[Samba] problems with samba share

Michael Wood esiotrot at gmail.com
Mon Feb 8 02:58:10 MST 2010

On 8 February 2010 11:12, Alexandru Florescu <alex at acasa.ro> wrote:
>>> I want to achieve the following setup:
>>> - have a share that is read-only and accessible for guest users;
>>> - have the same share be modified by an authenticated specific user.
>>> This is running on debian lenny, samba 3.2.5.
>>> My smb.conf is as follows:
>>> [global]
>>>   workgroup = WORKGROUP
>>>   netbios name = cast
>>>   remote announce =
>>>   server string = %h server
>>>   dns proxy = no
>>>   interfaces = eth0
>>>   hosts allow =
>>>  username map = /etc/samba/usermap
>>> security = share
>>I don't think you want "security = share".
> But I do want security = share.

I am not sure that you can do what you are trying to do if you use
"security = share".

The smb.conf man page says various things about the possible options
for the "security" parameter including:

           If your PCs use usernames that are the same as their usernames on
           the UNIX machine then you will want to use security = user. If you
           mostly use usernames that don´t exist on the UNIX box then use
           security = share.

It also says that it is more difficult to set up a share that does not
require a password if you use security = user, but says that if you do
need that you should look into the "map to guest" parameter.

In the "SECURITY = USER" section it says that in this mode users MUST
first authenticate before accessing the share.  This seems to imply
that guest shares would not be possible, but it goes on to say:

           Note that the name of the resource being requested is not sent to
           the server until after the server has successfully authenticated
           the client. This is why guest shares don´t work in user level
           security without allowing the server to automatically map unknown
           users into the guest account. See the map to guest parameter for
           details on doing this.

in other words, it is possible, but you must use the "map to guest" parameter.

So I think you need to do the following:

security = user

guest user = someuser # This should be a local user with read-only
access to /var/workplace.

map to guest = Bad User # I think this is probably the right one.  See
the man page.

Then in the [workplace] share, add:

guest only = yes

Note, I am NOT a Samba expert and I have not tried the above, but it
seems, from reading the man page, that it should work.

By the way, you have some redundancy in your config.  e.g. "guest ok"
is the same as "public" so you don't need to specify both.  Also,
"read only" is the opposite of "writable" so again you don't need

Another thing:  "admin users" specifies a list of users who will
effectively be "root" when accessing the share.  That seems dangerous
to me, but also, the man page says:

           This parameter will not work with the security = share in Samba
           3.0. This is by design.

I hope this helps.

Michael Wood <esiotrot at gmail.com>

More information about the samba mailing list