Public resource at SAMBA
Thiago Amaury Ferraz
tferraz at romi.com.br
Wed May 25 16:18:04 UTC 2005
Hello All! I would like to thanks really the amazing Thomas Cameron's help
about SAMBA, It was great and help me so much! I was mistaking about the
global parameter "map to guest = Bad User".. you opened my eyes with your
clearness!
Thank you so much!
TAF
------------------------------------
From: Thomas Cameron
Subject: Re: Public resource at SAMBA
Message-ID: <1116626171.17739.19.
Content-Type: text/plain; charset=utf-8
On Fri, 2005-05-20 at 13:32 -0300, Thiago Amaury Ferraz wrote:
> Hello!
> Someone would know to say if there is a way to configure a resourse to be
> public.. by the way, having the security = user.. in global parameters!?
In Samba, a public share means that it is accessible by all, without a
password. Note that I think this is terribly dangerous.
>From the smb.conf man page:
public
This parameter is a synonym for guest ok.
guest ok (S)
If this parameter is yes for a service, then no password is
required to connect to the service. Privileges will be those of
the guest account.
This paramater nullifies the benifits of setting restrict
anonymous = 2
See the section below on security for more information about
this option.
Default: guest ok = no
> Is there some way to set up a samba guest user to be used by Windows guest
> users?
Also from the smb.conf man page:
guest account (G)
This is a username which will be used for access to services
which are specified as guest ok (see below). Whatever privileges
this user has will be available to any client connecting to the
guest service. This user must exist in the password file, but
does not require a valid login. The user account "ftp" is often
a good choice for this parameter.
On some systems the default guest account "nobody" may not be
able to print. Use another account in this case. You should test
this by trying to log in as your guest user (perhaps by using
the su - command) and trying to print using the system print
command such as lpr(1) or lp(1).
This parameter does not accept % macros, because many parts of
the system require this value to be constant for correct
operation.
Default: guest account = nobody # default can be changed at
compile-time
Example: guest account = ftp
So then you need to look at the entry in smb.conf called "map to guest:"
map to guest (G)
This parameter is only useful in security modes other than
security = share - i.e. user, server, and domain.
This parameter can take three different values, which tell smbd
(8) what to do with user login requests that don't match a valid
UNIX user in some way.
The three settings are :
* Never - Means user login requests with an invalid
password are rejected. This is the default.
* Bad User - Means user logins with an invalid password
are rejected, unless the username does not exist, in
which case it is treated as a guest login and mapped
into the guest account.
* Bad Password - Means user logins with an invalid
password are treated as a guest login and mapped into
the guest account. Note that this can cause problems as
it means that any user incorrectly typing their password
will be silently logged on as "guest" - and will not
know the reason they cannot access files they think they
should - there will have been no message given to them
that they got their password wrong. Helpdesk services
will hate you if you set the map to guest parameter this
way :-).
Note that this parameter is needed to set up "Guest" share
services when using security modes other than share. This is
because in these modes the name of the resource being requested
is not sent to the server until after the server has
successfully authenticated the client so the server cannot make
authentication decisions at the correct time (connection to the
share) for "Guest" shares.
For people familiar with the older Samba releases, this
parameter maps to the old compile-time setting of the
GUEST_SESSSETUP value in local.h.
Default: map to guest = Never
Example: map to guest = Bad User
As an example, I want to make a public share on my Linux box. First I
create the directory:
[root at wintermute ~]# mkdir /usr/local/export/public
Then I make it owned by nobody.nobody like this:
[root at wintermute ~]# chown nobody:nobody /usr/local/export/public/
So now I check to make sure it looks right:
[root at wintermute ~]# ls -ld /usr/local/export/public/
drwxr-xr-x 2 nobody nobody 4096 May 20 16:34 /usr/local/export/public/
Now I make sure that the share is enabled in my /etc/samba/smb.conf:
[public]
path = /usr/local/export/public
read only = No
guest ok = Yes
I also set up the map to guest entry in the [global] section of
my /etc/samba/smb.conf like this:
[global]
...
...
map to guest = Bad User
...
...
Then I restart the smb service:
[root at wintermute ~]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
Now my Windows users can access the [public] share on my Linux box
without a login or password.
> Best regards,
> And thank´s a lot since now!
> TAF
Eu espero que este seja útil!
Thomas
More information about the users
mailing list