[Samba] Samba 3 "public" Access

John H Terpstra jht at samba.org
Thu Mar 4 23:18:42 GMT 2004


On Thu, 4 Mar 2004, Jason McCormick wrote:

>   What are the ramifications of changing security = share from security =
> ads ?  I was using security = domain before.  Looking at the docs/manpages
> I'm unclear how other shares will be affected (for the sections that match
> UNIX == Windows for IT staff).  From reading the manpage, it sounds like
> if guest ok = yes then it skips checking, but does it fall back to ADS if
> there's no guest ok directive?

If your Samba server is an ADS member server then you should not need to
use "guest ok = yes" either - so long as you run winbindd.

Winbindd will handle the allocation of local UIDs and GIDs from the idmap
uid and idmap gid ranges you specify in your smb.conf file. If you want to
set access controls on the directory that is exported to the public share
you must do so using domain credentials. This means that you must also
configure NSS (/etc/nsswitch.conf) to use winbind based identity
resolution.

When you have correctly configured NSS and run winbindd, and have set file
permissions appropriately taking into account the way that Domain Users and
Groups will resolve to local IDs, then there is no need to specify "public
= yes" in your smb.conf file either.

I have documented fully the configuration of Samba-3 as an ADS domain
member server or client in my book "Samba-3 by Example". Chapter 9
contains fully documented and worked examples that you may find helpful.
This book can be pre-ordered from Amazon.Com and will start shipping March
26th.

My previous comments were made with the assumption that you want to
provide fully anonymous file access to the 'public' share. You can still do
that within your ADS domain member context through use of netbios aliases
and the include facility. eg:

	netbios aliases = fred jimbo jacko
	include = /etc/samba/smb.conf.%L

Then if you want the server name JIMBO to be an anonymous file server, in
the file /etc/samba/smb.conf.jimbo specify:

	[global]
		security = share

	[public]
		path=/path/to/public/files
		guest ok = yes
		read only = yes

You must also then set the directory and file permissions so that the user
'nobody' can read them.

I hope this clears up the doubt.

- John T.


>
> -- Jason
>
> -----Original Message-----
> From: John H Terpstra <jht at samba.org>
> To: Jason McCormick <jmlists at lexi.com>
> Cc: samba at lists.samba.org
> Date: Thu, 4 Mar 2004 22:28:26 +0000 (GMT)
> Subject: Re: [Samba] Samba 3 "public" Access
>
> > On Thu, 4 Mar 2004, Jason McCormick wrote:
> >
> > > Hello all,
> > >
> > >   I've upgraded to Samba 3.0 and I'm having problems replicating some
> > > behavior I relied on in Samba 2.2.  Here's my scenario:  I have a
> > > Windows Active Directory domain.  All users have a windows login
> > > account.  No users have a "UNIX" login account on any of my Linux
> > > boxes.  With Samba 2.2 I could specify a share like so:
> > >
> > > [public]
> > >    path=/path/to/public/files
> > >    public = yes
> > >    writable = no
> > >    force user = nobody
> >
> > Add:
> > 	guest ok = yes
> >
> > And in [globals] set:
> > 	security = share
> >
> > - John T.
> >
> > >
> > > And have any user that was logged into their Windows workstation browse
> > > to \\SERVER and then be able to open the "Public" folder (i.e. the
> > > \\SERVER\PUBLIC location).  If public=yes was not set, then you could
> > > specify Windows->UNIX mapping in smbusers, etc..
> > >
> > > However with Samba 3.0, a Windows user with no UNIX account is unable to
> > > even open \\SERVER.  They are immediately prompted for a login and a
> > > password.  The Samba log shows:
> > >
> > > [2004/03/04 17:00:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
> > >   Username tjohnson is invalid on this system
> > >
> > > The few IT workers with 1:1 Windows to Linux user account mappings work
> > > fine so the account logins are happening successfully.  I need to get
> > > back to a state where Windows users with no UNIX account can see
> > > "public" type folders.  Any help?
> > >
> > > Much appreciated!!
> > >
> > > -- Jason
> > >
> > >
> >
> > --
> > John H Terpstra
> > Email: jht at samba.org
>
>

-- 
John H Terpstra
Email: jht at samba.org
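
The per-alias layout described in the reply above (netbios aliases plus include = /etc/samba/smb.conf.%L) means different server names can have different security modes and guest shares. The following is an added example, not part of the original post and not Samba code: a small Python audit that resolves the include for each alias and lists which names expose guest shares and whether they are read-only. Assumptions: the function names are hypothetical, %L is taken as the lowercase server name as in the post, a missing include file is skipped, and the parser is a simplified reading of smb.conf syntax.

```python
# Constructed sample input mirroring the layout in the post (not a real server).
MAIN = ("[global]\n security = ads\n netbios aliases = fred jimbo jacko\n"
        " include = /etc/samba/smb.conf.%L\n")
FILES = {"/etc/samba/smb.conf.jimbo":
         "[global]\n security = share\n[public]\n path=/path/to/public/files\n"
         " guest ok = yes\n read only = yes\n"}

def expand(text, files, name):
    # Splice includes in place; assumed: %L -> lowercase name, missing file skipped.
    for raw in text.splitlines():
        line = raw.strip()
        key, _, val = line.partition("=")
        if key.strip().lower() == "include":
            inc = files.get(val.strip().replace("%L", name.lower()))
            if inc is not None:
                yield from expand(inc, files, name)
        else:
            yield line

def parse(lines):
    # {section: {parameter: value}}; a later setting overrides an earlier one.
    conf, section = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line and line[0] not in "#;":
            key, _, val = line.partition("=")
            conf[section][" ".join(key.lower().split())] = val.strip()
    return conf

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def guest_shares(conf):
    # "public" = "guest ok"; writable/writeable/write ok invert "read only".
    found = {}
    for share, p in conf.items():
        if share != "global" and is_yes(p.get("guest ok", p.get("public", "no"))):
            writable = any(is_yes(p.get(k, "no")) for k in ("writable", "writeable", "write ok"))
            read_only = is_yes(p["read only"]) if "read only" in p else not writable
            found[share] = "read-only" if read_only else "WRITABLE"
    return found

def audit(main, files):
    names = parse(expand(main, files, "")).get("global", {}).get("netbios aliases", "").split()
    confs = {n: parse(expand(main, files, n)) for n in names}
    return {n: (c.get("global", {}).get("security", "user"), guest_shares(c)) for n, c in confs.items()}

if __name__ == "__main__":
    print(audit(MAIN, FILES))
```

With the sample input only JIMBO is reported with security = share and a read-only guest share; any share reported as WRITABLE is one to review before exposing it anonymously.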

