Samba share read only for guests and write for some specific users

^andrea^ · 06-19-2011, 05:45 PM

Hi All,

I've been reading for a while about samba but I haven't found a solution to my problem yet.

I'd like to know if, the configuration I have in mind, is possible at all ("security = user" is what I'm using now).

I want a directory to be:
1) read only for guests and some UNIX users;
2) write for some other UNIX users.

;eg:
[Music]
path = /data/Music
guest ok = yes
read list = someone, @users
write list = andrea

The advantage of this configuration would be that every single user in my LAN (with or without a UNIX account) would be able to read the content of the shared directory Music and I (UNIX user andrea) could manage the folder directly trough samba preserving the correct owner/group and permissions on the new files/folder created.

Notes about my configuration above:
1) as it is now every user gets authenticated by samba as nobody so even I (andrea) cannot write in it;
2) commenting out the line "guest ok = yes" I can authenticate as "andrea" and write in it but guest access is not possible any longer.

Any suggestios would be appreciated.

Thanks,
Andrea

jschiwal · 06-19-2011, 10:04 PM

Did you run the`smbpasswd' program so the linux user is an smb user as well?

Try adding the "andrea" user to the read list as well. Maybe then you will need to authenticate as the andrea user before reading, and not be a "bad user".

Also check the samba logs for clues. (Under /var/lib/samba/ or /var/log). This could reveal unforeseen causes such as selinux or apparmor write restrictions on the smbd daemon.

^andrea^ · 06-20-2011, 02:37 AM

I've done the original setup a few months ago so I don't remember exactly but I'm pretty sure I've run smbpasswd. Also bacause I can see shares enabled for the user "andrea" only after having entered the required password.

I checked the samba logs and I can see that, with the "guest ok = yes" option, I get authenticated as user "nobody" even though I should be the user "andrea".
If I remove that option I can see from the logs that I get authenticated as "nobody" without having to enter a password.

I read somewhere that with the option "guest ok = yes" ALL users will be authenticated as guests... :-/

tristezo2k · 06-20-2011, 05:53 AM

Quote:

Originally Posted by ^andrea^

I've done the original setup a few months ago so I don't remember exactly but I'm pretty sure I've run smbpasswd. Also bacause I can see shares enabled for the user "andrea" only after having entered the required password.

I checked the samba logs and I can see that, with the "guest ok = yes" option, I get authenticated as user "nobody" even though I should be the user "andrea".
If I remove that option I can see from the logs that I get authenticated as "nobody" without having to enter a password.

I read somewhere that with the option "guest ok = yes" ALL users will be authenticated as guests... :-/

Default is to try login with your login user at your workstation.
So, if you are logged with user1, windows will try to auth you as user1.
If samba has a user1 will ask for a passwd.
If not you will be logged as nobody.

You might do two different shares with the same path. One with read only = yes and guest ok = yes and other authenticated for your login user.

Regards
Sebastian

scott8035 · 06-20-2011, 12:06 PM

To show what users you created, do "pdbedit -L".

jschiwal · 06-20-2011, 06:17 PM

I would suggest setting up a private share for `andrea' and try logging in. Make sure that authentication works for user `andrea'. If it doesn't, look in the logs for info on what the problem is.

Did you try adding `andrea' to the read list of your public share? Add it before the @users group.

List the permissions of the /data/Music directory: ls -ld /data/Music
Is Andrea the owner? If not change the ownership of the directory or use setfacl to give andrea write permissions

Code:

setfacl -m g:u:andrea:rwx /data/Music
setfacl -m  u:andrea:rwx /data/Music

I'll guess that the owner is "andrea" and the group "users" with rwx-rxr-x permissions set.

As you probably are aware, the 'guest' user in windows is equivalent to the 'nobody' user in Linux. The 'o' permission bit for r & x needs to be set on the directory to allow nobody to read it.

^andrea^ · 06-21-2011, 05:42 PM

Firstly thanks to all of you for the help.

Let's go in order.

- tristezo2k
At the moment there are no Windows machines at all (I managed to get rid of most of them :-D).
I can login with my user (andrea) at the workstation as well as with samba (for instance when I access my home directory trough samba I'm asked for my password).
When I access (trough Nautilus/Ubuntu) the samba share "Music" with "guest ok = yes" though I'm not asked for any password at all (samba log sais I've been logged in as user "nobody").

I thought about making two different shares but that would be a pretty ugly solution since I should do it for 7/8 shared directories and I would end up with: Music, Music_writable, Something, Something_writable and so on... and on...

- scott8035
Thanks for that. I can then confirm that I've run smbpasswd before.
The output of that command is:
sudo pdbedit -L
nobody:65534:nobody
andrea:1001:Andrea Surname
other:1000:Other Surname

etc...

- jschiwal
I confirm you that the authentication for the user "andrea" works.
As stated above I can access my home directory after having authenticated as "andrea".

Just to make sure folder permissions is not the issue I've set it temporarily to 777... nothing changed. :-/

Thanks again guys and any other suggestion is welcome.

Cheers,
Andrea