Security :: Unable To Use Windows To Change The Security Of The Samba Share?
Mar 19, 2010
I've got a samba share on a linux server, connecting to it with a windows 2k3 server via tools > map network drive. The goal is to be able to use windows to change the security of the samba share. The good news is it works! The bad news is it's not QUITE perfect:
The share is called /company. I started with the following to give everyone access to everything, set the owner of the share to administrator (my domain admin on the Windows domain), and set the group owner to domain users (group that everyone on the domain is part of):
Code:
chmod -R 777 /company
chown -R administrator /company
chgrp -R "domain users" /company
I then mapped the drive as a regular user, and of course, can access/modify/delete/rename/create anything I want. Then I picked a folder to lock down. Let's call it /company/myFolder. I did this on the Windows server by mapping the drive as administrator (the owner), right click > properties > security tab > advanced > highlight "domain users" and "everyone" and click edit > clear all (i.e. remove all access). Go back to Linux and
[Code]..
The only issue that remains is that I am able to rename/delete "myFolder" as a regular user. I thought this was coming from the "acl map full control = true" parameter in smb.conf, but I changed it to false and verified the change and it still happens. If I remove group and world write access to /company, I am no longer allowed to rename/delete myFolder, but then I can't create a new folder. If I add group write access back in I can create files but can also rename/delete folders within /company that have --- specified for group access. Any ideas what I need to tweak to make this right?
Jun 10, 2010
Why doesn't the following work with ext3 or 4?
dd if=/dev/urandom of=/tmp/container.bin bs=1024 count=20000
sudo losetup /dev/loop2 /tmp/container.bin
sudo cryptsetup -c aes -s 256 --verify-passphrase luksFormat /dev/loop2
[code].........
Mar 24, 2010
I need to allow my Windows users to be able to check off "Read-Only" or "Hidden" attributes on our Samba share. Currently it's not allowing me to do so.
After searching online, I set the map readonly, hidden and archive option to "yes". Then my entire files were hidden.
I'm having a hard time understanding the concept of the "map" option in smb.conf
Jul 15, 2011
I am unable to access samba share from my windows machine. I am getting the following error
Jan 23, 2010
I can't be the first one with this problem. What am I missing?
I have setup Samba servers in the past, just none under SELinux. The last one I configured was a couple years ago, so I wouldn't doubt I'm a bit rusty.
---- Environment summary:
Clean server install of CentOS 5.4 includes SELinux
- lets call this 'server'
- updated samba to 3.0.33-3.15.el5_4.1
Client1 - Windows XP sp4 - WINS configuration uses 'server' noted above
Client2 - Windows Vista - WINS configuration uses 'server' noted above
---- What works / what doesn't ------
Clients can see the server (XP and vista) in network neighborhood.
The following does not work from windows (xp or vista)
net view
net view \\server
net view \\server-ip
net view \\server\share
This does work on the server
smbclient -L \server
smbclient -L \server --user validuser
smbclient -L \client1 --user validuser
---- What I have configured and tried (config/output below) --------
firewall ports for samba are open
SELinux enforcing or permissive
file context is set on share
samba booleans are set
***firewall
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p udp --dport 139 -j ACCEPT
***SELinux mode/booleans
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
# getsebool -a | grep smb
allow_smbd_anon_write --> off
smbd_disable_trans --> on
# getsebool -a | grep samba
samba_domain_controller --> on
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> on
virt_use_samba --> off
***filesystem
# semanage fcontext -a -t samba_share_t "/share/photos(/.*)?"
# restorecon -R -v /share/photos
***Disks
# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda3 9920624 2070872 7337684 23% /
/dev/sda1 101086 19146 76721 20% /boot
tmpfs 1846656 0 1846656 0% /dev/shm
/dev/mapper/VolGroup00-xen
100791728 202540 95469188 1% /xen
/dev/mapper/VolGroup00-photo00
251981556 191716 238989840 1% /share/photos
/dev/mapper/VolGroup00-dmsdoc00
100791728 192256 95479472 1% /share/alfresco
none 1846656 104 1846552 1% /var/lib/xenstored
***smb.conf
[global]
workgroup = workgroup
netbios name = server
security = user
name resolve order = wins hosts lmhosts bcast
encrypt passwords = yes
hosts allow = 192.168.0.
