[Samba] Behavior of deprecated share security with user security

L.P.H. van Belle belle at bazuin.nl
Sat May 24 04:02:01 MDT 2014


Hi,

This setup sets the Samba shares open so no passwords are asked.
Works for me on Ubuntu 12.04 with Windows 7 and 8.1.

Compare it to your config.


Louis


#======================= Global Settings =======================
 
[global]
## Browsing/Identification ###
   workgroup = HOME
   server string = storage server
   dns proxy = no

#### Networking ####
#   interfaces = 127.0.0.0/8 eth0
#   bind interfaces only = yes
 
#### Debugging/Accounting ####
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
 
####### Authentication #######
   security = share
   guest account = nobody
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = no
########## Domains ###########
## nothing used. 
 
########## Printing ##########
   load printers = no

############ Misc ############
## test without the socket option and with. 
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
 
hide unreadable = yes
 
#======================= Share Definitions =======================
 
[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S
 
[Downloads]
   comment = Downloads
   path = /home/Downloads
   browseable = yes
   guest ok = yes
   read only = no
   hide files = /lost+found/
   force directory mode = 777
   force create mode = 666
   directory mask = 777
   create mask = 666
 
 
 
If you have a DNS server and it works OK in resolving every host, then also change:
   dns proxy = yes
 

>-----Original message-----
>From: gael.jobin at switzerlandmail.ch 
>[mailto:samba-bounces at lists.samba.org] On behalf of Jobin, Gaël
>Sent: Saturday 24 May 2014 11:44
>To: samba at lists.samba.org
>Subject: [Samba] Behavior of deprecated share security with user security
>
> 
>
>Hi everyone, 
>
>I have a question since the security type "share" has been removed. How
>can a guest user access/see the shared folders of a computer without
>being prompted for its credentials with "security=user"? 
>
>What I mean is... 
>
>When I'm on a Windows 7 computer and try to access another Windows 7
>computer that appears in "Network", I can see the shared folders. If I
>try to access some of them, it asks me for a user/password or not
>(depending how the sharing is made).
>
>Now, with the config below, the Samba server appears as expected in the
>"Network" list of my Windows 7 computer. If I try to access the Samba
>server, it asks directly for a user/password. I don't want to enter a
>password at this level, so I enter something wrong (like "anonymous" or
>anything else) and I can see the shared folders available on my Samba
>server. Then, I want to browse into "LocalW". Double-click on "LocalW"
>and another login pop-up appears. So now, I enter the right
>username/password that exists on my Samba server (both in Linux and
>smbpasswd). The result is that the access is denied, even with the good
>username/password... 
>
>The access to "Local" and "Public" share are working fine. No "second"
>credentials are asked and the folders are readable (and writable for
>"Public") as expected. 
>
>To sum up, I would like to remove the first user/password request.
>First, because at this level (just a view on available shared folders)
>I consider that everyone has the right to see/browse this list. Second,
>because "Local" and "Public" shared folders are used by guest users and
>I want a transparent access to these shared folders (no authentication).
>(This "sharing behavior" works fine with "security=share" option.) 
>
>Thank you very much for your help. 
>
>Gaël 
>
>PS: Sorry for my poor English... 
>
>SMB.CONF 
>
>> [global]
>> include = /etc/samba/dhcp.conf
>> 
>> workgroup = WORKGROUP
>> server string = %h server
>> dns proxy = no
>> interfaces = 192.168.1.0/24
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>> 
>> log file = /var/log/samba/log.%m
>> log level = 3
>> max log size = 1000
>> syslog = 0
>> panic action = /usr/share/samba/panic-action %d
>> 
>> security = user
>> encrypt passwords = true
>> passdb backend = smbpasswd
>> obey pam restrictions = no
>> unix password sync = yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> pam password change = yes
>> 
>> map to guest = bad user
>> guest account = nobody
>> invalid users = root
>> 
>> usershare max shares = 0
>> use sendfile = yes
>> deadtime = 15
>> 
>> [Local]
>> comment = Media Share
>> path = /var/www/local
>> browseable = yes
>> guest ok = yes
>> create mask = 0744
>> inherit owner = yes
>> hide dot files = yes
>> writeable = no
>> veto files = /lost+found/
>> 
>> [LocalW]
>> comment = Media Share
>> path = /var/www/local
>> browseable = yes
>> guest ok = no
>> create mask = 0744
>> inherit owner = yes
>> hide dot files = yes
>> writeable = yes
>> veto files = /lost+found/
>> 
>> [Public]
>> comment = Public Share
>> path = /var/tmp/Common
>> browseable = yes
>> writeable = yes
>> guest ok = yes
>> create mask = 0744
>
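An added example, not part of either message above and not Samba's own tooling: a small audit that reads an smb.conf and reports which shares a guest can write to, which of those also create world-writable files, and whether the deprecated "security = share" mode is set. The function names and finding labels are hypothetical, parameter names are compared ignoring case and whitespace, the create mask default of 0744 is assumed when a share sets none, and the sample config is constructed from settings quoted in this thread.

```python
import re
# Constructed sample, trimmed from the settings quoted in this thread.
SAMPLE_CONF = """\
[global]
   security = share
[Downloads]
   guest ok = yes
   read only = no
   create mask = 666
[Local]
   guest ok = yes
   writeable = no
"""

def parse_smb_conf(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split on the first '=' only
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def is_true(value):
    return value.strip().lower() in {"yes", "true", "on", "1"}

def audit(text):
    conf = parse_smb_conf(text)
    glob = next((v for k, v in conf.items() if k.lower() == "global"), {})
    findings = []
    if glob.get("security", "").lower() == "share":
        findings.append(("global", "security-share"))
    for name, own in conf.items():
        if name.lower() == "global":
            continue
        share = {**glob, **own}              # [global] supplies share defaults
        guest = is_true(share.get("guestok", share.get("public", "no")))
        inverse = [share[k] for k in ("writeable", "writable", "writeok") if k in share]
        write = is_true(inverse[0]) if inverse else not is_true(share.get("readonly", "yes"))
        if guest and write:
            findings.append((name, "guest-writable"))
            if int(share.get("createmask", "0744"), 8) & 0o002:  # 'other' write bit
                findings.append((name, "world-writable-mask"))
    return findings
```

Calling audit() on the text of a real smb.conf returns a list of (share, finding) pairs; an empty list means no guest-writable share was found.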


