I have a storage server running some samba shares. I need to create multiple users for each individual working at my company, but I only want them to be able to access samba from the client machines. I do not want them to be able to log in locally or through ssh. Is there a way to disable said users from doing anything BUT connecting to the shares from another machine?
4 Answers
Really you should restrict ssh access to a named group or individuals as a matter of course (i.e. a whitelist).
You can control access for any pam authenticated service using the modules which ship as standard with most distributions.
You don't say what services provide access to "log in locally". In addition to configuring pam, with getty you can set /etc/nologin, which blocks everyone apart from root, or change the users' shells to something else. I don't think there are application-specific tools for kdm/gdm/xdm (but again these will use pam).
BTW: if you need to "create multiple users for each individual" then you're probably doing something wrong.

This will actually work for me, seeing as my ssh configuration only allows for a single (non root) user. Then I disabled the user list on the login window. I think that's all I need here. Thanks. – Joe Gibson Aug 14 '12 at 16:36
You can use the smbpasswd program to create and manage users that can access samba shares etc., but as the man page says:
-a This option specifies that the username following should be added to the local smbpasswd file, with the new password typed (type <Enter> for the old password)... Note that the default passdb backends require the user to already exist in the system password file (usually /etc/passwd), else the request to add the user will fail.
This isn't a huge problem, as you can lock the local user as part of creating the account:
useradd freddy
passwd -l freddy
smbpasswd -a freddy
New SMB password:
Retype new SMB password:
Added user freddy.
This will create a user freddy who can use samba shares but who cannot log in.

Depending on how you set up Samba to authenticate users, limiting those users' access to SSH login will differ.
If you've configured Samba in "User" mode with a tdbsam backend, you can simply call a "usermod -L " to lock the user account. This will not disrupt Samba access provided you don't also lock the Samba account.
This also works if you're authenticating users against a domain controller in "Domain" mode (which also requires local user accounts).
This doesn't seem to be your case, but if you're using Winbind for Active Directory integration, and you want to limit SSH login to local users only (not domain level users), you can disable PAMAuthentication in sshd.config.

What is Samba authenticating against on the backend? Samba can use its own database. It seems like that would be the easiest way to restrict Samba users from accessing any resource on the underlying system.
passdb backend = ???

The backend is tdbsam. Basically I have been following along the lines of these tutorials; http://wiki.centos.org/HowTos/SetUpSamba http://www.howtoforge.com/centos-5.3-samba-standalone-server-with-tdbsam-backend Both of those tutorials involve me creating a user for both the machine as well as for smb, and I can't figure out how to create a samba user otherwise. – Joe Gibson Aug 14 '12 at 16:07
Perfect. You're mostly there already. Don't sync the Samba password to the Linux password. They'll never authenticate to Linux services, then. Or, as others have mentioned, lock the Linux account. – Aaron Copley Aug 14 '12 at 16:58
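
Several answers above lock the local account (passwd -l, usermod -L) so that only Samba can use it. The following is an added example, not code from any of the answers, that checks the result by reading the passwd and shadow files and reporting which regular accounts are actually Samba-only. The function names, the sample accounts and the default minimum UID of 1000 are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit the local accounts that back Samba users.
# Sample files below are constructed; function names are hypothetical.

# classify_accounts PASSWD SHADOW [MIN_UID]
# Prints "user status" for every regular account:
#   samba-only  password locked and shell is nologin/false
#   pw-locked   password locked, but the shell is still interactive
#   pw-usable   a local password login is possible
classify_accounts() {
    awk -F: -v min="${3:-1000}" '
        FILENAME == ARGV[1] { hash[$1] = $2; next }   # shadow: user -> hash field
        $3 + 0 >= min + 0 && $3 != 65534 {            # skip system users, nobody
            locked  = (hash[$1] ~ /^[!*]/)            # passwd -l / usermod -L prepend "!"
            nologin = ($7 ~ /\/(nologin|false)$/)
            if (locked && nologin) status = "samba-only"
            else if (locked)       status = "pw-locked"
            else                   status = "pw-usable"
            print $1, status
        }' "$2" "$1"
}

# make_sample DIR: write constructed passwd/shadow files for the demo.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
freddy:x:1001:1001::/home/freddy:/bin/bash
alice:x:1002:1002::/home/alice:/sbin/nologin
bob:x:1003:1003::/home/bob:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
freddy:!$6$constructed$hash:19000:0:99999:7:::
alice:!!:19000:0:99999:7:::
bob:$6$constructed$hash:19000:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
classify_accounts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

A "pw-locked" result deserves follow-up: passwd(1) notes that locking the password does not disable the account, so a login with another token such as an SSH key may still succeed. Giving the account a nologin shell, or restricting sshd to a named list as the first answer suggests, closes that path.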