hosts deny = 192.168.122.
interfaces = eth0
passdb backend = tdbsam
oslevel = 222
local master = yes
domain master = yes
preferred master = yes
cups options = raw
username map = /etc/samba/smbusers
wins support = yes
log level = 4
guest ok = yes
[photo]
comment = Photos
path = /share/photos
read only = yes
guest ok = yes
Jan 22, 2011
I have installed Ubuntu 10.10 and the Samba addon to configure my shares to my Windows terminals. This is what I got:
Firewall off (utf disabled)
Internal Sata /dev/sda1 (EXT4 FS)
External USB HDD /dev/sdb1 mounted at /media/SG1500GB (EXT4 FS)
I have two shares
1. //home/test - Which I can see and access with no problems (can't write to it though even though I set the share as writable?, but, I can read from it). This is available to everyone. My windows terminal can see this folder and access it. This is on my main 80GB internal drive /dev/sda1.
2. //media/SG1500GB/Music. I set this up for everyone full access and I can see it at all my Windows machines, but I can't get into the folder. Windows keeps giving me an error stating network path not found. I also try to access it via Nautilus (Places/Network/system/music) and get an error message "unable to mount location, Failed to mount windows share". This drive is mounted per the disk utility.
Jan 28, 2010
I have been trying to get my Samba 3.x NAS to connect to my Windows XP laptop. I can see the server though I cannot open it and see the shares. I have run various tests on the network and Samba (ping, smbclient) though still cannot find why I can't connect.
I can access the NAS via webmin, so I am thinking I need the security or the services settings on the XP machine. Is there a list somewhere of the Windows XP services and security settings required to share files?
Jun 15, 2010
I have read that to improve security in Ubuntu a good fix is to make the /home folder tree non-executable by default. This would mean that malware could not run in the /home tree without changing the setup. Is this a viable change, or is it just icing on the cake? Does anyone have any thoughts on this?
May 20, 2011
Due to the last thread I posted getting way off topic, due to my bad doing, I will post it again to get the thread back on topic. I will try it one last time; hopefully these myths will be cleared up and this thread will stay on topic and not derail like the last one. The myths going around on the internet:
1. Less than 1% use Linux and 10% use Mac OS X; it is not that they are so much better, but market share. The malware makers are going to Windows, where the market share is.
2. Windows has more security, but most people don't use it.
3. Mac OS X security is not that good; Windows is better.
4. Windows has more gradual permission levels than an ON and OFF like Linux or Mac OS X.
5. Malware is growing with Linux and Mac OS X now.
Dec 10, 2010
Some time back using this computer a SucKit rootkit was found. Having dd urandomed the drive, flattened CMOS battery, flashed BIOS, run Knoppix live CD 6.1,using no flat pack battery (laptop), and memtested the RAM, I am still having problems with what I suspect is a javascript file that tries to reload the rootkit from? firmware. I suspect the firmware as everything else should have eradicated it??
Also it or a hacker via a backdoor then corrupts the drivers so devices malfunction. Windows security programs and rootkit detectors don't seem to pick it up. Fresh install of Windows or linux after the above still show this problem, though internet not used. The person who admitted rootkitting this machine is capable of writing java programs or using javascripts to do all this.
When viewed using Ubuntu 8.4 files and dates on a Windows partition appear normal both in file manager and terminal. However booting using Knoppix CD these files are all green, and I cannot change their permissions, even as root. ie: everything is green including text files etc. If I copy them to a linux partition, I can change their permissions and make them nonexecutable and nonwritable. Also on the Windows FAT32 partition the . directory has the date 1 Jan 1970.
If I disable any green files, I can shutdown and reboot cleanly. If I don't I start having problems shutting down [/usr/sbin/init ?] And always these follow a pattern:
Can't remember details as I have now corralled the beast but error messages relating to:
nfs-server
inet.d/statd
are the start of these.
