LinuxQuestions.org


tezarin 01-23-2012 01:33 PM

Samba guest needs a password
 
Hi all,

I have a file sharing Linux server that has Samba installed on it which needs to authenticate against an LDAP server and I would not like to keep this feature.

Instead, I would like to provide users with a username and password to the box and also would like the guest account to work.

This is my configuration but it keeps asking for a password and gives me a permission error. This is my smb.conf file:

Code:


# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
#  http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with other SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
#======================= Global Settings =====================================

[global]

# ----------------------- Network Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specify it as a per share option as well
#
workgroup = CINET       
#server string = Samba Server Version %v
server string = Servername

;        netbios name = MYSERVER


# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

        # logs split per machine
;        log file = /var/log/samba/%m.log
        # max 50KB per log file, then rotate
;        max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

#        passdb backend = ldapsam

        security = share
        guest account = nobody
       


# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#  password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#  password server = *


;        security = domain
;        passdb backend = tdbsam
;        realm = MY_REALM

;        password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Script lets you specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
;        security = user
;        passdb backend = tdbsam

;        domain master = yes
;        domain logons = yes

        # the login script name depends on the machine name
;        logon script = %m.bat
        # the login script name depends on the unix user used
;        logon script = %u.bat
;        logon path = \\%L\Profiles\%u
        # disables profiles support by specifying an empty path
;        logon path = 

;        add user script = /usr/sbin/useradd "%u" -n -g users
;        add group script = /usr/sbin/groupadd "%g"
;        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;        delete user script = /usr/sbin/userdel "%u"
;        delete user from group script = /usr/sbin/userdel "%u" "%g"
;        delete group script = /usr/sbin/groupdel "%g"


#log level = 5
#security = user
#encrypt passwords = true
#ldap passwd sync = yes
#passdb backend = ldapsam:ldap://gauss.femmecomp.com/
#ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"
#ldap suffix = dc=femmecomp,dc=com
#ldap group suffix = ou=groups
#ldap user suffix = ou=people
#ldap machine suffix = ou=machines
#obey pam restrictions = no
#domain logons = yes
#ldap ssl = off
#nt acl support = no



#socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

add user script = /usr/sbin/adduser -quiet -disabled-password -gecos "" %u
add machine script = /usr/sbin/adduser -shell /bin/false -disabled-password -quiet -gecos "machine account" -force-badname %u




# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;        local master = no
;        os level = 33
;        preferred master = yes

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable its WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#  behalf of a non WINS capable client, for this to work there must be
#  at least one        WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

;        wins support = yes
;        wins server = w.x.y.z
;        wins proxy = yes

;        dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option

        load printers = yes
        cups options = raw

;        printcap name = /etc/printcap
        #obtain list of printers automatically on SystemV
;        printcap name = lpstat
;        printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). These options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;        map archive = no
;        map hidden = no
;        map read only = no
;        map system = no
;        store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
;        valid users = %S
;        valid users = MYDOMAIN\%S

[usersdata]
        comment = Users Data
        path = /home/samba/usersdata
        public = yes
        writeable = yes
        inherit permissions = yes
        force create mode = 0777
        force directory mode = 0777
        valid users = guest

And this is my smbusers file:

Code:

# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = pcguest smbguest
guest = guest

Can you please let me know why it doesn't work?

Thanks,
t

cbtshare 01-23-2012 02:43 PM

We'd need to see the Samba conf file.
Check that the "security" parameter = "user" and not "ads"

tezarin 01-23-2012 03:05 PM

The smb.conf is already in my original post.

cbtshare 01-23-2012 06:14 PM

My bad, I was on phone at the time lol....


To allow users to enter the box, you have to have
;security = user

then under each share, make sure to add

;valid user = @username


valid user can't be guest; since you don't have that parameter specified in global, the system won't allow guest login.

Lastly make sure a user is valid on the linux box then issue :

Quote:

smbpasswd username
Then you will be able to login with that username.

deep27ak 01-24-2012 12:10 AM

Quote:

Originally Posted by cbtshare (Post 4582603)

Lastly make sure a user is valid on the linux box then issue :
Code:

smbpasswd username
Then you will be able to login with that username.

should be

Code:

#smbpasswd -a username
from man page
Code:

-a    This option specifies that the username following should be added to the local
      smbpasswd file, with the new password typed (type <Enter> for the old password). This
      option is ignored if the username following already exists in the smbpasswd file and
      it is treated like a regular change password command. Note that the default passdb
      backends require the user to already exist in the system password file (usually
      /etc/passwd), else the request to add the user will fail.


jebe88 01-24-2012 01:44 AM

You probably have to set
guest ok = yes
for the share in order to allow access without passwords.
On my server I use:
[global]
security = user
map to guest = Bad User
guest account = nobody
[for_everybody]
force user = nobody
force group = all_the_users
guest ok = yes

The 'map to guest = Bad user' makes sure that users providing an invalid password are mapped to the guest user.
The 'force xxx =' settings are there to force all operations on that specific share to be made as nobody:all_the_users, because otherwise, if a known user (not a guest) is accessing the share, samba would do file operations as that specific user which leads to all kinds of trouble with different ownership of files.
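
An added example, not from any poster in this thread: a small Python audit of the guest-related settings discussed above, run over a constructed excerpt that combines the first post's [global] and [usersdata] settings with the [for_everybody] share. The helper names `yes` and `audit` and the fallback guest account `nobody` are assumptions of this example.

```python
import configparser

# Constructed sample: guest-related lines from the first post's smb.conf plus
# the [for_everybody] share from the reply above (other keys dropped).
SAMPLE = """
[global]
        security = share
        guest account = nobody
[usersdata]
        public = yes
        writeable = yes
        force create mode = 0777
        valid users = guest
[for_everybody]
        guest ok = yes
"""

def yes(section, *names):
    # Samba booleans accept yes/true/1; names are already normalised.
    return any(section.get(n, "").lower() in ("yes", "true", "1") for n in names)

def audit(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    # smb.conf ignores case and whitespace inside parameter names.
    cp.optionxform = lambda name: "".join(name.lower().split())
    # Strip indentation so configparser does not treat lines as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    glob = cp["global"] if cp.has_section("global") else {}
    guest = glob.get("guestaccount", "nobody")  # assumed default account
    findings = []
    if glob.get("security", "").lower() == "share":
        findings.append(("global", "security = share is deprecated"))
    for name in cp.sections():
        share = cp[name]
        # "public" is a synonym for "guest ok"; skip shares without guest access.
        if name.lower() == "global" or not yes(share, "guestok", "public"):
            continue
        allowed = share.get("validusers", "").replace(",", " ").split()
        # Plain name match only; @group / +group entries are not expanded.
        if allowed and guest not in allowed:
            findings.append((name, f"guest ok, but valid users omits guest account {guest}"))
        writable = yes(share, "writeable", "writable", "writeok") or \
            share.get("readonly", "").lower() in ("no", "false", "0")
        if writable and int(share.get("forcecreatemode", "0"), 8) & 0o002:
            findings.append((name, "guests can write and new files are world-writable"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Running `testparm` on the real file, as the smb.conf header recommends, remains the authoritative syntax check; this audit only looks at how the guest settings interact.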

tezarin 01-24-2012 01:39 PM

Thanks everyone.

Here's what I did:

1) Set -----> security = user

2) [usersdata]
comment = Users Data
path = /home/samba/usersdata
public = yes
writeable = yes
inherit permissions = yes
force create mode = 0777
force directory mode = 0777
valid users = {my usernames here}

3) Added the users

4) Ran: passwd usernames

5) Ran smbpasswd -a usernames (Special thanks to deep27ak for the -a parameter!)

I'm good to go now.

The problem was that users needed to get authenticated against LDAP located on the mail server. One day the mail server stopped responding to the SSH connections and samba died because the machine couldn't locate the LDAP.

Now the file server is isolated and works fine and handles its own user access. But the mail server still cannot be accessed via SSH. Can anyone please help me with that as well?

Thanks in advance


All times are GMT -5.