Hello,

I'm using Samba 4.5.12 on Debian 9.4, and would like to learn how to use the "valid users" option to limit read-write access to authorized users, which seems to require…

1. creating a Linux account in /etc/passwd,
2. creating a matching Samba account,
3. syncing both passwords using smbpasswd, where Samba sets its password, and then calls the Linux passwd utility to set the same password in /etc/shadow

By default, Nginx creates a www-data user, which I'd like to use so I can edit its htdocs files directly from a Windows host:

[code]
# cat /etc/passwd
…
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
[/code]

Am I correct in understanding that a password is _required_ for the Unix account, because when trying to access a Samba share from Windows, it goes like this: Windows → Samba → Unix, where Samba will pass on the username + password to Linux when accessing the filesystem?

Thank you.

--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html

On Fri, 4 May 2018 06:20:26 -0700 (MST) Winfried via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm using Samba 4.5.12 on Debian 9.4, and would like to learn how to
> use the "valid users" option to limit read-write access to authorized
> users, which seems to require…
> 1. creating a Linux account in /etc/passwd,
> 2. creating a matching Samba account,
> 3. syncing both passwords using smbpasswd, where Samba sets its
> password, and then calls the Linux passwd utility to set the same
> password in /etc/shadow
>
> By default, Nginx creates a www-data user, which I'd like to use so I
> can edit its htdocs files directly from a Windows host:
> [code]
> # cat /etc/passwd
> …
> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
> [/code]
>
> Am I correct in understanding that a password is _required_ for the
> Unix account, because when trying to access a Samba share from
> Windows, it goes like this: Windows → Samba → Unix, where Samba will
> pass on the username + password to Linux when accessing the
> filesystem?
>

Wouldn't you be better off using a SSH login ? What you are proposing doesn't sound very secure to me.

Rowland

On Fri, May 4, 2018 at 8:31 AM Winfried via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm using Samba 4.5.12 on Debian 9.4, and would like to learn how to use
> the "valid users" option to limit read-write access to authorized users,
> which seems to require…
> 1. creating a Linux account in /etc/passwd,
> 2. creating a matching Samba account,
> 3. syncing both passwords using smbpasswd, where Samba sets its password,
> and then calls the Linux passwd utility to set the same password in
> /etc/shadow
>
> By default, Nginx creates a www-data user, which I'd like to use so I can
> edit its htdocs files directly from a Windows host:
> [code]
> # cat /etc/passwd
> …
> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
> [/code]
>
> Am I correct in understanding that a password is _required_ for the Unix
> account, because when trying to access a Samba share from Windows, it goes
> like this: Windows → Samba → Unix, where Samba will pass on the username +
> password to Linux when accessing the filesystem?
>
> Thank you.
>

technically it does not need a passwd, and you don't need to do password sync. it should work just fine.

it would be better to use group permission on the files and use your normal user to edit. www-data should only have write permissions to your logging and upload areas anyway. the web server should never be able to overwrite your site code.

it would be even better to use SSH, still with group permissions and your normal user. most editors can edit over ssh "live" these days, with the right plugin.
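
The group-based setup suggested in the reply above, shown beside the share-as-www-data approach from the original question, as an added example that is not part of the thread. The share names, the path /var/www/html, the user alice and the group webedit are assumptions.

```ini
# Constructed smb.conf fragment. Share names, path, user "alice" and
# group "webedit" are assumptions, not values from the thread.

# --- Weaker: log in to the share as the web server's own account ---
# Requires a Samba password for www-data (smbpasswd -a www-data), and
# every file written this way is owned by the web server account, so
# the web server can overwrite the site code.
[htdocs-as-www-data]
    path = /var/www/html
    valid users = www-data
    read only = no

# --- Group-based: log in as a normal user, write through a group ---
# One-time setup on the server, as root (alice is an existing Unix user):
#   groupadd webedit
#   usermod -aG webedit alice
#   smbpasswd -a alice      # Samba password only, no sync with /etc/shadow
#   chown -R alice:webedit /var/www/html
#   chmod -R u=rwX,g=rwX,o=rX /var/www/html
# www-data is not a member of webedit, so it reaches the site code only
# through the "other" bits (read and traverse) and cannot modify it.
[htdocs]
    path = /var/www/html
    # "@" restricts the share to members of the Unix group
    valid users = @webedit
    read only = no
    # New files get group webedit and stay group-writable, not world-writable
    force group = webedit
    create mask = 0664
    directory mask = 0775
```

After editing smb.conf, `testparm` reports syntax errors and unknown parameters before the change is put into service.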

On 04/05/2018 15:46, Chris Weiss wrote:

> technically it does not need a passwd, and you don't need to do
> password sync. it should work just fine.

Thanks. If the matching Unix account has no password, how come it doesn't trigger an error when Samba accesses the underlying Unix filesystem? Doesn't Linux prompt Samba for a uid + password?

> it would be better to use group permission on the files and use your
> normal user to edit. www-data should only have write permissions to
> your logging and upload areas anyway. the web server should never be
> able to overwrite your site code. it would be even better to use SSH,
> still with group permissions and your normal user. most editors can
> edit over ssh "live" these days, with the right plugin.

Thanks, but I prefer to use Samba and a word processor to edit files from Windows. It's more user-friendly than an SSH terminal window.