Jan 15, 2010
I've just installed Ubuntu 9.10 and Samba 3.4. I've shared a folder and have accessed the share from a Windows 7 client. However, I've struggled to configure the share and folder so that the Win7 client can create files and/or folders in the share. Kept getting Permission Denied errors. Finally, (using Webmin) I set the permissions on the file folder so that "Other" had write access. I don't understand why this was necessary (and how unsecure this is). I already had the write access checkbox ticked for "User" but it wasn't enough.
May 25, 2010
I have been trying to share folders from my main PC, which is running Ubuntu 10.04. I have been able to figure out Samba enough to get a couple of my folders shared, but I have been unable to share any folders which are on my external hard drive. After entering the path in my smb.conf file they appear on the network but I am unable to navigate to them. When trying to navigate to them through the network folder on the PC they are actually connected to, I get an "Unable to mount location: Failed to mount windows share" dialog box. On the Windows PC I am trying to share with I get, "Windows cannot access \\Josh-Desktop\name of folder"
My smb.conf file looks like this:
The folders I cannot access are Music and Videos.
Sep 10, 2009
As Linux gains in popularity, (as I believe it will), do you think that Linux will ever become the target of as many virus and worm threats as Windows has faced? If so, do you think that the threats will have much success?
Apr 28, 2011
equivalent of "force_user" when sharing with nautilus-share? To put this question into context, I have shared out a folder with "Allow others to create ..." and "Guest Access ..." turned on via the GUI (I believe nautilus-share is the application behind the GUI). When Guest accounts create files or folders, I want the owner of the files or folders to be a specific user, rather than "nobody". In a Samba server, I know you can use the parameter "force_user" in the smb.conf (under an individual sharename) which will specify the owner of the files and subfolders created through the share.
I have tried to add this parameter to the files created in /var/lib/samba/usershares but the owner of the files and folders is still "nobody". (NOTE: I rebooted the PC after making the change to the file.) I have just done a fresh installation of Ubuntu 10.10 Desktop with nothing else installed (except the current updates and the necessary components needed when sharing folders). As a follow-on question, I also want to set the permissions for files and folders, to replicate what the "create_mask", "force_create_mode", "directory_mask" and "force_directory_mode" parameters do within a Samba server.
Aug 25, 2009
Does anybody know if there is a quick and easy way to simply disable samba security to avoid "Access Denied" errors when trying to access shares via Windows XP?
Sep 20, 2010
I have an openSUSE 11.1 (64-bit) machine file sharing with Samba in a mixed OS environment [Linux, WinXP, Mac], and the share appears in Network Neighborhood on PCs OK, and the sharing is OK. But there is 1 matter that I would like to change. In Network Neighborhood the machine name appears as Samba 3.2.7-11.7.1-2373-SUSE-CODE11 (NameMyMachine). The NameMyMachine is just fine, but the 1st part -- Samba 3.2.7-11.7.1-2373-SUSE-
Nov 11, 2010
I've begun to work on getting my access control set up properly on my server, and want to create a "my documents" folder for each user I add. I do not want it being part of the home directory and have read everything and still can't seem to get it to work. I've got a second drive that is mounted at /private on my server, with a folder underlying on it called users and groups. Then from there it has the exact unix username that I set up in Users and Groups. Ex. /private/user/gary . With Samba, I added the following code:
Code:
[My Documents]
guest ok = no
comment = %u's Documents
[code]....
I've tried using %u,%U,%S, and the normal username and of all of them, it will only work with the username. I've even used force user. added root to the valid users list and it still gives me access denied or the multiple connections to a single share with multiple user names prohibited but nothing is mounted on this share. On Webmin, it doesn't show any connections to the share. I'm rather at a stumped state in which is frustrating me, because I want to have this so when I go from my desktop to my laptop I have "My Documents" On either unit. Security on the server is set to User because I've searched to see if I can't find a way to make shares visible by a guest but read only to them and when I access them from my log in to make it read write using the "Share" option.
Apr 5, 2011
I have a samba share that was previously hosted by and accessed by Windows operating systems. As a result the filenames of all the files are not very command-line/linux friendly. I need to get a script or app that can go through the samba share recursively and change all file names to lowercase and replace spaces in the names with a ".", "_" or something.
