LinuxQuestions.org
Old 03-28-2007, 03:16 AM   #1
1kyle
Member
 
Registered: Feb 2004
Location: 'Ol Blighty
Distribution: SLED 10, SUSE 10.3
Posts: 722

Rep: Reputation: 32
Password protect samba shares from Windows


Hi when using the "windows network" browser I can see my Linux machine with all the shares on it. When I click on something like "D" (a SAMBA shared volume) I can see all the directories on that volume.

I really need to throw up a password before the user can access either the disk or view the shares on the remote machine (at least the first time).

Any ideas how to get this working. Not sure if this is a "DOZE" or SAMBA issue.

I'm using SLED 10 which really works for all these network accesses (but currently a little TOO easily).

Here's a screenshot of what's happening

I'm on Windows (it's a Virtual Machine --but that doesn't matter).

Somewhere I ought to have got a password prompt before user can access the data.

http://www.1kyle.com/network1.jpg

http://www.1kyle.com/network2.jpg


I've already set in the SAMBA conf file the following option

encrypt passwords = yes

added user into the password file with smbpasswd command


makes no difference.

Created user DOG (no admin rights) on windows machine with no account on remote Linux machine.

windows can still access the whole network. This user shouldn't have ANY display access to the remote network.


(incidentally same problem when using a Linux machine -- I can still browse the remote Linux network from a Linux desktop without supplying a password so I suspect it's a SAMBA error.

I hate to say this but for once it doesn't actually seem Windows's fault).


Cheers.

-K

Last edited by 1kyle; 03-28-2007 at 04:12 AM.
 
Old 03-28-2007, 03:58 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Could you post the smb.conf [general] portion of the configuration and the section of the D share?

Is the virtual windows machine on the same computer as the D share?

Do you see the same thing as a different user?
I'm wondering if your credentials have already been accepted and you are just looking at a different share on the server.

If you have the samba-doc package available, it supplies 3 samba books in PDF and html form:
Samba 3 by Example
Samba 3 Developers Guide
Samba 3 Reference and Howto

As well as a number of man pages and example configurations.

Last edited by jschiwal; 03-28-2007 at 04:03 AM.
 
Old 03-28-2007, 04:54 AM   #3
1kyle
Member
 
Registered: Feb 2004
Location: 'Ol Blighty
Distribution: SLED 10, SUSE 10.3
Posts: 722

Original Poster
Rep: Reputation: 32
Hi -- same prob occurs when I logon to laptop with REAL windows.

Machines running through a Local Router with all firewalls (both Linux and Windows) switched off while testing. Router is running DHCP to assign IP addresses.

Every machine (Real or VM can access the Network and Internet without problem -- too easily as I've specified !!!!).

However current config

Laptop SUSE SLED 10
Vm Windows XP on Laptop -- bridged networking i.e both host and guest have their own IP address
Host 192.168.2.4 Windows VM guest 192.168.2.2

Remote machine running SUSE SLED 10

192.168.2.3.

There's also 2 VM's running on this remote server machine

Windows XP 192.168.2.7
Windows Vista Business 192.168.2.8

(however these are "suspended" while running the tests so these VM's aren't playing any part in the Network access problem).

"D" is a USB external 320GB disk NTFS formatted but enabled WRITE via fuse / ntfs-3g.

In any case shouldn't I get a password dialog screen just trying to expand the directories on the remote server "Blackdog". This doesn't come up even from another Linux Laptop.

(Usually the problem is in GETTING access not preventing it ).


Anyway here's the info

Mounted volumes on external machine


blackdog:/home/jim #
blackdog:/home/jim # mount -l
/dev/hdg7 on / type reiserfs (rw,acl,user_xattr) []
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
debugfs on /sys/kernel/debug type debugfs (rw)
udev on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
/dev/hdg8 on /home type reiserfs (rw,acl,user_xattr) []
/dev/hde1 on /windows/C type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
/dev/sdb1 on /windows/D type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
/dev/hde5 on /windows/E type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
/dev/hde6 on /windows/F type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
/dev/hde7 on /windows/G type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
/dev/sda5 on /windows/H type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096) []
securityfs on /sys/kernel/security type securityfs (rw)
blackdog:/home/jim #


The relevant samba sections on the remote machine

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2007/03/25 08:08:37

[global]
workgroup = JIMSVPN
server string = Samba 3.0.22-SUSE-SLES10-MAIN-SERVER
map to guest = Bad User
printcap name = cups
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
encrypt passwords = yes
passdb backend = smbpasswd
usershare allow guests = Yes
usershare max shares = 100
cups options = raw
include = /etc/samba/dhcp.conf

[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No

[profiles]
comment = Network Profiles Service
path = /windows/C/
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
store dos attributes = Yes

[users]
comment = All users
path = /home/
read only = No
inherit acls = Yes
guest ok = Yes
veto files = /aquota.user/groups/shares/

[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775

[D]
path = /windows/D
read only = No
guest ok = Yes



Cheers

-K

Last edited by 1kyle; 03-28-2007 at 05:13 AM.
 
Old 03-28-2007, 07:53 AM   #4
1kyle
Member
 
Registered: Feb 2004
Location: 'Ol Blighty
Distribution: SLED 10, SUSE 10.3
Posts: 722

Original Poster
Rep: Reputation: 32
After a bit more research and testing it seems that if your Windows User id and password are the same as your User id and password on the Linux box then no password dialog is presented.

(Using Windows XP PRO SP2).

You always get a password dialog as well if you've disabled a Windows login password or if the account on the linux box has a different name and / or password to the windows box.

However once you've done this ONCE you don't need to enter a password again next time you do network browsing until you logon to Windows again.

Is there a way to ALWAYS force an initial password dialog the first time you connect to the server even if the Windows password and the Linux password (and User id) are the same.

Ideally I'd like it to present the password EVERY TIME you start the Windows My Network Places network browser.

The Linux server is a stand alone box.


Cheers

-K

Last edited by 1kyle; 03-28-2007 at 08:08 AM.
 
Old 03-28-2007, 08:22 AM   #5
swerdna
Member
 
Registered: Jun 2006
Location: Oz
Distribution: openSUSE 10.x
Posts: 80

Rep: Reputation: 16
Quote:
Originally Posted by 1kyle
After a bit more research and testing it seems that if your Windows User id and password are the same your User id and password as on the Linux box then no password dialog is presented.

(Using Windows XP PRO SP2).

You always get a dialog as well if you've disabled a Windows login password.

Is there a way to ALWAYS force an initial password dialog the first time you connect to the server even if the Windows password and the Linux password (and User id) are the same.


The Linux server is a stand alone box.


Cheers

-K
Suppose you add a user "billybob" to the Linux machine and the Samba database. Billybob could be fictitious or real, but just not a windows user. Then add this line into the smb.conf paragraph for the shared volume D:
Code:
valid users = billybob
This will work if the share is correctly set up. For example it would work on this share:
Code:
[nameofshare]
path = /path/to/shared_folder
read only = no
force group = users
force user = name_of_the_owner_of_the_shared_folder
valid users = billybob
This would be accessible to everyone in the Samba database if the "valid users" line wasn't there

Just a passing thought

Swerdna

Last edited by swerdna; 03-28-2007 at 08:25 AM.
 
Old 03-28-2007, 08:46 AM   #6
swerdna
Member
 
Registered: Jun 2006
Location: Oz
Distribution: openSUSE 10.x
Posts: 80

Rep: Reputation: 16
I've had a look at your smb.conf file in finer detail than when I made the first post.

First I see you're set up to make the new breed of shares, usershares, as well as classical shares. I'm assuming you haven't made any of those to simplify things. Here's a burst on usershares just for the record.

Now, looking at share "D" I note that its path is such that it's owned by root in Linux but opened to all guests. If jim is a real user on the Linux machine I'd try this out:
Change ownership of the folder /windows/D to jim
Take away guest access
Restrict users to authentic entries in the Samba database
The share looks like this:
Code:
[D]
path = /windows/D
read only = no
force group = users
force user = jim
Remember to chown the folder D to jim or use superuser file browser to do that. That's structured to allow everyone who is registered in Samba database. But you can really tighten up if you add
Code:
valid users = jim
.

I never allow the silly default shares called homes, profiles, users or groups to stand (of course, ignore that if you're using one of them for something). They just expose everything to the people in distant countries. You can turn the ones you're not using off in Yast, or comment them off with "kdesu kwrite /etc/samba/smb.conf" as your text editor (or "gnomesu gedit /etc/samba/smb.conf"), or I just delete them using a text editor.

Swerdna

Last edited by swerdna; 03-28-2007 at 08:52 AM.
 
Old 03-28-2007, 08:50 AM   #7
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
You need the users and passwords to be the same (You are using security=user), so I don't think you read it correctly. Firstly, you may not want to use guest OK. Also, check the windows clients and see if you have "reconnect on boot" selected and/or the D:/ share mapped. That will save your password and username to reopen the session without popping up a requester.
 
Old 03-28-2007, 09:51 AM   #8
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 465

Rep: Reputation: 32
as posted above:
you need to set a request for password authentication:
smb.conf
[global]
security = user
otherwise you are allowing passwordless access to the linux share

Quote:
Change ownership of the folder /windows/D to jim
wrong,
ownership does not imply password requirement. In the scenario above User jim is allowing passwordless access to his resources.

this stuff in the listed smb.conf kills any password setting:
[general]
.....
usershare allow guests = Yes

[users]
.....
guest ok = Yes


most of the settings in smb.conf posted makes no sense anyway. Reading about samba would help.
 
Old 03-28-2007, 10:11 AM   #9
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 220

Rep: Reputation: 31
Quote:
Originally Posted by 1kyle
I really need to throw up a password before the user can access either the disk or view the shares on the remote machine (at least the first time).
I didn't read this entire thread, but it sure looks like you have guest enabled on the actual shares (in your smb.conf file).

Remove the guest ok = yes from [D] and [users] shares, then restart rcsmb
 
Old 03-28-2007, 04:01 PM   #10
swerdna
Member
 
Registered: Jun 2006
Location: Oz
Distribution: openSUSE 10.x
Posts: 80

Rep: Reputation: 16
Quote:
Originally Posted by broch
as posted above:
you need to set a request for password authentication:
smb.conf
[global]
security = user
otherwise you are allowing passwordless access to the linux share


wrong,
ownership does not imply password requirement. In the scenario above User jim is allowing passwordless access to his resources.

this stuff in the listed smb.conf kills any password setting:
[general]
.....
usershare allow guests = Yes

[users]
.....
guest ok = Yes


most of the settings in smb.conf posted makes no sense anyway. Reading about samba would help.
Hello again broch - how are you:
Regarding "security = user": That's on by default so 1kyle doesn't need to set that because it's already set.

Regarding "usershare allow guests = yes": That refers to usershares. It's not relevant for classical shares, which is what 1kyle is using in smb.conf AND it should be left as it is or usershares created by R-click in Nautilus won't work.

Regarding the share I proposed: This is the share recommended in the Official Samba-3 HowTo and Reference Guide for servers, called Anonymous Read-Write Document Server. I've linked it so 1kyle can read about it. Of course, in the version I've recommended, I've STRESSED to leave out guest access because 1kyle wants only authentic-user access, and 1kyle will get that because the security level is set to user-level by default.

Regarding "most of the settings in smb.conf posted makes no sense anyway": Most of the settings in the default install of smb.conf are there for a good reason, installed that way to service the most number of average users. Of course, users like 1kyle come to forums like this for assistance with modifying smb.conf to suit their needs. Makes sense to me.

Regarding "Reading about samba would help": As you and I both know, the Official Samba-3 HowTo and Reference Guide has about 1000 pages and the section on the man pages for the Samba config file takes up some 160 pages. So it's not unreasonable for 1kyle to short cut that enormous undertaking you would impose and ask for help here. I've put together (with considerable help from your contributions in the other forum) a series of HowTo tutorials with specific foci to help Suse users like 1kyle. Here's one for this situation. It puts the share recommended in the Official Samba-3 howto, and hence by me here, into a larger perspective to facilitate understanding.

Regarding all of your advice in this thread: As you know broch, I do respect your knowledge, but I believe that in this instance you've misread the situation, which is rare for you.

So 1kyle should retain focus despite the noise (and I mean that in the nicest possible way)

Swerdna

Last edited by swerdna; 03-28-2007 at 04:04 PM.
 
Old 03-28-2007, 06:40 PM   #11
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 465

Rep: Reputation: 32
hi swerdna,

you are correct,
default setting is
security = user

but he adds:
guest = ok
in [users] and [D] section
which "kills" password requirement.


Quote:
I really need to throw up a password before the user can access either the disk or view the shares on the remote machine (at least the first time).
he wants passwords. If this is w2k or xp password will appear only once.

usershare owner only = Yes
forget about nautilus, this is not safe option.


Quote:
Regarding the share I proposed: This is the share recommended in the Official Samba-3 HowTo and Reference Guide for servers, called Anonymous Read-Write Document Server. I've linked it so 1kyle can read about it.
this requires
security = share
meaning passwordless

and he wants passwords
regarding default samba config:
samba does not know what is your network configuration, this file is an example, using it "as is" makes not much sense and will cause different problems
example
Quote:
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
has this been configured?
do you have domain configured?

example
Quote:
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775
do you have windows printer drivers loaded on samba server?

and so on and so forth.

force user =
The force user flag causes, at the point of connection, the real user name to be lost, and the user is now whatever you put in force user =

These directives: force user and force group have serious side-effects and should be avoided.
You should use ACL for the purpose mentioned.

example:
I access a share as admin and create a file. Normally, this file would be owned by me, admin, and it would not be writable by the swerdna user. If swerdna tried to modify it, access would be denied. Then you would use force user = swerdna to allow swerdna to access a file created by admin. In this case the file created by admin is accessible by swerdna.

this has nothing to do with passwords.

there are too many things mixed here. Default smb.conf is only an example.

Last edited by broch; 03-28-2007 at 06:46 PM.
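
Added example, not part of the thread and not any poster's code: a small Python audit of the guest settings argued over above. It parses a constructed excerpt of the smb.conf from post #3 and a constructed variant with the changes suggested in posts #6 and #9, and lists the shares that accept the guest account; the names POSTED, HARDENED and audit are assumptions of this example.

```python
import configparser

# Constructed sample: guest-related lines copied from the smb.conf in post #3.
POSTED = """\
[global]
map to guest = Bad User
[profiles]
path = /windows/C/
guest ok = Yes
[users]
path = /home/
guest ok = Yes
[D]
path = /windows/D
read only = No
guest ok = Yes
"""

# Constructed "after" variant following posts #6 and #9: no guest ok, valid users set.
HARDENED = """\
[global]
map to guest = Bad User
[D]
path = /windows/D
read only = No
valid users = jim
"""

TRUE = {"yes", "true", "on", "1"}      # boolean spellings smb.conf accepts
GUEST_KEYS = ("guest ok", "public")    # "public" is a synonym for "guest ok"

def audit(text):
    """Return {share: [reasons]} for shares that accept the guest account."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=("#", ";"))
    cp.read_string(text)
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    map_guest = glob.get("map to guest", "Never")
    findings = {}
    for share in cp.sections():
        opts = cp[share]
        hits = [f"{k} = {opts[k]}" for k in GUEST_KEYS if opts.get(k, "no").strip().lower() in TRUE]
        if share.lower() == "global" or not hits:
            continue
        if map_guest.strip().lower() != "never":
            hits.append(f"map to guest = {map_guest}: failed logins can fall back to guest")
        if "valid users" not in opts:
            hits.append("valid users not set")
        findings[share] = hits
    return findings

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

Run against the posted excerpt it reports [profiles] as well as [users] and [D]: that share also carries guest ok = Yes, with path /windows/C/, and is not named in the replies.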
 
  



All times are GMT -5. The time now is 09:26 AM.
