These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Other SAMBA Security


The User Mapping File

The user mapping file is a means of mapping specific Samba users to underlying UNIX accounts without going through the traditional Samba user administrative methods. The format for the file is:

 Unix User ID = Windows User ID [, Windows User ID ...]

Often this file is used to map certain Windows users (such as "Administrator") to certain privileged UNIX users (such as root). In fact, by default on most UNIX flavours, this is the way that it is set up.

This is bad! By allowing root (or any privileged user) access directly via Samba you have immediately eliminated all rings of security and now have a one-stop entry point for crackers to gain access to your system. A far better way is to create a standard UNIX user (perhaps call him "winadmin") and add him to Samba in the traditional way (perhaps call the Samba user "Administrator"). If the administrator user absolutely must have access to every share on the machine, then simply use UNIX groups to control access to the shares and assign this administrator to these groups (but not to any privileged ones on the underlying UNIX system). This way, the absolute worst thing a compromised Samba server can do is destroy the Samba server itself (but not the underlying UNIX system).
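One way to audit a user mapping file for the problem described above, as an added example that is not part of the original classnotes: it parses the mapping format shown earlier and flags any line whose UNIX account is uid 0 or a system account. The sample map and passwd text are constructed, and the uid cutoff of 999 for system accounts is an assumption that varies between UNIX flavours.

```python
import re

# Constructed sample inputs, not taken from the original page.
SAMPLE_MAP = """\
# Windows admins mapped straight to root: the setup warned about above
root = Administrator, admin
winadmin = "Domain Admin", helpdesk
daemon = svc-backup
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
winadmin:x:1001:1001::/home/winadmin:/bin/sh
"""

def parse_passwd(text):
    """Return {unix_name: uid} from passwd-format text."""
    uids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids[fields[0]] = int(fields[2])
    return uids

def parse_user_map(text):
    """Yield (line_no, unix_user, [windows_users]) for each mapping line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_user, _, rest = line.partition("=")
        # Names may be comma- or space-separated; quotes keep spaces in a name.
        names = [q or bare for q, bare in re.findall(r'"([^"]+)"|([^\s,]+)', rest)]
        yield no, unix_user.strip(), names

def audit(map_text, passwd_text, max_system_uid=999):
    """Return (line_no, unix_user, windows_users, reason) for risky mappings."""
    uids = parse_passwd(passwd_text)
    findings = []
    for no, unix_user, names in parse_user_map(map_text):
        uid = uids.get(unix_user)
        if uid == 0:
            findings.append((no, unix_user, names, "maps to uid 0"))
        elif uid is not None and uid <= max_system_uid:  # assumed cutoff
            findings.append((no, unix_user, names, "maps to system account"))
    return findings

if __name__ == "__main__":
    for no, user, names, why in audit(SAMPLE_MAP, SAMPLE_PASSWD):
        print(f"line {no}: {user} <- {', '.join(names)}: {why}")
```

A mapping to an unprivileged account such as "winadmin" produces no finding, which is the arrangement recommended above.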

Cache and Security

If a Samba server is functioning as a Windows Internet Name Service (WINS) server, the WINS data is located in /var/cache/wins.dat. This file is human readable and contains various NetBIOS names along with IP addresses for each machine. On some UNIX flavours, this file is world readable. Naturally, a file like this in the wrong hands can be used for such malicious things as IP spoofing.

There is another file in /var/cache called browse.dat that will show all of the other computers on your network, and, based on the types of NetBIOS names those computers register, it will show what their different capabilities are. If a cracker gains access to your system, then by looking in the wins.dat and browse.dat files they can very quickly see what other IP addresses are active on your network without having to reveal their hand with something as crude and easily detectable as a ping sweep.

Newer versions of Samba use some new types of data files to keep track of transient data. These files are kept in /var/cache/samba and most of them have only root access. They are used to keep track of things like file locks, connections, printers and printer drivers. If a cracker obtains root access, they can delete these files and disrupt your data.

Listening on the right interface

Samba normally binds to all interfaces in the machine, and in computers where you have a single network card that is the behaviour you want. However, you can stop Samba from listening to every bit of trash on the network by setting a few parameters. If you have multiple network cards (for example, in a firewall/router), you can limit the traffic Samba will allow from a particular interface or network by using the following options in the global section of the smb.conf file:

 [global]
   # only listen on the specified interfaces
   bind interfaces only = yes
   # which interfaces to allow traffic from
   # Samba also understands Linux alias conventions
   # such as eth0
   interfaces = 127.0.0.1 192.168.1.10
   # which networks to listen to (the trailing dot makes
   # "192.168.1." match the whole network)
   # EXCEPT allows excluding the router address
   hosts allow = 127.0.0.1 192.168.1. EXCEPT 192.168.1.1
   # which networks to ignore (0.0.0.0/0 matches every address)
   hosts deny = 0.0.0.0/0

Note, these will not prevent IP spoofing.

SWAT

See pages 225-226.



Last edited June 7, 2003 1:11 pm
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.