samba - May 2018 - Fwd: NT_STATUS_ACCESS_DENIED for guest account to public share

So the guest account ignores the owner permissions of the files it
interacts with and relies only on group membership and world permissions?

Why do I need the sgid? Users will create files/directories that will
default to their default group from /etc/passwd, and that's the behavior I
want. Authenticated users should be able to make files/directories with
group membership different from guest accounts.

--
Raymond Page


On Fri, May 25, 2018 at 2:26 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 25 May 2018 14:10:26 -0400
> Raymond Page <pagerc at gmail.com> wrote:
>
> > I want to keep the 'nobody' account for NFS usage. For Samba,
I want
> > to use the 'guest' account as it is properly restricted.
> > I want everyone to connect to samba as the 'guest' user, but I
don't
> > want loose permissions on the directory location.
>
> Don't understand why you think the 'guest' user is
'properly
> restricted', it isn't a standard Unix user, so you must have
created
> it, so it is as restricted as you made it, but it is a member of the
> 'users' group, so it will have all the permissions of that group.
>
> >
> > I've been trying multiple variations and settings, changing to the
> > 'nobody' user doesn't fix the issue. The closest to
working I've
> > gotten is setting chmod g+w /mnt/share, which because the guest
> > account's default gid is 100 (users), allowed uid 405 to write to
gid
> > 100. However, I expect that uid 405 in samba should be able to write
> > to uid 405 on the share
> >
> > # ls -lad /mnt/share ; ls -land /mnt/share ; grep mnt /proc/mounts
> > drwxr-xr-x 5 guest users 4096 May 25 15:18 /mnt/share
> > drwxr-xr-x 5 405 100 4096 May 25 15:18 /mnt/share
> > /dev/mapper/storage /mnt ext4 rw,relatime,data=ordered 0 0
> >
>
> Did you know that a guest share has another name, it is 'A wide open
> share', the only way to get a guest share to work is to 'chmod
2775' on
> the share, if you want security, then do not use a guest share.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Fri, 25 May 2018 14:48:35 -0400
Raymond Page <pagerc at gmail.com> wrote:
> So the guest account ignores the owner permissions of the files it
> interacts with and relies only on group membership and world
> permissions?
> 
> Why do I need the sgid? Users will create files/directories that will
> default to their default group from /etc/passwd, and that's the
> behavior I want. Authenticated users should be able to make
> files/directories with group membership different from guest accounts.
> 
That isn't how the guest account works, anybody who connects to your
share must be the guest user (remember that you don't have any users
and unknown users are mapped to the guest account by 'map to guest Bad
User'). Now normally 'nobody' is the guest user and its group is
'nogroup', but you are using 'guest' with the group
'users' (this is a
bad move by the way). Because of all this and the way the share is set
up, all files and directories created in the share will belong to
'guest:users'

As I sort of said, having a share the way you have set it up, only
makes sense if you want/need a wide open share. Just about the only
way you could make it any less secure would be to allow wide links

Do you really need a standalone server ? or are the rest of the
computers in a domain ?

Rowland

Well I changed my config to use the 'nobody' user, and that worked. So I
then tried to get 'guest' to work. Managed to get it to work when I
changed
the 'guest' account uid from 405 to 400, when it started working too. I
toyed around with different names for the uid 405 account, and none of
those would work with samba. So there appears to be an issue with uid 405
on my environment, and nothing about the name 'guest' or even low
uid's as
I can use uid 400 and it works.

This seems bizzarre to me and I can't find any configuration that indicates
that uid 405 is in any way special or unique. If anyone has any insight on
where to look, I'm running Alpine Linux, I'd appreciate some direction.

--
Raymond Page


On Fri, May 25, 2018 at 3:20 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 25 May 2018 14:48:35 -0400
> Raymond Page <pagerc at gmail.com> wrote:
>
> > So the guest account ignores the owner permissions of the files it
> > interacts with and relies only on group membership and world
> > permissions?
> >
> > Why do I need the sgid? Users will create files/directories that will
> > default to their default group from /etc/passwd, and that's the
> > behavior I want. Authenticated users should be able to make
> > files/directories with group membership different from guest accounts.
> >
>
> That isn't how the guest account works, anybody who connects to your
> share must be the guest user (remember that you don't have any users
> and unknown users are mapped to the guest account by 'map to guest >
Bad User'). Now normally 'nobody' is the guest user and its group is
> 'nogroup', but you are using 'guest' with the group
'users' (this is a
> bad move by the way). Because of all this and the way the share is set
> up, all files and directories created in the share will belong to
> 'guest:users'
>
> As I sort of said, having a share the way you have set it up, only
> makes sense if you want/need a wide open share. Just about the only
> way you could make it any less secure would be to allow wide links
>
> Do you really need a standalone server ? or are the rest of the
> computers in a domain ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>