[Samba] Standalone server and POSIX ACL issue

Rowland penny rpenny at samba.org
Wed Jul 10 06:46:07 UTC 2019

On 09/07/2019 22:49, Yvan Masson wrote:
> On 09/07/2019 at 21:16, Rowland penny via samba wrote:
>> On 09/07/2019 20:06, Yvan Masson via samba wrote:
>>> Hi,
>>> First, thanks to all the people who continuously give great advice 
>>> on this list!
>>> I am setting up a standalone server (Debian 10, Samba 4.9.5+dfsg-5 
>>> from Debian). The following directory is shared and contains two 
>>> directories:
>>> /home/eleve/partage/
>>> ├── Documents
>>> └── Travail
>>> I want user "eleve" to be able to modify everything, and guest users 
>>> to have read access on "Documents/" and write access on "Travail/". 
>>> Everything works as expected when accessing files locally, but not 
>>> when mounting the share from a Linux client:
>>> - when logged in as guest, I can read everything but have no write 
>>> access in "Travail/"
>>> - when logged in as "eleve", I can not write inside "Documents/"
>> You would be better off setting up two shares
>>> I suppose I am missing something simple, but can not find what (I 
>>> have read 
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs).
>> I know that page refers to a standalone server, but it is mostly 
>> aimed at AD domain members, though the basics should work on a 
>> standalone server.
>> Rowland
> Thanks for the advice. I have read 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
> which gave me the solution: I had forgotten to add "eleve" user to the 
> smbpasswd database. It would need more testing, but it seems I have a 
> working setup with two shares and no POSIX ACL.
> I suppose I already know the answer, but is there a way to login with 
> Samba without having a smbpasswd file?
> Regards,
> Yvan

Yes, it is known as setting up an AD domain and then accounts are stored 
in AD ;-)

Otherwise if you really mean 'can I connect to a Samba share on a Samba 
standalone server without an account', then yes, you can. You will need 
'map to guest = bad user' in [global] and 'guest ok = yes' in the shares 
(note, you cannot use 'valid users' etc in the shares). With these 
settings and no users, anybody can connect to the shares and they will 
be mapped to the guest user (usually 'nobody'). This is very insecure.
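
A small audit of the guest settings named in the reply above, as an added example that is not part of the original message or of Samba itself: it parses smb.conf text and reports guest-reachable shares that are writable or that also set 'valid users', plus the global 'map to guest = bad user' mapping. The sample configuration, function names and finding labels are constructed for illustration.

```python
import re

TRUE = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

# Constructed sample: the two-share layout from the thread with guest access on.
SAMPLE = """
[global]
map to guest = bad user

[Documents]
path = /home/eleve/partage/Documents
guest ok = yes
read only = yes

[Travail]
path = /home/eleve/partage/Travail
guest ok = yes
read only = no
valid users = eleve
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, inner spaces dropped."""
    conf, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = conf.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.split()).lower()] = value.strip()
    return conf

def audit(text):
    """Return sorted (share, finding) pairs for guest-reachable shares."""
    conf, findings, guest_shares = parse_smb_conf(text), [], 0
    for name, p in conf.items():
        if name == "global" or p.get("guestok", p.get("public", "no")).lower() not in TRUE:
            continue
        guest_shares += 1
        writable = any(p.get(k, "no").lower() in TRUE for k in ("writable", "writeable", "writeok"))
        if writable or p.get("readonly", "yes").lower() not in TRUE:
            findings.append((name, "guest-writable"))      # anyone can modify files
        if "validusers" in p:
            findings.append((name, "guest-ok-with-valid-users"))  # conflict noted in the reply
    if guest_shares and conf.get("global", {}).get("maptoguest", "").lower() == "bad user":
        findings.append(("global", "unknown-users-mapped-to-guest"))
    return sorted(findings)
```

A guest-writable finding on a share such as Travail may be intended; the report lists it so that the exposure is a reviewed decision rather than an accident.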

