On 01/23/2015 12:13 AM, Gary Stainburn wrote:
> All of my servers run the same type of setup and it's all based
> around "security = share". Why is this so universally declared as bad??

Well, consider how it worked:
https://www.samba.org/samba/docs/man/Samba3-HOWTO/ServerType.html#id2559439

The client requests a share, and sends a password but no user. The
server has to search through all of the users defined to see if the
password matches any of them.

So now you have a server that significantly reduces the cost of brute
forcing a password, because you can ask it if a given password is valid
for the entire user database. That's bad.

> Now, when I try some of the examples found online, client PCs seem to be able
> to connect to the first share ok but then whenever I try to connect a second
> share it complains about having to log out of the first share first.

I suspect you're trying to connect to the second share with a different
username and password than the first? That isn't going to work with
Samba 4. You'll have to use Samba 3. I'm pretty sure you can use old
Samba 3 RPMs from a previous Fedora release. At least that way you
won't sacrifice security on the rest of the system.

But realistically, you should be doing security=user or security=domain.
In that case, you just need to use group membership to effectively
govern share access, so that users connect with one username/password
instead of several.

It's hard to give you good advice with as little information as you
provided. Consider sending your configuration file or posting it
somewhere we can read it (pastebin?)
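
Added illustration, not part of the original message and not the poster's actual configuration: a Samba 3 share-level setup next to the user-level layout the reply recommends, where group membership decides who can reach each share. The share names, paths, users and groups are all made up for the example.

```ini
# ---- smb.conf, BEFORE: Samba 3 share-level security (constructed) ----
[global]
    security = share

[accounts]
    path = /srv/samba/accounts
    # The client sends a password but no user name; the server tests
    # the password against each user listed here in turn.
    username = alice, bob
    read only = no

[sales]
    path = /srv/samba/sales
    username = carol
    read only = no

# ---- smb.conf, AFTER: user-level security (constructed) ----
[global]
    security = user

[accounts]
    path = /srv/samba/accounts
    # Only members of the Unix group "accounts" may connect.
    valid users = @accounts
    read only = no

[sales]
    path = /srv/samba/sales
    # Only members of the Unix group "sales" may connect.
    valid users = @sales
    read only = no
```

In the second layout, someone who needs both shares is placed in both groups and connects to each share with the same single username and password. Running `testparm` against the edited file checks it for syntax errors before smbd is restarted.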