samba - Jan 2005 - Ver 3.0.4 Anonymous access, no Password required

I have searched the Docs, How-to's, and this news group/ Mailing list
and still haven't found what I am looking for, at least not an answer.

I am simply trying to allow access to public shares on my Linux PC
(slackware 10).  I have a directory setup but the only way to get in
is to send a Username and Password.  I am setting it up for WinXP and
Win2K PC's to access.  I have set up the nobody account, even gave it
a password of nothing and enabled it.  Still WinXP requests a userID
and password.

  I do have a mildly, but not outrageous, custom setting.  I have 2
nics and only want one of them to be accessed by windows request.  I
am not sure what account the WinXP tries to connect with by default.

I can make a share on Windows and tell it to allow read access by
anyone, so no one has to enter an ID or password.  Is this possible in
Samba and I passed some critical information to make this work?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; /etc/smb.conf
;
; Make sure and restart the server after making changes to this file, ex:
; /etc/rc.d/init.d/smb stop
; /etc/rc.d/init.d/smb start

[global]
; Uncomment this if you want a guest account
   workgroup = Trigun
   server string = Niles Server
   guest account = nobody
   log file = /var/log/samba/samba-log.%m
   lock directory = /var/lock/samba
   share modes = yes
   interfaces = X.X.X.225/29 ; 1 of 5 Statics, Subnet 255.255.255.248
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd
;   valid users = %s

[Upload]
   comment = Upload Area
   path = /var/ftp/pub/uploaded
   read only = no
   public = yes
   writable = yes
   printable = no

;[homes]
;   comment = Home Directories
;   browseable = no
;   read only = no
;   create mode = 0750

[Pub]
   comment = Public Folder
   path = /var/ftp/pub
   public = yes
   writable = no
   printable = no
   write list = midnight
~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Any help would be appriciate, and sorry if seems I'm upset, frustrated
is more like it.  Every post I've seen has a couple of suggestions and
then no "yes it worked, no it didn't".  And there are only 3 or so
I
could find in the archive.

--Zane

P.S. On a side not, I would love to have the Homes sections un
commented but if I use an ID with no password for the time being, it
gives the home directory of the ID.  I hope if there is a solution to
the no password dialog box, that it will allow homes to be opened.  If
not, any suggestions?  All suggestions are welcome, as well as any
improvements to this config are welcome.  I know so little, I'm amazed
I got samba to work, last time and 1 week later I had nothing working.

Hi !

What is the setting for your security level ? From the look of your 
smb.conf, you have security=user, which means only users known to Samba 
(with smbpasswd -a) can even access the server, let alone write on its 
shares. Maybe you should switch to security=share, this might work. I 
wouldn?t apply this to the homes share, though.

J?rg

----- Original Message ----- 
From: "Zane Minninger" <zminninger@gmail.com>
To: <samba@lists.samba.org>
Sent: Monday, January 31, 2005 11:41 PM
Subject: [Samba] Ver 3.0.4 Anonymous access, no Password required

>I have searched the Docs, How-to's, and this news group/ Mailing list
> and still haven't found what I am looking for, at least not an answer.
>
> I am simply trying to allow access to public shares on my Linux PC
> (slackware 10).  I have a directory setup but the only way to get in
> is to send a Username and Password.  I am setting it up for WinXP and
> Win2K PC's to access.  I have set up the nobody account, even gave it
> a password of nothing and enabled it.  Still WinXP requests a userID
> and password.
>
>  I do have a mildly, but not outrageous, custom setting.  I have 2
> nics and only want one of them to be accessed by windows request.  I
> am not sure what account the WinXP tries to connect with by default.
>
> I can make a share on Windows and tell it to allow read access by
> anyone, so no one has to enter an ID or password.  Is this possible in
> Samba and I passed some critical information to make this work?
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ; /etc/smb.conf
> ;
> ; Make sure and restart the server after making changes to this file, ex:
> ; /etc/rc.d/init.d/smb stop
> ; /etc/rc.d/init.d/smb start
>
> [global]
> ; Uncomment this if you want a guest account
>   workgroup = Trigun
>   server string = Niles Server
>   guest account = nobody
>   log file = /var/log/samba/samba-log.%m
>   lock directory = /var/lock/samba
>   share modes = yes
>   interfaces = X.X.X.225/29 ; 1 of 5 Statics, Subnet 255.255.255.248
>   encrypt passwords = yes
>   smb passwd file = /etc/smbpasswd
> ;   valid users = %s
>
> [Upload]
>   comment = Upload Area
>   path = /var/ftp/pub/uploaded
>   read only = no
>   public = yes
>   writable = yes
>   printable = no
>
> ;[homes]
> ;   comment = Home Directories
> ;   browseable = no
> ;   read only = no
> ;   create mode = 0750
>
> [Pub]
>   comment = Public Folder
>   path = /var/ftp/pub
>   public = yes
>   writable = no
>   printable = no
>   write list = midnight
> ~
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Any help would be appriciate, and sorry if seems I'm upset, frustrated
> is more like it.  Every post I've seen has a couple of suggestions and
> then no "yes it worked, no it didn't".  And there are only 3
or so I
> could find in the archive.
>
> --Zane
>
> P.S. On a side not, I would love to have the Homes sections un
> commented but if I use an ID with no password for the time being, it
> gives the home directory of the ID.  I hope if there is a solution to
> the no password dialog box, that it will allow homes to be opened.  If
> not, any suggestions?  All suggestions are welcome, as well as any
> improvements to this config are welcome.  I know so little, I'm amazed
> I got samba to work, last time and 1 week later I had nothing working.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

