samba clients connect using user 'nobody' only to the server.

shobhit · 09-06-2008, 02:28 PM

Hi,

I have Samba installed and running on my Fedora8 machine.
Kernel 2.6.25.11-60.
Samba Version 3.2.0

While trying to access samba shares through my mac running os x 10.5.4
It always login with user nobody.
It does not need any password for user nobody to connect.
Even if I specify a user name and password it is ignored.
Therefore my machine is open to anyone on my network as read all.

Additionally, I cannot allow anyone to have write access to samba shares.
As I can only login as nobody through samba.
Nobody does not belong to any group, therefore only way to give write access if I say o+rwx permission on the folder. Which is not a good practice.

Attached is my smb.conf file.

I will be very grateful if anyone can tell me how to configure samba to allow only users with valid passwords to connect to the server.

Code:

[global]

workgroup = MYGROUP
server string = Samba Server Version %v

;	netbios name = MYSERVER

;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;	hosts allow = 127. 192.168.12. 192.168.13.


log file = /var/log/samba/log.%m
max log size = 50
log level = 10


security = share
passdb backend = tdbsam




;	security = domain
;	passdb backend = tdbsam
;	realm = MY_REALM

;	password server = <NT-Server-Name>

;	security = user
;	passdb backend = tdbsam

;	domain master = yes
;	domain logons = yes

;	logon script = %m.bat
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
;	logon path =

;	add user script = /usr/sbin/useradd "%u" -n -g users
;	add group script = /usr/sbin/groupadd "%g"
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;	delete user script = /usr/sbin/userdel "%u"
;	delete user from group script = /usr/sbin/userdel "%u" "%g"
;	delete group script = /usr/sbin/groupdel "%g"


;	local master = no
;	os level = 33
;	preferred master = yes


;	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes

;	dns proxy = yes


load printers = yes
cups options = raw
restrict anonymous = no
domain master = no
preferred master = no
max protocol = NT
acl compatibility = winnt
ldap ssl = No
server signing = Auto
passwd program = /usr/bin/passwd
encrypt password = yes
smb passwd file = /etc/samba/smbpasswd

;	printcap name = /etc/printcap
;	printcap name = lpstat
;	printing = cups


;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes



[homes]
comment = Home Directories
browseable = no
read only = no
valid users = sho
write list = sho
;	valid users = %S
;	valid users = MYDOMAIN\%S

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes

[MUSIC]
path = /mnt/music
guest ok = yes

[SHO]
write list = sho
hide dot files = no
read only = no
path = /home/sho
guest ok = yes

[SAMBA]
write list = sho
hide dot files = no
guest ok = yes
read only = no
path = /home/samba

Woodypecker · 09-06-2008, 05:20 PM

Why use "security = share" and "guest ok = yes"?

rob0t · 09-06-2008, 10:06 PM

Set the Security level to "user" in the [global] section of smb.conf

Code:

security = user

shobhit · 09-08-2008, 07:17 AM

I changed
security = user

Then I did

smbpasswd -a sho
New SMB password:
Retype new SMB password:

Then I restarted samba.

And tried to login.
Now it does not accept the password that I gave it.
Also it does not allow 'nobody' logins.

Is there something else I am missing here?

sanjee · 09-08-2008, 07:27 AM

You have to set a authenticate user name in smb.conf share portion :->
valid users = sho
and then set a smb password for this user and restart service . It should ask for a password.

shobhit · 09-08-2008, 10:54 AM

While trying to implement the suggestions above.
I noticed a strange thing
My passwd file is set to in smb.conf

smb passwd file = /etc/samba/smbpasswd

But when I say smbpasswd -a command. The command completes successfully. Even $? = 0.
But the /etc/samba/smbpasswd file is not touched.

I tried smbpasswd with -c flag. But still the /etc/samba/smbpasswd file is not touched!

Any ideas?

shobhit · 09-08-2008, 11:59 AM

OK I needed to add

Code:

        passdb backend = smbpasswd

to my smb.conf file.

Now at least /etc/samba/smbpasswd file is updated, when I say smbpasswd -a sho.

But I always get the error

Code:

/usr/bin/smbclient -L //192.168.1.3/SHO
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

sanjee · 09-09-2008, 12:50 AM

First what I m thinking , in your smb.conf file you mentioned :-
"passwd program = /usr/bin/passwd
encrypt password = yes
smb passwd file = /etc/samba/smbpasswd"

But according to your error... "But still the /etc/samba/smbpasswd file is not touched!"
you can try "touch /etc/samba/smbpasswd " . Then check after restart the service.

And in mounting command you are using like as per above post "/usr/bin/smbclient -L //192.168.1.3/SHO"
you can try "/usr/bin/smbclient -L 192.168.1.3 -U sho" ....assuming if there authticate issue.

sanjee · 09-09-2008, 12:57 AM

And another matter , according to your configuration
"[global]

workgroup = MYGROUP
server string = Samba Server Version %v

; netbios name = MYSERVER

; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.

"
.......You have to allow your loopback address & network address in hosts allow option and you may include your samba server's ip and ethernet interface in interfaces option and remove the ";" from the lines.

newtech2008 · 09-09-2008, 03:50 AM

dditionally, I cannot allow anyone to have write access to samba shares.
As I can only login as nobody through samba.
Nobody does not belong to any group, therefore only way to give write access if I say o+rwx permission on the folder. Which is not a good practice.

rob0t · 09-09-2008, 08:59 AM

Quote:

Originally Posted by newtech2008

dditionally, I cannot allow anyone to have write access to samba shares.
As I can only login as nobody through samba.
Nobody does not belong to any group, therefore only way to give write access if I say o+rwx permission on the folder. Which is not a good practice.

Only Windows users connecting to the share should be able to write to it.