A bit about

Hello, everyone! All you can see below is just my bank of information. Some material I've found in the fathomless net, some I've learned myself. Don't think all of the information here is right or actual, but maybe it could be of use to you :) All feedback is welcome, especially constructive feedback :)

Friday, August 19, 2011

Samba: no password access

I'm probably a newbie to the SMB protocol and the Samba server, but it turned out to be a problem to set up comfortable access to a Samba server.

What do I mean by comfortable? To me it means, for example, several directories which can be accessed without a prompt for username or password (an irritating one as soon as you want to set up a media share free for all) and several directories which require authentication.

In this post it seemed that I resolved my problems by setting "security = share" in Samba server access, but then I found several things about this:

+ yes, it allows one to browse server directories and access public ones without password

- it doesn't provide true authentication. According to Samba's documentation for secured shares, it just receives the password from the client (ignoring the username) and then tries to compare this password against the users who are allowed to access that share. From my perspective, it's not fully secure

- strangely, I only succeeded in authenticating from Windows. As soon as I tried to use Dolphin, Konqueror or even smbclient, I always got "NT_STATUS_WRONG_PASSWORD". I haven't succeeded in googling and troubleshooting this issue.

So, "security = share" doesn't seem to be a solution. On the other hand, if I apply "security = user", Windows clients always ask for a password even if I try to access public shares (which would allow access even without one).

I was able to find a "magic spell" here:
security = user
map to guest = Bad Password
guest account = guest

After that, both Linux and Windows clients (even consoles like IconBit) were able to authenticate correctly.

So, finally, these are the steps I performed (I assume here that the system users "guest", "user1" and "user2" exist on the server):

1) Add Samba users and set the same passwords as system ones:
# smbpasswd -a user1
# smbpasswd -a user2
# smbpasswd -a guest

Leave the password blank for the "guest" account. If any account already exists, just remove it with "smbpasswd -x ". Just to be sure.

2) Create several test shares and assign full access to them (or at least to those users who are supposed to access these shares):
# mkdir -p /shares/public
# mkdir -p /shares/share1
# mkdir -p /shares/share2
# chmod 777 /shares/public
# chmod 777 /shares/share1
# chmod 777 /shares/share2

3) Put the following configuration into your [global] section of smb.conf:
workgroup = workgroup
server string = %h server
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

security = user
map to guest = Bad Password
guest account = guest

encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
invalid users = root
unix password sync = yes
domain logons = no

Fields decorated with "####" are the most important ones. Other fields can be changed depending on system's security and other requirements.

4) Configure your shares the following way:
[public]
comment = Public Staff
path = /shares/public
guest ok = yes
writable = yes
browseable = yes
valid users =

[share1]
comment = Share for user1
path = /shares/share1
guest ok = no
writable = yes
browseable = yes
valid users = user1

[share2]
comment = Share for user2
path = /shares/share2
guest ok = no
writable = yes
browseable = yes
valid users = user2

5) Finally, restart your Samba server. On my Debian system it's "/etc/init.d/samba restart"

Now all clients should be able to list the shares on this server and access the "public" directory without being prompted for a password. At the same time, in order to access share1, the user must authenticate as "user1" with that user's password (and similarly for share2).
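A check that reports what a guest session can reach under the configuration above, added here as an example and not part of the original post. It relies on Samba's documented behaviour that "map to guest = Bad Password" logs a user who mistypes a password in as the guest account; the parser, function names and sample text are constructed for illustration.

```python
import re

# Constructed sample mirroring the settings used in this post.
SAMPLE = """\
[global]
   security = user
   map to guest = Bad Password
   guest account = guest
[public]
   path = /shares/public
   guest ok = yes
   writable = yes
[share1]
   guest ok = no
   writable = yes
"""

YES = {"yes", "true", "1", "on"}

def parse(text):
    """Return {section: {param: value}}; names are matched ignoring case and spaces."""
    conf, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur[re.sub(r"\s+", "", key).lower()] = val.strip()
    return conf

def audit(text):
    """Return (section, finding) pairs describing what a guest session can reach."""
    conf = parse(text)
    out = []
    if conf.get("global", {}).get("maptoguest", "never").lower() == "bad password":
        out.append(("global", "wrong password for a real user becomes a guest login"))
    for name, s in conf.items():
        guest = s.get("guestok", s.get("public", "no")).lower() in YES
        rw = any(s.get(k, "no").lower() in YES for k in ("writable", "writeable", "writeok"))
        rw = rw or s.get("readonly", "yes").lower() not in YES
        if name != "global" and guest:
            out.append((name, "guest read-write" if rw else "guest read-only"))
    return out

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run it against the real file with audit(open("/etc/samba/smb.conf").read()); every share it lists as "guest read-write" can be modified without a password.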

The only problem I had was accessing from Windows XP. Originally it authenticated as "guest" and was able to access public, but when I tried to access "share1", it didn't prompt for a password, but instead showed me a message saying that access is denied.

In the log files of the Samba server I could see that Windows XP still tries to authenticate as "guest". So, it seems to be a problem of Windows XP, which doesn't close the session and doesn't prompt for a password within one session. It seems to me that a reboot could fix this problem.

Anyway, this also looks like a bug in the SMB protocol. It says that upon establishing a connection, the server just tells the client its security level ('share', 'user', etc.) and then it's up to the client how and when to ask for a password. Windows XP as usual does it wrong :)