Password protect samba shares from Windows
Hi when using the "windows network" browser I can see my Linux machine with all the shares on it. When I click on something like "D" (a SAMBA shared volume) I can see all the directories on that volume.
I really need to throw up a password before the user can access either the disk or view the shares on the remote machine (at least the first time). Any ideas how to get this working. Not sure if this is a "DOZE" or SAMBA issue. I'm using SLED 10 which really works for all these network accesses (but currently a little TOO easily). Here's a screenshot of what's happening I'm on Windows (it's a Virtual Machine --but that doesn't matter). Somewhere I ought to have got a password prompt before user can access the data. http://www.1kyle.com/network1.jpg http://www.1kyle.com/network2.jpg I've already set in the SAMBA conf file the following option encrypt passwords = yes added user into the password file with smbpasswd command makes no difference. Created user DOG (no admin rights) on windows machine with no account on remote Linux machine. windows can still access the whole network. This user shouldn't have ANY display access to the remote network. (incidentally same problem when using a Linux machine -- I can still browse the remote Linux network from a Linux desktop without supplying a password so I suspect it's a SAMBA error. I hate to say this but for once it doesn't actually seem Windows's fault). Cheers. -K |
Could you post the smb.conf [general] portion of the configuration and the section of the D share?
Is the virtual windows machine on the same computer as the D share? Do you see the same thing as a different user? I'm wondering if your credentials have already been accepted and you are just looking at a different share on the server. If you have the samba-doc package available, it supplies 3 samba books in PDF and html form: Samba 3 by Example Samba 3 Developers Guide Samba 3 Reference and Howto As well as a number of man pages and example configurations. |
Hi -- same prob occurs when I logon to laptop with REAL windows.
Machines running through a Local Router with all firewalls (both Linux and Windows) switched off while testing. Router is running DHCP to assign IP addresses. Every machine (Real or VM can access the Network and Internet without problem -- too easily as I've specified !!!!).
However current config
Laptop SUSE SLED 10
Vm Windows XP on Laptop -- bridged networking i.e both host and guest have their own IP address
Host 192.168.2.4
Windows VM guest 192.168.2.2
Remote machine running SUSE SLED 10 192.168.2.3.
There's also 2 VM's running on this remote server machine
Windows XP 192.168.2.7
Windows Vista Business 192.168.2.8
(however these are "suspended" while running the tests so these VM's aren't playing any part in the Network access problem).
"D" is a USB external 320GB disk NTFS formatted but enabled WRITE via fuse / ntfs-3g. In any case shouldn't I get a password dialog screen just trying to expand the directories on the remote server "Blackdog". This doesn't come up even from another Linux Laptop. (Usually the problem is in GETTING access not preventing it ).
Anyway here's the info

Mounted volumes on external machine

blackdog:/home/jim #
blackdog:/home/jim # mount -l
/dev/hdg7 on / type reiserfs (rw,acl,user_xattr) []
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
debugfs on /sys/kernel/debug type debugfs (rw)
udev on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
/dev/hdg8 on /home type reiserfs (rw,acl,user_xattr) []
/dev/hde1 on /windows/C type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
/dev/sdb1 on /windows/D type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
/dev/hde5 on /windows/E type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
/dev/hde6 on /windows/F type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
/dev/hde7 on /windows/G type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
/dev/sda5 on /windows/H type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
securityfs on /sys/kernel/security type securityfs (rw)
blackdog:/home/jim #

The relevant samba sections on the remote machine

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2007/03/25 08:08:37

[global]
    workgroup = JIMSVPN
    server string = Samba 3.0.22-SUSE-SLES10-MAIN-SERVER
    map to guest = Bad User
    printcap name = cups
    logon path = \\%L\profiles\.msprofile
    logon drive = P:
    logon home = \\%L\%U\.9xprofile
    encrypt passwords = yes
    passdb backend = smbpasswd
    usershare allow guests = Yes
    usershare max shares = 100
    cups options = raw
    include = /etc/samba/dhcp.conf

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    read only = No
    inherit acls = Yes
    browseable = No

[profiles]
    comment = Network Profiles Service
    path = /windows/C/
    read only = No
    create mask = 0600
    directory mask = 0700
    guest ok = Yes
    store dos attributes = Yes

[users]
    comment = All users
    path = /home/
    read only = No
    inherit acls = Yes
    guest ok = Yes
    veto files = /aquota.user/groups/shares/

[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes

[printers]
    comment = All Printers
    path = /var/tmp
    create mask = 0600
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin, root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775

[D]
    path = /windows/D
    read only = No
    guest ok = Yes

Cheers -K |
After a bit more research and testing it seems that if your Windows User id and password are the same as your User id and password as on the Linux box then no password dialog is presented.
(Using Windows XP PRO SP2). You always get a password dialog as well if you've disabled a Windows login password or if the account on the linux box has a different name and / or password to the windows box. However once you've done this ONCE you don't need to enter a password again next time you do network browsing until you logon to Windows again. Is there a way to ALWAYS force an initial password dialog the first time you connect to the server even if the Windows password and the Linux password (and User id) are the same. Ideally I'd like it to present the password EVERY TIME you start the Windows My Network Places network browser. The Linux server is a stand alone box. Cheers -K |
Quote:
Code:
valid users = billybob Code:
[nameofshare] Just a passing thought Swerdna |
I've had a look at your smb.conf file in finer detail than when I made the first post.
First I see you're set up to make the new breed of shares, usershares, as well as classical shares. I'm assuming you haven't made any of those to simplify things. Here's a burst on usershares just for the record. Now, looking at share "D" I note that its path is such that it's owned by root in Linux but opened to all guests. If jim is a real user on the Linux machine I'd try this out:
Change ownership of the folder /windows/D to jim
Take away guest access
Restrict users to authentic entries in the Samba database
The share looks like this: Code:
[D] Code:
valid users = jim
I never allow the silly default shares called homes, profiles, users or groups to stand (of course, ignore that if you're using one of them for something). They just expose everything to the people in distant countries. You can turn the ones you're not using off in Yast, or comment them off with "kdesu kwrite /etc/samba/smb.conf" as your text editor (or "gnomesu gedit /etc/samba/smb.conf"), or I just delete them using a text editor. Swerdna |
You need the users and passwords to be the same (You are using security=user), so I don't think you read it correctly. Firstly, you may not want to use guest OK. Also, check the windows clients and see if you have "reconnect on boot" selected and/or the D:/ share mapped. That will save your password and username to reopen the session without popping up a requester.
|
as posted above:
you need to set a request for password authentication:
smb.conf
[global]
security = user
otherwise you are allowing passwordless access to the linux share Quote:
ownership does not imply password requirement. In the scenario above User jim is allowing passwordless access to his resources. this stuff in the listed smb.conf kills any password setting: [general] ..... usershare allow guests = Yes [users] ..... guest ok = Yes most of the settings in smb.conf posted makes no sense anyway. Reading about samba would help. |
Quote:
Remove the guest ok = yes from [D] and [users] shares, then restart rcsmb |
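The check suggested in the replies above, as an added example that is not part of any poster's message: a small audit that lists which shares in an smb.conf accept guest sessions, and whether `map to guest = Bad User` turns logins with unknown user names (like the Windows-only user DOG) into guests. The function names are hypothetical, and the sample is constructed from the guest-related lines of the configuration posted in this thread.

```python
import re

# Constructed sample: only the guest-related lines of the smb.conf posted in the thread.
SAMPLE = """
[global]
    map to guest = Bad User
    usershare allow guests = Yes
[homes]
    valid users = %S, %D%w%S
[profiles]
    guest ok = Yes
[users]
    guest ok = Yes
[groups]
    path = /home/groups
[D]
    path = /windows/D
    guest ok = Yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}. Parameter names are lower-cased with
    whitespace removed, since smb.conf ignores both in names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = conf.setdefault(m.group(1).strip(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section["".join(key.lower().split())] = value.strip()
    return conf

def guest_shares(conf):
    """Names of shares that accept a guest (passwordless) session."""
    found = []
    for name, params in conf.items():
        flag = params.get("guestok", params.get("public", "no"))  # 'public' is a synonym
        if name.lower() != "global" and flag.lower() in ("yes", "true", "1"):
            found.append(name)
    return found

def unknown_users_become_guest(conf):
    """True if a login with an unknown user name is mapped to the guest account."""
    glob = next((p for n, p in conf.items() if n.lower() == "global"), {})
    return glob.get("maptoguest", "never").lower() == "bad user"
```

On the sample, `guest_shares` reports profiles, users and D; with every `guest ok` set to No it reports nothing, which is the state in which only accounts present in the Samba password database can open a share.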
Quote:
Regarding "security = user": That's on by default so 1kyle doesn't need to set that because it's already set.

Regarding "usershare allow guests = yes": That refers to usershares. It's not relevant for classical shares, which is what 1kyle is using in smb.conf AND it should be left as it is or usershares created by R-click in Nautilus won't work.

Regarding the share I proposed: This is the share recommended in the Official Samba-3 HowTo and Reference Guide for servers, called Anonymous Read-Write Document Server. I've linked it so 1kyle can read about it. Of course, in the version I've recommended, I've STRESSED to leave out guest access because 1kyle wants only authentic-user access, and 1kyle will get that because the security level is set to user-level by default.

Regarding "most of the settings in smb.conf posted makes no sense anyway": Most of the settings in the default install of smb.conf are there for a good reason, installed that way to service the most number of average users. Of course, users like 1kyle come to forums like this for assistance with modifying smb.conf to suit their needs. Makes sense to me.

Regarding "Reading about samba would help": As you and I both know, the Official Samba-3 HowTo and Reference Guide has about 1000 pages and the section on the man pages for the Samba config file takes up some 160 pages. So it's not unreasonable for 1kyle to short cut that enormous undertaking you would impose and ask for help here. I've put together (with considerable help from your contributions in the other forum) a series of HowTo tutorials with specific foci to help Suse users like 1kyle. Here's one for this situation. It puts the share recommended in the Official Samba-3 howto, and hence by me here, into a larger perspective to facilitate understanding.

Regarding all of your advice in this thread: As you know broch, I do respect your knowledge, but I believe that in this instance you've misread the situation, which is rare for you.
So 1kyle should retain focus despite the noise (and I mean that in the nicest possible way) Swerdna |
hi swerdna,
you are correct, default setting is security = user but he adds: guest = ok in [users] and [D] section which "kills" password requirement. Quote:
usershare owner only = Yes forget about nautilus, this is not safe option. Quote:
security = share meaning passwordless and he wants passwords regarding default samba config: samba does not know what is your network configuration, this file is an example, using it "as is" makes not much sense and will cause different problems example Quote:
do you have domain configured? example Quote:
and so on and so forth. force user = The force user flag causes, at the point of connection, the real user name to be lost, and the user is now whatever you put in force user = These directives: force user and force group have serious side-effects and should be avoided. You should use ACL for the purpose mentioned. example: I access a share as admin and created a file. Normally, this file would be owned by me admin and it would not be writable by the swerdna user. If swerdna tried to modify it, access would be denied. then you will use force user = swerdna to allow swerdna access a file created by admin. In this case file created by admin is accessible by swerdna. this has nothing to do with passwords. there are too many things mixed here. Default smb.conf is only an example. |