Public resource at SAMBA

Thiago Amaury Ferraz tferraz at romi.com.br
Wed May 25 16:18:04 UTC 2005


Hello All! I would really like to give thanks for Thomas Cameron's amazing help
with SAMBA. It was great and helped me so much! I was mistaken about the
global parameter "map to guest = Bad User". You opened my eyes with your
clearness!

Thank you so much!
TAF

------------------------------------
From: Thomas Cameron
Subject: Re: Public resource at SAMBA
Message-ID: <1116626171.17739.19.
Content-Type: text/plain; charset=utf-8

On Fri, 2005-05-20 at 13:32 -0300, Thiago Amaury Ferraz wrote:
> Hello!
> Would someone be able to say if there is a way to configure a resource to be
> public.. by the way, having the security = user.. in global parameters!?

In Samba, a public share means that it is accessible by all, without a
password.  Note that I think this is terribly dangerous.

From the smb.conf man page:

public

        This parameter is a synonym for guest ok.

guest ok (S)

        If this parameter is yes for a service, then no password is
        required to connect to the service. Privileges will be those of
        the guest account.

        This parameter nullifies the benefits of setting restrict
        anonymous = 2

        See the section below on security for more information about
        this option.

        Default: guest ok = no


> Is there some way to set up a samba guest user to be used by Windows guest
> users?

Also from the smb.conf man page:

guest account (G)

        This is a username which will be used for access to services
        which are specified as guest ok (see below). Whatever privileges
        this user has will be available to any client connecting to the
        guest service. This user must exist in the password file, but
        does not require a valid login. The user account "ftp" is often
        a good choice for this parameter.

        On some systems the default guest account "nobody" may not be
        able to print. Use another account in this case. You should test
        this by trying to log in as your guest user (perhaps by using
        the su - command) and trying to print using the system print
        command such as lpr(1) or  lp(1).

        This parameter does not accept % macros, because many parts of
        the system require this value to be constant for correct
        operation.

        Default: guest account = nobody # default can be changed at
        compile-time

        Example: guest account = ftp

So then you need to look at the entry in smb.conf called "map to guest:"

map to guest (G)

        This parameter is only useful in security modes other than
        security = share - i.e. user, server, and domain.

        This parameter can take three different values, which tell smbd
        (8) what to do with user login requests that don't match a valid
        UNIX user in some way.

        The three settings are :

              * Never - Means user login requests with an invalid
                password are rejected. This is the default.

              * Bad User - Means user logins with an invalid password
                are rejected, unless the username does not exist, in
                which case it is treated as a guest login and mapped
                into the guest account.

              * Bad Password - Means user logins with an invalid
                password are treated as a guest login and mapped into
                the guest account. Note that this can cause problems as
                it means that any user incorrectly typing their password
                will be silently logged on as "guest" - and will not
                know the reason they cannot access files they think they
                should - there will have been no message given to them
                that they got their password wrong. Helpdesk services
                will hate you if you set the map to guest parameter this
                way :-).


        Note that this parameter is needed to set up "Guest" share
        services when using security modes other than share. This is
        because in these modes the name of the resource being requested
        is not sent to the server until after the server has
        successfully authenticated the client so the server cannot make
        authentication decisions at the correct time (connection to the
        share) for "Guest" shares.

        For people familiar with the older Samba releases, this
        parameter maps to the old compile-time setting of the
        GUEST_SESSSETUP value in local.h.

        Default: map to guest = Never

        Example: map to guest = Bad User


As an example, I want to make a public share on my Linux box.  First I
create the directory:

[root@wintermute ~]# mkdir /usr/local/export/public

Then I make it owned by nobody.nobody like this:

[root@wintermute ~]# chown nobody:nobody /usr/local/export/public/

So now I check to make sure it looks right:

[root@wintermute ~]# ls -ld /usr/local/export/public/
drwxr-xr-x  2 nobody nobody 4096 May 20 16:34 /usr/local/export/public/

Now I make sure that the share is enabled in my /etc/samba/smb.conf:

[public]
        path = /usr/local/export/public
        read only = No
        guest ok = Yes

I also set up the map to guest entry in the [global] section of
my /etc/samba/smb.conf like this:

[global]
...
...
        map to guest = Bad User
...
...

Then I restart the smb service:

[root@wintermute ~]# service smb restart
Shutting down SMB services:                                [  OK  ]
Shutting down NMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]

Now my Windows users can access the [public] share on my Linux box
without a login or password.

> Best regards,
> And thanks a lot in advance!
> TAF

I hope this is useful!

Thomas 
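
An added example, not part of Thomas's message and not Samba project code: a small Python audit that reads an smb.conf and lists the shares a guest can reach, and whether they are writable, following the guest ok / public and map to guest rules quoted above. The sample config, the [projects] share, the function names and the assumed default of security = user are constructed for illustration.

```python
import re
# Constructed sample: the [public] share from the message plus a second share.
SAMPLE = """\
[global]
    security = user
    map to guest = Bad User
[public]
    path = /usr/local/export/public
    read only = No
    public = Yes
[projects]
    writable = yes
"""
TRUE = {"yes", "true", "on", "1"}
# smb.conf synonyms: name -> (canonical name, boolean value is inverted)
SYNONYMS = {"public": ("guestok", False), "writable": ("readonly", True),
            "writeable": ("readonly", True), "writeok": ("readonly", True)}

def norm(s):  # compare names and values ignoring case and whitespace
    return "".join(s.lower().split())

def parse(text):
    sections, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = sections.setdefault(m.group(1).strip().lower(), {})
        elif cur is not None and "=" in line:
            key, val = map(norm, line.split("=", 1))
            key, invert = SYNONYMS.get(key, (key, False))
            cur[key] = ("no" if val in TRUE else "yes") if invert else val
    return sections

def audit(text):
    """Return {share: "read-only" | "writable"} for shares open to guests."""
    conf = parse(text)
    g = conf.pop("global", {})
    # Outside security = share, guest shares need map to guest != Never.
    mapped = g.get("security", "user") == "share" or g.get("maptoguest", "never") != "never"
    open_shares = {}
    for name, s in conf.items():
        if mapped and s.get("guestok", g.get("guestok", "no")) in TRUE:
            ro = s.get("readonly", g.get("readonly", "yes")) in TRUE
            open_shares[name] = "read-only" if ro else "writable"
    return open_shares

print(audit(SAMPLE))  # {'public': 'writable'}
```

Run it against a copy of /etc/samba/smb.conf by passing the file's text to audit(); any share reported as writable accepts changes from clients that never supplied a password.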




