[Samba] Samba4 as AD DC, with one anonymous read-only share
Harry Jede
walk2sun at arcor.de
Wed Dec 18 05:32:00 MST 2013
On 12:30:22 Jason Bailey wrote:
> Hello all,
>
> I have several Samba4 DCs that host various production shares. I need
> one share, however, available as a read-only guest share (anonymous)
> that will be used as a software distribution share point. I have been
> unable to make it work (the servers prompt me for a valid username
> and password on that share).
...
> Thoughts? Help is appreciated.
This is from samba 3.6.x on Debian. Should also work on samba4 on any
Linux OS.
Settings in smb.conf:
[global]
guest account = nobody
map to guest = Bad User
[install]
comment = Installation Service
path = /srv/z
browseable = no
guest ok = yes
read only = yes
[install2]
copy = install
guest ok = no
acl group control = Yes
write list = +administrators
Guest account is set to the unix user nobody. "map to guest" is not so
important.
The install share is invisible, read-only and allows guest access.
The install2 share points to the same path. I use the "+" sign instead
of the "@" sign as group indicator. This prevents the unnecessary NIS
lookup.
# getent passwd guest
# getent passwd nobody
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
There is no user guest in unix.
# pdbedit -Lv guest
Username not found!
Nor in samba.
# pdbedit -Lv nobody
Unix username: nobody
NT username: nobody
Account Flags: [NU ]
User SID: S-1-5-21-3958726613-3318811842-4132420312-501
Primary Group SID: S-1-5-21-3958726613-3318811842-4132420312-514
Full Name: nobody
Home Directory: \\capella\nobody
HomeDir Drive: U:
Logon Script: UNKNOWN.bat
Profile Path: \\capella\profile\nogroup\nobody\UNKNOWN
Domain: EUROPA
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Mo, 30 Apr 2012 14:22:04 CEST
Password can change: Mo, 30 Apr 2012 14:22:04 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
# ldapsearch -xLLL uid=nobody
dn: uid=nobody,ou=people,ou=accounts,dc=europa,dc=xx
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: nobody
uidNumber: 65534
gidNumber: 65534
homeDirectory: /dev/null
sambaPrimaryGroupSID: S-1-5-21-3958726613-3318811842-4132420312-514
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-501
loginShell: /bin/false
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1335788524
sambaAcctFlags: [NU ]
The guest account must have the well-known DomainSID-501 and DomainSID-514
for primary group. Password changes are forbidden as N in sambaAcctFlags
indicates.
I use this setup to install Windows 7 pro via pxe boot with WindowsPE
3.0 and to install software with wpkg-gp as service.
--
Gruss
Harry Jede
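
Added example, not part of the original post: a small Python audit that reads smb.conf text, resolves "copy =" (settings given in the share itself override the copied ones) and [global] defaults, and reports for each share whether guests are allowed and whether it is read-only. The function names and the SAMPLE text are assumptions made for this illustration; SAMPLE is constructed from the settings quoted above.

```python
import re

# Constructed input: the share settings quoted in the post above.
SAMPLE = """[global]
guest account = nobody
[install]
guest ok = yes
read only = yes
[install2]
copy = install
guest ok = no
write list = +administrators
"""
# smb.conf synonyms -> canonical key; True marks an inverted synonym.
SYNONYMS = {"public": ("guestok", False), "writeable": ("readonly", True),
            "writable": ("readonly", True), "writeok": ("readonly", True)}
TRUE = {"yes", "true", "1", "on"}

def parse(text):
    """Return {section: {key: value}}; keys are lower-cased, spaces removed."""
    shares, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            cur = shares.setdefault(header.group(1).strip().lower(), {})
        elif cur is not None and "=" in line and line[0] not in "#;":
            key, val = (s.strip() for s in line.split("=", 1))
            key = re.sub(r"\s+", "", key).lower()
            key, inverted = SYNONYMS.get(key, (key, False))
            if inverted:
                val = "no" if val.lower() in TRUE else "yes"
            if key == "copy":  # clone an earlier section; explicit settings win
                for k, v in shares.get(val.lower(), {}).items():
                    cur.setdefault(k, v)
            else:
                cur[key] = val
    return shares

def audit(text):
    """Map share -> (guest_allowed, read_only, write_list) after inheritance."""
    shares = parse(text)
    base = {"guestok": "no", "readonly": "yes", "writelist": "", **shares.pop("global", {})}
    rows = {n: {**base, **own} for n, own in shares.items()}
    return {n: (e["guestok"].lower() in TRUE, e["readonly"].lower() in TRUE,
                e["writelist"]) for n, e in rows.items()}

def writable_guest_shares(text):
    """Shares that allow guest access without being read-only."""
    return [n for n, (guest, ro, _) in audit(text).items() if guest and not ro]
```

A non-empty write list in the report means the listed users can still write to a share that is otherwise read-only, as with install2 here. On a live server, "testparm -s" prints the configuration Samba actually loads.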