-   Linux - Server (
-   -   Samba guest share with valid user (

carlmarshall 08-05-2008 11:43 AM

Samba guest share with valid user

I have a Samba server which has guest shares and valid user shares and it's working just fine. However if a valid user changes their local password they can get no access to either the valid user areas or to the guest shares.

Does anyone know of a way of allowing such users to access the guest shares only until they correct their password rather than being locked out of everything?


flandou 08-06-2008 05:49 AM


Depending on your samba setup it is possible that users don't login with there local account, but with an samba account. The password of this account can be changed with smbpasswd.

If this is the case, you can write a simple wrapperscript to change both passwords at the same time.



carlmarshall 08-06-2008 06:41 AM

Cheers for that Henry,

Trouble is, they already have smbpasswd accounts as well as shell accounts which is done via a script when the account is created. If they didn't, then they would have no problem accessing the guest shares.

The problem is that most of the users have an smbpasswd account, but we need to give access to occasional users who sometimes have the same login name as regular users. e.g.:

Regular user John Smith has a shell account and an smbpasswd account using a username of "john" and a password of "secret1". He uses these to log onto his desktop system.

John Smith therefore has access to the restricted area and to the guest area as well as the shared printers.

Occasional use James Jones has no shell or smbpasswd account even though he logs on to his laptop with username "james" and a password of "secret2".

James Jones therefore cannot access the restricted areas, but he does have access to the shared areas and the shared printers.

Occasional user John Black has no shell account or smbpasswd account and logs onto his laptop with a username of "john" and a password of "secret3".

The problem is that John Black has no access to the restricted area or to the guest area, or to the shared printers. Everytime he tries to access the guest area or printers, he is asked for a username and password because Samba is expecting the username of "john" to be an smbpasswd account and not a guest account.

I'm trying to find out if there is a way of disabling the request for a password when these users access the guest areas or printers even though they share the same username (but not password).


flandou 08-06-2008 06:55 AM

Hi Carl,

I see your problem is a more complicated then i thought. As far as I know it isn't possible to have two users with the same username be treated different by samba, maybe this can be done with pam (which I never used).

One thing i was just wondering about: Are you're guest shares really public or only visible to authenticated users and shared among them? I mean, is the third user 'John Black' only allowed access to the guest shares when he is authenticated as 'john' with password 'secret3'?


carlmarshall 08-06-2008 07:49 AM

Hi Henry,

I don't think that using pam or any other authentication variant would change the situation as it's Samba which is determining if a user is a guest or not.



Originally Posted by flandou (Post 3238551)

One thing i was just wondering about: Are you're guest shares really public or only visible to authenticated users and shared among them? I mean, is the third user 'John Black' only allowed access to the guest shares when he is authenticated as 'john' with password 'secret3'?


Yes, the guest shares are just that and are public to anyone on the network. Someone with an unknown username (as far as smbpasswd or the shell are concerned) and any password (even blank) can access the public shares and the public printers.

If I delete the user John Smith (username "john" password "secret1"), then both John Smith and John Black (username "john" password "secret3") can access all the public shares and printers.

However when I reinstate user John Smith with the above details, he can access all areas but John Black can't access anywhere.


flandou 08-06-2008 08:41 AM


So if i got the question right now, it is an matter of creating the possibility to access public shares without logging in?

If that is the case; it can be done when having password-protected shares as well :D The following config should give an idea how to:

workgroup = WHATEVAH
encrypt passwords = yes
wins support = yes
log level = 1
max log size = 1000
read only = no
security = share

browsable = no
map archive = yes
public = no

public = yes
browsable = yes
read only = yes
path = /something

The browsable directive should make sure that when someone enters \\hostname he or she sees the test share.

carlmarshall 08-07-2008 03:42 AM


Here's my smb.conf:

workgroup = WORKGROUP
server string = Linux Server
netbios name = WGSERVER
wins support = yes
map to guest = Bad User
log file = /var/log/samba/%m.log
max log size = 50
max xmit = 65535
deadtime = 3
stat cache = no
dns proxy = no
usershare allow guests = yes
read only = no
max connections = 30
delete readonly = yes
printing = cups
printcap = cups
cups options = raw
load printers = yes
printer admin = @admins
security = USER
guest only = yes
smb ports = 139
comment = All Printers
path = /var/spool/samba
public = yes
guest ok = yes
printable = yes
browseable = no
writable = no
comment = Printer Driver Download Area
path = /home/drivers
browseable = yes
guest ok = yes
read only = yes
write list = @admins
comment = private share for admins
path = /home/shares/private
guest ok = no
valid users = @admins
comment = accessible by all
path = /home/shares/public
browsable = yes
admin users = nobody
guest ok = yes

However this doesn't get me round the problem. John Black can see the server in Network Neighborhood but can't open it to get to browse the folders as it asks him for a username and password.


flandou 08-07-2008 05:17 AM

Hi Carl,

Can you try to change 'security=user' to 'security=share'? Usersecurity forces an valid login, even for public shares. If you use security=share however the shares should becom visible. The password protected shares still require an password then



All times are GMT -5. The time now is 06:07 AM.