Jason Bailey
2013-Dec-18 01:27 UTC
[Samba] Samba4 as AD DC, with one anonymous read-only share
Hello all,

I have several Samba4 DCs that host various production shares. I need one share, however, available as a read-only guest share (anonymous) that will be used as a software distribution share point. I have been unable to make it work (the servers prompt me for a valid username and password on that share).

I have done some googling and it seems that this functionality might be broken at the moment (search results are almost a year old). I'm wondering if any of you have run into a similar situation and have some kind of solution.

Note that I am using the acl_xattr vfs module, but I am loading it only on the read-write shares (defining it on a share by share basis), so I would imagine that wouldn't be causing an issue with my anonymous share.

Thoughts? Help is appreciated.

--
Jason Bailey
Region IT/IS Manager
Gull Communications
jason.bailey at sunad.com
(435) 637-0732 x31
(435) 637-2716 Fax

* Emery County Progress * Richfield Reaper * Sun Advocate * Uintah Basin Standard * Vernal Express
Harry Jede
2013-Dec-18 12:32 UTC
[Samba] Samba4 as AD DC, with one anonymous read-only share
On 12:30:22 wrote Jason Bailey:
> Hello all,
>
> I have several Samba4 DCs that host various production shares. I need
> one share, however, available as a read-only guest share (anonymous)
> that will be used as a software distribution share point. I have been
> unable to make it work (the servers prompt me for a valid username
> and password on that share)....
> Thoughts? Help is appreciated.

This is from samba 3.6.x on Debian. Should also work on samba4 on any Linux OS.

Settings in smb.conf:

[global]
    guest account = nobody
    map to guest = Bad User

[install]
    comment = Installation Service
    path = /srv/z
    browseable = no
    guest ok = yes
    read only = yes

[install2]
    copy = install
    guest ok = no
    acl group control = Yes
    write list = +administrators

Guest account is set to the unix user nobody. "map to guest" is not so important.

The install share is invisible, read-only and allows guest access. The install2 share points to the same path. I use the "+" sign instead of the "@" sign as group indicator. This prevents the unnecessary NIS lookup.

# getent passwd guest
# getent passwd nobody
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

There is no user guest in unix.

# pdbedit -Lv guest
Username not found!

Nor in samba.

# pdbedit -Lv nobody
Unix username:        nobody
NT username:          nobody
Account Flags:        [NU ]
User SID:             S-1-5-21-3958726613-3318811842-4132420312-501
Primary Group SID:    S-1-5-21-3958726613-3318811842-4132420312-514
Full Name:            nobody
Home Directory:       \\capella\nobody
HomeDir Drive:        U:
Logon Script:         UNKNOWN.bat
Profile Path:         \\capella\profile\nogroup\nobody\UNKNOWN
Domain:               EUROPA
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Mo, 30 Apr 2012 14:22:04 CEST
Password can change:  Mo, 30 Apr 2012 14:22:04 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# ldapsearch -xLLL uid=nobody
dn: uid=nobody,ou=people,ou=accounts,dc=europa,dc=xx
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: nobody
uidNumber: 65534
gidNumber: 65534
homeDirectory: /dev/null
sambaPrimaryGroupSID: S-1-5-21-3958726613-3318811842-4132420312-514
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-501
loginShell: /bin/false
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1335788524
sambaAcctFlags: [NU ]

The guest account must have the well-known DomainSID-501 and DomainSID-514 for primary group. Password changes are forbidden as N in sambaAcctFlags indicates.

I use this setup to install Windows 7 pro via pxe boot with WindowsPE 3.0 and to install software with wpkg-gp as service.

--
Regards
Harry Jede
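An added example, not part of either post: a small audit that reads smb.conf text, resolves "copy =" the way [install2] uses it above, and reports which shares end up guest-accessible and whether they stay read-only. The [drop] share, the function names and the result labels are assumptions made for illustration; include files and per-user lists such as "write list" are not evaluated.

```python
# Constructed sample: shares from the post plus a hypothetical bad one ([drop]).
SAMPLE = """
[global]
    guest account = nobody
[install]
    path = /srv/z
    guest ok = yes
    read only = yes
[install2]
    copy = install
    guest ok = no
[drop]
    public = yes
    writeable = yes
"""
TRUE = {"yes", "true", "on", "1"}
SYNONYMS = {"public": ("guestok", False), "writeable": ("readonly", True),
            "writable": ("readonly", True), "writeok": ("readonly", True)}

def parse(text):
    """Return {section: {param: value}}; names lowercased, synonyms folded."""
    shares, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(line[1:-1].strip().lower(), {})
        elif cur is not None and "=" in line and line[0] not in "#;":
            key, _, val = line.partition("=")
            key = "".join(key.split()).lower()  # whitespace in names is ignored
            key, inverted = SYNONYMS.get(key, (key, False))
            if inverted:  # "writeable = yes" means "read only = no"
                val = "no" if val.strip().lower() in TRUE else "yes"
            cur[key] = val.strip()
    return shares

def effective(shares, name, seen=()):
    """Resolve 'copy =': the copied share is the base, own settings override."""
    own, seen = shares[name], seen + (name,)
    base = own.get("copy", "").lower()
    inherited = effective(shares, base, seen) if base in shares and base not in seen else {}
    return {**inherited, **own}

def audit(text):
    """share -> 'auth' | 'guest-ro' | 'guest-rw' (defaults: guest ok=no, read only=yes)."""
    shares, out = parse(text), {}
    for name in (s for s in shares if s != "global"):
        eff = {**shares.get("global", {}), **effective(shares, name)}
        guest = eff.get("guestok", "no").lower() in TRUE
        ro = eff.get("readonly", "yes").lower() in TRUE
        out[name] = "auth" if not guest else "guest-ro" if ro else "guest-rw"
    return out
```

Any share reported as guest-rw accepts anonymous writes; on a running server, testparm shows the settings Samba itself resolved and remains the authoritative check.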