[Samba] Samba4 as AD DC, with one anonymous read-only share

Harry Jede walk2sun at arcor.de
Wed Dec 18 05:32:00 MST 2013


On 12:30:22 wrote Jason Bailey:
> Hello all,
> 
> I have several Samba4 DCs that host various production shares. I need
> one share, however, available as a read-only guest share (anonymous)
> that will be used as a software distribution share point. I have been
> unable to make it work (the servers prompt me for a valid username
> and password on that share).

...

> Thoughts? Help is appreciated.

This is from samba 3.6.x on Debian. Should also work on samba4 on any 
Linux OS.

Settings in smb.conf:

[global]
    guest account     = nobody
    map to guest      = Bad User

[install]
    comment           = Installation Service
    path              = /srv/z
    browseable        = no
    guest ok          = yes
    read only         = yes

[install2]
    copy              = install
    guest ok          = no
    acl group control = Yes
    write list        = +administrators

Guest account is set to the unix user nobody. "map to guest" is not so 
important.
The install share is invisible, read-only and allows guest access.
The install2 share points to the same path. I use the "+" sign instead 
of the "@" sign as group indicator. This prevents the unnecessary NIS 
lookup.

# getent passwd guest

# getent passwd nobody
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

There is no user guest in Unix.

# pdbedit -Lv guest
Username not found!

Nor in Samba.

# pdbedit -Lv nobody
Unix username:        nobody
NT username:          nobody
Account Flags:        [NU         ]
User SID:             S-1-5-21-3958726613-3318811842-4132420312-501
Primary Group SID:    S-1-5-21-3958726613-3318811842-4132420312-514
Full Name:            nobody
Home Directory:       \\capella\nobody
HomeDir Drive:        U:
Logon Script:         UNKNOWN.bat
Profile Path:         \\capella\profile\nogroup\nobody\UNKNOWN
Domain:               EUROPA
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Mo, 30 Apr 2012 14:22:04 CEST
Password can change:  Mo, 30 Apr 2012 14:22:04 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


# ldapsearch -xLLL uid=nobody
dn: uid=nobody,ou=people,ou=accounts,dc=europa,dc=xx
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: nobody
uidNumber: 65534
gidNumber: 65534
homeDirectory: /dev/null
sambaPrimaryGroupSID: S-1-5-21-3958726613-3318811842-4132420312-514
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-501
loginShell: /bin/false
sambaPasswordHistory: 
00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1335788524
sambaAcctFlags: [NU         ]

The guest account must have the well-known DomainSID-501, and DomainSID-514 
as primary group. Password changes are forbidden, as the N in sambaAcctFlags 
indicates.

I use this setup to install Windows 7 pro via pxe boot with WindowsPE 
3.0 and to install software with wpkg-gp as service.


-- 

Gruss
	Harry Jede
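Added example, not code from the post or from Samba: a small Python audit that parses an smb.conf like the one above, resolves `copy =` the way smbd does (copied share first, own lines override), and reports what an anonymous client gets on each share, so you can confirm that the writable [install2] variant is not also guest-reachable. The SMB_CONF text is constructed from the post's settings.

```python
import configparser
# Constructed smb.conf fragment mirroring the post's [install]/[install2] layout.
SMB_CONF = """
[global]
    guest account = nobody
    map to guest  = Bad User
[install]
    path      = /srv/z
    guest ok  = yes
    read only = yes
[install2]
    copy       = install
    guest ok   = no
    write list = +administrators
"""

def parse_smb_conf(text):
    """Return {share: {param: value}}, resolving 'copy =' as smbd does: the
    (earlier-defined) copied share's parameters first, own lines override."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # smb.conf parameter names are case-insensitive
    cp.read_string(text)
    shares = {}
    for name in cp.sections():
        own = {k: v.strip() for k, v in cp.items(name)}
        merged = dict(shares.get(own.pop("copy", ""), {}))
        merged.update(own)
        shares[name] = merged
    return shares

_yes = lambda v: v.lower() in ("yes", "true", "1")

def guest_exposure(shares):
    """Map each share to what an anonymous client gets: 'none', 'read-only' or
    'writable'. [global] values act as per-share defaults; 'read only' defaults
    to yes, 'writeable'/'writable' are its inverse, 'public' aliases 'guest ok'."""
    out = {}
    for name, p in shares.items():
        if name == "global":
            continue
        eff = {**shares.get("global", {}), **p}
        if not _yes(eff.get("guest ok", eff.get("public", "no"))):
            out[name] = "none"
            continue
        ro = eff.get("read only")
        for alias in ("writeable", "writable"):
            if ro is None and alias in eff:
                ro = "no" if _yes(eff[alias]) else "yes"
        out[name] = "read-only" if _yes(ro or "yes") else "writable"
    return out
```

Run `guest_exposure(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a real file to list every share an anonymous client can read or write.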

