Paranoid Penguin - Samba Security, Part II

Build a secure file server with cross-platform compatibility.
Setting Up User Accounts

The last task we've got space for this month is setting up our user accounts, and there are four steps:

  1. Create the accounts under Linux.

  2. Assign those accounts Linux passwords.

  3. Create Samba password database entries for each.

  4. Have the users change their Samba passwords.

Step one is to use whatever method you usually use to create user accounts on your system—either by using your system administration GUI of choice (such as GNOME's Users and Groups applet) or via the commands useradd, userdel and so forth.

For example, to create Pepe's account, I could use the following command. Note the sudo, necessary for Ubuntu. On other distributions, su to root before executing these commands, and omit the sudo that each begins with here:

bash-$ sudo useradd -c "Pepe" -m -g users pepe

This creates the user account pepe with the comment Pepe, automatically creates a home directory (/home/pepe) and assigns it to the group users. To be extra paranoid, you could insert the string -s /bin/false after -g users, which will disable normal Linux logins for Pepe's account, making it useless for anything other than Samba access.

Step two is to set each user's Linux password, like this:

bash-$ sudo passwd pepe

Obviously, you need to communicate whatever password you set here to Pepe in a secure fashion, and Pepe will need to change this password to something you don't know. (But that part happens in step four.)

Step three is to use the smbpasswd command to create each user's Samba password database entry, like so:

bash-$ sudo smbpasswd -a pepe

You'll be prompted to set and confirm Pepe's Samba password, after which the new account will be added. It's probably a good idea to use the same initial password here that you used in step two.

Finally, you'll want Pepe to log in to the system (assuming you didn't set his shell to /bin/false) and issue the following command:

pepe@casademick$ smbpasswd

Pepe will be prompted for his old password, his new password and confirmation of his new password. Assuming all three of those are good, Samba will change both Pepe's Samba password and his Linux password accordingly. Note that this synchronization does not occur when you create a new Samba password entry as root, using the -a flag.

If Pepe has an invalid shell, such as /bin/false, you'll have to let him sit at your console while you type the command sudo smbpasswd pepe, and then turn your back while he changes his password. You'll then need to do the same thing with the command sudo passwd pepe, because Samba does not synchronize Linux/UNIX passwords if you execute smbpasswd as root.

Conclusion

We've specified our usage scenario, set up some basic global settings using Swat and started adding users. Next month, we'll create the actual shares, but if you can't wait until then, you'll have no problem figuring out how using Swat's ample documentation. The “Official Samba 3.2.x HOWTO and Reference Guide” (see Resources) also may help. Have fun, and be safe!

______________________

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState