Table of Contents


smbaccess - access control for Linux Samba servers based on the physical hardware network address (MAC-address) of the client


smbaccess -I IP-number [-U user] [-v]


smbaccess is used to restrict access to a Samba server from clients with certain hardware network addresses. However, this mechanism only works if the client and the server are operating in the same subnet with a direct network interconnection or in a switched network environment since the hardware network address is determined from the IP-number using the arp-cache visible in /proc/net/arp under Linux. The program examines the access control table (default /etc/smbaccess.conf) and returns 0 as errorlevel if access is granted. Otherwise if access is denied a nonzero value is returned as errorlevel.

If no user is given as option smbaccess tries to determine the user-id using getlogin().


-I IP-number
The IP-number of the client connecting to the samba server.
-U user
The user-id of the user connecting from the client.
Gives additional access information on stdout. The output can be redirected to a log-file.

Access Rules

A zero value is returned if no smbaccess.conf file is available or a user entry is missing in the file for the specified user. Then access is granted from every node.

If the hardware network address from the arp-cache matches a user address combination in smbaccess.conf access is also granted. If * is specified as hardware address in smbaccess.conf, access is granted from all nodes in the subnet.

A nonzero value is returned if the physical address is found in /proc/net/arp but a user - address entry is missing in smbaccess.conf file.


To use smbaccess in conjunction with a Samba server the following lines have to be added to smb.conf in the section of the share to which the account restrictions should apply:
preexec = smbaccess -U %U -I %I
preexec close = Yes

smbaccess is invoked during the login process. If access according to the access rule is not granted a non-zero errorlevel is returned as error code and the login process is stopped due to the preexec close directive.


The default location of the smbaccess access control table is:


The IP-number - hardware address mapping is taken from from:


See Also

smb.conf(5) , The configuration file for the Samba server


Stefan Langenberg (, Zentralbereich fuer Information und Steuerung, Universitaetsklinikum Bonn

Table of Contents