Greetings fellow Archers,
I have this peculiar problem with samba, it appears it doesn't want to allow guest connections. What I would like to do is have a top level folder that requires a login (/home/nay/) and a folder that allows read only access without a login (/home/nay/share). The folder with the logon works fine, however the read only public folder only works with authentication. The following is my hacked up script that I butchered out of frustration, mainly because I don't think I need a billion options yet:
**NOTE: I know there are some wrong settings here, especially one big one in the /share folder definition, but it doesn't matter what I try, it's a no go...
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = LINSRV
# server string is the equivalent of the NT Description field
server string = Linux Dom Server
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = user
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
hosts allow = 192.168.1. 192.168.2. 127.
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
guest account = nobody
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log
# Put a capping on the size of the log files (in Kb).
max log size = 50
dns proxy = no
#============================ Share Definitions ==============================
;[homes]
; comment = Home Directories
; browseable = no
; writable = yes
# A publicly accessible directory, but read only, except for people in
# the "users" group
[nay]
comment = Test Share
path = /home/nay
public = yes
writable = no
printable = no
write list = @users
[share]
comment = Read Only Video Access
path = /home/nay/share/
browsable = yes
read only = no
guest ok = yes
guest only = yes
available = yes
Last edited by lucytheboydog (2011-02-04 05:20:36)
Offline
are you not biting your own tail here - /home/nay/share is a subdirectory of /home/nay and as such is part of it and is automagically included in [nay] ...
I would try to make a /home/share and a /home/nay and see if that works.
Also - you have "read only = no" for the "read only video access" - should this not be "read only = yes" ?
Offline
and you need to add a guest account too.
guest account = <insert name of owner of the folder you want to share>
Offline
@Perbh, I made a directory in "/home/share/" and gave it a "chown -R nay shared" as well as "chmod 664 shared" and a "chgrp -G users shared". I also tried setting "chgrp -G guest shared" and I'm still getting access denied even if I try to authenticate. I can still get into "/home/nay/" if I authenticate though.
@eldragon, I thought this parameter goes in the global section, I have the user "nobody" in there at the moment, although I tried putting "nay" in there as well with no luck.
I did notice however that it appears my home directory is RWX for "nay" only, I'll try to chmod 744 it and see what happens...
In any case, a tip of the hat to your speedy replies, mucho appreciado!
>>EDIT: 744 didn't help, didn't make things worse though... I imagine that anything sensitive I'd need to leave in a 700'd directory but I'm happy to leave /nay as a 744....
>>EDIT 2: @eldragon, I know this isn't correct, but I tried adding "guest account = nay" to the share description and it didn't work.
Last edited by lucytheboydog (2011-02-02 03:17:20)
Offline
Hello again, I have tried all I can to get this going and though I can access the shares with authentication, I cannot as a guest.
I continued hacking away and this is what my config file looks like (I disabled the username map as it didn't help). I understand /nay/share/ is accessible within /nay, I couldn't get it to mount /home/share/ even after messing with chmod and chgrp etc..
I also created the user smbguest with: useradd -g smbguest -d /dev/null -s /bin/false smbguest
[global]
netbios name = ablanck
workgroup = LINSRV
server string = Linux Dom Server
# Security mode.
security = user
null passwords = true
; username map = /etc/samba/smbusers
# Restrict access to local network
hosts allow = 192.168.1. 127.0.0.1
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
guest ok = yes
guest account = smbguest
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = no
#============================ Share Definitions ==============================
[nay]
comment = Test Share
path = /home/nay
public = yes
writable = no
printable = no
write list = @users
[share]
comment = Read Only Video Access
path = /home/nay/share
public = yes
read only = yes
valid users = @users @guest
directory mask = 0664
Offline
If you create an extra user that you want to use as guest, then you need to make sure that user is also present in the samba user database.
If you use tdbsam as your passdb backend, you can use pdbedit to add the guest user account.
pdbedit -L
will list the users currently in the database.
The share you want guest to have access to needs a
guest ok = yes
and you can also try a
guest only = yes
I would not include the setting valid user in that kind of share. It might interfere with the guest access.
MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage
Offline
Hey MadEye:
I see what you mean here, I don't think I sufficiently set up the guest user however it still isn't working.
At this stage functionality hasn't changed, I can still access if I authenticate but no guest access. From what I can tell the folder permissions are set correctly and I believe the guest account is set up, is there anything I can do/provide to verify this?
I tried to provide all relevant info I thought may be useful and broke it up for easier reading.
*******************output of pdbedit is now:
[nay@ablanck home]$ sudo pdbedit -L
smbguest:1002:
nay:1000:Nathan
*******************More info on "SMBGUEST":
Password:
Unix username: smbguest
NT username:
Account Flags: [U ]
User SID: S-1-5-21-1324253957-3100716135-4201011365-501
Primary Group SID: S-1-5-21-1324253957-3100716135-4201011365-513
Full Name: smbguest
Home Directory: \\ablanck\smbguest
HomeDir Drive:
Logon Script:
Profile Path: \\ablanck\smbguest\profile
Domain: ABLANCK
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Thu, 03 Feb 2011 16:03:29 EST
Password can change: Thu, 03 Feb 2011 16:03:29 EST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
*******************I have also added "passdb backend = tdbsam" as indicated and my smb.conf is:
[global]
netbios name = ablanck
workgroup = LINSRV
server string = Linux Dom Server
# Security mode.
security = user
passdb backend = tdbsam
null passwords = true
# Restrict access to local network
hosts allow = 192.168.1. 127.0.0.1
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
guest ok = yes
guest account = smbguest
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = no
#============================ Share Definitions ==============================
[nay]
comment = Test Share
path = /home/nay
public = yes
writable = no
printable = no
write list = @users
[download]
comment = Downloads
path = /home/download
public = yes
writable = no
printable = no
write list = @users
[share]
comment = Read Only Video Access
path = /home/share
public = yes
read only = yes
guest ok = yes
; guest only = yes
; directory mask = 0664
*******************Also, I don't know if this helps, but:
[nay@ablanck ~]$ cat /etc/passwd
<irrelevant output>
smbguest:x:1002:1002::/dev/null:/bin/false (edited)
[nay@ablanck ~]$ groups smbguest
guest smbguest
Last edited by lucytheboydog (2011-02-03 05:57:41)
Offline
I am not sure what's going wrong here. I would say your settings are correct. Are the permissions on /home/share set to allow smbguest to enter?
Perhaps you can set the folder permission (chmod) to 777, just to make sure the problem is not here.
Unfortunately I will not be able to verify my own settings until I come home tomorrow evening. But I will get back to you then.
Meanwhile are you familiar with this link: http://oreilly.com/catalog/samba/chapte … index.html
It might not help you, but it contains some info on shares and security. Especially chapter 6 might be of interest.
MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage
Offline
[nay@ablanck home]$ ls -l
total 28
drwxrwxr-- 3 nay users 4096 Feb 3 16:28 download
drwx------ 2 root root 16384 Feb 1 14:32 lost+found
drwxr--r-- 4 nay users 4096 Feb 3 16:42 nay
drwxrwxr-- 2 root root 4096 Feb 3 16:07 share
I gave it a "chmod 774" earlier which should give it read access to guests (as far as I know).
I came across the link a while ago, but I'll have another good read to see if I'm missing something.
Thanks again MadEyes!
Offline
You should give other execute access on the folder. Else only the owner and group members can cd into it.
chmod o+x /home/share
There is also an option for the global section in smb.conf called map to guest = bad user
It will map any non existing users to the guest account.
Windows will always send the username to the server, and this can give failures when the user is not available on the server.
MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage
Offline
I played with it some more and the best I've gotten so far without authentication is:
[nay@apollo mnt]$ sudo mount -t cifs //192.168.1.7/download /mnt/dload
Password:
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
And that was by using "force group = @guest" under download and "map to guest = bad password".
Still no action though... the settings in post #7 are where I'm at still. Any help would be appreciated.
Offline
Hey MadEyes, I posted the last message before I got your last one, I'll give it a go tomorrow when I finish work, thanks again! (it sounds like why I was getting input/output errors when using map to guest and force group).
Offline
Hi,
in my setup these are the essential (but incomplete) lines for a guest-share:
[global]
guest account = nobody
map to guest = Bad User
[share]
path = /home/share
read only = No
guest ok = Yes
regards,
jochen
Offline
Your guest account has to be a VALID account in your system, it can belong to the global parameter or per share. But this user has to have read/write access to the share in question.
Remember, samba can only grant as much access as the user it represents has.
[nay]
comment = Test Share
path = /home/nay
guest account = <insert your username>
public = yes
writable = no
printable = no
write list = @users
The username inserted there has to be the owner of the shared resource, or someone with enough privileges.
Offline
I notice a few things that might need to be changed. My Server doesn't have a public share so I can only go by the default smb.conf file and the wiki.
First, according to the wiki if you want a public share and if you want to use the "map to guest = Bad User" then it should be right after the "security = user" entry
Option 2 - Allow guest and User connections
Edit /etc/samba/smb.conf and add the following line:
map to guest = Bad User
After this line
security = user
Otherwise your Security setting needs to be "share" not "user"
Share files for your LAN without user and password
Option 1 - Force guest connections
Edit /etc/samba/smb.conf and change the following line:
security = user
to
security = share
Second, according to the wiki if you're trying to mount a Samba Share as a user you need to allow it in /etc/fstab
Allowing users to mount
Before enabling access to the mount commands, fstab needs to be modified. Add the users options to the entry in /etc/fstab:
//SERVER/SHARENAME /path/to/SHAREMOUNT cifs users,noauto,noatime,username=USER,password=PASSWORD,workgroup=WORKGROUP 0 0
Note: The option is users (plural). For other filesystem types handled by mount, this option is usually user; sans the "s".
Also check that your network IP prefix is actually "192.168.1.", mine isn't so I always have to check those things, likewise if you use a nonstandard netmask.
Lastly look at the default smb.conf and review the two [Public] and the [myshare] setups to see if you can use that to help get you going.
Those are the only things that stand out to me.
Last edited by imatechguy (2011-02-04 02:55:23)
Offline
DIRECTED DIRECTLY AT MADEYES AND JOCHEN:
I NOW HAVE UNAUTHENTICATED READ ONLY ACCESS TO DOWNLOADS USING:
sudo mount -t cifs //192.168.1.7/download /mnt/dload
I HAVE READ WRITE ACCESS VIA:
sudo mount -t cifs -o user=XXXXX,password=XXXXX //192.168.1.7/download /mnt/dload
It was a cross between advice from MadEyes comment #10 and Jochen's comment #13.
In case anyone needs this; make sure to set a username in samba using "smbpassword", making sure it is a VALID user account on your system (if your user name is nay, then make a user in smbpassword named nay)
There may be some additional steps, but I assure all the information needed is in this thread (at least things to check anyway...)
The working settings file is as follows (includes /home/download/ example):
[global]
netbios name = ablanck
workgroup = LINSRV
server string = Linux Dom Server
# Security mode.
security = user
passdb backend = tdbsam
# Restrict access to local network
hosts allow = 192.168.1. 127.0.0.1
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
guest account = nobody
map to guest = Bad User
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = no
#============================ Share Definitions ==============================
[download]
comment = Downloads
path = /home/download
public = yes
writable = no
printable = no
read only = yes
guest ok = yes
write list = @users
Offline
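The checks this thread converged on ("map to guest = Bad User" under "security = user", "guest ok" on the share, no "valid users" on a guest share, and read and execute permission for "other" on the shared directory), collected into one audit as an added example that is not part of any post. The function names, the constructed sample configs and the modes argument are assumptions of the example; it also flags a guest share left writable, which goes slightly beyond what the posts discuss.

```python
import configparser

TRUE = {"yes", "true", "1"}

def parse(text):
    # RawConfigParser: no %-interpolation, so values like %m.log parse cleanly.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp

def flag(sec, *names, default=False):
    # First boolean parameter present among the given synonyms, else default.
    for n in names:
        if n in sec:
            return sec[n].strip().lower() in TRUE
    return default

def audit(text, modes):
    """Findings for guest shares; modes maps path -> os.stat(path).st_mode & 0o777."""
    cp, out = parse(text), []
    g = cp["global"] if cp.has_section("global") else {}
    if (g.get("security", "user").lower() == "user"
            and g.get("map to guest", "never").lower() != "bad user"):
        out.append("global: no 'map to guest = Bad User' with security = user")
    for name in cp.sections():
        s = cp[name]
        if name == "global" or not flag(s, "guest ok", "public"):
            continue  # only shares that are meant to admit guests
        if "valid users" in s:
            out.append(f"{name}: 'valid users' can shut the guest out")
        read_only = flag(s, "read only", default=not flag(s, "writable", "writeable"))
        if not read_only:
            out.append(f"{name}: guest-accessible share is writable")
        mode = modes.get(s.get("path", "").rstrip("/"))
        # Assumption: the guest account is neither owner nor in the group,
        # so it needs read + execute in the 'other' bits to list and enter.
        if mode is not None and (mode & 0o005) != 0o005:
            out.append(f"{name}: 'other' lacks r-x on {s['path']} ({mode:o})")
    return out

# Constructed samples modelled on the configs posted in this thread.
BROKEN = """[global]
security = user
log file = /var/log/samba/%m.log
[share]
path = /home/share
guest ok = yes
read only = yes
"""
FIXED = BROKEN.replace("security = user", "security = user\nmap to guest = Bad User")
print(audit(BROKEN, {"/home/share": 0o774}))  # mode of drwxrwxr-- as in the ls -l output
```

On the server, build the modes argument from os.stat() on each share path, and run "testparm -s" for Samba's own view of the effective settings.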
A VERY big thank you to all who replied and spent some of their time trying to help a poor schmuck out!
*bows*
Offline
In case someone like me comes across this post, just to post the solution I found:
To get a Mac to connect to an Arch samba server using the Guest account, I had to add
encrypt passwords = true
right after (in a new line) it says
security = user
which I found by comparing a working Ubuntu samba configuration file to the Arch one.
Sorry to wake up a solved zombie post
Offline