[Samba] anonymous samba server with unauthenticated guest access policy
Michael Tokarev
mjt at tls.msk.ru
Wed Sep 27 16:30:36 UTC 2023
27.09.2023 19:18, Rowland Penny via samba wrote:
...
> Lets see if I understand this correctly, you have a Samba server that
> is/was running with 'map guest = bad user' in global and 'guest ok =
> yes' in a share, this would allow unknown (to Samba) users to connect
> to the share.
>
> However, the latest Windows no longer will allow anonymous shares, so
> you are looking to use authentication and are looking for the best way
> of doing this.
Yes, exactly.
> In my opinion, you have two choices, you run Samba as a standalone
> server and create the required users in Unix and Samba, or join the
> computer to the domain and use the 'rid' idmap backend.
>
> The first is only really viable if there are only a few users, the
> second will make every AD user a Unix user.
>
> Once you have decided which way to go, you can then use a group and
> allow the group read access to the share, but without write permission.
I was thinking about entirely opposite way: to run samba under non-root
uid so it just can not write to these files at all.
Or at the very least, to map all domain users to a fixed uid, similar
to `map to guest = bad user` (with *all* users being bad).
Samba server can be a domain member server too, that's ok if it's a must.
There's just no place for any "foreign" (domain) users here. The only
thing I need is to let samba server to be "known" to windows.
/mjt
More information about the samba
mailing list