re: Public resource at SAMBA


 



Hello All! I would really like to thank the amazing Thomas Cameron for his help with SAMBA. It was great and helped me so much! I was mistaken about the global parameter "map to guest = Bad User"... you opened my eyes with your clearness!

Thank you so much!
TAF

------------------------------------
From: Thomas Cameron
Subject: Re: Public resource at SAMBA
Message-ID: <1116626171.17739.19.
Content-Type: text/plain; charset=utf-8

On Fri, 2005-05-20 at 13:32 -0300, Thiago Amaury Ferraz wrote:
Hello!
Would someone know if there is a way to configure a resource to be
public, while having security = user in the global parameters?

In Samba, a public share means that it is accessible by all, without a password. Note that I think this is terribly dangerous.

From the smb.conf man page:

public

       This parameter is a synonym for guest ok.

guest ok (S)

       If this parameter is yes for a service, then no password is
       required to connect to the service. Privileges will be those of
       the guest account.

       This parameter nullifies the benefits of setting restrict
       anonymous = 2

       See the section below on security for more information about
       this option.

       Default: guest ok = no


Is there some way to set up a samba guest user to be used by Windows guest
users?

Also from the smb.conf man page:

guest account (G)

       This is a username which will be used for access to services
       which are specified as guest ok (see below). Whatever privileges
       this user has will be available to any client connecting to the
       guest service. This user must exist in the password file, but
       does not require a valid login. The user account "ftp" is often
       a good choice for this parameter.

       On some systems the default guest account "nobody" may not be
       able to print. Use another account in this case. You should test
       this by trying to log in as your guest user (perhaps by using
       the su - command) and trying to print using the system print
       command such as lpr(1) or  lp(1).

       This parameter does not accept % macros, because many parts of
       the system require this value to be constant for correct
       operation.

       Default: guest account = nobody # default can be changed at
       compile-time

       Example: guest account = ftp

So then you need to look at the entry in smb.conf called "map to guest:"

map to guest (G)

       This parameter is only useful in security modes other than
       security = share - i.e. user, server, and domain.

       This parameter can take three different values, which tell smbd
       (8) what to do with user login requests that don't match a valid
       UNIX user in some way.

       The three settings are :

             * Never - Means user login requests with an invalid
               password are rejected. This is the default.

             * Bad User - Means user logins with an invalid password
               are rejected, unless the username does not exist, in
               which case it is treated as a guest login and mapped
               into the guest account.

             * Bad Password - Means user logins with an invalid
               password are treated as a guest login and mapped into
               the guest account. Note that this can cause problems as
               it means that any user incorrectly typing their password
               will be silently logged on as "guest" - and will not
               know the reason they cannot access files they think they
               should - there will have been no message given to them
               that they got their password wrong. Helpdesk services
               will hate you if you set the map to guest parameter this
               way :-).


       Note that this parameter is needed to set up "Guest" share
       services when using security modes other than share. This is
       because in these modes the name of the resource being requested
       is not sent to the server until after the server has
       successfully authenticated the client so the server cannot make
       authentication decisions at the correct time (connection to the
       share) for "Guest" shares.

       For people familiar with the older Samba releases, this
       parameter maps to the old compile-time setting of the
       GUEST_SESSSETUP value in local.h.

       Default: map to guest = Never

       Example: map to guest = Bad User


As an example, I want to make a public share on my Linux box. First I create the directory:

[root@wintermute ~]# mkdir /usr/local/export/public

Then I make it owned by nobody.nobody like this:

[root@wintermute ~]# chown nobody:nobody /usr/local/export/public/

So now I check to make sure it looks right:

[root@wintermute ~]# ls -ld /usr/local/export/public/
drwxr-xr-x  2 nobody nobody 4096 May 20 16:34 /usr/local/export/public/

Now I make sure that the share is enabled in my /etc/samba/smb.conf:

[public]
       path = /usr/local/export/public
       read only = No
       guest ok = Yes

I also set up the map to guest entry in the [global] section of
my /etc/samba/smb.conf like this:

[global]
...
...
       map to guest = Bad User
...
...

Then I restart the smb service:

[root@wintermute ~]# service smb restart
Shutting down SMB services:                                [  OK  ]
Shutting down NMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]

Now my Windows users can access the [public] share on my Linux box
without a login or password.

Best regards,
And thanks a lot in advance!
TAF

I hope this is useful!

Thomas
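
An added example, not part of the original messages: a small audit that reads smb.conf text and reports every share reachable through the guest account, using the `guest ok` / `public` and `map to guest` semantics quoted above. It assumes `security = user`, that [global] values act as share defaults, and the usual Samba boolean spellings; the `[docs]` share and its path are constructed for illustration.

```python
import re

TRUE = {"yes", "true", "on", "1"}
# Synonyms from smb.conf(5): canonical name, and whether the value is inverted.
ALIASES = {"public": ("guestok", False), "writable": ("readonly", True),
           "writeable": ("readonly", True), "writeok": ("readonly", True)}

def norm(s):
    # Samba matches parameter names ignoring case and embedded whitespace.
    return re.sub(r"\s+", "", s).lower()

def parse(text):
    """Return {section: {canonical_param: value}}; a later line overrides an earlier one."""
    conf, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = conf.setdefault(m.group(1).strip().lower(), {})
        elif cur is not None and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            key, invert = ALIASES.get(norm(key), (norm(key), False))
            cur[key] = ("no" if val.lower() in TRUE else "yes") if invert else val
    return conf

def audit(text):
    conf = parse(text)
    glob = conf.get("global", {})
    mapping = norm(glob.get("maptoguest", "Never"))
    findings = []
    for share, params in conf.items():
        if share == "global":
            continue
        eff = {**glob, **params}   # assumption: [global] values act as share defaults
        if eff.get("guestok", "no").lower() not in TRUE:
            continue
        writable = eff.get("readonly", "yes").lower() not in TRUE
        # Assumes security = user: with map to guest = Never no login maps to guest.
        level = "inactive" if mapping == "never" else ("guest-write" if writable else "guest-read")
        findings.append((share, level, eff.get("path", "")))
    return findings

# Constructed sample: [public] is the share from the message; [docs] is made up.
SAMPLE = ("[global]\nmap to guest = Bad User\n"
          "[public]\npath = /usr/local/export/public\nread only = No\nguest ok = Yes\n"
          "[docs]\npath = /srv/docs\npublic = yes\n")
print(audit(SAMPLE))
```

A `guest-write` finding is the combination Thomas calls dangerous: anyone who can reach the server can write to that path with the guest account's privileges.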


