desperate help needed - Samba and security = share
Gordon Messmer
gordon.messmer at gmail.com
Fri Jan 23 20:40:33 UTC 2015
On 01/23/2015 12:13 AM, Gary Stainburn wrote:
>
> All of my servers run the same type of setup and it's all based
> around "security = share". Why is this so universally declared as bad??

Well, consider how it worked:
https://www.samba.org/samba/docs/man/Samba3-HOWTO/ServerType.html#id2559439

The client requests a share, and sends a password but no user. The
server has to search through all of the users defined to see if the
password matches any of them.

So now you have a server that significantly reduces the cost of brute
forcing a password, because you can ask it if a given password is valid
for the entire user database. That's bad.

> Now, when I try some of the examples found online, client PCs seem to be able
> to connect to the first share ok but then whenever I try to connect a second
> share it complains about having to log out of the first share first.

I suspect you're trying to connect to the second share with a different
username and password than the first? That isn't going to work with
Samba 4. You'll have to use Samba 3. I'm pretty sure you can use old
samba 3 RPMs from a previous Fedora release. At least that way you
won't sacrifice security on the rest of the system.

But realistically, you should be doing security=user or security=domain.
In that case, you just need to use group membership to effectively
govern share access, so that users connect with one username/password
instead of several.

It's hard to give you good advice with as little information as you
provided. Consider sending your configuration file or posting it
somewhere we can read it (pastebin?)
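
The migration suggested in the message above, sketched as an smb.conf fragment. This is an added example, not part of the original message or the poster's configuration; the share names, paths and group names are hypothetical.

```ini
# Constructed example: share names, paths and groups are hypothetical.

# --- Before: share-level security (Samba 3 only) ---
# Each share is tied to one account and the client supplies only a
# password, so every share a person needs means another password.
#
# [global]
#     security = share
#
# [accounts]
#     path = /srv/samba/accounts
#     username = accounts
#
# [warehouse]
#     path = /srv/samba/warehouse
#     username = warehouse

# --- After: user-level security, access governed by Unix groups ---
# Each person logs in once with their own username and password;
# which shares they can open depends on group membership.
[global]
    security = user
    # Never fall back to the guest account on a failed login.
    map to guest = never

[accounts]
    path = /srv/samba/accounts
    # Only members of the Unix group "accounts" may connect.
    valid users = @accounts
    read only = yes
    write list = @accounts
    create mask = 0660
    directory mask = 0770

[warehouse]
    path = /srv/samba/warehouse
    # Both groups may connect, but only "warehouse" members may write.
    valid users = @warehouse @accounts
    read only = yes
    write list = @warehouse
    create mask = 0660
    directory mask = 0770
```

Each user needs a Samba password (`smbpasswd -a <user>`) and the matching Unix group membership, plus filesystem permissions on the share path that agree with the groups above. Run `testparm` to check the file before restarting the service.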