samba - Jan 2015 - FW: desperate help needed - Samba and security = share

I posted this on the Fedora users list this morning, where it was suggested I 
post it here. I'm hoping someone will help me. I know that this is an old
and
probably worn out topic but I need a quick workable solution before the old 
server dies, which hopefully won't involve me redesigning everything and 
having to update 120+ client PCs:

Many years ago I built a server on Fedora 8 which became my core network 
server running all the network servers (DNS etc) as well as a host of custom 
services over inetd, However it's main purpose was to service Samba shares.

That server is now failing so I've just spent a week building a new F20
server
and converting everything from F8 to F20 - amazing number of changes needed 
but also an amazing number of things are still the same.

Last of the things to move because the old server is still live and serving is 
SAMBA.  This is where I need the help.

All of my servers run the same type of setup and it's all based 
around "security = share". Why is this so universally declared as
bad??

I know when I built some F16 servers it said that "security = share"
was
depreciated but it still let me use it. Now with F20 it just refuses.

The problem is that security = share did *exactly* what I wanted and now I 
can't seem to achieve the same effect any other way.

Very simply, I use the [homes] section and have about 10 users defined on the 
server - service, parts, admin etc.

Then for each user PC (approx 120 - 150) I then map a network drive to each 
service that is required. Many only have one or two but some people such as 
admin have access to sales, accounts, wages and admin.

All very simple and faultless for 8 years.

Now, when I try some of the examples found online, client PCs seem to be able 
to connect to the first share ok but then whenever I try to connect a second 
share it complains about having to log out of the first share first.

Can anyone please help me here. If I can't get it working I'll have to
scrap
my week's work and install F16 on this box.

Fingers crossed

On 23/01/15 14:08, Gary Stainburn wrote:
> I posted this on the Fedora users list this morning, where it was suggested
I
> post it here. I'm hoping someone will help me. I know that this is an
old and
> probably worn out topic but I need a quick workable solution before the old
> server dies, which hopefully won't involve me redesigning everything
and
> having to update 120+ client PCs:
>
> Many years ago I built a server on Fedora 8 which became my core network
> server running all the network servers (DNS etc) as well as a host of
custom
> services over inetd, However it's main purpose was to service Samba
shares.
>
> That server is now failing so I've just spent a week building a new F20
server
> and converting everything from F8 to F20 - amazing number of changes needed
> but also an amazing number of things are still the same.
>
> Last of the things to move because the old server is still live and serving
is
> SAMBA.  This is where I need the help.
>
> All of my servers run the same type of setup and it's all based
> around "security = share". Why is this so universally declared as
bad??
>
> I know when I built some F16 servers it said that "security =
share" was
> depreciated but it still let me use it. Now with F20 it just refuses.
>
> The problem is that security = share did *exactly* what I wanted and now I
> can't seem to achieve the same effect any other way.
>
> Very simply, I use the [homes] section and have about 10 users defined on
the
> server - service, parts, admin etc.
>
> Then for each user PC (approx 120 - 150) I then map a network drive to each
> service that is required. Many only have one or two but some people such as
> admin have access to sales, accounts, wages and admin.
>
> All very simple and faultless for 8 years.
>
> Now, when I try some of the examples found online, client PCs seem to be
able
> to connect to the first share ok but then whenever I try to connect a
second
> share it complains about having to log out of the first share first.
>
> Can anyone please help me here. If I can't get it working I'll have
to scrap
> my week's work and install F16 on this box.
>
> Fingers crossed
This was dropped from samba with version 4, there was a discussion on 
the technical list, see here:

https://lists.samba.org/archive/samba-technical/2012-February/081832.html

Rowland

On Fri, 2015-01-23 at 14:08 +0000, Gary Stainburn wrote:
> I posted this on the Fedora users list this morning, where it was suggested
I
> post it here. I'm hoping someone will help me. I know that this is an
old and
> probably worn out topic but I need a quick workable solution before the old
> server dies, which hopefully won't involve me redesigning everything
and
> having to update 120+ client PCs:
> 
> Many years ago I built a server on Fedora 8 which became my core network 
> server running all the network servers (DNS etc) as well as a host of
custom
> services over inetd, However it's main purpose was to service Samba
shares.
> 
> That server is now failing so I've just spent a week building a new F20
server
> and converting everything from F8 to F20 - amazing number of changes needed
> but also an amazing number of things are still the same.
> 
> Last of the things to move because the old server is still live and serving
is
> SAMBA.  This is where I need the help.
> 
> All of my servers run the same type of setup and it's all based 
> around "security = share". Why is this so universally declared as
bad??
> 
> I know when I built some F16 servers it said that "security =
share" was
> depreciated but it still let me use it. Now with F20 it just refuses.
> 
> The problem is that security = share did *exactly* what I wanted and now I 
> can't seem to achieve the same effect any other way.
> 
> Very simply, I use the [homes] section and have about 10 users defined on
the
> server - service, parts, admin etc.
> 
> Then for each user PC (approx 120 - 150) I then map a network drive to each
> service that is required. Many only have one or two but some people such as
> admin have access to sales, accounts, wages and admin.
> 
> All very simple and faultless for 8 years.
> 
> Now, when I try some of the examples found online, client PCs seem to be
able
> to connect to the first share ok but then whenever I try to connect a
second
> share it complains about having to log out of the first share first.
> 
> Can anyone please help me here. If I can't get it working I'll have
to scrap
> my week's work and install F16 on this box.
You will need to define your 150 users on your server, give them Samba
passwords and give them access to those shares via standard unix groups
and group permissions on the share folders, or (less preferred) the
valid users entry in smb.conf.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Tuesday 27 January 2015 06:43:13 Andrew Bartlett
wrote:
> You will need to define your 150 users on your server, give them Samba
> passwords and give them access to those shares via standard unix groups
> and group permissions on the share folders, or (less preferred) the
> valid users entry in smb.conf.
>
> I hope this helps,
>
> Andrew Bartlett
Hi Andrew,  

That is exactly what I don't want to have to do.

The work required initially plus the ongoing maintenance because of the 
turnover in staff here make that unworkable.

I have installed CentOS and now have a version of Samba that still supports 
security = share

I now have my fingers crossed that I can get it working because last time I 
used CentOS I couldn't get Samba to work properly either which is why I 
stayed with Fedora.