[Samba] Fwd: NT_STATUS_ACCESS_DENIED for guest account to public share

Raymond Page pagerc at gmail.com
Fri May 25 20:08:11 UTC 2018


Well I changed my config to use the 'nobody' user, and that worked. So I
then tried to get 'guest' to work. Managed to get it to work when I changed
the 'guest' account uid from 405 to 400, when it started working too. I
toyed around with different names for the uid 405 account, and none of
those would work with samba. So there appears to be an issue with uid 405
on my environment, and nothing about the name 'guest' or even low uid's as
I can use uid 400 and it works.

This seems bizarre to me and I can't find any configuration that indicates
that uid 405 is in any way special or unique. If anyone has any insight on
where to look, I'm running Alpine Linux, I'd appreciate some direction.

--
Raymond Page


On Fri, May 25, 2018 at 3:20 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Fri, 25 May 2018 14:48:35 -0400
> Raymond Page <pagerc at gmail.com> wrote:
>
> > So the guest account ignores the owner permissions of the files it
> > interacts with and relies only on group membership and world
> > permissions?
> >
> > Why do I need the sgid? Users will create files/directories that will
> > default to their default group from /etc/passwd, and that's the
> > behavior I want. Authenticated users should be able to make
> > files/directories with group membership different from guest accounts.
> >
>
> That isn't how the guest account works, anybody who connects to your
> share must be the guest user (remember that you don't have any users
> and unknown users are mapped to the guest account by 'map to guest =
> Bad User'). Now normally 'nobody' is the guest user and its group is
> 'nogroup', but you are using 'guest' with the group 'users' (this is a
> bad move by the way). Because of all this and the way the share is set
> up, all files and directories created in the share will belong to
> 'guest:users'
>
> As I sort of said, having a share the way you have set it up, only
> makes sense if you want/need a wide open share. Just about the only
> way you could make it any less secure would be to allow wide links
>
> Do you really need a standalone server ? or are the rest of the
> computers in a domain ?
>
> Rowland
>


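The guest mapping Rowland describes in the quoted reply ('map to guest = Bad User', a guest account other than 'nobody', a guest-writable share, wide links) can be checked mechanically. This is an added example, not part of the original thread or of Samba; the sample smb.conf, its share name and path are constructed, and audit_guest_access is a hypothetical helper name.

```python
import configparser

# Constructed smb.conf resembling the setup discussed in this thread;
# the share name and path are assumptions, not taken from the posts.
SAMPLE_CONF = """
[global]
    map to guest = Bad User
    guest account = guest

[public]
    path = /srv/public
    guest ok = yes
    read only = no
"""

TRUE = {"yes", "true", "1"}

def audit_guest_access(conf_text):
    """Return a list of guest-exposure findings for an smb.conf string."""
    # smb.conf ignores leading whitespace; strip it so configparser does
    # not read indented lines as continuations of the previous value.
    text = "\n".join(line.strip() for line in conf_text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    glob = next((dict(cp[s]) for s in cp.sections() if s.lower() == "global"), {})

    def flag(opts, name, default):
        # A share-level value overrides the [global] one.
        v = opts.get(name, glob.get(name))
        return default if v is None else v.strip().lower() in TRUE

    findings = []
    if glob.get("map to guest", "never").strip().lower() == "bad user":
        findings.append("global: unknown users are mapped to the guest account")
    acct = glob.get("guest account", "nobody").strip()
    if acct != "nobody":
        findings.append(f"global: guest account is '{acct}', not 'nobody'")
    for share in cp.sections():
        if share.lower() == "global":
            continue
        opts = dict(cp[share])
        guest = flag(opts, "guest ok", False) or flag(opts, "public", False)
        writable = (not flag(opts, "read only", True)
                    or flag(opts, "writable", False))
        if guest and writable:
            findings.append(f"{share}: writable by guests without authentication")
        if guest and flag(opts, "wide links", False):
            findings.append(f"{share}: guest share with wide links set")
    return findings
```

Calling audit_guest_access(SAMPLE_CONF) returns three findings for the constructed configuration; the output of `testparm -s` can be passed in the same way to audit the effective settings of a running server.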