Using Samba

4.6.1.1 hosts allow

The hosts allow option (sometimes written as allow hosts) specifies the machines that have permission to access shares on the Samba server, written as a comma- or space-separated list of names of machines or their IP addresses. You can gain quite a bit of security by simply placing your LAN's subnet address in this option. For instance, our example configuration specified the following:


hosts allow = 192.168.220. localhost

Note that we placed localhost after the subnet address. One of the most common mistakes when attempting to use the hosts allow option is to accidentally disallow the Samba server from communicating with itself. The smbpasswd program will occasionally need to connect to the Samba server as a client in order to change a user's encrypted password. In addition, local browsing propagation requires local host access. If this option is enabled and the localhost address is not specified, the locally-generated packets requesting the change of the encrypted password will be discarded by Samba, and browsing propagation will not work properly. To avoid this, explicitly allow the loopback address (either localhost or 127.0.0.1) to be used.[3]

[3] Starting with Samba 2.0.5, localhost will automatically be allowed unless it is explicitly denied.

You can specify any of the following formats for this option:

  • Hostnames, such as ftp.example.com.

  • IP addresses, like 130.63.9.252.

  • Domain names, which can be differentiated from individual hostnames because they start with a dot. For example, .ora.com represents all machines within the ora.com domain.

  • Netgroups, which start with an at-sign, such as @printerhosts. Netgroups are available on systems running yellow pages/NIS or NIS+, but rarely otherwise. If netgroups are supported on your system, there should be a netgroups manual page that describes them in more detail.

  • Subnets, which end with a dot. For example, 130.63.9. means all the machines whose IP addresses begin with 130.63.9.

  • The keyword ALL, which allows any client access.

  • The keyword EXCEPT followed by one or more names, IP addresses, domain names, netgroups, or subnets. For example, you could specify that Samba allow all hosts except those on the 192.168.110 subnet with hosts allow = ALL EXCEPT 192.168.110. (remember the trailing dot).

Using the ALL keyword is almost always a bad idea, since it means that anyone on any network can browse your files if they guess the name of your server.

Note that there is no default value for the hosts allow configuration option, although the default course of action in the event that neither hosts allow nor hosts deny is specified is to allow access from all sources. In addition, if you specify this option in the [global] section of the configuration file, it will override any hosts allow options defined in individual shares.
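
The following audit script is an added example, not code from the original book or from the Samba project. It reads smb.conf text and flags the mistakes this section warns about: ALL, a list with no loopback entry, a subnet written without its trailing dot, and a share-level list that a [global] setting overrides. The sample configuration, function names and finding labels are constructed for illustration, and keyword matching is assumed to be case-insensitive.

```python
import re

SAMPLE_CONF = """\
# constructed smb.conf fragment for this example
[global]
    hosts allow = 192.168.220. localhost
[data]
    hosts allow = 192.168.220 127.0.0.1
[public]
    allow hosts = ALL EXCEPT 192.168.110.
"""

def parse_hosts_allow(conf_text):
    """Map section name -> token list for each hosts allow / allow hosts line."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and " ".join(key.lower().split()) in ("hosts allow", "allow hosts"):
            # the list is comma- or space-separated
            found[section] = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    return found

def audit(conf_text):
    """Return (section, finding, detail) tuples for risky hosts allow values."""
    entries, findings = parse_hosts_allow(conf_text), []
    for section, tokens in entries.items():
        upper = [t.upper() for t in tokens]
        cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
        allowed = [t.lower() for t in tokens[:cut]]  # entries before EXCEPT
        if "all" in allowed:
            findings.append((section, "allows-all", " ".join(tokens)))
        elif not {"localhost", "127.0.0.1", "127."} & set(allowed):
            findings.append((section, "no-loopback", " ".join(tokens)))
        for t in tokens:
            # one to three octets with no trailing dot: probably a subnet typo
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}", t):
                findings.append((section, "missing-trailing-dot", t))
        if section != "global" and "global" in entries:
            findings.append((section, "overridden-by-global", " ".join(tokens)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

On the constructed sample, the [global] line passes cleanly, while [data] and [public] are each reported twice: once for their own value and once because the [global] setting takes precedence over them.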

Published under the terms of the Creative Commons License