[Samba] Custom user shares

David Bear dwbear75 at gmail.com
Tue Apr 22 21:56:55 MDT 2014


I believe the Windows client is 'in control' of this. When Windows makes a
session to a 'share' that requires authentication, Windows will cache the
credentials used to make the connection. I don't think there is anything
you can do on the server side to force the credentials to 'change' or
'expire'.


On Tue, Apr 22, 2014 at 12:56 PM, Ashley M. Kirchner <ashley at pcraft.com> wrote:

> Related question: when a user connects to their password protected share
> (not by mapping the drive, but simply browsing to the server/share and
> entering their credentials to connect to the share), how long till the
> share "expires" so to speak. For example, I can connect to my share through
> Windows Explorer, copy whatever I need copied, then close the window. If I
> open explorer again a moment later, it still remembers the credentials and
> gets me to the share without asking for credentials again. At what point
> will that expire or will that only happen when the client computer gets
> rebooted? Is there a way to control that, say if the connection is idling
> for a certain amount of time, go ahead and close it and force a re-login?
>
>
> On Tue, Apr 22, 2014 at 1:15 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
> > On 22/04/14 19:59, Ashley M. Kirchner wrote:
> >
> >> *growl* This is what happens when I'm multi-tasking on both machines. That
> >> was the wrong one, sorry about that. This is the correct one:
> >>
> >> [global]
> >>          workgroup = WORKGROUP
> >>          server string = Torino
> >>          netbios name = TORINO
> >>          netbios aliases = DIGILAB BACKUP
> >>
> >>          interfaces = lo eth1 192.168.1.0/24
> >>
> >>          # logs split per machine
> >>          log file = /var/log/samba/log.%m
> >>          # max 50KB per log file, then rotate
> >>          max log size = 50
> >>
> >>          security = user
> >>          map to guest = Bad User
> >>
> >>          local master = no
> >>          socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >>          wins support = no
> >>          dns proxy = no
> >>          load printers = no
> >>          disable spoolss = yes
> >>          printcap name = /dev/null
> >>
> >>          smb ports = 139
> >>
> >>          username map = /etc/samba/usermap.txt
> >>          include = /etc/samba/smb.include.%L
> >>
> >> Then for the passwordless share that everyone CAN connect to right now:
> >>
> >>> cat smb.include.digilab
> >>>
> >> [bda]
> >>          comment = BDA Files
> >>          browseable = yes
> >>          writable = yes
> >>          path = /home/digilab/BDA
> >>          guest ok = yes
> >>          public = yes
> >>          read only = no
> >>          force user = digilab
> >>          force group = digilab
> >>          create mask = 0777
> >>          directory mask = 0777
> >>          locking = no
> >>
> >> And for the one I'm trying to setup with password, which is giving me
> >> access denied:
> >>
> >>> cat smb.include.backup
> >>>
> >> [kirash]
> >>          path = /mnt/backup/kirash
> >>          comment = Ashley M. Kirchner
> >>          writable = yes
> >>          valid users = kirash
> >>
> >> Both unix servers have a user login 'kirash'. On one server I can connect
> >> to the samba share with a client just fine, on the older one I get access
> >> denied.
> >>
> >
> > You have no users in samba or unix so your password-less share works.
> > You have no users in samba or unix so your share that requires a valid
> > user with a password doesn't work, or to put it another way:
> >
> > no users and password means that anybody can connect to your guest share,
> > but you need samba/unix users with passwords to connect to the other share.
> >
> > Rowland
> >
> >
> >
> >
> >> On Tue, Apr 22, 2014 at 12:50 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> >>
> >>> On 22/04/14 19:08, Ashley M. Kirchner wrote:
> >>>
> >>>> Uh, excuse my ignorance, but what? What samba database? I didn't do
> >>>> anything with any database on any of the servers, not the one that is
> >>>> working fine nor this (older) one I'm trying to configure. If you're
> >>>> referring specifically to the 'passdb backend' option, it's commented out
> >>>> on both servers.
> >>>>
> >>>> This is the complete smb.conf file on both.
> >>>>
> >>>> [global]
> >>>>           workgroup = WORKGROUP
> >>>>           server string = BRASCO
> >>>>           netbios name = BRASCO
> >>>>           interfaces = lo eth0 192.168.1.0/24
> >>>>
> >>>>           # logs split per machine
> >>>>           log file = /var/log/samba/log.%m
> >>>>           # max 50KB per log file, then rotate
> >>>>           max log size = 50
> >>>>
> >>>>           security = user
> >>>>
> >>>>           local master = no
> >>>>
> >>>>           socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >>>>
> >>>>           wins support = no
> >>>>           dns proxy = no
> >>>>           load printers = no
> >>>>           disable spoolss = yes
> >>>>           printcap name = /dev/null
> >>>>
> >>>>           smb ports = 139
> >>>>           username map = /etc/samba/usermap.txt
> >>>>
> >>>> [kirash]
> >>>>           path = /opt/backup/kirash
> >>>>           comment = Ashley M. Kirchner
> >>>>           writable = yes
> >>>>           valid users = kirash
> >>>>
> >>>>
> >>>> On Tue, Apr 22, 2014 at 11:56 AM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> >>>>
> >>>>> Hello Ashley,
> >>>>>
> >>>>> On 22.04.2014 19:45, Ashley M. Kirchner wrote:
> >>>>>
> >>>>>> We have an old internal server running samba version 3.2.15 which can't be
> >>>>>> upgraded for different reasons. It's been running several passwordless
> >>>>>> shares with no problem. Now I'm trying to configure passworded user shares
> >>>>>> and not having much luck. I'm wondering if someone can help me diagnose
> >>>>>> this:
> >>>>>>
> >>>>>> In smb.conf I have
> >>>>>>
> >>>>>> security = user
> >>>>>> map to guest = Bad user
> >>>>>> ...
> >>>>>> username map = /etc/samba/usermap.txt
> >>>>>>
> >>>>>> The public shares are setup as follows:
> >>>>>> [bda]
> >>>>>>            comment = BDA Files
> >>>>>>            browseable = yes
> >>>>>>            writable = yes
> >>>>>>            path = /opt/bda
> >>>>>>            guest ok = yes
> >>>>>>            public = yes
> >>>>>>            read only = no
> >>>>>>            force user = nobody
> >>>>>>            force group = nobody
> >>>>>>            create mask = 0777
> >>>>>>            directory mask = 0777
> >>>>>>            locking = no
> >>>>>>
> >>>>>> *This all works.*
> >>>>>>
> >>>>>>
> >>>>>> Now for the user shares, I have this:
> >>>>>> [kirash]
> >>>>>>            path = /opt/backup/kirash
> >>>>>>            comment = Ashley M. Kirchner
> >>>>>>            writable = yes
> >>>>>>            valid users = kirash
> >>>>>>
> >>>>>> The unix user 'kirash' exists.
> >>>>>> usermap.txt has a line in it that maps the user as follows:
> >>>>>> kirash = AshleyMKirchner
> >>>>>>
> >>>>>> But when I try to access that share from my client I get access denied.
> >>>>>>
> >>>>>> Interestingly enough, I have a second samba server with a more recent
> >>>>>> version, 3.6.9 to be exact, with the same exact samba configuration and
> >>>>>> that DOES WORK. I can access the share, it asks for the user credentials
> >>>>>> (as set on that unix server) and I'm able to log in and access that share
> >>>>>> just fine.
> >>>>>>
> >>>>>> So what am I missing on the older server that's causing it to deny access?
> >>>>>>
> >>>>>> Note: our network does NOT use any kind of directory or other server log
> >>>>>> ins. Each client is on their own.
> >>>>>>
> >>>>>>
> >>>>> You said the user is existing in unix. But is it also existing in the
> >>>>> samba database? As you haven't posted the complete smb.conf, I guess you
> >>>>> use tdb. Then have a look at 'smbpasswd' (-e / -a). If Samba uses a
> >>>>> different backend, please provide some more details.
> >>>>>
> >>>>>
> >>>>> Regards,
> >>>>> Marc
> >>>>>
> >>>>>
> >>>>>
> >>> You seem to have lost this line:
> >>>
> >>> map to guest = Bad user
> >>>
> >>> it was in your first post, this is in man smb.conf:
> >>>
> >>>             ·   Bad User - Means user logins with an invalid password are
> >>>                 rejected, unless the username does not exist, in which case it
> >>>                 is treated as a guest login and mapped into the guest account.
> >>>
> >>> So, as you don't have any samba users (and provided you don't have any
> >>> unix users on the machine that is running samba) all users should be able
> >>> to connect.
> >>>
> >>> But then you have the share, where the only valid user is kirash, try
> >>> removing this and then adding 'guest ok = yes'
> >>>
> >>> This should work, unless you have missed telling us something.
> >>>
> >>> Rowland
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba



-- 
David Bear
mobile: (602) 903-6476
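
A simplified model of the logon rules quoted in this thread (the `map to guest = Bad User` man page text, the question about the Samba database, and the `username map` line), added here as an example; it is not code from Samba or from any poster. The function names, the `passdb_users` set (in practice the account names that `pdbedit -L` lists) and the reduced sample configuration are assumptions made for illustration.

```python
# Added example, not Samba code: assumes the password is right whenever the
# account exists, and handles only plain user names in "valid users".
def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, keys lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section and line[0] not in "#;":
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def parse_usermap(text):
    """Lines read 'unix_name = client_name ...'; return {client_name: unix_name}."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and l.strip()[0] not in "#;")
    return {c.lower(): u.strip() for u, cs in pairs for c in cs.split()}

def explain_login(conf, usermap, passdb_users, client_user, share):
    """Say what happens when client_user opens share, and why."""
    glob, sect = conf.get("global", {}), conf[share.lower()]
    unix = usermap.get(client_user.lower(), client_user)  # username map runs first
    guest = sect.get("guest ok", sect.get("public", "no")).lower()
    if unix not in passdb_users:  # no Samba account (smbpasswd -a never run)
        if glob.get("map to guest", "never").lower() != "bad user":
            return "logon rejected: no Samba account for " + unix
        if guest in ("yes", "true", "1"):
            return "allowed as guest"
        return "denied: guest session, no 'guest ok'"
    valid = sect.get("valid users", "").split()
    if valid and unix not in valid:
        return "denied: " + unix + " is not in 'valid users'"
    return "allowed as " + unix

# Constructed sample, reduced from the configuration quoted in the thread.
SAMPLE_CONF = """
[global]
    map to guest = Bad User
[bda]
    guest ok = yes
[kirash]
    valid users = kirash
"""
SAMPLE_USERMAP = "kirash = AshleyMKirchner"

if __name__ == "__main__":
    conf, umap = parse_smb_conf(SAMPLE_CONF), parse_usermap(SAMPLE_USERMAP)
    for accounts in (set(), {"kirash"}):  # before / after `smbpasswd -a kirash`
        print(explain_login(conf, umap, accounts, "AshleyMKirchner", "kirash"))
```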

