Michael Tokarev
2023-Sep-27 16:30 UTC
[Samba] anonymous samba server with unauthenticated guest access policy
27.09.2023 19:18, Rowland Penny via samba wrote:
...
> Let's see if I understand this correctly, you have a Samba server that
> is/was running with 'map guest = bad user' in global and 'guest ok =
> yes' in a share, this would allow unknown (to Samba) users to connect
> to the share.
>
> However, the latest Windows no longer will allow anonymous shares, so
> you are looking to use authentication and are looking for the best way
> of doing this.

Yes, exactly.

> In my opinion, you have two choices, you run Samba as a standalone
> server and create the required users in Unix and Samba, or join the
> computer to the domain and use the 'rid' idmap backend.
>
> The first is only really viable if there are only a few users, the
> second will make every AD user a Unix user.
>
> Once you have decided which way to go, you can then use a group and
> allow the group read access to the share, but without write permission.

I was thinking about an entirely opposite way: to run samba under a non-root
uid so it just cannot write to these files at all.

Or at the very least, to map all domain users to a fixed uid, similar
to `map to guest = bad user` (with *all* users being bad).

Samba server can be a domain member server too, that's ok if it's a must.

There's just no place for any "foreign" (domain) users here. The only
thing I need is to let the samba server be "known" to windows.

/mjt
Achim Gottinger
2023-Sep-27 18:14 UTC
[Samba] anonymous samba server with unauthenticated guest access policy
On 27.09.23 at 18:30, Michael Tokarev via samba wrote:
> 27.09.2023 19:18, Rowland Penny via samba wrote:
> ...
>> Let's see if I understand this correctly, you have a Samba server that
>> is/was running with 'map guest = bad user' in global and 'guest ok =
>> yes' in a share, this would allow unknown (to Samba) users to connect
>> to the share.
>>
>> However, the latest Windows no longer will allow anonymous shares, so
>> you are looking to use authentication and are looking for the best way
>> of doing this.
>
> Yes, exactly.
>
>> In my opinion, you have two choices, you run Samba as a standalone
>> server and create the required users in Unix and Samba, or join the
>> computer to the domain and use the 'rid' idmap backend.
>>
>> The first is only really viable if there are only a few users, the
>> second will make every AD user a Unix user.
>>
>> Once you have decided which way to go, you can then use a group and
>> allow the group read access to the share, but without write permission.
>
> I was thinking about an entirely opposite way: to run samba under a non-root
> uid so it just cannot write to these files at all.
>
> Or at the very least, to map all domain users to a fixed uid, similar
> to `map to guest = bad user` (with *all* users being bad).
>
> Samba server can be a domain member server too, that's ok if it's a must.
>
> There's just no place for any "foreign" (domain) users here. The only
> thing I need is to let the samba server be "known" to windows.
>
> /mjt
>

You need to define a GPO on the client. See here:
learn.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

.........................

Resolution

Configure your third-party SMB server device to require a username and password for SMB connections. If your device allows guest access, any device or person on your network can read or copy all of your shared data without any audit trail or credentials.
If you can't configure your third-party device to be secure, you can enable insecure guest access with the following Group Policy settings:

1. Open the Local Group Policy Editor (gpedit.msc) on your Windows device.
2. In the console tree, select Computer Configuration > Administrative Templates > Network > Lanman Workstation.
3. For the setting, right-click Enable insecure guest logons and select Edit.
4. Select Enabled > OK.
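The two server-side configurations the thread contrasts, as an added example that is not part of the thread or of Samba's own code: the guest setup Michael describes (`map to guest = bad user` plus `guest ok = yes`) beside a hardened domain-member variant along the lines of Rowland's advice (`rid` idmap backend, an authenticated group in `valid users`, read-only share, and Michael's fixed-uid idea via `force user`), together with a small audit function that flags shares reachable without credentials, writable, or unrestricted. Both smb.conf fragments are constructed; the domain name EXAMPLE, the `/srv/pub` path and the `nobody` account are assumptions.

```python
# Constructed smb.conf fragments (not from the thread): the guest setup Michael describes
# and a hardened domain-member variant (rid idmap, authenticated group, read-only, force user).
GUEST_CONF = """
[global]
   map to guest = Bad User
[pub]
   path = /srv/pub
   guest ok = yes
   read only = yes
"""
HARDENED_CONF = """
[global]
   map to guest = Never
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
[pub]
   path = /srv/pub
   valid users = @"EXAMPLE\\Domain Users"
   force user = nobody
   read only = yes
"""
def parse_smb_conf(text):
    # -> {section: {key: value}}; keys lowercased and whitespace-normalised, comments skipped
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip().lower()
            sections[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            sections[cur][" ".join(key.split()).lower()] = val.strip()
    return sections
def is_yes(val, default=False):
    return default if val is None else val.strip().lower() in ("yes", "true", "1")
def audit(text):
    # -> {share: [findings]} for shares reachable without credentials, writable, or unrestricted
    conf, findings = parse_smb_conf(text), {}
    guest_mapping = conf.get("global", {}).get("map to guest", "never").lower() != "never"
    for name, sec in conf.items():
        if name in ("global", "homes", "printers", "print$"):
            continue
        issues = ["unauthenticated access"] if guest_mapping and is_yes(sec.get("guest ok", sec.get("public"))) else []
        w = sec.get("writeable", sec.get("writable", sec.get("write ok")))  # these invert 'read only'
        if is_yes(w) if w is not None else not is_yes(sec.get("read only"), default=True):
            issues.append("writable")
        if "valid users" not in sec:
            issues.append("no valid users restriction")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit(GUEST_CONF)` flags the `pub` share for unauthenticated access and a missing `valid users` restriction, while `audit(HARDENED_CONF)` returns nothing; the parser is deliberately minimal (no includes, no `copy`), so treat it as a first-pass check rather than a replacement for `testparm`.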