Sep 29, 2009
If you use vnc real and you share the vnc to a guest and you give him the password, and after he ends the look you want to kill him, how can you do that on the xterm? I know that vncconfig can do it, but I want to know if there is a way to do it by yourself, killing the ip or something.
Dec 10, 2010
My server info:
SUSE 11.3 , authenticated against LDAP, I am able to log in using LDAP credentials.
I did run smbpasswd -w password
After I configured the smb.conf file, I try to do this on the Terminal to make sure it will work in Windows machines but I got this error:
user@mybox:~> smbclient -L mybox.mydomain.com
Enter user's password: (I enter the user password here)
Connection to mybox.mydomain.com failed (Error NT_STATUS_CONNECTION_REFUSED)
so I went to /var/log/samba.log to check the error file, I got this :
Connection to LDAP server failed for the 1 try!
[2010/12/10 18:08:50.919813, 1] lib/smbldap.c:1330(another_ldap_try)
Connection to LDAP server failed for the 2 try!
[2010/12/10 18:08:52.133624, 1] lib/smbldap.c:1330(another_ldap_try)
Connection to LDAP server failed for the 3 try!
and it kept going on and on until I stop it.
Here is my smb.conf file, please take a look to see what I've done wrong here. I tried to take out WORKGROUP in GLOBAL but there were errors like "Work group name x.x.x.com is too long", so I put in WORKGROUP = etc.
[global]
workgroup = mybox
passdb backend = ldapsam:ldap://ldap.my domain.com:11389/
ldap suffix = dc=my domain,dc=com
name resolve order = wins bcast hosts
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = "cn=sambaLabs2,ou=roles,dc=domain name,dc=com"
ldap ssl = start tls
server string = "my File Server"
security = user
log file = /var/log/samba.log
log level = 1
Max log size = 50
wins support = yes
wins server = my wins servers here
winbind enum users = no
winbind enum groups = no
unix extensions = no
wide links = yes
hosts deny = ALL
hosts allow = 192.168.
interfaces = lo eth0
bind interfaces only = true
browseable = No
read only = No
usershare allow guests = No
load printers = yes
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
[homes]
comment = home directories
browseable = No
valid users = %S
read only = No
writable = yes
create mask = 0660
directory mask = 0770
inherit acls = Yes
inherit permissions = yes
[sharefolder]
path = /sharefolder
valid users = @users,%S
inherit acls = Yes
inherit permissions = yes
[printers]
path = /var/spool/samba
browsable = no
public = yes
[print$]
comment = Printer Drivers
path = /etc/samba/drivers
browsable = yes
guest ok = no
read only = yes
write list = root
force group = ntadmin
create mask = 0664
directory mask = 0775
Thank you in advance.
Nov 13, 2010
My Samba server is working properly, but I want to mount it permanently on a Linux (Red Hat) client. I have tried /etc/fstab and also the autofs service, but both are not working for me.
1. /etc/fstab: I made the following entry in it: //192.168.0.254/myshare /temp smbfs credentials=/root/pass 0 0 and when I use the command mount -a it shows "unknown filesystem smbfs". Why is this so?
2. using autofs
my auto.master file is shown below
#
# $Id: auto.master,v 1.4 2005/01/04 14:36:54 raven Exp $
#
# Sample auto.master file
[code]....
Jun 29, 2010
I can map the share just fine, but cannot write, regardless of how open I make the permissions of the Samba share.
Share from testparm:
[student]
comment = Test share
path = /home/share/students
valid users = @students
admin users = DSSJCAdministrator
write list = @students
read only = No
create mask = 0770
force create mode = 0770
directory mask = 02770
force directory mode = 02770
directory security mask = 0775
guest ok = Yes
getfacl:
getfacl /home/share/students/
getfacl: Removing leading '/' from absolute path names
# file: home/share/students/
# owner: root
# group: students
user::rwx
group::rwx
group:students:rwx
mask::rwx
other::rwx
AD auth works fine with winbind, getent/wbinfo returns properly enumerated groups.
Unfortunately, the logs say:
[2010/06/29 11:17:32, 2] smbd/open.c:2447(open_directory)
open_directory: unable to create New folder. Error was NT_STATUS_ACCESS_DENIED
Oct 10, 2010
System: openSUSE 11.3, Gnome
In the Windows network, there are 2 or more shares as follows:
I can access both shares in nautilus e.g. "smb://bla.bla.company.com/share $". The shares are mounted then in "home/user/.gvfs/". ok.