remote wrote:
| Hi !
|
| What is the setting for your security level ? From
| the look of your  smb.conf, you have security=user, which means
| only users known to Samba  (with smbpasswd -a) can even access
| the server, let alone write on its  shares. Maybe you should
| switch to security=share, this might work. I
| wouldn?t apply this to the homes share, though.

My standing recommendation for guest access is

	security = user
	map to guest = bad user

It avoids the confusion associated with security = share.



cheers, jerry
====================================================================Alleviating
the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB/3GvIR7qMdg1EfYRAhlkAJ4q/H25xjeuRjIHbNdY9NxRPbprdACfXaDN
vEuummQIVfsuW1VSB8TLLBw=RrCR
-----END PGP SIGNATURE-----

On Wed, 2 Feb 2005 11:52:18 -0700, John H Terpstra <jht@samba.org>
wrote:
> Zane,
>
> In your original post you asserted that the documentation is deficient.
> In what way are you offering to rectify the deficiency?
>
I have found, that my original question, was from lack of understaning
security.  It was to get users to view the public directories on my
Samba box without a password.  I believe remote fixed that by telling
me I should have Security = share in the global.  That part, I did
find in the documentation, particularly the Samba-guide.pdf, which I
hadn't seen or found before you mentioned it.
This caused my other desired function, to fail. (Samba based
permissions to give a user write access, and allow others only read)
> In the open source world there are many deficiencies - its just a fact of
> life. The rule with open source is that because you have the source you can
> fix the deficiency. That is something of an unwritten responsibility - when
> you find a problem you fix it so that the next person does not have to go
> through the same pain you did.
I know, and I would be glad to help in any way possible.  I love
finding solutions and posting them in an effort to help other resolve
their problems.  I unfortunantly I haven't gotten into
installing/usering the C++ compiler yet, although I think my 2 years
of programing would be highly inadequite to even attemt to fix a
problem (unless Very minor or small), I wouldn't be able to repair the
source code.
>
> So please help sort out the deficiencies. There are two official Samba
> documents: The Samba-HOWTO-Collection and the Samba-Guide.
> I welcome your documentation updates in any form you can provide them.
> You have my total attention and my commitment to fix the gaping holes.
>
> On Wednesday 02 February 2005 04:01, Zane Minninger wrote:
> > Ok, I have read that PDF, and is doesn't look like it goes into
what I
> > want, but there is SO much info there, I'll be taking it to bed a
for
> > a few nights.  Here is the basics that I have been able to
> > understand---
> >
> > I would like to have no username/password box appear when users on
> > Win2000 and WinXP browse to \\server\  I would also like certain
> > folders (\\server\pub\) to not require a username/password and only
> > have Read access.
>
> Windows opens a secure channel to a server. It authenticates only the first
> time that secure channel is opened. Subsequent connections from the client
> use only already established credentials. You therefore can not do what you
> want. In Windows NT4/200x/XPP an authentication failure may result in a
> pop-up asking for new credentials but you should not depend on that for
> access control as in many situations the client will not permit you access
> anyhow.
I agree, and concur.  If you use the same loging session on the client
box, the credientials are cached.  I have been re-logging in each time
after a successful attaching to the share, which does clear the
credentials.  The original though was if I needed to have write access
to a folder, before making any connection to it, I could map a drive
with crendentials and have the full access I needed.  If I didn't, I
just browse and could only read the data.
> >
> > The next step is the trick.
> >
> > Is there a way where in Windows I can Map a network drive and choose a
> > different Username/password to connect to the \\server\pub share to
> > give me permissions to add/delete.
>
> You just need to set your permissions and privileges in UNIX/Linux to work
> correctly, or create additional shares for the same directory share point.
That was the other way I was going to look into it.  I do have the
correct rights on the Unix system.  The default / generic user has
read to all folders in data (he has no rights but security is 775 for
all files / folders in the shared directory.  That should allow him
read and execute, and it does if security = Share is turned on.
> >
> > OR
> >
> > Is there a way I can setup one share to not prompt for a
> > Username/password and set another folder to prompt for a
> > Username/Password.
>
> Show me how you would do this in Windows - Samba works that same way that
> Windows does.
In windows, I have tested this just now, My 2003 domain server (The pc
is not attached, never has been, and there is no user accounts on it,
app testing box only) I created a share, data.  I gave permissions to
the share of User1 and everyone.  Everyone only has read.  User1 has
full control.  I further went into the file system properties, stipped
out all of MS's permissions and set User1 full control of all files
and everyone read, read & execute, and List folder contents.

