Paranoid Penguin - Samba Security, Part III

Start creating shares on your secure Samba file server.
Conclusion

That's all we've got space for this month. Next time, we'll create that third, mick-only share (I'll bet you can figure that out yourself beforehand), create persistent Samba mounts on our client systems using smbmount and at least briefly address some miscellaneous Samba security topics, such as how to make Samba automatically and safely serve people's home directories. Until then, be safe!

Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

troubleshooting with smbclient failed

honkytonkwillie's picture

Everything in this series of articles has worked so far until I get to the section in part III with smbtreee and smbclient.

when I enter the command

"smbclient //myserver/share -U nobody" with no password,

I get

Anonymous login successful
Domain=[MYWORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
tree connect failed: NT_STATUS_ACCESS_DENIED

Same thing happens when I use "totallyfakeusername".

Is there some obvious config thing I missed? Aside from adding users and passwords at manually at the command line, everything else I did using SWAT.

The only other item I can think to mention is that I'm not working on my server directly, but through my network from my main workstation.

Thank you.

Honkytonkwillie

troubleshooting with smbclient failed

EdSol's picture

Took me some time to figure out NT_STATUS_ACCESS_DENIED (Not a very informative thing). I remembered trying this one recently. Might help you too:

http://www.microdevsys.com/WordPress/2009/07/27/networking-sharing-folde...

Good Luck!
EdSol

edit

honkytonkwillie's picture

upon closer inspection, when trying to force a Bad User with "totallyfakeusername", I do not get an "Anonymous login successful" message, and alss the domain is different,
Domain=[MYSERVER] instead of Domain=[MYWORKGROUP]. I still get a "tree connect failed: NT_STATUS_ACCESS_DENIED" error.

Same problem here I

Anonymous's picture

Same problem here

I get
Domain=[FED-CENTRAL] OS=[Unix] Server=[Samba 3.4.0]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

Please help
Tx

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix