Rowland Penny
2023-Sep-27 16:18 UTC
[Samba] anonymous samba server with unauthenticated guest access policy
On Wed, 27 Sep 2023 18:58:13 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:

> 27.09.2023 13:09, Rowland Penny via samba :
> > On Wed, 27 Sep 2023 12:56:19 +0300
> > Michael Tokarev via samba <samba at lists.samba.org> wrote:
> >
> >> 27.09.2023 12:38, Rowland Penny via samba:
> >>> On Wed, 27 Sep 2023 11:39:00 +0300
> >>> Michael Tokarev via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi!
> >>>>
> >>>> What's the best way to have an anonymous samba server (with
> >>>> read-only shares only, users can't modify anything) with today's
> >>>> windows which block unauthenticated guest access by default and
> >>>> require signing?
> >>>>
> >>>> Is the only solution (besides unblocking which is not nice) to
> >>>> add this server to the domain in question?
> >>
> >>> Hi Michael, it is my understanding that if it is the Windows
> >>> machine that has guest access turned off, then there is nothing
> >>> that Samba can do to re-enable it, so you must use authenticated
> >>> users.
> >>
> >> Heh. It's as good an answer as useless. But ok :)
> >
> > No, it isn't useless, it is a fact. If guest access is turned off
> > on a Windows machine (currently win10 pro and up, I believe), then
> > nothing you can do on or with a Samba server will turn it back on
> > again, you have to turn it on again in Windows.
> >
> > You can run Samba as a standalone server, AD DC, Domain member etc
> > and have all the required guest parameters set correctly and you
> > still will not get anonymous access from a Windows machine if it is
> > turned off on the Windows machine.
>
> Rowland, are we using the same language?
> Or maybe you just don't understand what I'm asking about? (from the
> "win10 pro and up" I believe you do understand.)
>
> Just to clarify: windows refuses to connect to a (samba) server which
> does not have authentication turned on, which allows "unauthenticated
> guest access". This is a windows _client_ setting.
>
> What I'm asking is how to turn an "unauthenticated" server into something
> to which modern win is "more friendly".
>
> This is a question exactly about the samba _server_ not about the client,
> it is entirely a server thing, - how to become a friend to current win.
>
> /mjt

Let's see if I understand this correctly, you have a Samba server that
is/was running with 'map guest = bad user' in global and 'guest ok
yes' in a share, this would allow unknown (to Samba) users to connect
to the share.

However, the latest Windows no longer will allow anonymous shares, so
you are looking to use authentication and are looking for the best way
of doing this.

In my opinion, you have two choices, you run Samba as a standalone
server and create the required users in Unix and Samba, or join the
computer to the domain and use the 'rid' idmap backend.

The first is only really viable if there are only a few users, the
second will make every AD user a Unix user.

Once you have decided which way to go, you can then use a group and
allow the group read access to the share, but without write permission.

Rowland
Michael Tokarev
2023-Sep-27 16:30 UTC
[Samba] anonymous samba server with unauthenticated guest access policy
27.09.2023 19:18, Rowland Penny via samba wrote:
...
> Let's see if I understand this correctly, you have a Samba server that
> is/was running with 'map guest = bad user' in global and 'guest ok
> yes' in a share, this would allow unknown (to Samba) users to connect
> to the share.
>
> However, the latest Windows no longer will allow anonymous shares, so
> you are looking to use authentication and are looking for the best way
> of doing this.

Yes, exactly.

> In my opinion, you have two choices, you run Samba as a standalone
> server and create the required users in Unix and Samba, or join the
> computer to the domain and use the 'rid' idmap backend.
>
> The first is only really viable if there are only a few users, the
> second will make every AD user a Unix user.
>
> Once you have decided which way to go, you can then use a group and
> allow the group read access to the share, but without write permission.

I was thinking about the entirely opposite way: to run samba under a
non-root uid so it just can not write to these files at all. Or at the
very least, to map all domain users to a fixed uid, similar to
`map to guest = bad user` (with *all* users being bad).

Samba server can be a domain member server too, that's ok if it's a
must. There's just no place for any "foreign" (domain) users here.

The only thing I need is to let the samba server be "known" to windows.

/mjt
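As an added example (not from either poster), here is an smb.conf sketch of Rowland's second option, a domain member using the 'rid' idmap backend with a read-only share restricted to one AD group, plus an optional `force user` line for Michael's idea of running all file access under a single fixed uid. The realm, domain name, group name, path and id ranges are placeholders.

```ini
# Added example, not the thread's own configuration.
# EXAMPLE / EXAMPLE.COM, pub-readers and /srv/pub are placeholders.

[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    # Domain member: the server joins the AD domain and authenticates
    # users against it instead of offering guest access.
    security = ADS

    # The old anonymous setup is removed; modern Windows clients refuse
    # it anyway, so every connection now has to authenticate:
    #   map to guest = Bad User

    # Default idmap backend for BUILTIN and any other domain.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # Rowland's second option: 'rid' derives a deterministic Unix uid/gid
    # for every AD user and group, so no per-user Unix accounts are needed.
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    winbind use default domain = yes

[pub]
    path = /srv/pub
    # Only members of this AD group may connect to the share ...
    valid users = @"EXAMPLE\pub-readers"
    # ... and none of them can write, whatever the filesystem allows.
    read only = yes
    # Guest access stays off (the old share had 'guest ok = yes').
    guest ok = no
    # Optional, along the lines Michael describes: after authentication,
    # perform all file operations as one fixed Unix account rather than
    # as the mapped domain user.
    force user = nobody
```

Check the result with `testparm` before restarting smbd; it reports unknown or misspelled parameters and shows the effective per-share values.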