[SOLVED] Make the Samba root share public

gagou7 · 05-21-2014, 03:00 PM

Hi all,

I have a Debian server with Samba running on it. I would like to access it throught another computer (Windows 7).

My Samba config is very simple:

smb.conf

Code:

[global]
include = /etc/samba/dhcp.conf

workgroup = WORKGROUP
server string = %h server
dns proxy = no
interfaces = 192.168.1.0/24
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE

log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

security = user
encrypt passwords = true
passdb backend = smbpasswd
obey pam restrictions = no
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

map to guest = bad user
guest account = nobody
invalid users = root

usershare max shares = 0
use sendfile = yes
deadtime = 15

[Local]
comment = Media Share
path = /var/www/local
browseable = yes
guest ok = yes
create mask = 0744
inherit owner = yes
hide dot files = yes
writeable = yes
veto files = /lost+found/

[LocalW]
comment = Media Share
path = /var/www/local
browseable = yes
guest ok = no
create mask = 0744
inherit owner = yes
hide dot files = yes
writeable = yes
veto files = /lost+found/

[Public]
comment = Public Share
path = /var/tmp/Common
browseable = yes
writeable = yes
guest ok = yes
create mask = 0744

When I'm on the windows 7 computer and I try to access an other Windows 7 computer that appears in "Network", I can see the shared folders. If I try to access some of them, it ask me for an user/password (depending how the sharing is made).

My goal is to have the same behavior on my Samba server as between two windows 7 computers !

So what?

Now, with the config above, the Samba server appears as expected in the "Network" list of my Windows 7 computer. If I try to access the Samba server, it ask directly for an user/password. I don't want to enter a password at this level, so I enter something wrong and I can access the list of shared folders. Then, I want to browse into "LocalW". Double-click on "LocalW" and another login pop-up appears. So now, I enter the right username/password that exist on my Samba server (both in Linux and smbpasswd). The result is that the access is denied, even with the good username/password...

The access to "Local" and "Public" are working fine. No "second" credentials are asked and the folder is browseable. I would like to remove the first user/password request (because "Local" and "Public" shared folders are used by guest user) as everyone could have a transparent access to these shared folders.

It work only if I enter a valid username/password in the first pop-up. It seems that the whole authentication is based on the first credentails I submit. The second login pop-up is quiet useless...

Questions

I know the solution: "security = share"

But since this feature has been removed in Samba4, how could we obtain the same behavior with "security = user" ?

allend · 05-21-2014, 07:20 PM

You need to specify the users that are allowed to log onto the share.

Code:

[LocalW]
comment = Media Share
path = /var/www/local
browseable = yes
guest ok = no
create mask = 0744
inherit owner = yes
hide dot files = yes
writeable = yes
veto files = /lost+found/
valid users = <your list of valid user names>

gagou7 · 05-24-2014, 03:22 AM

Hi, thanks for your answer !

Unfortunately, even with "valid users = <myuser>", it keeps asking for credentials when I try to browse the available shared folders. And if, at first, I enter a wrong username/password, it keeps refusing my valid credentails when accessing LocalW...

Another idea?

allend · 05-24-2014, 04:33 AM

Quote:

passdb backend = smbpasswd

Perhaps you should be using

Code:

passdb backend = tdbsam

instead of the old smbpasswd.

As root, check the contents of /etc/samba/private/ and see if the file names end in .tdb
If so, check credentials with 'pdbedit -L' run as root.

gagou7 · 05-24-2014, 10:48 AM

I finally found the answer on the mailinglist of samba.

When you try to reach a share on the network with Windows, at first, it transparently send the credentials of the local account currently logged in. It means that the Samba server will receive a first attempt to log in from the Windows computer. Normally, thanks to "map to guest = bad user", the acess will not be denied but accepted as a guest user instead. If the connection is still rejected, the login pop-up shows up !

What's happen if you submit a valid username with a wrong password?

In this case, because of the "map to guest = bad user", the login is rejected ! And here's the real problem ! At home, I have different computers (dual boot on each PC/laptop) as many different accounts on them but always with the same username (different password for each account).

So, in my case, to have the right behavior, I must change "map to guest = bad user" by "map to guest = bad password". Like this, the hidden first attempt to connect will fail like before but instead of being rejected (because of the valid username, wrong password), I am going to be mapped as a guest user. The donwside of this approach is mentioned in the manpage of smb.conf:

"any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong"
http://www.samba.org/samba/docs/man/...mb.conf.5.html

But forasmuch as it's for a personnal use, I will not manage thousand of account ;-)

Anyway, thank you for your help !

Regards,
gagou7

allend · 05-24-2014, 12:05 PM

Thanks for reporting back with your solution as it may help someone else.

It is your setup and your responsibility to handle user names and passwords as you choose.

Have fun:-)