[Samba] samba security question

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Fri Jan 19 13:51:30 GMT 2007


On 01/18/2007 10:19 PM, Dave Abouav wrote:
> Hi,
> 
> I've set up a Samba server running on FreeBSD in a small 
> company I just joined.  I'd like to have some shares on
> the server be accessible to everyone, without the need
> to connect with a username and password. This is
> important for backwards compatibility with the current
> Windows PC fileserver they have (which I want to migrate
> them away from).
> 
> I'd also like to have other shares that only certain 
> users or groups can access, such as home directory shares.
> 
> What security setting can I set Samba to so that I can 
> accomplish both of these? It seems that the "user"
> setting will always require a username, so this is not
> good unless I can work around this for the public
> shares. But the "share" setting seems like it just
> associates a password with the share itself. This would
> be okay for home directories, but not very good for shares
> accessed by an entire group of users.

	Recently there has been a recommendation not to use
'security = share' in your smb.conf; considering that, I would
say that you should use 'security = user'.

	Samba has a special share called [homes]; you can
add 'valid users = %S' to it, which will make the $HOME
appear to the logged-in user and also restrict access to
him. That's usually already configured in example smb.conf
files all around.

	For shares where you don't want a user/password
check, you can use 'public = yes', which will allow people
to connect as guests.

	For shares that you want to be restricted you can
use ACLs on the filesystem or you can use groups in the
'valid users' parameter.

	You can find more details and examples in the
smb.conf man page. And you can also find useful information
and lots of tips in the Samba Official HOWTO and in the
Samba By Example:

		http://samba.org/samba/docs/



> Any other ideas for how this can be done? Windows can do 
> it by adding the user EVERYONE. Does Samba have such a
> user? Please CC me in the email response
> (dave at transducertech.com).

	No, the 'everyone' user does not exist, but you can
achieve a similar behaviour by using the above options and
having a guest account properly configured.


> Thanks,
> Dave

	Kind regards,

--
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
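
Added example, not part of the original message: an smb.conf combining the options named in the reply above ('security = user', [homes] with 'valid users = %S', 'public = yes', and a group in 'valid users'). The share names, paths, the 'staff' group, and the 'map to guest' and 'guest account' lines are assumptions for illustration.

```ini
# Constructed example smb.conf. Share names, paths and the "staff"
# group are assumptions, not values from the original thread.
[global]
    security = user
    # Assumption: with 'security = user', a login for a username Samba
    # does not know is mapped to the guest account instead of rejected,
    # so clients can reach public shares without valid credentials.
    # Known users with a wrong password are still rejected.
    map to guest = Bad User
    # Unprivileged Unix account used for guest connections.
    guest account = nobody

[homes]
    comment = Home directories
    browseable = no
    read only = no
    # %S expands to the share name, which for [homes] is the username,
    # so each user can connect only to their own home directory.
    valid users = %S

[public]
    comment = Open share, no username/password check
    path = /home/samba/public
    # 'public' is a synonym for 'guest ok'.
    public = yes
    # Guests get read-only access here; widen only if really needed.
    read only = yes

[projects]
    comment = Restricted to one group
    path = /home/samba/projects
    public = no
    read only = no
    # '@' selects a Unix group; only its members may connect.
    valid users = @staff
```

Running testparm against the file checks the syntax before smbd is restarted. Filesystem permissions on each path still apply on top of these settings, so the guest account needs read access to the [public] path and the group needs access to the [projects] path.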