[Samba] Ver 3.0.4 Anonymous access, no Password required
Zane Minninger
zminninger at gmail.com
Tue Feb 8 00:11:26 GMT 2005
On Wed, 2 Feb 2005 11:52:18 -0700, John H Terpstra <jht at samba.org> wrote:
> Zane,
>
> In your original post you asserted that the documentation is deficient.
> In what way are you offering to rectify the deficiency?
>
I have found, that my original question, was from lack of understaning
security. It was to get users to view the public directories on my
Samba box without a password. I believe remote fixed that by telling
me I should have Security = share in the global. That part, I did
find in the documentation, particularly the Samba-guide.pdf, which I
hadn't seen or found before you mentioned it.
This caused my other desired function, to fail. (Samba based
permissions to give a user write access, and allow others only read)
> In the open source world there are many deficiencies - its just a fact of
> life. The rule with open source is that because you have the source you can
> fix the deficiency. That is something of an unwritten responsibility - when
> you find a problem you fix it so that the next person does not have to go
> through the same pain you did.
I know, and I would be glad to help in any way possible. I love
finding solutions and posting them in an effort to help other resolve
their problems. I unfortunantly I haven't gotten into
installing/usering the C++ compiler yet, although I think my 2 years
of programing would be highly inadequite to even attemt to fix a
problem (unless Very minor or small), I wouldn't be able to repair the
source code.
>
> So please help sort out the deficiencies. There are two official Samba
> documents: The Samba-HOWTO-Collection and the Samba-Guide.
> I welcome your documentation updates in any form you can provide them.
> You have my total attention and my commitment to fix the gaping holes.
>
> On Wednesday 02 February 2005 04:01, Zane Minninger wrote:
> > Ok, I have read that PDF, and is doesn't look like it goes into what I
> > want, but there is SO much info there, I'll be taking it to bed a for
> > a few nights. Here is the basics that I have been able to
> > understand---
> >
> > I would like to have no username/password box appear when users on
> > Win2000 and WinXP browse to \\server\ I would also like certain
> > folders (\\server\pub\) to not require a username/password and only
> > have Read access.
>
> Windows opens a secure channel to a server. It authenticates only the first
> time that secure channel is opened. Subsequent connections from the client
> use only already established credentials. You therefore can not do what you
> want. In Windows NT4/200x/XPP an authentication failure may result in a
> pop-up asking for new credentials but you should not depend on that for
> access control as in many situations the client will not permit you access
> anyhow.
I agree, and concur. If you use the same loging session on the client
box, the credientials are cached. I have been re-logging in each time
after a successful attaching to the share, which does clear the
credentials. The original though was if I needed to have write access
to a folder, before making any connection to it, I could map a drive
with crendentials and have the full access I needed. If I didn't, I
just browse and could only read the data.
> >
> > The next step is the trick.
> >
> > Is there a way where in Windows I can Map a network drive and choose a
> > different Username/password to connect to the \\server\pub share to
> > give me permissions to add/delete.
>
> You just need to set your permissions and privileges in UNIX/Linux to work
> correctly, or create additional shares for the same directory share point.
That was the other way I was going to look into it. I do have the
correct rights on the Unix system. The default / generic user has
read to all folders in data (he has no rights but security is 775 for
all files / folders in the shared directory. That should allow him
read and execute, and it does if security = Share is turned on.
> >
> > OR
> >
> > Is there a way I can setup one share to not prompt for a
> > Username/password and set another folder to prompt for a
> > Username/Password.
>
> Show me how you would do this in Windows - Samba works that same way that
> Windows does.
In windows, I have tested this just now, My 2003 domain server (The pc
is not attached, never has been, and there is no user accounts on it,
app testing box only) I created a share, data. I gave permissions to
the share of User1 and everyone. Everyone only has read. User1 has
full control. I further went into the file system properties, stipped
out all of MS's permissions and set User1 full control of all files
and everyone read, read & execute, and List folder contents.
I created 2 direcory below that. One private, one public. I kept the
same permissions on public, giving user1 full and everyone read,
read&execute, and list folder contents. I took out the everyone
access to the private share and gave user1 full access.
So, in a Linux based system, it would should look like this (correct
me if I'm wrong)
DATA (755) (I'm setting group access to 5 for now)
|
|------Public (755)
|
|------Private (700)
So, with this configuration on the Win2003 server, again, my Personal
PC is not part of the domain nor am I useing the same user name as the
user on the box, I can log onto my WinXP pc, browse to \\server\data
and it shows me the folders public and private. I can not copy a file
here. I browse to public, I can not copy a file here either. I can
not browse to private. Error, no access/permission.
I log off my WinXP pc, and re login. I then map a network drive to
z:\ \\server\data specifing a user of user1 and his password. When I
browse my z:\ I can copy a file there (data directory), I can browse
to public and copy a file there, I can browse to Private and copy a
file there.
The original test, where I didn't map a drive, and I just browsed to
\\server\data gave me the access I needed, and just as importantly,
did not ask me for a username / password. Again, this was my orignal
desire.
I don't like using windows, it doesn't house my large data structure,
and I don't like having to re-load the OS every couple of years,
trying to presuve the permissions, ETC so I want to use linux for
this.
> > -----------
> > From what I have seen, security = share will ignore all user login
> > information. So, if I set the access to Share, Everyone can see
> > everything. Period. Essentially I can't control a particular user
> > access to any share.
>
> You need to read and digest the documentation better. Share mode security uses
> only a password. That password can be "no password" or a password for read
> access or for "full control" access. Read the documentation - that
> information is in the Samba-HOWTO-Collection.
I'll look samba's site as well as the how-to sites again for that, I
never saw a place for that, although I'm not sure if that will help,
I'm more than willing to learn.
> >
> > If I set the Security = User, it requires a username and password for
> > each connection, even to \\server\. It won't let anyone connect and
> > just view the certain shares.
> >
> > So, in senario terms, Bob can browse \\server\share1 from his PC and
> > can see everything in the folder with read writes but not
> > create/delete/modify rights. He adds a drive mapping for
> > \\server\share1 and sets it to Z:, choosing to specify a username and
> > password. He can now access \\server\share1 via Z:\ and has the
> > pemission to create/delete/modify the files/folders.
> >
> > OR
> >
> > Senario 2, Bob browses to \\server\share1 where he can read all files,
> > but doesn't have create/delete/modify rights, but he then browses to
> > \\server\share2 which is the same directory as share1, but he is
> > promped for a username and password, which he puts in and has full
> > access to the folder.
> >
> > I hope this helps. I understand if I get replys of "It doesn't work
> > that way, you can't do it, ETC" It would just be nice for anonymous
> > read access, and then I can login and modfiy the files.
>
> How would you do all this with a Windows NT4/200x/XP server backend?
> Samba does it the same way!
I posted above a little more information about how I can attain the
results I want on a Windows 2003 server. If need be, I'll put in my
Win2000 server HD and test on the OS as well, although I think it will
be the same.
> - John T.
Thank you for all your help John, as you probably notice I'm relativly
new to Linux as a whole ane even more so to samba. Any help would be
greatfull. If you would like, I have PC Anywhere setup on both my PC
and Win2003 server if you want to see what I'm talking about with my
example.
And thank you for your patience.
More information about the samba
mailing list