[Samba] problems with samba share

Alexandru Florescu alex at acasa.ro
Mon Feb 8 04:00:47 MST 2010 

Hi Michael, finally I have found the solution.
So I still have 'security = share' and I thought why it complained about
authentication failure. In smbpasswd, passwords are encrypted,
but in my general config I had 'encrypt passwords = no' and that's why it
didn't work. I changed it to yes.
So my [general] looks like this now:
   workgroup = WORKGROUP
   netbios name = cast
   remote announce = 192.168.1.99/WORKGROUP
   server string = %h server
   dns proxy = no
   interfaces = eth0
   hosts allow = 192.168.1.0/24
   realm = domain.local
   bind interfaces only = yes
   security = share
   encrypt passwords = yes
   passdb backend = smbpasswd
   lanman auth = yes
   client lanman auth = yes
   load printers = no
   printing = none
   socket options = TCP_NODELAY IPTOS_LOWDELAY

I know about the redundant options in my config, I put them on purpose
because I thought samba didn't "see" them.
Anyway, I removed them.
Thanks for the suggestions.

>>>I don't think you want "security = share".
>>
>> But I do want security = share.

>I am not sure that you can do what you are trying to do if you use
>"security = share".

>The smb.conf man page says various things about the possible options
>for the "security" parameter including:
>
>           If your PCs use usernames that are the same as their usernames
on
>           the UNIX machine then you will want to use security = user. If
you
>           mostly use usernames that don´t exist on the UNIX box then use
>           security = share.

>It also says that it is more difficult to set up a share that does not
>require a password if you use security = user, but says that if you do
>need that you should look into the "map to guest" parameter.
>
>In the "SECURITY = USER" section it says that in this mode users MUST
>first authenticate before accessing the share.  This seems to imply
>that guest shares would not be possible, but it goes on to say:
>
>           Note that the name of the resource being requested is not sent
to
>           the server until after the server has successfully authenticated
>           the client. This is why guest shares don´t work in user level
>           security without allowing the server to automatically map
unknown
>           users into the guest account. See the map to guest parameter for
>           details on doing this.

in other words, it is possible, but you must use the "map to guest"
parameter.

>So I think you need to do the following:
>
>security = user
>
>guest user = someuser # This should be a local user with read-only
>access to /var/workplace.
>
>map to guest = Bad User # I think this is probably the right one.  See
>the man page.
>
>Then in the [workplace] share, add:
>
>guest only = yes
>
>Note, I am NOT a Samba expert and I have not tried the above, but it
>seems, from reading the man page, that it should work.
>
>By the way, you have some redundancy in your config.  e.g. "guest ok"
>is the same as "public" so you don't need to specify both.  Also,
>"read only" is the opposite of "writable" so again you don't need
>both.
>
>Another thing:  "admin users" specifies a list of users who will
>effectively be "root" when accessing the share.  That seems dangerous
>to me, but also, the man page says:
>
>           This parameter will not work with the security = share in Samba
>           3.0. This is by design.
>
>I hope this helps.
>
>-- 
>Michael Wood <esiotrot at gmail.com>

More information about the samba mailing list