In one of shares, is a file-based repo, which I can access easily with svn.
Unfortunately when I try to checkout any normal folder from a share (as in MS$ with Tortoise), I fail...
What's more in the file-based repo, external references exist to other shares in the network, the name is as "file:///X:/folder/file.txt". SVN gives error messages about such references and does not access files (where "X:/" is also mounted, but as a "test$ to smb://bla.bla.company.com/test$" in "home/user/.gvfs/ ").
My questions:
- what is the best solution to mount shares, so I can access all the SVN repos?
- How can I access normal files and folders from a share with svn?
- How can the problem with external file references in a file-based SVN repo be solved, without having to checkout/commit files "manually"?
- Some checkouted scripts (Perl, etc.) use libs from shares:
"Use lib qw(r:/tools/perl/lib/)". How to get around this as well?
- How can I change mount names: "test$ on smb://bla.bla.company.com/test$" to something like "share-test$"?
- How can I change the mount location? in "home/user/SAMBA/" instead of "/home/user/.gvfs/"..
I had tried to use "fuse-smb": installed, created config, but when I run "fusesmb /home/user/SHARES/", i get an error message: smb.conf is missing.. Where can I get this config?
And one last question: Can someone recommend me an svn GUI? I have tried rabbitcvs, esvn and some others, but all either do not work or crash.
I'm not sure, but maybe I can use svn and tortoise in wine, and checkout/commit the necessary files from/to "home/user/project/"? there raises the questions whether it is possible to install tortoise in wine and how to mount the shares on the wine? How to manage the hard-coded lib-names in some scripts...
Mar 5, 2010
I have an Ubuntu server with some shares and a Windows XP client in an active directory, i've created all the right accounts but can't seem to connect my linux box from the XP machine wouldn't the user name box popping up with ACTIVEDIRETORYNAMEusername like that? hope that makes sense, the account to access the share is locally created on the linux box?
Jan 25, 2011
I had a connection to my other Windows computer the other day automatically in the Places-->Network-->Windows Network folder but it now seems to have disappeared. I tried going to Places, Connect to Server and typing in the Windows computer name but it won't connect and errors out. I also tried the IP: Cannot display location "smb://%5C%5C192.168.1.36/"
Aug 31, 2010
I have configured a Samba share in RHEL 5.4. It is accessible from another Linux machine, but I want to access it from a Windows machine; how can I do it? I also want to know: in RHEL my partitions are in ext3 format, so how can Windows detect this partition? Is a Samba share independent of the filesystem on either machine?
case2:---
I have configured Samba on Windows Server 2008; how can I mount it on a Linux machine?
Mar 9, 2011
I am setting up samba on my CentOS server for the first time. I am using webmin to configure samba. Here is the smb.conf
Code:
[global]
netbios name = KISKA
cups options = raw
load printers = yes
server string =
[code]...
I can see the domain name "KISKA" in the "network" tab of Windows Explorer, however when I click on it I get this error: Windows cannot access \\KISKA check the spelling of the name. otherwise there might be a problem with your network. Under the details of this error I get this: "The network path was not found". Also I have stopped iptables so it can't be firewalled.
Apr 18, 2011
Below is my samba config. Is there anything that appears obviously wrong?
Why can't I map a drive?
from a windows 7 x64 workstation:
The network path was not found.
Feb 15, 2010
I just set up an ubuntu 9.10 server (no desktop environment, command line only) and I'm unable to see my samba share. I followed these instructions. Here are the relevant parts of my smb.conf file: Quote:
workgroup = JASONGROUP
# I un-commented this
security = user
[code]....
Apr 30, 2010
I got my server set up with 10.04, and with everything installed: DHCP, SSH, Samba, VBox, etc.
DHCP, SSH work fine, but I am having problems where I cannot ping the hostname of the machine.
It worked for a few minutes after I got everything installed and now it's not letting me connect via hostname. I can connect fine if I use the IP address. I cannot ping the machine by hostname unless I add its IP address to the hosts file.