[Samba] Ver 3.0.4 Anonymous access, no Password required

[Zane Minninger]

On Wed, 2 Feb 2005 11:52:18 -0700, John H Terpstra <jht at samba.org> wrote:
> Zane,
>
> In your original post you asserted that the documentation is deficient.
> In what way are you offering to rectify the deficiency?
>

I have found, that my original question, was from lack of understaning
security.  It was to get users to view the public directories on my
Samba box without a password.  I believe remote fixed that by telling
me I should have Security = share in the global.  That part, I did
find in the documentation, particularly the Samba-guide.pdf, which I
hadn't seen or found before you mentioned it.
This caused my other desired function, to fail. (Samba based
permissions to give a user write access, and allow others only read)

> In the open source world there are many deficiencies - its just a fact of
> life. The rule with open source is that because you have the source you can
> fix the deficiency. That is something of an unwritten responsibility - when
> you find a problem you fix it so that the next person does not have to go
> through the same pain you did.

I know, and I would be glad to help in any way possible.  I love
finding solutions and posting them in an effort to help other resolve
their problems.  I unfortunantly I haven't gotten into
installing/usering the C++ compiler yet, although I think my 2 years
of programing would be highly inadequite to even attemt to fix a
problem (unless Very minor or small), I wouldn't be able to repair the
source code.

>
> So please help sort out the deficiencies. There are two official Samba
> documents: The Samba-HOWTO-Collection and the Samba-Guide.
> I welcome your documentation updates in any form you can provide them.
> You have my total attention and my commitment to fix the gaping holes.
>
> On Wednesday 02 February 2005 04:01, Zane Minninger wrote:
> > Ok, I have read that PDF, and is doesn't look like it goes into what I
> > want, but there is SO much info there, I'll be taking it to bed a for
> > a few nights.  Here is the basics that I have been able to
> > understand---
> >
> > I would like to have no username/password box appear when users on
> > Win2000 and WinXP browse to \\server\  I would also like certain
> > folders (\\server\pub\) to not require a username/password and only
> > have Read access.
>
> Windows opens a secure channel to a server. It authenticates only the first
> time that secure channel is opened. Subsequent connections from the client
> use only already established credentials. You therefore can not do what you
> want. In Windows NT4/200x/XPP an authentication failure may result in a
> pop-up asking for new credentials but you should not depend on that for
> access control as in many situations the client will not permit you access
> anyhow.

I agree, and concur.  If you use the same loging session on the client
box, the credientials are cached.  I have been re-logging in each time
after a successful attaching to the share, which does clear the
credentials.  The original though was if I needed to have write access
to a folder, before making any connection to it, I could map a drive
with crendentials and have the full access I needed.  If I didn't, I
just browse and could only read the data.

> >
> > The next step is the trick.
> >
> > Is there a way where in Windows I can Map a network drive and choose a
> > different Username/password to connect to the \\server\pub share to
> > give me permissions to add/delete.
>
> You just need to set your permissions and privileges in UNIX/Linux to work
> correctly, or create additional shares for the same directory share point.

That was the other way I was going to look into it.  I do have the
correct rights on the Unix system.  The default / generic user has
read to all folders in data (he has no rights but security is 775 for
all files / folders in the shared directory.  That should allow him
read and execute, and it does if security = Share is turned on.

> >
> > OR
> >
> > Is there a way I can setup one share to not prompt for a
> > Username/password and set another folder to prompt for a
> > Username/Password.
>
> Show me how you would do this in Windows - Samba works that same way that
> Windows does.

In windows, I have tested this just now, My 2003 domain server (The pc
is not attached, never has been, and there is no user accounts on it,
app testing box only) I created a share, data.  I gave permissions to
the share of User1 and everyone.  Everyone only has read.  User1 has
full control.  I further went into the file system properties, stipped
out all of MS's permissions and set User1 full control of all files
and everyone read, read & execute, and List folder contents.

I created 2 direcory below that.  One private, one public.  I kept the
same permissions on public, giving user1 full and everyone read,
read&execute, and list folder contents.  I took out the everyone
access to the private share and gave user1 full access.

So, in a Linux based system, it would should look like this (correct
me if I'm wrong)

DATA   (755) (I'm setting group access to 5 for now)
 |
 |------Public (755)
 |
 |------Private (700)

So, with this configuration on the Win2003 server, again, my Personal
PC is not part of the domain nor am I useing the same user name as the
user on the box,  I can log onto my WinXP pc, browse to \\server\data
and it shows me the folders public and private.  I can not copy a file
here.  I browse to public, I can not copy a file here either.  I can
not browse to private.  Error, no access/permission.

I log off my WinXP pc, and re login.  I then map a network drive to
z:\  \\server\data specifing a user of user1 and his password.  When I
browse my z:\ I can copy a file there (data directory), I can browse
to public and copy a file there, I can browse to Private and copy a
file there.

The original test, where I didn't map a drive, and I just browsed to
\\server\data gave me the access I needed, and just as importantly,
did not ask me for a username / password.  Again, this was my orignal
desire.

I don't like using windows, it doesn't house my large data structure,
and I don't like having to re-load the OS every couple of years,
trying to presuve the permissions, ETC so I want to use linux for
this.

> > -----------
> > From what I have seen, security = share will ignore all user login
> > information.  So, if I set the access to Share, Everyone can see
> > everything.  Period.  Essentially I can't control a particular user
> > access to any share.
>
> You need to read and digest the documentation better. Share mode security uses
> only a password. That password can be "no password" or a password for read
> access or for "full control" access. Read the documentation - that
> information is in the Samba-HOWTO-Collection.

I'll look samba's site as well as the how-to sites again for that, I
never saw a place for that, although I'm not sure if that will help,
I'm more than willing to learn.

> >
> > If I set the Security = User, it requires a username and password for
> > each connection, even to \\server\.  It won't let anyone connect and
> > just view the certain shares.
> >
> > So, in senario terms, Bob can browse \\server\share1 from his PC and
> > can see everything in the folder with read writes but not
> > create/delete/modify rights.  He adds a drive mapping for
> > \\server\share1 and sets it to Z:, choosing to specify a username and
> > password.  He can now access \\server\share1 via Z:\ and has the
> > pemission to create/delete/modify the files/folders.
> >
> > OR
> >
> > Senario 2, Bob browses to \\server\share1 where he can read all files,
> > but doesn't have create/delete/modify rights, but he then browses to
> > \\server\share2 which is the same directory as share1, but he is
> > promped for a username and password, which he puts in and has full
> > access to the folder.
> >
> > I hope this helps.  I understand if I get replys of "It doesn't work
> > that way, you can't do it, ETC"  It would just be nice for anonymous
> > read access, and then I can login and modfiy the files.
>
> How would you do all this with a Windows NT4/200x/XP server backend?
> Samba does it the same way!

I posted above a little more information about how I can attain the
results I want on a Windows 2003 server.  If need be, I'll put in my
Win2000 server HD and test on the OS as well, although I think it will
be the same.

> - John T.

Thank you for all your help John, as you probably notice I'm relativly
new to Linux as a whole ane even more so to samba.  Any help would be
greatfull.  If you would like, I have PC Anywhere setup on both my PC
and Win2003 server if you want to see what I'm talking about with my
example.

And thank you for your patience.