samba - Mar 2011 - Samba authentication problem

Hi, I have asked around in other forums but no one seems to know why
this doesn't work.

I have a backup server with samba on it and am trying to set it up to
only allow write access when a user authenticates but to allow reading
from anyone (guest). At this time I have guest disabled and a minimal
config set up as shown below to try to narrow down the problem.

I have added the user "xamindar" using smbpasswd on the server. I then
tried to mount the backup share from another machine with the following
command:
mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar

But I keep getting the following response:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Can anyone tell me what I am doing wrong here? I am sure I have missed
something. It is possible to authenticate per share with share level
security is it not? I just can't get authentication to work no matter
what I have tried on this machine. With guest enabled it will just use
the guest account and that works fine.
Thanks for any help, I am pulling my hair out here.


***smb.conf***
[global]
        server string = Backup and Multimedia server
        security = SHARE
        smb passwd file = /etc/samba/private/passdb.tdb
        load printers = No
        disable spoolss = Yes
        show add printer wizard = No
        write list = xamindar
        printing = bsd
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        map hidden = Yes
        map system = Yes

[backup]
        path = /mnt/user/backup

**************

In further testing, changing security to user gets authentication
working. Does anyone know why the Samba team removed the possibility to
authenticate with share based security? I would find it very usefull to
be able to see the shares and then authenticate when connecting to one.
Also, the help file (from swat) needs to be correctede to reflect this.
The sections on security in the help file still states "Instead, the
clients send authentication information (passwords) on a per-share
basis, at the time they attempt to connect to that share" which
apparently no longer works.

On 03/24/2011 01:00 PM, Xamindar wrote:
> Hi, I have asked around in other forums but no one seems to know why
> this doesn't work.
> 
> I have a backup server with samba on it and am trying to set it up to
> only allow write access when a user authenticates but to allow reading
> from anyone (guest). At this time I have guest disabled and a minimal
> config set up as shown below to try to narrow down the problem.
> 
> I have added the user "xamindar" using smbpasswd on the server. I
then
> tried to mount the backup share from another machine with the following
> command:
> mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar
> 
> But I keep getting the following response:
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> 
> Can anyone tell me what I am doing wrong here? I am sure I have missed
> something. It is possible to authenticate per share with share level
> security is it not? I just can't get authentication to work no matter
> what I have tried on this machine. With guest enabled it will just use
> the guest account and that works fine.
> Thanks for any help, I am pulling my hair out here.
> 
> 
> ***smb.conf***
> [global]
>         server string = Backup and Multimedia server
>         security = SHARE
>         smb passwd file = /etc/samba/private/passdb.tdb
>         load printers = No
>         disable spoolss = Yes
>         show add printer wizard = No
>         write list = xamindar
>         printing = bsd
>         print command = lpr -r -P'%p' %s
>         lpq command = lpq -P'%p'
>         lprm command = lprm -P'%p' %j
>         map hidden = Yes
>         map system = Yes
> 
> [backup]
>         path = /mnt/user/backup
> 
> **************

On Thu, Mar 24, 2011 at 03:14:54PM -0700, Xamindar
wrote:
> In further testing, changing security to user gets authentication
> working. Does anyone know why the Samba team removed the possibility to
> authenticate with share based security? I would find it very usefull to
> be able to see the shares and then authenticate when connecting to one.
> Also, the help file (from swat) needs to be correctede to reflect this.
> The sections on security in the help file still states "Instead, the
> clients send authentication information (passwords) on a per-share
> basis, at the time they attempt to connect to that share" which
> apparently no longer works.
No, share level security, warts and all, still exists and
works in 3.5.8.

Jeremy.

That is the version of samba that I am running, but it does not work.
This is an Arch system and I doubt they would have changed it.

On 03/24/2011 03:16 PM, Jeremy Allison wrote:
> No, share level security, warts and all, still exists and
> works in 3.5.8.
>
> Jeremy.

On Thu, Mar 24, 2011 at 01:00:51PM -0700, Xamindar
wrote:
> Hi, I have asked around in other forums but no one seems to know why
> this doesn't work.
> 
> I have a backup server with samba on it and am trying to set it up to
> only allow write access when a user authenticates but to allow reading
> from anyone (guest). At this time I have guest disabled and a minimal
> config set up as shown below to try to narrow down the problem.
> 
> I have added the user "xamindar" using smbpasswd on the server. I
then
> tried to mount the backup share from another machine with the following
> command:
> mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar
> 
> But I keep getting the following response:
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> 
> Can anyone tell me what I am doing wrong here? I am sure I have missed
> something. It is possible to authenticate per share with share level
> security is it not? I just can't get authentication to work no matter
> what I have tried on this machine. With guest enabled it will just use
> the guest account and that works fine.
> Thanks for any help, I am pulling my hair out here.
Share level security doesn't automatically mean no password.
Either use the password for user xamindar, or add 

"map to guest = Bad Password"

in the [global] section of your smb.conf. See the
smb.conf man page for details.

Jeremy.

I'm coming back to this problem after giving it a rest for a while. I 
find it hard to believe that no one sets up authentication with security 
set to share. Is that really the case? Is share security deprecated and 
untested or something? As no one was able to point out what I did wrong 
in my config before, I decided to try setting this scenario up on a 
completely different system which runs a different distro (same version 
of samba afaik).  I am having the same exact problem on this other 
machine so it must be a config issue or samba just doesn't work this 
way. This time I am testing it by trying to connect to it from a windows 
xp and vista machine. Both machines keep re-prompting me for the userid 
and password of the share over and over again after I type the correct 
password. Why is it so impossible to have a simple username authenticate 
to a share? At this point to have a little security, I have to make them 
all guest access read only as nothing else works in this mode. I don't 
mean to sound a little frustrated but I would have thought samba would 
be a little more robust than that by now.

If it just isn't meant to work this way can someone help me out a little 
and explain it? I have read through the docs and explanations of the 
different options many times and can't find a reason it shouldn't work. 
Thanks for any help, I don't know what else to do.

On 3/24/2011 1:00 PM, Xamindar wrote:
> Hi, I have asked around in other forums but no one seems to know why
> this doesn't work.
>
> I have a backup server with samba on it and am trying to set it up to
> only allow write access when a user authenticates but to allow reading
> from anyone (guest). At this time I have guest disabled and a minimal
> config set up as shown below to try to narrow down the problem.
>
> I have added the user "xamindar" using smbpasswd on the server. I
then
> tried to mount the backup share from another machine with the following
> command:
> mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar
>
> But I keep getting the following response:
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> Can anyone tell me what I am doing wrong here? I am sure I have missed
> something. It is possible to authenticate per share with share level
> security is it not? I just can't get authentication to work no matter
> what I have tried on this machine. With guest enabled it will just use
> the guest account and that works fine.
> Thanks for any help, I am pulling my hair out here.
>
>
> ***smb.conf***
> [global]
>          server string = Backup and Multimedia server
>          security = SHARE
>          smb passwd file = /etc/samba/private/passdb.tdb
>          load printers = No
>          disable spoolss = Yes
>          show add printer wizard = No
>          write list = xamindar
>          printing = bsd
>          print command = lpr -r -P'%p' %s
>          lpq command = lpq -P'%p'
>          lprm command = lprm -P'%p' %j
>          map hidden = Yes
>          map system = Yes
>
> [backup]
>          path = /mnt/user/backup
>
> **************

Little update.
I just found that if I chose "Map Network Drive" on the vista machine
it
will authenticate and connect the share as a network drive. Why does it 
fail when just browsing through network neighborhood?
It looks like it is still read only this way. But guest access for this 
share should be disabled so it makes no sense.