Friday, December 10, 2010

Samba and guest shares with "security = user"

How to have a guest share on Samba without resorting to the deprecated "security = share" configuration.

This is a regular query on the Samba mailing list. When it comes to "security = share" just say no!
In a nutshell you need:
  • A username map file.
  • A valid 'nix "guest" user ("nobody" in most distros) mapped to the Windows guest account.
  • Proper smb.conf configuration.
In this example our username map file is /etc/samba/smbusers. It maps a 'nix user to a Windows user.
In smbusers:
nobody = guest
In smb.conf:
[global]
  ...
  security = user
  Map to guest = Bad User
  username map = /etc/samba/smbusers
  ...
  # -- no 'valid users =' line -- (a reminder, not a setting: don't add a "valid users =" entry)

[theshare]
  ...
  guest ok = yes
  # -- no 'valid users =' line --
  ...
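
As an added example (not from the original post or the Samba project), the Python below audits an smb.conf for the settings described above. The function names and sample data are constructed, and the defaults assumed for absent parameters are security = user, map to guest = Never and guest account = nobody.

```python
def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lowercased, spaces removed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)      # only the first '=' counts
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def audit_guest_share(conf_text, share, passwd_text):
    """Return a list of findings; an empty list means the recipe is in place."""
    conf = parse_smb_conf(conf_text)
    g, s = conf.get("global", {}), conf.get(share.lower(), {})
    unix_users = {l.split(":")[0] for l in passwd_text.splitlines() if ":" in l}
    findings = []
    # Assumed defaults when a parameter is absent: user / Never / nobody.
    if g.get("security", "user").lower() != "user":
        findings.append("security is not 'user'")
    if g.get("maptoguest", "never").lower() != "bad user":
        findings.append("map to guest is not 'Bad User'")
    if "usernamemap" not in g:
        findings.append("no username map configured")
    guest = g.get("guestaccount", "nobody")
    if guest not in unix_users:                  # the DD-WRT case in the comments
        findings.append(f"guest account '{guest}' is not in passwd")
    # 'public' is a synonym for 'guest ok'.
    if s.get("guestok", s.get("public", "no")).lower() not in ("yes", "true", "1"):
        findings.append(f"[{share}] lacks 'guest ok = yes'")
    for name, params in (("global", g), (share, s)):
        if "validusers" in params:
            findings.append(f"[{name}] has a 'valid users' line")
    return findings

# Constructed sample input mirroring the post's configuration.
SAMPLE_CONF = """[global]
  security = user
  Map to guest = Bad User
  username map = /etc/samba/smbusers
[theshare]
  guest ok = yes
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534:nobody:/:/bin/false\n"
```

Calling audit_guest_share(SAMPLE_CONF, "theshare", SAMPLE_PASSWD) returns an empty list; passing a passwd text without a "nobody" entry returns the missing guest account finding.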

13 comments:

  1. Not working on my Samba 3.5 in ddwrt.

  2. Has worked on every Samba install I've seen for years - but they have all been on "standard" Linux distros. I have a version of ddwrt running on an AP but it doesn't have the memory to run Samba. It's possible the available Samba packages for ddwrt are crippled in some way to reduce their memory footprint.

  3. Found this: DD-WRT does not include user nobody (I did mention that you need a valid 'nix guest user to map to) at startup (user nobody is the Linux default for "guest").
    http://www.dd-wrt.com/wiki/index.php/Optware

  4. I'm still being prompted for a password for my public share. Below are the contents of my smb file. Any ideas?


    [global]

    netbios name = STORA
    workgroup = WORKGROUP
    server string = Stora

    #netbios aliases = STORA2


    security = user
    #security = share
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    use sendfile = yes
    username map = /etc/samba/smbusers
    guest account = nobody

    printcap name = cups

    dns proxy = no

    browseable = yes
    Map to guest = Bad User

    domain master = no
    local master = yes
    preferred master = yes
    os level = 2
    unix charset = UTF8
    mangled names = no

    [Public]
    comment = Stora (Public)
    browseable = yes
    writable = yes
    path = /home/public
    guest ok = yes
    public = yes

    My smbusers file shows nobody = guest

  5. @Rob
    Nothing jumping out at me here.
    Although removing the "public = yes" from your share is a good idea as it is just a synonym for "guest ok = yes", which you already have.
    You may want to read the man file regarding "preferred master = yes" - maybe not a great idea to set that, and the same for "mangled names = no". Also "browseable = yes" is a default and no need to place it in the global section. When troubleshooting simplify using defaults.
    Always do a "testparm" to make sure your smb.conf shows no errors and that the values assigned to the parameters are what you expect.
    Do double check that "nobody" is an actual user on your system. I get this:
    # grep 'nobody' /etc/passwd
    nobody:x:65534:65534:nobody:/:/bin/false

    Chris

  6. It's still not working, but thanks for your help.

  7. @Rob
    Sorry about that - I've never had an install where it didn't work. Maybe something else in your configuration. Did you post your complete smb.conf?
    Maybe you're already connected as another user. Try running:
    net use * /delete /yes
    in a command prompt first.
    Also try setting:
    guest only = yes
    in your share. Then you should get a credentials box (unless you're logged as guest - which isn't normal as that account is typically left disabled) requiring you to supply "guest" as the username.
    Another thing to check: make sure you didn't actually create a user named guest in Samba:
    pdbedit -L
    should not list a user named guest.

  8. Something I should probably mention is that I am using Netgear's Stora for this, which has a version of Samba, but I don't have commands like pdbedit or testparm. I do have most of the other commands and I have sudo access, so that's how I make the changes.

    I tried the above and none of it worked, including the guest account, which I enabled. Since that didn't work, I tried the administrator account, which I enabled, and that worked like it was supposed to, which got me thinking, so I created an admin account (which was listed in the smbusers file). The other accounts that were listed as well but were under the nobody = guest pcguest didn't work, even though I created them inside Windows. However, anything that was listed as being under root = administrator, admin, and any other id I put in there saw the public folder fine. Just not the people listed for nobody =, which is just fine.

  9. testparm can't parse this line:
    -- no 'valid users =' line --

    Using Ubuntu 11.04 Server, everything is up to date.

  10. Doesn't work from Windows 7 client.

  11. Seems to work for Windows 7 after all, just make sure the username you use on the Windows machine doesn't match any Linux username.
    It does however still give me a username/password popup. When I just enter some crap as password, it connects as guest.

    Replies
    1. Glad I saw your note regarding the username. I had to deluser AND delgroup before Samba stopped prompting for a password on my writable guest share (on Debian squeeze).