I created 2 direcory below that.  One private, one public.  I kept the
same permissions on public, giving user1 full and everyone read,
read&execute, and list folder contents.  I took out the everyone
access to the private share and gave user1 full access.

So, in a Linux based system, it would should look like this (correct
me if I'm wrong)

DATA   (755) (I'm setting group access to 5 for now)
 |
 |------Public (755)
 |
 |------Private (700)

So, with this configuration on the Win2003 server, again, my Personal
PC is not part of the domain nor am I useing the same user name as the
user on the box,  I can log onto my WinXP pc, browse to \\server\data
and it shows me the folders public and private.  I can not copy a file
here.  I browse to public, I can not copy a file here either.  I can
not browse to private.  Error, no access/permission.

I log off my WinXP pc, and re login.  I then map a network drive to
z:\  \\server\data specifing a user of user1 and his password.  When I
browse my z:\ I can copy a file there (data directory), I can browse
to public and copy a file there, I can browse to Private and copy a
file there.

The original test, where I didn't map a drive, and I just browsed to
\\server\data gave me the access I needed, and just as importantly,
did not ask me for a username / password.  Again, this was my orignal
desire.

I don't like using windows, it doesn't house my large data structure,
and I don't like having to re-load the OS every couple of years,
trying to presuve the permissions, ETC so I want to use linux for
this.
> > -----------
> > From what I have seen, security = share will ignore all user login
> > information.  So, if I set the access to Share, Everyone can see
> > everything.  Period.  Essentially I can't control a particular
user
> > access to any share.
>
> You need to read and digest the documentation better. Share mode security
uses
> only a password. That password can be "no password" or a password
for read
> access or for "full control" access. Read the documentation -
that
> information is in the Samba-HOWTO-Collection.
I'll look samba's site as well as the how-to sites again for that, I
never saw a place for that, although I'm not sure if that will help,
I'm more than willing to learn.
> >
> > If I set the Security = User, it requires a username and password for
> > each connection, even to \\server\.  It won't let anyone connect
and
> > just view the certain shares.
> >
> > So, in senario terms, Bob can browse \\server\share1 from his PC and
> > can see everything in the folder with read writes but not
> > create/delete/modify rights.  He adds a drive mapping for
> > \\server\share1 and sets it to Z:, choosing to specify a username and
> > password.  He can now access \\server\share1 via Z:\ and has the
> > pemission to create/delete/modify the files/folders.
> >
> > OR
> >
> > Senario 2, Bob browses to \\server\share1 where he can read all files,
> > but doesn't have create/delete/modify rights, but he then browses
to
> > \\server\share2 which is the same directory as share1, but he is
> > promped for a username and password, which he puts in and has full
> > access to the folder.
> >
> > I hope this helps.  I understand if I get replys of "It
doesn't work
> > that way, you can't do it, ETC"  It would just be nice for
anonymous
> > read access, and then I can login and modfiy the files.
>
> How would you do all this with a Windows NT4/200x/XP server backend?
> Samba does it the same way!
I posted above a little more information about how I can attain the
results I want on a Windows 2003 server.  If need be, I'll put in my
Win2000 server HD and test on the OS as well, although I think it will
be the same.
> - John T.
Thank you for all your help John, as you probably notice I'm relativly
new to Linux as a whole ane even more so to samba.  Any help would be
greatfull.  If you would like, I have PC Anywhere setup on both my PC
and Win2003 server if you want to see what I'm talking about with my
example.

And thank you for your patience.