Gentoo Forums
[SOLVED] SMB (samba) server security

umka69
Tux's lil' helper
Joined: 31 Mar 2013
Posts: 124

Posted: Sat Sep 13, 2014 3:24 pm    Post subject: [SOLVED] SMB (samba) server security

Hello, people!
How to create a virtual disk for Windows (VHD) in Gentoo?
I like to share one of my lvm partitions in a network.
_________________
Make a wish, this text is magic. :)


Last edited by umka69 on Sun Sep 27, 2015 10:11 pm; edited 2 times in total

Roman_Gruber
Advocate
Joined: 03 Oct 2006
Posts: 3846
Location: Austro Bavaria

Posted: Sat Sep 20, 2014 7:02 pm

That sounds like a job for samba. I have never done it but you may check howtos about samba.

Well, on second thought you have to specify your use case scenario.

Are those two workstations connected over lan? => Samba
Is it one box which boots windows and wants to access gnu linux? => ntfs3g

Please specify.

The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2678

Posted: Sat Sep 20, 2014 7:27 pm

If Windows needs to access the drive, then samba. If only other *nix boxes do, nfs is probably better.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

umka69
Tux's lil' helper
Joined: 31 Mar 2013
Posts: 124

Posted: Sun Sep 20, 2015 10:53 am

Thank you, samba looks good for my network. MacOS, Windows and LinuxMint support SMB protocol. :)
I have installed samba server.

There are two public directories and two users. Can I access both at the same time?
"Access deny" error happens every time I try to use both accounts on the same client?
AS: The accounts work perfectly if I use them separately.

Here is my smb.conf
Code:
home ~ # cat /etc/samba/smb.conf
[global]
restrict anonymous = 2
log file = /var/log/samba.log
workgroup = home
security = user
encrypt passwords = yes
interfaces = lo wlp5s0
hosts allow = 127.0.0.1 192.168.0.0/24
hosts deny = 0.0.0.0/0

[store-user1]
case sensitive = no
path = /opt/store/user1
browseable = yes
writeable = yes
create mode = 0750

[store-user2]
case sensitive = no
path = /opt/store/user2
browseable = yes
writeable = yes
create mode = 0750

_________________
Make a wish, this text is magic. :)

umka69
Tux's lil' helper
Joined: 31 Mar 2013
Posts: 124

Posted: Sun Sep 20, 2015 11:00 am

I just realized that the problem is the security parameter.
If I set it to the share option it works. But is it safe?

Code:
security = share

_________________
Make a wish, this text is magic. :)

krinn
Watchman
Joined: 02 May 2003
Posts: 7470

Posted: Sun Sep 20, 2015 11:27 am

umka69 wrote:
"Access deny" error happens every time I try to use both accounts on the same client?
AS: The Accounts works perfect if I use them separate.


https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2559439
share: access granted to user1 AND user2 AND anyone with its password to either store/user1 AND store/user2.
This doesn't look sane to me.

If you want a password-protected directory that everyone could access, grant access to one directory only to anyone (/opt/store/all_user_with_password + share security); otherwise you may mislead user1 into thinking that /opt/store/user1 is a private place only for him.

While it might be clear to you, it's still a risk you put on your user1 and user2, who may mistake the purpose of these directories and breach their privacy (and security, if user1/2 start storing passwords in them...).

umka69
Tux's lil' helper
Joined: 31 Mar 2013
Posts: 124

Posted: Sun Sep 20, 2015 3:20 pm

If I understand you correctly, it is possible to connect to the user2 directory with user1 access level.
I have just tried it. There is an access error because of directory permissions, so only user2 can access the user2 directory, for example.
Code:
home ~ # ls -l /opt/store/
total 24
drwx------ 2 root  root  16384 Sep 17 16:31 lost+found
drwxr-x--- 5 user1 user1  4096 Sep 20 15:14 user1
drwxr-x--- 9 user2 user2  4096 Sep 20 17:23 user2

I'm just a newbie. Can you advise the correct method to build this architecture?
_________________
Make a wish, this text is magic. :)

krinn
Watchman
Joined: 02 May 2003
Posts: 7470

Posted: Sun Sep 20, 2015 10:52 pm

It tells you the password is sent, but not the username, so user1 can connect to user2 with its password; but once done, user1 is now handled as "user2" and it couldn't access user1 then...
Quote:
Can you advise the correct method to build this architecture?

I'm not even sure what you are trying to do; but from the very start I would have used ssh if I couldn't use nfs (I'm less sure if any nfs client exists for windows, but ssh does; osx should have both), using the stronger rules linux uses instead. If you really want to use samba, I'm not an expert at all with it, but I would look for ldap access then.
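
An added example, not part of any post in this thread: a small Python check over an smb.conf that flags the two conditions discussed above, share-level security (password checked without a username) and shares that carry no `valid users` list. The sample configs are constructed from the thread's share names and paths; the function name `audit_smb_conf` and the `valid users = user1` / `user2` lines are assumptions of this example.

```python
import configparser

# Constructed samples: share names and paths mirror the thread's smb.conf.
# WEAK is the "security = share" variant; HARDENED adds per-share valid users.
WEAK = """
[global]
security = share
[store-user1]
path = /opt/store/user1
[store-user2]
path = /opt/store/user2
"""

HARDENED = """
[global]
security = user
[store-user1]
path = /opt/store/user1
valid users = user1
[store-user2]
path = /opt/store/user2
valid users = user2
"""

def audit_smb_conf(text):
    """Return (section, finding) tuples for share-access weaknesses."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    # Assumption: an unset "security" is treated as user-level.
    mode = cp.get("global", "security", fallback="user").strip().lower()
    if mode == "share":
        findings.append(("global", "share-level security: password only, no username"))
    for name in cp.sections():
        if name.lower() in ("global", "homes", "printers"):
            continue  # special sections, not ordinary file shares
        if not cp.get(name, "valid users", fallback="").strip():
            findings.append((name, "no 'valid users': only filesystem permissions restrict access"))
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_smb_conf(conf))
```

With `security = user` and a `valid users` line per share, Samba refuses the other account at the share level, and the directory permissions shown in the `ls -l` output remain a second check underneath.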

mrbassie
l33t
Joined: 31 May 2013
Posts: 772
Location: over here

Posted: Thu Oct 01, 2015 1:31 pm

https://www.samba.org/samba/docs/using_samba/appa.html

EDIT: Are you trying to stop the 2 users accessing each other's directories?

I've tried to set up gentoo servers in active directory environments twice, the first time I spent weeks following every guide I could find but it always ended up that every user could do either everything or nothing. I'm not alone, there are threads on the freenas, freebsd etc forums where others were frustrated by the same thing. Occasionally you'll find someone who got permissions to work but it didn't seem to work for everybody else.

The second time I created a zfs zvol and formatted it to ntfs fuse, shared it with samba and set permissions with the windows domain controller. Worked like a charm and took me an afternoon of reading + tinkering.

I imagine you could do something similar with lvm and a workgroup.

mrbassie
l33t
Joined: 31 May 2013
Posts: 772
Location: over here

Posted: Thu Oct 01, 2015 3:43 pm

mrbassie wrote:
https://www.samba.org/samba/docs/using_samba/appa.html

EDIT: Are you trying to stop the 2 users accessing each other's directories?

I've tried to set up gentoo servers in active directory environments twice, the first time I spent weeks following every guide I could find but it always ended up that every user could do either everything or nothing. I'm not alone, there are threads on the freenas, freebsd etc forums where others were frustrated by the same thing. Occasionally you'll find someone who got permissions to work but it didn't seem to work for everybody else.

The second time I created a zfs zvol and formatted it to ntfs fuse, shared it with samba and set permissions with the windows domain controller. Worked like a charm and took me an afternoon of reading (memory refreshing) + tinkering.

I imagine you could do something similar with lvm and a workgroup.

Buffoon
Veteran
Joined: 17 Jun 2015
Posts: 1369
Location: EU or US

Posted: Thu Oct 01, 2015 4:02 pm

mrbassie wrote:
The second time I created a zfs zvol and formatted it to ntfs fuse, shared it with samba and set permissions with the windows domain controller.
What are the benefits of using a foreign (NTFS) filesystem in Linux?

mrbassie
l33t
Joined: 31 May 2013
Posts: 772
Location: over here

Posted: Fri Oct 02, 2015 7:29 am

Buffoon wrote:
What are the benefits of using a foreign (NTFS) filesystem in Linux?


It's easy to get windows permissions working.

It was an experiment, only a one gigabyte zvol on my workstation shared with the domain but restricted to domain admin access. I'm thinking of putting in a file server at work using this method.