Hello,

Until now, I let Samba use nobody:nogroup to access shares from Windows with no account in Samba.

I wanted to try the "guest account" option to tell it to use a specific Unix account… but it fails with "Access denied". The solution is to either give up on the "guest account" directive, or add "force user" to the share. Why is that?

===== smb.conf
[global]
security = USER
map to guest = Bad User
guest account = www-data

[myshare]
;/myshare is rwx for www-data
path = /myshare
guest ok = Yes
read only = No
===

FWIW, it's Samba 4.5.12 running on Debian 9.4.

Thank you.

On Wed, 9 May 2018 14:07:12 +0200
Gilles via samba <samba at lists.samba.org> wrote:

> Hello,
>
> Until now, I let Samba use nobody:nogroup to access shares from
> Windows with no account in Samba.
>
> I wanted to try the "guest account" option to tell it to use a
> specific Unix account… but it fails with "Access denied". The
> solution is to either give up on the "guest account" directive, or
> add "force user" to the share. Why is that?

The default Samba 'guest account' is 'nobody' and this seems to be
hard coded into Samba and when an unknown user connects and 'map to
guest' is set to 'Bad User', the unknown user is silently mapped to
'nobody'.
Without checking the source, I think this would happen even if 'nobody'
tried to connect.

Bad User:
Means user logins with an invalid password are rejected, unless the
username does not exist, in which case it is treated as a guest login
and mapped into the guest account.

Taking the above into account, the problem with 'www-data' is that it
does exist, so it will not be allowed access.
You could try to prove this by changing 'Bad User' to 'Bad Password',
but I wouldn't leave it like this.

Rowland

It looks like "service samba reload" and/or not disconnecting from Windows explains the problem I had.

After…

1. Using this, with no need for "force user" at the share level:

[global]
map to guest = Bad User
guest account = www-data

2. Running "/etc/init.d/samba restart"

… I can a) connect, and b) write files as www-data, as expected.

The reason I use the init.d script is because of this:

~# service samba reload
[ ok ] Reloading smbd configuration (via systemctl): smbd.service.
~# service samba restart
Failed to restart samba.service: Unit samba.service is masked.

Thank you.

On 09/05/2018 15:29, Rowland Penny via samba wrote:
> On Wed, 9 May 2018 14:07:12 +0200
> Gilles via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Until now, I let Samba use nobody:nogroup to access shares from
>> Windows with no account in Samba.
>>
>> I wanted to try the "guest account" option to tell it to use a
>> specific Unix account… but it fails with "Access denied". The
>> solution is to either give up on the "guest account" directive, or
>> add "force user" to the share. Why is that?
> The default Samba 'guest account' is 'nobody' and this seems to be
> hard coded into Samba and when an unknown user connects and 'map to
> guest' is set to 'Bad User', the unknown user is silently mapped to
> 'nobody'.
> Without checking the source, I think this would happen even if 'nobody'
> tried to connect.
>
> Bad User:
> Means user logins with an invalid password are rejected, unless the
> username does not exist, in which case it is treated as a guest login
> and mapped into the guest account.
>
> Taking the above into account, the problem with 'www-data' is that it
> does exist, so it will not be allowed access.
> You could try to prove this by changing 'Bad User' to 'Bad Password',
> but I wouldn't leave it like this.
>
> Rowland

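An added example, not part of the original thread or of Samba itself: a Python sketch that parses the smb.conf quoted above and reports which shares accept guests, whether guests can write there, and which Unix account they act as. The function and constant names are assumptions of this example; the built-in defaults (`guest account = nobody`, `map to guest = Never`, `guest ok = no`, `read only = yes`) and the synonyms are those of the smb.conf manual page.

```python
import configparser
# Constructed sample: the smb.conf quoted in the thread.
SMB_CONF = """\
[global]
security = USER
map to guest = Bad User
guest account = www-data

[myshare]
;/myshare is rwx for www-data
path = /myshare
guest ok = Yes
read only = No
"""
TRUE = {"yes", "true", "1"}
# Parameter synonyms; True marks an inverted synonym.
GUEST_OK = {"guest ok": False, "public": False}
READ_ONLY = {"read only": False, "writeable": True, "writable": True, "write ok": True}

def _norm(name):
    # smb.conf ignores case and whitespace inside parameter names.
    return "".join(name.lower().split())

def _flag(share, glob, names, default):
    # Share setting first, then the [global] default, then the built-in default.
    for sec in (share, glob):
        for name, inverted in names.items():
            if _norm(name) in sec:
                return (sec[_norm(name)].lower() in TRUE) != inverted
    return default

def audit_guest_access(text):
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = _norm
    # Strip indentation so configparser does not read it as a continuation line.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    secs = {name.lower(): dict(cp[name]) for name in cp.sections()}
    glob = secs.pop("global", {})
    guest = glob.get("guestaccount", "nobody")
    shares = []
    for name, share in secs.items():
        if not _flag(share, glob, GUEST_OK, False):
            continue
        # "force user" replaces the identity of every connection to the share.
        acts_as = share.get("forceuser", glob.get("forceuser", guest))
        shares.append({"share": name, "path": share.get("path"), "acts_as": acts_as,
                       "guest_writable": not _flag(share, glob, READ_ONLY, True)})
    return {"map_to_guest": glob.get("maptoguest", "Never"),
            "guest_account": guest, "guest_shares": shares}
```

Calling `audit_guest_access(SMB_CONF)` reports `myshare` as guest-writable with guests acting as `www-data`. It reads the configuration text only, so it says nothing about whether a running smbd has picked up the change.
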
What you want to know is..

## For a standalone server/Member server.
systemctl stop samba-ad-dc samba
systemctl disable samba-ad-dc samba
systemctl mask samba-ad-dc samba

systemctl unmask smbd winbind nmbd
systemctl enable smbd winbind nmbd
systemctl start smbd winbind nmbd

## For an AD-DC setup.
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind

systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc

This works as of Debian Jessie and up.
Same for Ubuntu as of 16.04 but advised as of 17.x and up.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Gilles via samba
> Sent: Wednesday 9 May 2018 16:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] [4.5.12] "guest account" doesn't work
>
> It looks like "service samba reload" and/or not disconnecting from
> Windows explains the problem I had.
>
> After…
>
> 1. Using this, with no need for "force user" at the share level:
>
> [global]
> map to guest = Bad User
> guest account = www-data
>
> 2. Running "/etc/init.d/samba restart"
>
> … I can a) connect, and b) write files as www-data, as expected.
>
> The reason I use the init.d script is because of this:
>
> ~# service samba reload
> [ ok ] Reloading smbd configuration (via systemctl): smbd.service.
> ~# service samba restart
> Failed to restart samba.service: Unit samba.service is masked.
>
> Thank you.