[Samba] Anonymous Samba share across subnets (without WINS?)

Jon Heese jheese at co.weld.co.us
Tue Apr 9 11:00:28 MDT 2013

I'm trying to replace an old Windows 2000 server that is current set up with a number of open anonymous shares used by a legacy application that must remain in production for a few more years.  I spent a few hours trying to create anonymous shares on a 2008 R2 box but gave up.  My next idea was to use Samba to create an anonymous share, and following this quick-n-dirty HowTo: http://www.debuntu.org/samba-how-to-share-files-for-your-lan-without-userpassword/, I set up a Lucid Lynx box with samba (3.4.7~dfsg-1ubuntu3.10) to do just that.

Works great... as long as you're on the same subnet as the Samba server.

So our subnets are roughly set up thusly:

 * - Linux servers
 * - Test PCs (Win7 x64)
 * - Production PCs (Win7 x64)
 * (treated as an internal network, don't ask) - Old server subnet

And the specific machines I'll be discussing are:

 * - Samba server (wrc-deploy)
 * - My test PC (Win7 x64)
 * - Old Windows 2000 server

So from another Linux server, on the same subnet (broadcast domain), I can do the following without a problem:

jheese at wrc-aptcache1:~$ smbclient -NL wrc-deploy
Domain=[WELDCORCC] OS=[Unix] Server=[Samba 3.4.7]

        Sharename       Type      Comment
        ---------       ----      -------
        APS             Disk      APS share
        CARSBIN         Disk      CARSBIN share
        CARSPROJ        Disk      CARSPROJ share
        CivilDocs       Disk      CivilDocs share
        DA_CrystalEase  Disk      DA_CrystalEase share
        RMSDist         Disk      RMSDist share
        RMSDistTRN      Disk      RMSDistTRN share
        RMSTools        Disk      RMSTools share
        TibCAD          Disk      TibCAD share
        IPC$            IPC       IPC Service (wrc-deploy)
Domain=[WELDCORCC] OS=[Unix] Server=[Samba 3.4.7]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            WRC-DEPLOY

jheese at wrc-aptcache1:~$ smbclient -N //wrc-deploy/RMSDist
Domain=[WELDCORCC] OS=[Unix] Server=[Samba 3.4.7]
Server not using user level security and no password supplied.
smb: \> ls
  .                                   D        0  Mon Mar 25 15:44:53 2013
  ..                                  D        0  Mon Mar 25 15:24:20 2013
  test                                A        0  Mon Mar 25 15:45:01 2013

                60617 blocks of size 262144. 49484 blocks available
smb: \> q
jheese at wrc-aptcache1:~$


However, from my Windows test PC on the subnet, if I try to browse to \\wrc-deploy or \\wrc-deploy\RMSDist, say, I get "The account is not authorized to log in from this station."

However, and I think this is key, I can browse to \\ and \\\RMSDist without a problem...  DNS is absolutely working properly, and I can ping, telnet, etc. to the name "wrc-deploy" from my test PC without a problem.

Also, I know that it's not the old NTLM/LM security options because I can hit the old Windows 2000 server's shares from my test PC without a problem, and it's on the old server subnet,

To my knowledge, no WINS server has ever been configured on this network, nor do we have any broadcast forwarding configured on our routers to make the old server's shares browse properly.

I've Googled the crap out of this, including the specific error message, seeing about using Samba 4.x to do this instead of Samba 3.x, whether WINS is necessary (I'd really like to not have to go this route if possible), and everything else, but I can't find anyone else in this same situation.

So, can anyone please suggest ways to make this work.  I don't care how it's done, but the requirements are:

 * Anonymous CIFS shares
 * Works by name across subnets
 * Without a WINS server on each subnet (we have waaaaay too many subnets, some in weird places)
 * (Preferably) Without WINS altogether

Let me know if you need any specific information as far as config files, versions, or diagrams.  Thanks in advance!

Jon Heese
Systems Administrator
Weld County Computer Services
ACS Government Systems, Inc., A Xerox Company
tel: 970-304-6570 x2552
jheese at co.weld.co.us

Confidentiality Notice: This electronic transmission and any attached documents or other writings are intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. If you have received this communication in error, please immediately notify sender by return e-mail and destroy the communication. Any disclosure, copying, distribution or the taking of any action concerning the contents of this communication or any attachments by anyone other than the named recipient is strictly prohibited.

More information about the samba mailing list