samba - Jan 2015 - FW: desperate help needed - Samba and security = share

On Tuesday 27 January 2015 06:43:13 Andrew Bartlett
wrote:
> You will need to define your 150 users on your server, give them Samba
> passwords and give them access to those shares via standard unix groups
> and group permissions on the share folders, or (less preferred) the
> valid users entry in smb.conf.
>
> I hope this helps,
>
> Andrew Bartlett
Hi Andrew,  

That is exactly what I don't want to have to do.

The work required initially plus the ongoing maintenance because of the 
turnover in staff here make that unworkable.

I have installed CentOS and now have a version of Samba that still supports 
security = share

I now have my fingers crossed that I can get it working because last time I 
used CentOS I couldn't get Samba to work properly either which is why I 
stayed with Fedora.

From: Gary Stainburn <gary.stainburn at ringways.co.uk>
Subject: Re: [Samba] FW: desperate help needed - Samba and security = share
Date: Tue, 27 Jan 2015 09:37:35 +0000
> All of my servers run the same type of setup and it's all based 
> around "security = share". Why is this so universally declared as
bad??
> 
> I know when I built some F16 servers it said that "security =
share" was
> depreciated but it still let me use it. Now with F20 it just refuses.
"security = share" is based on Windows 9x architecture and cannot
support
modern protocols such as SMB2 or later and security features. This is why 
it became depreciated and was removed.

---
TAKAHASHI Motonobu <monyo at monyo.com> / @damemonyo 
                   facebook.com/takahashi.motonobu

On 01/27/15 04:37, Gary Stainburn wrote:
> On Tuesday 27 January 2015 06:43:13 Andrew Bartlett wrote:
>> You will need to define your 150 users on your server, give them Samba
>> passwords and give them access to those shares via standard unix groups
>> and group permissions on the share folders, or (less preferred) the
>> valid users entry in smb.conf.
>>
>> I hope this helps,
>>
>> Andrew Bartlett
> Hi Andrew,
>
> That is exactly what I don't want to have to do.
>
> The work required initially plus the ongoing maintenance because of the
> turnover in staff here make that unworkable.
>
> I have installed CentOS and now have a version of Samba that still supports
> security = share
>
> I now have my fingers crossed that I can get it working because last time I
> used CentOS I couldn't get Samba to work properly either which is why I
> stayed with Fedora.

So how are the users logging into the computers now?    At some point it 
may just be worth the pain to switch to a domain model?

Eventually you'll have to bite the bullet and modernize your configuration.
I'd say you have until 2020 when CentOS 6 goes past EOL but past experience
has shown that there can be compatibility issues with old Samba versions
and newer Windows clients/software.

Disabling/removing and adding members is rather easy.

samba-tool user disable olduser
samba-tool user add newuser Passw0rd
samba-tool group addmembers sales newuser

Create a basic group policy options for mapping drives, shortcuts,
printers, etc. and it should be touch free on the client side.

On Tue, Jan 27, 2015 at 4:37 AM, Gary Stainburn <
gary.stainburn at ringways.co.uk> wrote:
> On Tuesday 27 January 2015 06:43:13 Andrew Bartlett wrote:
> > You will need to define your 150 users on your server, give them Samba
> > passwords and give them access to those shares via standard unix
groups
> > and group permissions on the share folders, or (less preferred) the
> > valid users entry in smb.conf.
> >
> > I hope this helps,
> >
> > Andrew Bartlett
>
> Hi Andrew,
>
> That is exactly what I don't want to have to do.
>
> The work required initially plus the ongoing maintenance because of the
> turnover in staff here make that unworkable.
>
> I have installed CentOS and now have a version of Samba that still supports
> security = share
>
> I now have my fingers crossed that I can get it working because last time I
> used CentOS I couldn't get Samba to work properly either which is why I
> stayed with Fedora.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Tue, Jan 27, 2015 at 10:43 AM, TAKAHASHI Motonobu <monyo at monyo.com>
wrote:
> From: Gary Stainburn <gary.stainburn at ringways.co.uk>
> Subject: Re: [Samba] FW: desperate help needed - Samba and security = share
> Date: Tue, 27 Jan 2015 09:37:35 +0000
>
> > All of my servers run the same type of setup and it's all based
> > around "security = share". Why is this so universally
declared as bad??
> >
> > I know when I built some F16 servers it said that "security =
share" was
> > depreciated but it still let me use it. Now with F20 it just refuses.
>
> "security = share" is based on Windows 9x architecture and cannot
support
> modern protocols such as SMB2 or later and security features. This is why
> it became depreciated and was removed.
>
> ---
> TAKAHASHI Motonobu <monyo at monyo.com> / @damemonyo
>                    facebook.com/takahashi.motonobu
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Gary, take a look at https://wiki.samba.org/index.php/Public_Samba_Server
and see if it will fit your needs.

Ryan, samba-tool only works if you are running samba as an AD DC, if he is
just wanting simple sharing, he will need to use the older binaries
(smbpasswd, pdbedit, etc.)

Good luck,
Ricky

On Tuesday 27 January 2015 16:45:51 Gaiseric Vandal
wrote:
> So how are the users logging into the computers now?    At some point it
> may just be worth the pain to switch to a domain model?
We are still using workgroups and local users. The local user is (usually) 
user1. Every time the staff member changes I simply change the display name 
locally on the Windows client.

Each PC connects to shares served by the old server using simple mapped 
network drives set up using the Windows GUI.  On a very small number of 
client PC's (3 or 4) I have connection problems and I get round this by 
having a BAT file with the required "net use" commands.

Gary

If you need a quick fix for a share setup.. 

This is what i use at home, so you can make your users happy again. 
and now you can have te time to setup a nice samba4 AD DC  ;-) 



#======================= Global Settings ======================
[global]

   workgroup = PRIVATE
   server string = %h server
   dns proxy = yes
;   name resolve order = lmhosts host wins bcast

#### Networking ####
#   interfaces = 127.0.0.0/8 eth0
#   bind interfaces only = yes

#### Debugging/Accounting ####
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######
## stand alone everything open.
   security = user
   guest ok = yes
   map to guest = bad password
####
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\
n *password\supdated\ssuccessfully* .
   pam password change = yes


########## Printing ##########
    #---- disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes


#======================= Share Definitions ======================
[homes]
    comment = Home Directorie
    browseable = no
    read only = yes
    create mask = 0770
    directory mask = 0770
    valid users = %S

[downloads]
    path = /media/diverse/downloads
    read only = No
#    acl_xattr:ignore system acl = yes
    guest ok = yes
#    force user = xbmc



Greetz, 

Louis

>-----Oorspronkelijk bericht-----
>Van: gary.stainburn at ringways.co.uk 
>[mailto:samba-bounces at lists.samba.org] Namens Gary Stainburn
>Verzonden: dinsdag 27 januari 2015 18:08
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] FW: desperate help needed - Samba and 
>security = share
>
>On Tuesday 27 January 2015 16:45:51 Gaiseric Vandal wrote:
>> So how are the users logging into the computers now?    At 
>some point it
>> may just be worth the pain to switch to a domain model?
>
>We are still using workgroups and local users. The local user 
>is (usually) 
>user1. Every time the staff member changes I simply change the 
>display name 
>locally on the Windows client.
>
>Each PC connects to shares served by the old server using 
>simple mapped 
>network drives set up using the Windows GUI.  On a very small 
>number of 
>client PC's (3 or 4) I have connection problems and I get 
>round this by 
>having a BAT file with the required "net use" commands.
>
>Gary
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>