samba - May 2014 - Behavior of deprecated share security with user security

Hi everyone, 

I have a question since the security type "share" has been removed.
How
a guest user can access/see the shared folders of a computer without
being prompted for its credentials with "security=user"? 

What I mean is... 

When I'm on a windows 7 computer and try to access an other Windows 7
computer that appears in "Network", I can see the shared folders. If I
try to access some of them, it asks me for an user/password or not
(depending how the sharing is made).

 Now, with the config below, the Samba server appears as expected in the
"Network" list of my Windows 7 computer. If I try to access the Samba
server, it ask directly for an user/password. I don't want to enter a
password at this level, so I enter something wrong (like "anonymous"
or
anything else) and I can see the shared folders available on my Samba
server. Then, I want to browse into "LocalW". Double-click on
"LocalW"
and another login pop-up appears. So now, I enter the right
username/password that exist on my Samba server (both in Linux and
smbpasswd). The result is that the access is denied, even with the good
username/password... 

The access to "Local" and "Public" share are working fine.
No "second"
credentials are asked and the folders are readable (and writable for
"Public") as expected. 

To sum up, I would like to remove the first user/password request.
First, because at this level (just a view on available shared folders )
I consider that everyone have the right to see/browse this list. Second,
because "Local" and "Public" shared folders are used by
guest users and
I want a transparent access to these shared folders (no authentication).
(This "sharing behavior" works fine with "security=share"
option.)

Thank you very much for your help. 

Ga?l 

PS: Sorry for my poor english... 

SMB.CONF 
> [global]
> include = /etc/samba/dhcp.conf
> 
> workgroup = WORKGROUP
> server string = %h server
> dns proxy = no
> interfaces = 192.168.1.0/24
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
> 
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> 
> security = user
> encrypt passwords = true
> passdb backend = smbpasswd
> obey pam restrictions = no
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn
*passwordsupdatedssuccessfully* .
> pam password change = yes
> 
> map to guest = bad user
> guest account = nobody
> invalid users = root
> 
> usershare max shares = 0
> use sendfile = yes
> deadtime = 15
> 
> [Local]
> comment = Media Share
> path = /var/www/local
> browseable = yes
> guest ok = yes
> create mask = 0744
> inherit owner = yes
> hide dot files = yes
> writeable = no
> veto files = /lost+found/
> 
> [LocalW]
> comment = Media Share
> path = /var/www/local
> browseable = yes
> guest ok = no
> create mask = 0744
> inherit owner = yes
> hide dot files = yes
> writeable = yes
> veto files = /lost+found/
> 
> [Public]
> comment = Public Share
> path = /var/tmp/Common
> browseable = yes
> writeable = yes
> guest ok = yes
> create mask = 0744

hai, 

this setup sets the samba shares open so no password are asked. 
works for me on ubuntu 12.04 with windows 7 and 8.1 

compair it to your config. 


Louis


#======================= Global Settings ====================== 
[global]
## Browsing/Identification ###
   workgroup = HOME
   server string = storage server
   dns proxy = no

#### Networking ####
#   interfaces = 127.0.0.0/8 eth0
#   bind interfaces only = yes
 
#### Debugging/Accounting ####
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
 
####### Authentication #######
   security = share
   guest account = nobody
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\
n *password\supdated\ssuccessfully* .
   pam password change = no
########## Domains ###########
## nothing used. 
 
########## Printing ##########
   load printers = no

############ Misc ############
## test without the socket option and with. 
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
 
hide unreadable = yes
 
#======================= Share Definitions ====================== 
[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S
 
[Downloads]
   comment = Downloads
   path = /home/Downloads
   browseable = yes
   guest ok = yes
   read only = no
   hide files = /lost+found/
   force directory mode = 777
   force create mode = 666
   directory mask = 777
   create mask = 666
 
 
 
if you have a dns server and it works ok in resolving every host, then also
change.
   dns proxy = yes
 
>-----Oorspronkelijk bericht-----
>Van: gael.jobin at switzerlandmail.ch 
>[mailto:samba-bounces at lists.samba.org] Namens Jobin, Ga?l
>Verzonden: zaterdag 24 mei 2014 11:44
>Aan: samba at lists.samba.org
>Onderwerp: [Samba] Behavior of deprecated share security with 
>user security
>
> 
>
>Hi everyone, 
>
>I have a question since the security type "share" has been
removed. How
>a guest user can access/see the shared folders of a computer without
>being prompted for its credentials with "security=user"? 
>
>What I mean is... 
>
>When I'm on a windows 7 computer and try to access an other Windows 7
>computer that appears in "Network", I can see the shared folders.
If I
>try to access some of them, it asks me for an user/password or not
>(depending how the sharing is made).
>
> Now, with the config below, the Samba server appears as 
>expected in the
>"Network" list of my Windows 7 computer. If I try to access the
Samba
>server, it ask directly for an user/password. I don't want to enter a
>password at this level, so I enter something wrong (like
"anonymous" or
>anything else) and I can see the shared folders available on my Samba
>server. Then, I want to browse into "LocalW". Double-click on
"LocalW"
>and another login pop-up appears. So now, I enter the right
>username/password that exist on my Samba server (both in Linux and
>smbpasswd). The result is that the access is denied, even with the good
>username/password... 
>
>The access to "Local" and "Public" share are working
fine. No "second"
>credentials are asked and the folders are readable (and writable for
>"Public") as expected. 
>
>To sum up, I would like to remove the first user/password request.
>First, because at this level (just a view on available shared folders )
>I consider that everyone have the right to see/browse this 
>list. Second,
>because "Local" and "Public" shared folders are used by
guest users and
>I want a transparent access to these shared folders (no 
>authentication).
>(This "sharing behavior" works fine with
"security=share" option.)
>
>Thank you very much for your help. 
>
>Ga?l 
>
>PS: Sorry for my poor english... 
>
>SMB.CONF 
>
>> [global]
>> include = /etc/samba/dhcp.conf
>> 
>> workgroup = WORKGROUP
>> server string = %h server
>> dns proxy = no
>> interfaces = 192.168.1.0/24
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>> 
>> log file = /var/log/samba/log.%m
>> log level = 3
>> max log size = 1000
>> syslog = 0
>> panic action = /usr/share/samba/panic-action %d
>> 
>> security = user
>> encrypt passwords = true
>> passdb backend = smbpasswd
>> obey pam restrictions = no
>> unix password sync = yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Entersnews*spassword:* %nn 
>*Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
>> pam password change = yes
>> 
>> map to guest = bad user
>> guest account = nobody
>> invalid users = root
>> 
>> usershare max shares = 0
>> use sendfile = yes
>> deadtime = 15
>> 
>> [Local]
>> comment = Media Share
>> path = /var/www/local
>> browseable = yes
>> guest ok = yes
>> create mask = 0744
>> inherit owner = yes
>> hide dot files = yes
>> writeable = no
>> veto files = /lost+found/
>> 
>> [LocalW]
>> comment = Media Share
>> path = /var/www/local
>> browseable = yes
>> guest ok = no
>> create mask = 0744
>> inherit owner = yes
>> hide dot files = yes
>> writeable = yes
>> veto files = /lost+found/
>> 
>> [Public]
>> comment = Public Share
>> path = /var/tmp/Common
>> browseable = yes
>> writeable = yes
>> guest ok = yes
>> create mask = 0744
>
> 
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>