Raymond Page
2018-May-25 18:48 UTC
[Samba] Fwd: NT_STATUS_ACCESS_DENIED for guest account to public share
So the guest account ignores the owner permissions of the files it interacts with and relies only on group membership and world permissions?

Why do I need the sgid? Users will create files/directories that will default to their default group from /etc/passwd, and that's the behavior I want. Authenticated users should be able to make files/directories with group membership different from guest accounts.

--
Raymond Page

On Fri, May 25, 2018 at 2:26 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 25 May 2018 14:10:26 -0400
> Raymond Page <pagerc at gmail.com> wrote:
>
> > I want to keep the 'nobody' account for NFS usage. For Samba, I want
> > to use the 'guest' account as it is properly restricted.
> > I want everyone to connect to samba as the 'guest' user, but I don't
> > want loose permissions on the directory location.
>
> Don't understand why you think the 'guest' user is 'properly
> restricted', it isn't a standard Unix user, so you must have created
> it, so it is as restricted as you made it, but it is a member of the
> 'users' group, so it will have all the permissions of that group.
>
> > I've been trying multiple variations and settings, changing to the
> > 'nobody' user doesn't fix the issue. The closest to working I've
> > gotten is setting chmod g+w /mnt/share, which because the guest
> > account's default gid is 100 (users), allowed uid 405 to write to gid
> > 100. However, I expect that uid 405 in samba should be able to write
> > to uid 405 on the share
> >
> > # ls -lad /mnt/share ; ls -land /mnt/share ; grep mnt /proc/mounts
> > drwxr-xr-x 5 guest users 4096 May 25 15:18 /mnt/share
> > drwxr-xr-x 5 405 100 4096 May 25 15:18 /mnt/share
> > /dev/mapper/storage /mnt ext4 rw,relatime,data=ordered 0 0
>
> Did you know that a guest share has another name, it is 'A wide open
> share', the only way to get a guest share to work is to 'chmod 2775' on
> the share, if you want security, then do not use a guest share.
>
> Rowland
Rowland Penny
2018-May-25 19:19 UTC
[Samba] Fwd: NT_STATUS_ACCESS_DENIED for guest account to public share
On Fri, 25 May 2018 14:48:35 -0400 Raymond Page <pagerc at gmail.com> wrote:

> So the guest account ignores the owner permissions of the files it
> interacts with and relies only on group membership and world
> permissions?
>
> Why do I need the sgid? Users will create files/directories that will
> default to their default group from /etc/passwd, and that's the
> behavior I want. Authenticated users should be able to make
> files/directories with group membership different from guest accounts.

That isn't how the guest account works, anybody who connects to your share must be the guest user (remember that you don't have any users and unknown users are mapped to the guest account by 'map to guest Bad User'). Now normally 'nobody' is the guest user and its group is 'nogroup', but you are using 'guest' with the group 'users' (this is a bad move by the way). Because of all this and the way the share is set up, all files and directories created in the share will belong to 'guest:users'.

As I sort of said, having a share the way you have set it up, only makes sense if you want/need a wide open share. Just about the only way you could make it any less secure would be to allow wide links.

Do you really need a standalone server? Or are the rest of the computers in a domain?

Rowland
Raymond Page
2018-May-25 20:08 UTC
[Samba] Fwd: NT_STATUS_ACCESS_DENIED for guest account to public share
Well I changed my config to use the 'nobody' user, and that worked. So I then tried to get 'guest' to work. Managed to get it to work when I changed the 'guest' account uid from 405 to 400, when it started working too.

I toyed around with different names for the uid 405 account, and none of those would work with samba. So there appears to be an issue with uid 405 on my environment, and nothing about the name 'guest' or even low uids as I can use uid 400 and it works.

This seems bizarre to me and I can't find any configuration that indicates that uid 405 is in any way special or unique. If anyone has any insight on where to look, I'm running Alpine Linux, I'd appreciate some direction.

--
Raymond Page

On Fri, May 25, 2018 at 3:20 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 25 May 2018 14:48:35 -0400
> Raymond Page <pagerc at gmail.com> wrote:
>
> > So the guest account ignores the owner permissions of the files it
> > interacts with and relies only on group membership and world
> > permissions?
> >
> > Why do I need the sgid? Users will create files/directories that will
> > default to their default group from /etc/passwd, and that's the
> > behavior I want. Authenticated users should be able to make
> > files/directories with group membership different from guest accounts.
>
> That isn't how the guest account works, anybody who connects to your
> share must be the guest user (remember that you don't have any users
> and unknown users are mapped to the guest account by 'map to guest
> Bad User'). Now normally 'nobody' is the guest user and its group is
> 'nogroup', but you are using 'guest' with the group 'users' (this is a
> bad move by the way). Because of all this and the way the share is set
> up, all files and directories created in the share will belong to
> 'guest:users'
>
> As I sort of said, having a share the way you have set it up, only
> makes sense if you want/need a wide open share. Just about the only
> way you could make it any less secure would be to allow wide links
>
> Do you really need a standalone server ? or are the rest of the
> computers in a domain ?
>
> Rowland
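
Added example (not part of the thread and not Samba code): a simplified model of the POSIX owner/group/other check applied to /mnt/share from the `ls -land` output above (uid 405, gid 100), for the three modes discussed: 0755 as found, 0775 after `chmod g+w`, and 2775 as advised. The function names and the identities with uid 1000 and 2000 are constructed for illustration; root, capabilities and ACLs are ignored.

```python
import stat

def access_class(st_uid, st_gid, uid, gids):
    """Pick the single permission class that applies; the first match wins."""
    if uid == st_uid:
        return "owner"
    if st_gid in gids:
        return "group"
    return "other"

def can_create(st_mode, st_uid, st_gid, uid, gids):
    """Creating an entry in a directory needs w and x in the applicable class.
    Simplified model: ignores root, capabilities and POSIX ACLs."""
    cls = access_class(st_uid, st_gid, uid, gids)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    bits = (st_mode >> shift) & 0o7
    return cls, (bits & 0o3) == 0o3

def new_entry_group(dir_mode, dir_gid, primary_gid):
    """Group of a new file: the directory's group if setgid is set,
    otherwise the creating process's primary gid."""
    return dir_gid if dir_mode & stat.S_ISGID else primary_gid

# Directory from the thread: /mnt/share, uid 405, gid 100.
OWNER, GROUP = 405, 100
# (label, uid, primary gid, all gids); the last two are constructed.
IDENTITIES = [
    ("guest 405:100", 405, 100, {100}),
    ("other member of users", 1000, 100, {100}),
    ("outside users", 2000, 2000, {2000}),
]

def evaluate(mode):
    """Return {label: (class, can_create, group of new files)} for one mode."""
    return {
        label: (*can_create(mode, OWNER, GROUP, uid, gids),
                new_entry_group(mode, GROUP, pgid))
        for label, uid, pgid, gids in IDENTITIES
    }

if __name__ == "__main__":
    for mode in (0o755, 0o775, 0o2775):  # as found, after g+w, as advised
        print(oct(mode))
        for label, result in evaluate(mode).items():
            print("  ", label, result)
```

In this model, a write that only succeeds after `chmod g+w` was evaluated in the group class, that is, with a uid other than the directory owner's. Comparing the uid and gids the serving process actually holds against the directory's numeric owner is therefore the first thing to check.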