Michael Tokarev
2023-Sep-27 15:58 UTC
[Samba] anonymous samba server with unauthenticated guest access policy
27.09.2023 13:09, Rowland Penny via samba :
> On Wed, 27 Sep 2023 12:56:19 +0300
> Michael Tokarev via samba <samba at lists.samba.org> wrote:
>
>> 27.09.2023 12:38, Rowland Penny via samba:
>>> On Wed, 27 Sep 2023 11:39:00 +0300
>>> Michael Tokarev via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi!
>>>>
>>>> What's the best way to have an anonymous samba server (with
>>>> read-only shares only, users can't modify anything) with today's
>>>> windows which block unauthenticated guest access by default and
>>>> require signing?
>>>>
>>>> Is the only solution (besides unblocking which is not nice) is to
>>>> add this server to the domain in question?
>>
>>> Hi Michael, it is my understanding that if it is the Windows machine
>>> that has guest access turned off, then there is nothing that Samba
>>> can do to re-enable it, so you must use authenticated users.
>>
>> Heh. It's as good answer as useless. But ok :)
>
> No, it isn't useless, it is a fact. If guest access is turned off on a
> Windows machine (currently win10 pro and up, I believe), then nothing
> you can do on or with a Samba server will turn it back on again, you
> have to turn it on again in Windows.
>
> You can run Samba as a standalone server, AD DC, Domain member etc and
> have all the required guest parameters set correctly and you still will
> not get anonymous access from a Windows machine if it is turned off on
> the Windows machine.

Rowland, are we using the same language?
Or maybe you just don't understand what I'm asking about? (from the
"win10 pro and up" I believe you do understand.)

Just to clarify: windows refuses to connect to a (samba) server which
does not have authentication turned on, which allows "unauthenticated
guest access". This is a windows _client_ settings.

What I'm asking is how to turn "unauthenticated" server into something
to which modern win is "more friendly".

This is a question exactly about the samba _server_ not about client,
it is entirely a server thing, - how to become a friend to current win.

/mjt
Rowland Penny
2023-Sep-27 16:18 UTC
[Samba] anonymous samba server with unauthenticated guest access policy
On Wed, 27 Sep 2023 18:58:13 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:

> 27.09.2023 13:09, Rowland Penny via samba :
> > On Wed, 27 Sep 2023 12:56:19 +0300
> > Michael Tokarev via samba <samba at lists.samba.org> wrote:
> >
> >> 27.09.2023 12:38, Rowland Penny via samba:
> >>> On Wed, 27 Sep 2023 11:39:00 +0300
> >>> Michael Tokarev via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi!
> >>>>
> >>>> What's the best way to have an anonymous samba server (with
> >>>> read-only shares only, users can't modify anything) with today's
> >>>> windows which block unauthenticated guest access by default and
> >>>> require signing?
> >>>>
> >>>> Is the only solution (besides unblocking which is not nice) is to
> >>>> add this server to the domain in question?
> >>
> >>> Hi Michael, it is my understanding that if it is the Windows
> >>> machine that has guest access turned off, then there is nothing
> >>> that Samba can do to re-enable it, so you must use authenticated
> >>> users.
> >>
> >> Heh. It's as good answer as useless. But ok :)
> >
> > No, it isn't useless, it is a fact. If guest access is turned off
> > on a Windows machine (currently win10 pro and up, I believe), then
> > nothing you can do on or with a Samba server will turn it back on
> > again, you have to turn it on again in Windows.
> >
> > You can run Samba as a standalone server, AD DC, Domain member etc
> > and have all the required guest parameters set correctly and you
> > still will not get anonymous access from a Windows machine if it is
> > turned off on the Windows machine.
>
> Rowland, are we using the same language?
> Or maybe you just don't understand what I'm asking about? (from the
> "win10 pro and up" I believe you do understand.)
>
> Just to clarify: windows refuses to connect to a (samba) server which
> does not have authentication turned on, which allows "unauthenticated
> guest access". This is a windows _client_ settings.
>
> What I'm asking is how to turn "unauthenticated" server into something
> to which modern win is "more friendly".
>
> This is a question exactly about the samba _server_ not about client,
> it is entirely a server thing, - how to become a friend to current win.
>
> /mjt
>

Let's see if I understand this correctly, you have a Samba server that
is/was running with 'map guest = bad user' in global and 'guest ok yes'
in a share, this would allow unknown (to Samba) users to connect to the
share.

However, the latest Windows no longer will allow anonymous shares, so
you are looking to use authentication and are looking for the best way
of doing this.

In my opinion, you have two choices, you run Samba as a standalone
server and create the required users in Unix and Samba, or join the
computer to the domain and use the 'rid' idmap backend. The first is
only really viable if there are only a few users, the second will make
every AD user a Unix user.

Once you have decided which way to go, you can then use a group and
allow the group read access to the share, but without write permission.

Rowland
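
The two options from the reply above, written out as an smb.conf sketch. This is an added example, not configuration posted by anyone in the thread. The share name `pub`, the path `/srv/pub`, the group `pubread`, the domain `EXAMPLE` / `EXAMPLE.COM`, the idmap ranges and the mandatory-signing line are all assumptions chosen for illustration.

```ini
# --- Before: the guest setup described in the thread (kept commented) ---
# [global]
#     map guest = bad user
# [pub]
#     path = /srv/pub
#     guest ok = yes

# --- After, option 1: standalone server with local accounts ---
# Each user needs a Unix account and a Samba password (smbpasswd -a <user>)
# and membership of the Unix group "pubread" (assumed name).
[global]
    server role = standalone server
    security = user
    # Failed logons are rejected instead of being mapped to the guest account.
    map guest = never
    # Assumption: require signing on every session, as the clients in the
    # thread are said to do.
    server signing = mandatory

[pub]
    path = /srv/pub
    guest ok = no
    # Read access for the group only; nobody can write through this share.
    read only = yes
    valid users = @pubread

# --- After, option 2: domain member with the 'rid' idmap backend ---
# Replace the [global] section above with the following (commented here so
# the file stays a valid standalone configuration), then join the domain.
# [global]
#     security = ads
#     workgroup = EXAMPLE
#     realm = EXAMPLE.COM
#     idmap config * : backend = tdb
#     idmap config * : range = 3000-7999
#     idmap config EXAMPLE : backend = rid
#     idmap config EXAMPLE : range = 10000-999999
# [pub]
#     path = /srv/pub
#     guest ok = no
#     read only = yes
#     valid users = @"EXAMPLE\pubread"
```

Running `testparm` against the file reports unknown parameters and syntax errors before smbd is reloaded.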