samba - Jan 2007 - samba security question

Hi,

I've setup a Samba server running on FreeBSD in a small company I just 
joined.  I'd like to have some shares on the server be accessible to 
everyone, without the need to connect with a username and password. This 
is important for backwards compatibility with the current Windows PC 
fileserver they have (which I want to migrate them away from).

I'd also like to have other shares that only certain users or groups can 
access, such as home directory shares.

What security setting can I set Samba to so that I can accomplish both 
of these? It seems that the "user" setting will always require a 
username, so this is not good unless I can work around this for the 
public shares. But the "share" setting seems like it just associates a
password with the share itself. This would be okay for home directories, 
but not very good for shares accessed by an entire group of users.

Any other ideas for how this can be done? Windows can do it by adding 
the user EVERYONE. Does Samba have such a user? Please CC me in the 
email response (dave@transducertech.com).

Thanks,
Dave

-- 

Dave Abouav
Product Manager & Software Engineer
KWJ Engineering
Phone: (510) 791-0951
Fax: (510) 794-4330
Email: dave@transducertech.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/18/2007 10:19 PM, Dave Abouav escreveu:
> Hi,
> 
> I've setup a Samba server running on FreeBSD in a small 
> company I just joined.  I'd like to have some shares on
> the server be accessible to everyone, without the need
> to connect with a username and password. This is
> important for backwards compatibility with the current
> Windows PC fileserver they have (which I want to migrate
> them away from).
> 
> I'd also like to have other shares that only certain 
> users or groups can access, such as home directory shares.
> 
> What security setting can I set Samba to so that I can 
> accomplish both of these? It seems that the "user"
> setting will always require a username, so this is not
> good unless I can work around this for the public
> shares. But the "share" setting seems like it just
> associates a password with the share itself. This would
> be okay for home directories, but not very good for shares
> accessed by an entire group of users.
	Recently, there is a recommendation to not use the
'security = share' in your smb.conf, considering that I would
say that you should use 'security = user'.

	Samba has a special share called [homes], you can
add the 'valid users = %S' on it, that will make the $HOME
appear to the logged user and also restrict the access to
him, that's usually already configured in example smb.conf
all around.

	For shares that you don't want a user/password
check, you can use 'public = yes', that will allow people
to connect as guests.

	For shares that you want to be restricted you can
use ACLs on the filesystem or you can use groups in the
'valid users' parameter.

	You can find more details and examples in the
smb.conf man page. And you can also find useful information
and lots of tips in the Samba Official HOWTO and in the
Samba By Example:

		http://samba.org/samba/docs/


> Any other ideas for how this can be done? Windows can do 
> it by adding the user EVERYONE. Does Samba have such a
> user? Please CC me in the email response
> (dave@transducertech.com).
	No, the 'everyone' user does not exist, but you can
achieve a similar behaviour by using the above options and
having a guest account properly configured.

> Thanks,
> Dave
	Kind regards,

- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informa??o (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFsMziCj65ZxU4gPQRAlkYAJ4qcF5VuFtLJU7e3CY/3xuvEouQkQCfeTPM
oAa9qOO/pesjtwO+gVr7hZs=1DBG
-----END PGP SIGNATURE-----