samba - Jun 2007 - Guest account access with User mode security?

Hi,

I have a Samba server that I have just transitioned from Samba v2 to v3
and at the same time I have changed from share mode security to user
mode security.

I having problems allowing guest access to some of my shares on the
server. I have some shares (such as apps and cdrom etc) that I would
like to allow anyone to access - even if they do not have an login
account on the Samba server. This worked fine in share mode security but
does not seem to work in user mode security.

If a user (who does not have a login account on the Samba server) tries
to map a guest share, the user gets presented with a login dialog asking
for a password for the Guest account - how can I just allow access
without the user being asked for a password?

Here is my smb.conf including a guest only share for the cdrom.

Any help gratefully received

Regards

Gary


[global]

workgroup = DFGSRV
server string = dfgsrv Samba Server %v
printcap name = /etc/printcap
load printers = yes
printing = cups
cups options = raw
log file = /var/log/samba/%m.log
max log size = 200
security = user
password level = 8
username level = 8
socket options = SO_KEEPALIVE SO_BROADCAST TCP_NODELAY IPTOS_THROUGHPUT
dns proxy = no 
log level = 9
deadtime = 30
oplocks = false
level2 oplocks = false
encrypt passwords = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
map to guest = Bad User


[homes]
   comment = Home Directories
   browseable = yes
   writable = yes
   create mode = 0664
   directory mode = 0775

[cdrom]
        path = /media/cdrom
        writeable = no
        browseable = yes
        guest ok = yes
        comment = dfgsrv CDROM Drive
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - -
This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.If you
have received this e-mail in error please notify the sender immediately and
delete this e-mail from your system.Please note that any views or opinions
presented in this e-mail are solely those of the author and do not necessarily
represent those of Ricardo (save for reports and other documentation formally
approved and signed for release to the intended recipient).Only Directors are
authorised to enter into legally binding obligations on behalf of Ricardo.
Ricardo may monitor outgoing and incoming e-mails and other telecommunications
systems.
By replying to this e-mail you give consent to such monitoring.The recipient
should check e-mail and any attachments for the presence of viruses. Ricardo
accepts no liability for any damage caused by any virus transmitted by this
e-mail. "Ricardo" means Ricardo plc and its subsidiary companies.
Ricardo plc is a public limited company registered in England with registered
number 00222915.
The registered office of Ricardo plc is Shoreham Technical Centre, Shoreham-by
Sea, West Sussex, BN43 5FG.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - -

I'm getting that same problem since upgrading my Debian server from 
Sarge to Etch. I've got the "map to guest = bad user" thing in my 
config, but it's like it doesn't work now.
In the end, since 99.9% of the access I needed was as guest anyway, I 
switched those shares over to share security. Of course that breaks 
having the ability to have separate RO/RW access for different people.

Unfortunately no one on the list could help with the actual problem, and 
I haven't had much time to really try and fix it.
I hope you can get a solution, because I really want to know too  :-)

TB

Mansell, Gary wrote:
> Hi,
>
> I have a Samba server that I have just transitioned from Samba v2 to v3
> and at the same time I have changed from share mode security to user
> mode security.
>
> I having problems allowing guest access to some of my shares on the
> server. I have some shares (such as apps and cdrom etc) that I would
> like to allow anyone to access - even if they do not have an login
> account on the Samba server. This worked fine in share mode security but
> does not seem to work in user mode security.
>
> If a user (who does not have a login account on the Samba server) tries
> to map a guest share, the user gets presented with a login dialog asking
> for a password for the Guest account - how can I just allow access
> without the user being asked for a password?
>
> Here is my smb.conf including a guest only share for the cdrom.
>
> Any help gratefully received
>
> Regards
>
> Gary
>
>
> [global]
>
> workgroup = DFGSRV
> server string = dfgsrv Samba Server %v
> printcap name = /etc/printcap
> load printers = yes
> printing = cups
> cups options = raw
> log file = /var/log/samba/%m.log
> max log size = 200
> security = user
> password level = 8
> username level = 8
> socket options = SO_KEEPALIVE SO_BROADCAST TCP_NODELAY IPTOS_THROUGHPUT
> dns proxy = no 
> log level = 9
> deadtime = 30
> oplocks = false
> level2 oplocks = false
> encrypt passwords = no
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> winbind use default domain = no
> map to guest = Bad User
>
>
> [homes]
>    comment = Home Directories
>    browseable = yes
>    writable = yes
>    create mode = 0664
>    directory mode = 0775
>
> [cdrom]
>         path = /media/cdrom
>         writeable = no
>         browseable = yes
>         guest ok = yes
>         comment = dfgsrv CDROM Drive
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -
> This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.If you
have received this e-mail in error please notify the sender immediately and
delete this e-mail from your system.Please note that any views or opinions
presented in this e-mail are solely those of the author and do not necessarily
represent those of Ricardo (save for reports and other documentation formally
approved and signed for release to the intended recipient).Only Directors are
authorised to enter into legally binding obligations on behalf of Ricardo.
Ricardo may monitor outgoing and incoming e-mails and other telecommunications
systems.
> By replying to this e-mail you give consent to such monitoring.The
recipient should check e-mail and any attachments for the presence of viruses.
Ricardo accepts no liability for any damage caused by any virus transmitted by
this e-mail. "Ricardo" means Ricardo plc and its subsidiary companies.
> Ricardo plc is a public limited company registered in England with
registered number 00222915.
> The registered office of Ricardo plc is Shoreham Technical Centre,
Shoreham-by Sea, West Sussex, BN43 5FG.
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -
>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mansell, Gary wrote:
> If a user (who does not have a login account on the 
> Samba server) tries to map a guest share, the user gets
> presented with a login dialog asking for a password
> for the Guest account - how can I just allow access
> without the user being asked for a password?
Gary,  Please send me a level 10 debug log from smbd
with the failed login and failed guest access.
Thanks.




cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGZ/jlIR7qMdg1EfYRAulhAJ40LsFB8YRKrTtAUtpQEa/Td1xnDACfToPB
HGWbpxOjOrgJ9NhST8C9bkg=1Waw
-----END PGP SIGNATURE-----

Hi,

I have finally had time to put up the test server and perform the
actions that you asked for with logging set to 10.

I would expect that a Windows machine should be able to access a public
share on the Samba server without the clear text password hack being
applied (it always worked fine with Samba 2.x and share mode security)
so the tar file No-Encrypted_PWD.tar has the logs for this
instance.
>From the client machine I tried to map the share \\172.30.50.247\nt
(which is public) and the error that I got back on the laptop was the
one that you would get to indicate that you need to apply the encrypted
password hack to the machine. This should not happen, the machine should
be able to map the drive without the encrypted password hack or
supplying a username/password.

For completeness, I then installed the encrypted password hack on the
Windows client and performed the same connection with a fresh set of
logfiles. This time it came straight back with a password dialog box
(wrong behaviour) so I entered in guest as the username with no password
and it came back with the password dialog box again

It seems that others on the Internet have mentioned that guest access
does not work for user mode authentications so it seems not to be just
me although it surprises me that such a fundamental feature seems to be
flawed???

Any advice that you can offer would be gladly received.

Regards

Gary Mansell





On Thu, 2007-06-07 at 07:24 -0500, Gerald (Jerry) Carter
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Mansell, Gary wrote:
> 
> > If a user (who does not have a login account on the 
> > Samba server) tries to map a guest share, the user gets
> > presented with a login dialog asking for a password
> > for the Guest account - how can I just allow access
> > without the user being asked for a password?
> 
> Gary,  Please send me a level 10 debug log from smbd
> with the failed login and failed guest access.
> Thanks.
> 
> 
> 
> 
> cheers, jerry
> ====================================================================>
Samba                                    ------- http://www.samba.org
> Centeris                         -----------  http://www.centeris.com
> "What man is a man who does not make the world better?"     
--Balian
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFGZ/jlIR7qMdg1EfYRAulhAJ40LsFB8YRKrTtAUtpQEa/Td1xnDACfToPB
> HGWbpxOjOrgJ9NhST8C9bkg> =1Waw
> -----END PGP SIGNATURE-----
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - -
This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.If you
have received this e-mail in error please notify the sender immediately and
delete this e-mail from your system.Please note that any views or opinions
presented in this e-mail are solely those of the author and do not necessarily
represent those of Ricardo (save for reports and other documentation formally
approved and signed for release to the intended recipient).Only Directors are
authorised to enter into legally binding obligations on behalf of Ricardo.
Ricardo may monitor outgoing and incoming e-mails and other telecommunications
systems.
By replying to this e-mail you give consent to such monitoring.The recipient
should check e-mail and any attachments for the presence of viruses. Ricardo
accepts no liability for any damage caused by any virus transmitted by this
e-mail. "Ricardo" means Ricardo plc and its subsidiary companies.
Ricardo plc is a public limited company registered in England with registered
number 00222915.
The registered office of Ricardo plc is Shoreham Technical Centre, Shoreham-by
Sea, West Sussex, BN43 5FG.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - -