Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
SAMBA server with both user and share level security.
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
dE_logics
Advocate
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Sun Aug 07, 2011 10:22 am    Post subject: SAMBA server with both user and share level security. Reply with quote

I'm not talking about virtual hosting.

Can it happen that a single server (i.e the client too sees it as a single server) can have both user and share level security?... or resource specific security level?

This's my current smb.com, and it doesn't workout well -

Code:
[global]
workgroup = TEST
server string = testing
netbios name = MSERROR
guest account = ftp
security = user
[test]
path = /home/ftp
force user = ftp
force group = ftp
read only = no
guest ok = yes


Windows asks for username/password.

The user ftp (in smbpasswd) has not password.
_________________
My blog
Back to top
View user's profile Send private message
VinzC
Watchman
Watchman


Joined: 17 Apr 2004
Posts: 5084
Location: Dark side of the mood

PostPosted: Sun Aug 07, 2011 11:49 am    Post subject: Reply with quote

I think this is a security feature on the Windows' side in that it won't allow empty passwords. I think you have to tweak the registry to lower Windows' security checks but I'm not even sure. But what I'm certain is that Samba can only work in one mode at a time, either user or share level in your case.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 438

PostPosted: Mon Aug 08, 2011 12:06 am    Post subject: Reply with quote

You can only have 1 security level or the other.

However, in "user" mode. you can specify "map to guest = bad user" in the [global] section - any user not in Samba's account database with automatically be logged in as the "guest" user.
Back to top
View user's profile Send private message
dE_logics
Advocate
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Mon Aug 08, 2011 1:16 am    Post subject: Reply with quote

salahx wrote:
You can only have 1 security level or the other.

However, in "user" mode. you can specify "map to guest = bad user" in the [global] section - any user not in Samba's account database with automatically be logged in as the "guest" user.


Not in? I added the user to the database then. Trying it out.
_________________
My blog
Back to top
View user's profile Send private message
darkphader
Veteran
Veteran


Joined: 09 May 2002
Posts: 1199
Location: Motown

PostPosted: Tue Aug 09, 2011 5:54 pm    Post subject: Reply with quote

See my blog:
http://blog.realcomputerguy.com/2010/12/samba-and-guest-shares-with-security.html
_________________
WYSIWYG - What You See Is What You Grep
Back to top
View user's profile Send private message
dE_logics
Advocate
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Thu Aug 11, 2011 12:53 pm    Post subject: Reply with quote

Thanks, I'm trying it out. Not getting time apparently.
_________________
My blog
Back to top
View user's profile Send private message
dE_logics
Advocate
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Fri Aug 12, 2011 1:39 pm    Post subject: Reply with quote

Using map to guest = bad user did work, but this appears to be more of a workaround.
_________________
My blog
Back to top
View user's profile Send private message
darkphader
Veteran
Veteran


Joined: 09 May 2002
Posts: 1199
Location: Motown

PostPosted: Fri Aug 12, 2011 4:55 pm    Post subject: Reply with quote

dE_logics wrote:
Using map to guest = bad user did work, but this appears to be more of a workaround.

It's by design, works properly, and the recommended way to accomplish guest access; security = share is unofficially deprecated, the devs would like to see it go away but don't want to break many of the installs.
_________________
WYSIWYG - What You See Is What You Grep
Back to top
View user's profile Send private message
dE_logics
Advocate
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Sat Aug 13, 2011 3:53 am    Post subject: Reply with quote

When a windows client connects to a resource it should pass on a default username/password when the secure model is user. Making smb.conf aware of this seems to be the proper way.
_________________
My blog
Back to top
View user's profile Send private message
darkphader
Veteran
Veteran


Joined: 09 May 2002
Posts: 1199
Location: Motown

PostPosted: Sat Aug 13, 2011 4:13 am    Post subject: Reply with quote

dE_logics wrote:
When a windows client connects to a resource it should pass on a default username/password when the secure model is user. Making smb.conf aware of this seems to be the proper way.

Take it up with Microsoft. All Windows OS's allow guest access when configured to do so. Samba emulates this behavior.
_________________
WYSIWYG - What You See Is What You Grep
Back to top
View user's profile Send private message
alexchinalankey
n00b
n00b


Joined: 01 May 2011
Posts: 1

PostPosted: Sat Aug 13, 2011 1:06 pm    Post subject: All Windows OS's allow guest access Reply with quote

darkphader wrote:
dE_logics wrote:
When a windows client connects to a resource it should pass on a default username/password when the secure model is user. Making smb.conf aware of this seems to be the proper way.

Take it up with Microsoft. All Windows OS's allow guest access when configured to do so. Samba emulates this behavior.

I think you have to tweak the registry to lower Windows' security checks but I'm not even sure. But what I'm certain is that Samba can only work in one mode at a time, either user or share level in your case.
Back to top
View user's profile Send private message
dE_logics
Advocate
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Sat Aug 13, 2011 3:45 pm    Post subject: Reply with quote

darkphader wrote:
dE_logics wrote:
When a windows client connects to a resource it should pass on a default username/password when the secure model is user. Making smb.conf aware of this seems to be the proper way.

Take it up with Microsoft. All Windows OS's allow guest access when configured to do so. Samba emulates this behavior.


That way samba guys should know. I thought it was a protocol 'standard'.
_________________
My blog
Back to top
View user's profile Send private message
Cyker
Veteran
Veteran


Joined: 15 Jun 2006
Posts: 1746

PostPosted: Mon Aug 15, 2011 6:22 pm    Post subject: Reply with quote

For guest access, user mode really sucks.

It IS possible to run samba as both a user and a share mode server - See the second post here:

Samba Hybrid Security mode

It's quite a clever kludge actually; I got it working but ultimately it didn't really help me do what I wanted to do and made things a bit more complicated so I went back to having share mode only again...
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum