[Samba] Standalone server and POSIX ACL issue
yvan at masson-informatique.fr
Wed Jul 10 09:37:10 UTC 2019
On 10/07/2019 at 08:46, Rowland penny via samba wrote:
> On 09/07/2019 22:49, Yvan Masson wrote:
>> On 09/07/2019 at 21:16, Rowland penny via samba wrote:
>>> On 09/07/2019 20:06, Yvan Masson via samba wrote:
>>>> First, thanks to all the people who continuously give great advice
>>>> on this list!
>>>> I am setting up a standalone server (Debian 10, Samba 4.9.5+dfsg-5
>>>> from Debian). The following directory is shared and contains two
>>>> ├── Documents
>>>> └── Travail
>>>> I want user "eleve" to be able to modify everything, and guest users
>>>> to have read access on "Documents/" and write access on "Travail/".
>>>> Everything works as expected when accessing files locally, but not
>>>> when mounting the share from a Linux client:
>>>> - when logged in as guest, I can read everything but have no write
>>>> access in "Travail/"
>>>> - when logged in as "eleve", I can not write inside "Documents/"
>>> You would be better off setting up two shares
>>>> I suppose I am missing something simple, but can not find what (I
>>>> have read
>>> I know that page refers to a standalone server, but it is mostly
>>> aimed at AD domain members, though the basics should work on a
>>> standalone server.
>> Thanks for the advice. I have read
>> which gave me the solution: I had forgotten to add "eleve" user to the
>> smbpasswd database. It would need more testing, but it seems I have a
>> working setup with two shares and no POSIX ACL.
>> I suppose I already know the answer, but is there a way to login with
>> Samba without having a smbpasswd file?
> Yes, it is known as setting up an AD domain and then accounts are stored
> in AD ;-)
> Otherwise if you really mean 'can I connect to a Samba share on a Samba
> standalone server without an account', then yes, you can. You will need
> 'map to guest = bad user' in [global] and 'guest ok = yes' in the shares
> (note, you cannot use 'valid users' etc in the shares), with these
> settings and no users, anybody can connect to the shares and they will
> be mapped to the guest user (usually 'nobody'). This is very insecure.
OK thanks. However I still want to clarify what is wrong with my
original setup, where "Partage" directory is shared on a standalone
Samba 4.9.5 server:
Connecting with local user "yvan" (added to smbpasswd file this time),
works properly: I have write access in "Consultation/" and "Echange/".
Connecting as a guest user (mapped to user "nobody") works partially:
I have read access in "Consultation/" and "Echange/", but I would like
to have write access in "Echange/". For example, this does not work (the
share is mounted as guest via gvfs):
$ LANG=C touch
touch: cannot touch
However, everything works properly when accessing files locally. This works:
$ sudo -u nobody touch /home/yvan/Partage/Echange/test
So I guess I have an issue with guest access in my Samba configuration.
workgroup = AYN
log file = /var/log/samba/log.%m
logging = file syslog@1
server role = standalone server
map to guest = Bad User
guest account = nobody
path = /home/yvan/Partage
guest ok = yes
writable = yes
inherit acls = yes
$ getfacl Partage/*
# file: Partage/Consultation
# owner: yvan
# group: yvan
# file: Partage/Echange
# owner: yvan
# group: yvan
Any help would be appreciated :-)
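
Added example (not part of the original message and not Samba project code): a small audit that parses smb.conf text and lists every share that accepts guest connections, with whether guests may write and which account they run as, which is the exposure described in the reply quoted above. The section names [global], [Partage] and [Prive], the second share, and the function names are assumptions; when both "read only" and a "writable" spelling are set, this sketch lets the "writable" spelling win.

```python
TRUE = {"yes", "true", "1", "on"}  # spellings Samba accepts for a true boolean
# Constructed sample: section names and [Prive] are assumptions, the rest is from the message.
SAMPLE = """\
[global]
   map to guest = Bad User
   guest account = nobody
[Partage]
   path = /home/yvan/Partage
   guest ok = yes
   writable = yes
[Prive]
   valid users = eleve
   read only = no
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}, names lowercased and space-normalised."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def is_true(value):
    return value.strip().lower() in TRUE

def audit(text):
    """Return one finding per share that accepts guest connections."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for name, params in conf.items():
        share = {**glob, **params}  # [global] supplies per-share defaults
        if name == "global" or not is_true(share.get("guest ok", share.get("public", "no"))):
            continue
        # "read only" defaults to yes; writable/writeable/write ok are its inverse.
        writable = not is_true(share.get("read only", "yes"))
        for synonym in ("writable", "writeable", "write ok"):
            if synonym in share:
                writable = is_true(share[synonym])
        findings.append({"share": name, "guest_write": writable,
                         "runs_as": share.get("guest account", "nobody"),
                         "map_to_guest": share.get("map to guest", "never").lower(),
                         "has_valid_users": "valid users" in share})
    return findings
```

A finding with guest_write set only means Samba will not refuse the write; the filesystem permissions and ACLs for the runs_as account still apply on the server.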