On Tuesday 04 April 2006 18:46, Craig White wrote:
> It doesn't matter if you use or don't use the defaults unless you
> haven't a clue what the defaults are.

For functionality, no. For security, yes, it does matter.

> The easy way to figure out what
> the true settings are (explicit and default supplied) is to issue
> 'testparm -s -v > /tmp/samba.conf' and you can then see all of the
> settings, including those supplied by default
>

True, testparm should always be used.

> > > security = share means that there are no users, no home directories and
> > > login is a password with access/file permissions as the user specified
> > > by smb.conf and thus a user name logging in is pointless when using
> > > 'security = share'
> >
> > I think we can take it that John Terpstra knows what he is talking about.
> > From "Samba-2 by Example":
> >
> > "This installation demands simplicity. Frequent turn-over of volunteer
> > staff would indicate that a network environment that requires users to
> > logon might be problematic. It is suggested that the best solution for
> > this office would be one where the user can log onto any PC with any
> > username and password.....
> >
> > This organisation is a prime candidate for Share Mode security."
> >
> > He goes on to say that ownership of files created can be forced.
> >
> > Note that he is saying that they would not need a password to access the
> > shares.
>
> ----
> your abbreviation removes the context that would make the last sentence
> above meaningful.

Not true. The quote was from p.25, should anyone care to check. I do find
it difficult to type while holding a paperback open, so I cut the detail
about how 'force user' can be applied. That does not change the context.

> 'security = share' does not automatically mean there
> is no password...only 'guest access = SOME_VALID_USER and guest ok =
> yes' can accomplish that.
>
> > There is no such section in the man page, so I presume you are referring
> > to another document. It would be helpful to know which one.
>
> ----
> man smb.conf (admittedly this is from FC-4 installation) perhaps you are
> having trouble locating the section, which I will now quote...
>
> The different settings will now be explained.
>
> SECURITY = SHARE
>

None of what you quote is in the samba man page on this FC4 system, which
is why I questioned your source. The man page I have merely lists a brief
description of the components, directs you to the web pages, and mentions
the contributors.

> When clients connect to a share level security server they need not log
> onto the server with a valid username and password before attempting to
> connect to a shared resource (although modern clients such as Windows
> 95/98 and Windows NT will send a logon request with a username but
> no password when talking to a security = share server). Instead, the
> clients send authentication information (passwords) on a per-share
> basis, at the time they attempt to connect to that share.
>
> Note that smbd ALWAYS uses a valid UNIX user to act on behalf of the
> client, even in security = share level security.
>

So we are arguing about semantics. "They need not log onto the server with
a valid username and password" but "smbd ALWAYS uses a valid UNIX user".
They are, in effect, guest, unless the workgroup was set up by someone with
knowledge of deeper security settings. My argument is that none of the
simplistic tools or guides that would be used in a first implementation
would set guest in the way you mention above, and simply setting 'guest ok'
does not give satisfactory results.

I'd be very interested to see the document you quote. I've been using samba
in a mixed lan for several years now, and I've never come across it. Would
you be prepared to send me a copy? I'd certainly like to read it. Most of my
knowledge was gained in the first place from Using Samba, and lately by the
'by Example' book. Reading several different versions of documentation often
leads to understanding something you would otherwise miss.

Anne
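Added example, not part of the original message and not Samba's own code: a small Python audit of a dump in the style of 'testparm -s -v' output, reporting share-level security and every share that has guest ok enabled, together with the UNIX user the connection ends up running as. The sample dump, the share names and the user 'volunteer' are constructed; the code assumes a share that does not set a parameter inherits the [global] value.

```python
import re

# Constructed sample in the style of a `testparm -s -v` dump (not real output).
SAMPLE_DUMP = """\
[global]
    security = SHARE
    guest account = nobody
    guest ok = No
[files]
    path = /data/files
    force user = volunteer
    guest ok = Yes
[accounts]
    path = /data/accounts
"""

def parse_dump(text):
    """Return {section: {param: value}}; names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """List findings: share-level security, and shares open to guests."""
    conf = parse_dump(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("security", "").lower() == "share":
        findings.append("global: security = share (passwords are per share, not per user)")
    for name, params in conf.items():
        if name == "global":
            continue
        # 'public' is a synonym for 'guest ok'; fall back to the [global] value.
        guest = params.get("guest ok", params.get("public", glob.get("guest ok", "no")))
        if guest.lower() in ("yes", "true", "1"):
            # 'force user' overrides the guest account for file operations.
            user = params.get("force user", glob.get("guest account", "(unset)"))
            findings.append(f"{name}: guest ok = yes, files accessed as UNIX user '{user}'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_DUMP)))
```
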