
WaltCo Tech


Private and guest (no password prompt) Samba shares with security=user

January 26th, 2008 by Walter Wilfinger

I wanted to share out files from my Ubuntu Gutsy desktop “server” on to my home network. I wanted two different shares:

A private read/write share
Only I will have the credentials to access this share. This will host out my more precious files. I do not want my family either knowing about this share or accessing it and accidentally deleting everything I have.

A public read/write share
This will be used as an anonymous dumping ground to transfer files to/from the server. This will also be the share that my other family members will be using. For ease of use, I do not want them to have to specify a user or password to connect. There should be no password prompt. It should act like a public Windows share.

Every guide I found explained only how to do one kind of share or the other. Either you specified all shares to require a login -or- all shares to be public. I needed both served out at the same time. The key ended up being map to guest. Here’s a stripped-down version of my smb.conf, but if you want explanations, read on.

Short Version

/etc/samba/smb.conf on server

[global]
        # Browsing / Identification #
        netbios name = fileserver
        server string = %h server (Samba, Ubuntu)

        # Authentication #
        security = user
        encrypt passwords = true
        map to guest = bad user
        guest account = nobody

        passdb backend = tdbsam
        obey pam restrictions = yes
        invalid users = root

# Private Share.  Mount this on a Unix client with the following.
# sudo mount -t smbfs -o username=[username],password=[password],\
# rw,uid=[your Unix user],gid=[your Unix group] \
# //[netbios or ip of server]/private /path/to/mount/point
#
# Optionally use a credentials file and credentials=/path/to/credentials (see below)

[private]
        comment = Private Share
        path = /mnt/private
        browseable = no
        read only = no
        create mask = 0640
        directory mask = 0750

# Public Share.  Mount this on a Unix client with the following.
# sudo mount -t smbfs -o username=,password=,\
# rw,uid=[your Unix user],gid=[your Unix group] \
# //[netbios or ip of server]/public /path/to/mount/point

[public]
        comment = Public Share
        path = /mnt/public
        read only = no
        create mask = 0640
        directory mask = 0750
        guest only = yes
        guest ok = yes

After saving this, restart Samba with sudo /etc/init.d/samba restart
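Before restarting, it is worth checking that the only share reachable as guest is the one you intended. The following audit script is an added example, not part of the original post or of Samba: it parses smb.conf text, resolves the boolean synonyms Samba accepts (guest ok/public, read only versus writeable/writable), and lists every guest-accessible share together with whether guests can write to it. The embedded configuration is a constructed copy of the short version above plus one extra share, [oops], that opens itself up through the synonyms; the share name and path are invented for the demonstration.

```python
# Added example (not from the original post): audit smb.conf for guest exposure.
import re

TRUE_VALUES = {"yes", "true", "1", "on"}

# Constructed sample: the post's short-version config plus an extra share
# ([oops], invented here) that uses the 'public' and 'writeable' synonyms.
SAMPLE_SMB_CONF = """
[global]
        security = user
        encrypt passwords = true
        map to guest = bad user
        guest account = nobody

# private files
[private]
        comment = Private Share
        path = /mnt/private
        browseable = no
        read only = no

[public]
        comment = Public Share
        path = /mnt/public
        read only = no
        guest only = yes
        guest ok = yes

[oops]
        path = /mnt/oops
        writeable = yes
        public = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Section names, parameter names and values are lowercased because Samba
    matches them case-insensitively.  Lines starting with '#' or ';' are
    comments.  A repeated parameter overrides the earlier one, as in Samba.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.match(r"^\[(.+)\]$", line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def guest_allowed(share):
    """'guest ok' (synonym 'public') defaults to no."""
    return is_true(share.get("guest ok", share.get("public", "no")))


def is_writable(share):
    """'writeable'/'writable' is the inverse of 'read only', which defaults to yes."""
    for name in ("writeable", "writable"):
        if name in share:
            return is_true(share[name])
    return not is_true(share.get("read only", "yes"))


def guest_exposed_shares(text):
    """Return {share: writable} for every share that allows guest access."""
    exposed = {}
    for name, share in parse_smb_conf(text).items():
        if name in ("global", "homes", "printers"):
            continue
        if guest_allowed(share):
            exposed[name] = is_writable(share)
    return exposed


def global_findings(text):
    """Flag [global] settings that change who ends up running as guest."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    if glob.get("map to guest", "never") == "bad password":
        # A real user who mistypes a password is silently downgraded to guest.
        findings.append("map to guest = bad password maps valid users with wrong passwords to guest")
    if glob.get("security", "user") != "user":
        findings.append("security = %s (this setup assumes security = user)" % glob["security"])
    return findings


if __name__ == "__main__":
    for share, writable in guest_exposed_shares(SAMPLE_SMB_CONF).items():
        print("guest-accessible share: %s (writable=%s)" % (share, writable))
    for finding in global_findings(SAMPLE_SMB_CONF):
        print("finding:", finding)
```

Run it against your real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; if [private] ever shows up in the guest list, a guest ok or public line has crept into it.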

Set up samba user

Here smbprivate is the user that will have access to the Private share. Make sure that this user exists on the server and has appropriate permissions on the share directory. Then let Samba know about this user by executing the following.

$ sudo smbpasswd -a smbprivate

Using a credentials file to mount in Unix

You can create a credentials file so that your username and password aren’t sitting in plain text in /etc/fstab. Create this file on your client Linux machine (I put it in /etc/samba/credentials.fileserver).

username=[username]
password=[password]

Make it readable only by root.

$ sudo chown root:root /path/to/credentials
$ sudo chmod 400 /path/to/credentials

Then the mount command becomes

sudo mount -t smbfs -o credentials=/path/to/credentials,\
rw,uid=[your Unix user],gid=[your Unix group] \
//[netbios or ip of server]/private /path/to/mount/point

Long Version

The Private Share

To set up private shares in Samba we need to do three things.

  • Set security = user. This tells Samba that we want to authenticate login attempts based on the Unix users on the server.
  • Set encrypt passwords = yes. The newer versions of Windows require that share passwords be encrypted when transmitted over the network. This is default in Samba 3.0.26a, but if you’re running an older version of Samba you may have to define this explicitly.
  • Use smbpasswd on the command line to create the encrypted password information for your private share user.

The deal is that you’re going to have to use encrypted passwords unless all the Windows computers on your network are running Windows 95. Samba can’t authenticate directly against the Unix passwd file because Windows hashes passwords with a different algorithm. This is why smbpasswd exists: it stores the passwords you supply in a format that Windows clients can authenticate against.

All of this comes down to putting this under the global section of your smb.conf.

security = user
encrypt passwords = yes

And then executing this on the command line for each user you want access your private share. These users must be legitimate Unix users on the server.

smbpasswd -a username

Note: It is possible to sync your Samba users with your Unix users. Ubuntu Gutsy Gibbon has this enabled with its default configuration of Samba. This can cause unexpected effects if your Windows user names are the same as the user names on your Samba server. See the Public Share section for more details. To see which users already exist in the Samba password database run this in a shell: pdbedit -L

All that is left is to define your private shares in smb.conf.

[private]
        comment = Private Share
        # Path to directory you want to share out
        path = /mnt/private
        # Allow writing to the share
        read only = No
        # Do not allow computers on the network to see that this share
        # exists while browsing (i.e. Network Neighborhood)
        browseable = No
        # These two are optional.
        # Sets the umask for files/directories created on this share.
        create mask = 0640
        directory mask = 0750
        # This is also optional.  Restrict access to only certain users.
        # This gives access to Harry and to anyone in the group Family
        valid users = harry @family

After restarting Samba with sudo /etc/init.d/samba restart, you should be able to access this private share.

  • Windows: Browse to \\[netbios or ip of server]\private and provide a valid user and password
  • Linux: Mount the share with sudo mount -t smbfs -o username=[username],password=[password],rw,uid=[your Unix user],gid=[your Unix group] //[netbios or ip of server]/private /path/to/mount/point

If this doesn’t work, I would suggest reading through this excellent troubleshooting guide. If you find something wrong with how I did things, drop me a comment.

Note: In Linux, if you can successfully mount the share but do not have write permissions to it, make sure that you have write permissions on the mount point on the client side. That is, if you specified the user smbuser as the uid in the mount command, make sure smbuser has write permissions to /path/to/mount/point.

Using a credentials file

You’re probably going to want to mount this share automatically at boot by putting it in your /etc/fstab file. Storing a password in plain text in fstab is probably a bad idea. Samba lets you specify a credentials file in the mount command to get around this. The format is a set of simple name=value pairs.

username=[username]
password=[password]

Store this file wherever you want. I put it in /etc/samba/ because that seemed convenient. Make it readable only by root.

$ sudo chown root:root /path/to/credentials
$ sudo chmod 400 /path/to/credentials

Then the mount command becomes sudo mount -t smbfs -o credentials=/path/to/credentials,rw,uid=[your Unix user],gid=[your Unix group] //[netbios or ip of server]/private /path/to/mount/point
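The chown/chmod pair above is easy to get wrong on a later edit, so here is an added example (mine, not from the original post) that creates the credentials file with root-only permissions from the moment it exists, reads it back, checks ownership and mode before the file is referenced from /etc/fstab, and builds the fstab entry. The server name, share names, mount point and the password in the demo are placeholders; the file type defaults to cifs because later kernels dropped smbfs, which the post mounts with, in favour of cifs.

```python
# Added example (not from the original post): manage a mount credentials file.
import os
import stat


def write_credentials_file(path, username, password):
    """Create the file 0400 from the start; it is never group/world readable."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL   # refuse to clobber an existing file
    fd = os.open(path, flags, 0o400)
    try:
        os.fchmod(fd, 0o400)                        # umask can only narrow this; be explicit
        os.write(fd, ("username=%s\npassword=%s\n" % (username, password)).encode())
    finally:
        os.close(fd)


def read_credentials_file(path):
    """Parse the name=value lines the mount helper expects."""
    creds = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            creds[key.strip()] = value.strip()
    return creds


def check_credentials_file(path, expected_uid=0):
    """Return a list of problems; empty means the file is safe to reference from fstab.

    expected_uid defaults to root (uid 0), the owner the post recommends.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: %s" % path]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file: %s" % path]
    if st.st_uid != expected_uid:
        problems.append("owner uid is %d, expected %d" % (st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("mode %04o is readable by group or others" % mode)
    creds = read_credentials_file(path)
    for key in ("username", "password"):
        if key not in creds:
            problems.append("missing %s= line" % key)
    return problems


def fstab_line(server, share, mountpoint, credentials, uid, gid, fstype="cifs"):
    """Build the /etc/fstab entry that replaces inline username=/password= options."""
    options = "credentials=%s,rw,uid=%s,gid=%s" % (credentials, uid, gid)
    return "//%s/%s %s %s %s 0 0" % (server, share, mountpoint, fstype, options)


def demo_in_tempdir():
    """Exercise the helpers in a scratch directory and return what they reported."""
    import tempfile
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "credentials.fileserver")
    write_credentials_file(path, "smbprivate", "example-password")   # constructed values
    me = os.getuid()
    result = {
        "parsed": read_credentials_file(path),
        "ok_problems": check_credentials_file(path, expected_uid=me),
        "root_owner_problems": check_credentials_file(path),          # non-empty unless run as root
        "fstab": fstab_line("fileserver", "private", "/mnt/private", path, me, os.getgid()),
    }
    os.chmod(path, 0o644)                                             # simulate a careless chmod
    result["loose_problems"] = check_credentials_file(path, expected_uid=me)
    os.remove(path)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    for key, value in demo_in_tempdir().items():
        print("%s: %s" % (key, value))
```

On the real client, run `check_credentials_file("/etc/samba/credentials.fileserver")` as root before adding the fstab line; any non-empty result means the password is exposed to other local users.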

The Public Share

This was actually the hard part to figure out, even though in the end there isn’t much configuring to do. The key is the map to guest directive in smb.conf. This allows you to map invalid user/password attempts to the guest account. The guest account can be specified globally or per-share. map to guest has four options.

  • never (default): If you give a bad user/password, the connection is rejected
  • bad user: If a bad user is given, map the connection to the guest account
  • bad password: If a valid user but bad password is given, map the connection to the guest account.
  • bad uid: This is only applicable when you are using security = domain or security = ads

What we want here is map to guest = bad user. You see, when Windows connects to a Samba share it will provide the user and password of the currently logged on user. Since, usually, the account names on the Windows machine will not exist on the Samba server, the map to guest directive will be triggered and the connection will be mapped to the guest account you specify. This lets Windows machines connect to the share with no password prompt. What’s even better, this will only work on shares where you specify guest ok = yes in the share definition. Your private shares can remain private.

To set this up add this to the [global] section of smb.conf

map to guest = bad user
# Optionally, specify a global default guest
guest account = nobody

Here is the public share definition

[public]
        comment = Public Share
        # Path to directory you want to share out
        path = /mnt/nas/public
        # Allow writing to the share
        read only = No
        # Force connections as guests
        guest only = Yes
        guest ok = Yes
        # Optionally, specify the guest account here
        guest account = nobody
        # These two are optional.
        # Sets the umask for files/directories created on this share.
        create mask = 0640
        directory mask = 0750

After restarting Samba with sudo /etc/init.d/samba restart, you should be able to access this public share.

  • Windows: Browse to \\[netbios or ip of server]\public. You shouldn’t be prompted for a password. Booyah.
  • Linux: Mount the share with sudo mount -t smbfs -o username=,password=,rw,uid=[your Unix user],gid=[your Unix group] //[netbios or ip of server]/public /path/to/mount/point. Note the blank user and password.

If this doesn’t work, I would again suggest reading through this excellent troubleshooting guide.

Again, in Linux, make sure that your client-side user has write permissions to the mount point.

Caveat with duplicate user names and Unix/Samba password sync

This took me forever to figure out. With the public share, does…

  • Windows still prompt for a username and password when connecting?
  • Linux successfully mounts the public share without specifying a user or password?
  • Your Windows user name match your Unix user name on the Samba server?
  • Your Windows password does not match your Unix password?

What is happening is that Windows is silently attempting to authenticate with the current Windows username and password. When that fails, it prompts for another set of credentials. But why is it failing? Because you are silently trying to log in with a valid Samba user name.

Remember what map to guest = bad user does? It will map to the guest account if a bad user name is provided. However, Windows is giving the Samba server a valid user name with an invalid password. Samba will straight up reject the connection. The mount command given above will still work because you are giving an invalid user name (null).

But I didn’t explicitly use smbpasswd to set up this user? If password sync is enabled, which it is by default in Ubuntu Gutsy, all of your Unix users are already part of the Samba password database. Check out pdbedit -L to confirm. This is what perplexed me the longest. I ended up specifying debug level = 3 in the [global] section of smb.conf. In the logs I found that when Windows tried to connect, Samba would respond with NT_STATUS_WRONG_PASSWORD.

I find this terribly lame. This means if I have a friend over that brings their laptop and their Windows login happens to exist on the Samba server they won’t be able to access the public share. The easiest solution I found was to remove the duplicate user name from Samba’s database.
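The interaction between map to guest, guest only and guest ok is easier to see as a decision function than as prose. The model below is an added example, written for this page rather than taken from the post or from Samba's source: it encodes the three map to guest values listed in The Public Share section (bad uid is left out since it only applies to domain/ads security), applies the share's guest only and guest ok settings, and replays the cases from both sections, including the duplicate-user-name failure described just above and the smbpasswd -x fix. The password database, user names and passwords are constructed for illustration; real Samba stores hashes, not plaintext.

```python
# Added example (not from the original post): model of the map to guest decision.

GUEST = "guest"
REJECT = "reject"


def authenticate(username, password, passdb):
    """Return 'ok', 'no such user' or 'wrong password' (NT_STATUS_WRONG_PASSWORD)."""
    if username not in passdb:
        return "no such user"
    if passdb[username] != password:
        return "wrong password"
    return "ok"


def session_identity(map_to_guest, username, password, passdb):
    """Who the session runs as under security = user.

      never        - any failed login is rejected
      bad user     - unknown user -> guest; known user, wrong password -> rejected
      bad password - unknown user or wrong password -> guest
    """
    status = authenticate(username, password, passdb)
    if status == "ok":
        return username
    if map_to_guest == "bad user" and status == "no such user":
        return GUEST
    if map_to_guest == "bad password":
        return GUEST
    return REJECT


def effective_identity(identity, share):
    """A share with guest only = yes forces even successful user logins to guest."""
    if identity == REJECT:
        return REJECT
    if share.get("guest only") == "yes":
        return GUEST
    return identity


def can_access(identity, share):
    """Guests only get in where guest ok = yes; real users always do in this model."""
    if identity == REJECT:
        return False
    if identity == GUEST:
        return share.get("guest ok") == "yes"
    return True


# Constructed passdb after Unix/Samba password sync: every Unix account
# on the server is present, including the desktop login 'walter'.
PASSDB = {"walter": "unix-secret", "smbprivate": "private-secret"}
PUBLIC_SHARE = {"guest ok": "yes", "guest only": "yes"}
PRIVATE_SHARE = {"guest ok": "no"}


def replay_post_cases(passdb=PASSDB, map_to_guest="bad user"):
    """The situations the post describes, each reduced to the resulting identity."""
    def on_public(user, pw):
        return effective_identity(session_identity(map_to_guest, user, pw, passdb), PUBLIC_SHARE)
    return {
        # Windows sends its local login; the name is unknown on the server -> guest
        "windows_unknown_user": on_public("guestlaptop", "whatever"),
        # Windows login matches a Unix account but the password differs -> rejected (prompt appears)
        "windows_duplicate_name": on_public("walter", "windows-pw"),
        # Linux mount with username=,password= : an empty name is a bad user -> guest
        "linux_blank_credentials": on_public("", ""),
        # The private-share user with the right password stays themselves on [private]
        "private_user": effective_identity(
            session_identity(map_to_guest, "smbprivate", "private-secret", passdb), PRIVATE_SHARE),
        # A guest session can never open the private share
        "guest_on_private": can_access(session_identity(map_to_guest, "guestlaptop", "x", passdb), PRIVATE_SHARE),
    }


def after_removing_duplicate(passdb=PASSDB, duplicate="walter"):
    """The post's fix: smbpasswd -x drops the duplicate name from the passdb."""
    trimmed = {name: pw for name, pw in passdb.items() if name != duplicate}
    return replay_post_cases(trimmed)


if __name__ == "__main__":
    print("before fix:", replay_post_cases())
    print("after smbpasswd -x walter:", after_removing_duplicate())
```

Switching the model to map to guest = bad password makes the duplicate-name case succeed as guest too, but at the price that anyone who mistypes the password of a real account is silently downgraded to guest instead of being told why their private share is empty, which is why bad user is the right setting for this layout.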

# See what users are set up with Samba
pdbedit -L
# Remove the duplicate user name
smbpasswd -x [username]

There is still a problem though. We just removed the Samba user that I was going to use to access my private shares. What I did was create a Unix and Samba user on the server, smbprivate. I use this account to access all of my private shares. Just make sure that this user has correct permissions on the files and directories that are shared.

References

Samba Security and Troubleshooting at linuxhomenetworking.com

O’Reilly’s excellent online Samba book

Official Samba HOWTO collection