as a Domain Controller</td></tr></table></div><div id="footer_text"><br><a href="mailto:ubuntu-docs@lists.ubuntu.com" class="footer_email">
	  Ubuntu Documentation Project
        </a></div></div></div></body></html>