Raymond Page
2018-May-25 18:10 UTC
[Samba] Fwd: NT_STATUS_ACCESS_DENIED for guest account to public share
I want to keep the 'nobody' account for NFS usage. For Samba, I want to use the 'guest' account as it is properly restricted.
I want everyone to connect to samba as the 'guest' user, but I don't want loose permissions on the directory location.

I've been trying multiple variations and settings, changing to the 'nobody' user doesn't fix the issue. The closest to working I've gotten is setting chmod g+w /mnt/share, which because the guest account's default gid is 100 (users), allowed uid 405 to write to gid 100. However, I expect that uid 405 in samba should be able to write to uid 405 on the share.

# ls -lad /mnt/share ; ls -land /mnt/share ; grep mnt /proc/mounts
drwxr-xr-x 5 guest users 4096 May 25 15:18 /mnt/share
drwxr-xr-x 5 405 100 4096 May 25 15:18 /mnt/share
/dev/mapper/storage /mnt ext4 rw,relatime,data=ordered 0 0

--
Raymond Page

On Fri, May 25, 2018 at 1:56 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 25 May 2018 13:11:44 -0400
> Raymond Page <pagerc at gmail.com> wrote:
>
> > Rowland,
> >
> > The 'guest' user exists in /etc/passwd, and there are no users
> > defined in tdb backend.
> >
> > 1. /etc/passwd: guest:x:405:100:guest:/dev/null:/sbin/nologin
> > 2. pdbedit -L -v: ^$ EOL
> > 3. smb.conf updated as suggested - smbclient -U% //share/public -c
> > 'put test1.txt foobar'
> > NT_STATUS_ACCESS_DENIED opening remote file \foobar
> >
> >
> > Modifying the settings as suggested made no impact, functionally we
> > just disabled the global defaults and doubly defined the local share
> > settings. The person saying using 'read only = no' AND 'writable
> > yes' is probably the same person suggesting 'guest ok = yes' AND
> > 'public = yes'. I like my redundant configuration settings to
> > reinforce what I'm stating so that if I'm thinking about denying vs
> > enabling access, I have an option to clearly latch onto.
> >
> > Output from testparam:
> > [global]
> >         dns proxy = No
> >         guest account = guest
> >         log file = /var/log/samba/%m.log
> >         map to guest = Bad User
> >         netbios name = SHARE
> >         security = USER
> >         idmap config * : backend = tdb
> >
> > [printers]
> >         browseable = No
> >         comment = All Printers
> >         path = /usr/spool/samba
> >         printable = Yes
> >
> > [homes]
> >         comment = User Home Directories
> >         read only = No
> >
> > [public]
> >         comment = Public Share
> >         create mask = 0644
> >         guest ok = Yes
> >         guest only = Yes
> >         path = /mnt/share
> >         read only = No
> >
>
> So you have no users, this means anybody that connects, gets mapped to
> guest (by the way, is there some reason not to use the default guest
> user 'nobody' ?). You have allowed the guest user to connect to the
> share [public] and then made it that only the guest user can connect, so
> anybody should be able to connect, but then there is this: 'path
> = /mnt/share'. This looks to me like you have mounted something on
> '/mnt/share', if so what and what are the permissions on this ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2018-May-25 18:25 UTC
[Samba] Fwd: NT_STATUS_ACCESS_DENIED for guest account to public share
On Fri, 25 May 2018 14:10:26 -0400
Raymond Page <pagerc at gmail.com> wrote:

> I want to keep the 'nobody' account for NFS usage. For Samba, I want
> to use the 'guest' account as it is properly restricted.
> I want everyone to connect to samba as the 'guest' user, but I don't
> want loose permissions on the directory location.

Don't understand why you think the 'guest' user is 'properly restricted', it isn't a standard Unix user, so you must have created it, so it is as restricted as you made it, but it is a member of the 'users' group, so it will have all the permissions of that group.

>
> I've been trying multiple variations and settings, changing to the
> 'nobody' user doesn't fix the issue. The closest to working I've
> gotten is setting chmod g+w /mnt/share, which because the guest
> account's default gid is 100 (users), allowed uid 405 to write to gid
> 100. However, I expect that uid 405 in samba should be able to write
> to uid 405 on the share
>
> # ls -lad /mnt/share ; ls -land /mnt/share ; grep mnt /proc/mounts
> drwxr-xr-x 5 guest users 4096 May 25 15:18 /mnt/share
> drwxr-xr-x 5 405 100 4096 May 25 15:18 /mnt/share
> /dev/mapper/storage /mnt ext4 rw,relatime,data=ordered 0 0
>

Did you know that a guest share has another name, it is 'A wide open share', the only way to get a guest share to work is to 'chmod 2775' on the share, if you want security, then do not use a guest share.

Rowland
Raymond Page
2018-May-25 18:48 UTC
[Samba] Fwd: NT_STATUS_ACCESS_DENIED for guest account to public share
So the guest account ignores the owner permissions of the files it interacts with and relies only on group membership and world permissions?

Why do I need the sgid? Users will create files/directories that will default to their default group from /etc/passwd, and that's the behavior I want. Authenticated users should be able to make files/directories with group membership different from guest accounts.

--
Raymond Page

On Fri, May 25, 2018 at 2:26 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 25 May 2018 14:10:26 -0400
> Raymond Page <pagerc at gmail.com> wrote:
>
> > I want to keep the 'nobody' account for NFS usage. For Samba, I want
> > to use the 'guest' account as it is properly restricted.
> > I want everyone to connect to samba as the 'guest' user, but I don't
> > want loose permissions on the directory location.
>
> Don't understand why you think the 'guest' user is 'properly
> restricted', it isn't a standard Unix user, so you must have created
> it, so it is as restricted as you made it, but it is a member of the
> 'users' group, so it will have all the permissions of that group.
>
> >
> > I've been trying multiple variations and settings, changing to the
> > 'nobody' user doesn't fix the issue. The closest to working I've
> > gotten is setting chmod g+w /mnt/share, which because the guest
> > account's default gid is 100 (users), allowed uid 405 to write to gid
> > 100. However, I expect that uid 405 in samba should be able to write
> > to uid 405 on the share
> >
> > # ls -lad /mnt/share ; ls -land /mnt/share ; grep mnt /proc/mounts
> > drwxr-xr-x 5 guest users 4096 May 25 15:18 /mnt/share
> > drwxr-xr-x 5 405 100 4096 May 25 15:18 /mnt/share
> > /dev/mapper/storage /mnt ext4 rw,relatime,data=ordered 0 0
> >
>
> Did you know that a guest share has another name, it is 'A wide open
> share', the only way to get a guest share to work is to 'chmod 2775' on
> the share, if you want security, then do not use a guest share.
>
> Rowland
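
Added example, not part of the thread or of Samba: a small Python model of how the kernel picks one permission class (owner, group or other) for a process, applied to the 405:100 ownership and the modes mentioned above (drwxr-xr-x, g+w, 2775). The second uid 99 is a constructed value standing in for any other account in gid 100; root overrides, POSIX ACLs and Samba's own share-level checks are outside what it models.

```python
import os
import pwd
import stat


def access_class(mode, owner_uid, owner_gid, uid, gids):
    """Pick the single permission class the kernel consults for a process.

    Owner if the uid matches, else group if any process gid matches, else
    other. Root/CAP_DAC_OVERRIDE and POSIX ACLs are deliberately ignored.
    """
    if uid == owner_uid:
        return "owner", (mode >> 6) & 7
    if owner_gid in gids:
        return "group", (mode >> 3) & 7
    return "other", mode & 7


def can_create_in(mode, owner_uid, owner_gid, uid, gids):
    """Creating an entry in a directory needs write (2) and search (1)."""
    _, bits = access_class(mode, owner_uid, owner_gid, uid, gids)
    return (bits & 3) == 3


def inherits_group(mode):
    """setgid on a directory: new entries take the directory's gid."""
    return bool(mode & stat.S_ISGID)


def report(path, username):
    """Evaluate a real directory for a real account, e.g. on the server."""
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    st = os.stat(path)
    cls, bits = access_class(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)
    return {"class": cls, "can_create": (bits & 3) == 3,
            "setgid": inherits_group(st.st_mode)}


if __name__ == "__main__":
    share = (405, 100)          # owner uid/gid from the thread's listing
    other_uid = 99              # constructed: another account in gid 100
    for mode in (0o755, 0o775, 0o2775):
        for uid in (405, other_uid):
            print(oct(mode), uid, access_class(mode, *share, uid, {100}),
                  can_create_in(mode, *share, uid, {100}), inherits_group(mode))
```

On the server itself, `report('/mnt/share', 'guest')` runs the same evaluation against the live directory and the account's real group list.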