Novell Archives: archived content from Novell openSUSE support forums
Hi All,

Sorry to be a complete newbie here (again!), but I've been bashing my head against this configuration problem for ages, read numerous configuration files and am rapidly losing the one brain cell that I've got left. The various configuration systems (YaST and the localhost samba thingy) have not been working as they should, which has left me editing the smb.conf file by hand. The problem is, I'm getting it wrong ... oh, so wrong.

The situation I would like is this ... When someone connects to a share (whether Windows or Linux client) they are prompted for a user name and password. If they are found to be a member of the users group, then they are allowed through with the account's permissions from the system passwords. (I don't want to maintain a separate samba passwords file.) If they are not validated, they then pick up the permissions for the user "anonymous" and are let through with that account.

I wouldn't have initially thought this to be too hard, but now I'm starting to want to cry. If anyone can help me, it would save a grown woman from having yet another nervous Linux breakdown.

Here is what I've got so far ... (Oh, SuSE 10.1, by the way. The server is called Jaguar, in workgroup Big-Cats ... well, at least it isn't "the Simpsons", or "3rd rock from the sun", like it is at work!)

    [global]
        workgroup = BIG-CATS
        map to guest = Bad User
        guest account = anonymous
        server signing = auto
        printcap name = cups
        add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
        logon path = \\%L\profiles\.msprofile
        logon drive = P:
        logon home = \\%L\%U\.9xprofile
        domain master = No
        ldap ssl = no
        cups options = raw
        include = /etc/samba/dhcp.conf
        domain logons = No
        netbios name = jaguar
        security = user

    [mirror]
        path = /mirror
        writeable = yes
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        valid users = @users
        hosts allow = 192.168.0.0/255.255.255.0
        case sensitive = yes
        browsable = Yes
michelle@msknight.com wrote:
> When someone connects to a share, (whether Windows or Linux client) they
> are prompted for a user name and password. If they are found to be a
> member of the users group, then they are allowed through with the
> accounts permission from the system passwords. (I don't want to maintain
> a separate samba passwords file) If they are not validated, they then
> pick up the permissions for the user, "anonymous," and are let through
> with that account.

Is there something wrong with just having a "guest" account for this purpose? Samba is just like any other system (ftp, , if a user doesn't exist, it will actively reject it. You should only be configuring the front-end authentication in Samba. The permissions should be done on the filesystem side, not within samba as far as what you're trying to accomplish IMHO.

For /mirror chown it :users, and then set the "group" and "other" permissions accordingly. For instance,

    chown :users /mirror
    chmod 775 /mirror

that will make it so that anyone in the "users" group can read and write to the filesystem, and everyone else can read only. You can also do more advanced stuff with POSIX ACLs if your filesystem supports them.

-- 
Justin Grote
Novell Support Connection Sysop
Network Architect
JWG Networks
> Is there something wrong with just having a "guest" account for this
> purpose? Samba is just like any other system (ftp, , if a user doesn't
> exist, it will actively reject it. You should only be configuring the
> front-end authentication in Samba. The permissions should be done on the
> filesystem side, not within samba as far as what you're trying to
> accomplish IMHO.

Hi Justin,

At the moment, nothing is working. Windows clients are rejected immediately without asking for a user name or password. Other Linux clients are prompted for authorisation, but it fails every time.

I run a small community, where everyone who hooks up to it can access basic things, like HTML files for a community web site and stuff. However, behind that I need authentication so that certain people can change files and stuff. This is why I need it so that people who have no specific authorisation can still read files.

.... but with the configuration I posted, nothing is now working. The only way I can get it to work is if I set the guest account to an account that has read/write privileges, and give the GUEST = YES command in the share definition.

I've read so many configuration manuals on the web that my head is spinning. It should just work, but ... argh.
> You should only be configuring the
> front-end authentication in Samba.

Sorry - missed this. From what I've read, Samba should be taking all the authentication from the back-end, surely. I shouldn't have to specify another set of users in a sambapasswd.cfg thingy. ?

Don't tell me, I missed a comma somewhere. I missed a comma and the whole space ship has failed to launch.

(excuse my ramblings ... twenty years of computing and I get like this. So many of my problems are down to missed commas and misplaced full stops. It's the only way I can handle the insanity of it all!)
The only thing I don't like about this forum is that I can't edit things.

There is an account called "anonymous" which has specific rights. The directory structure is already set up with group and other ownerships, so that specific groups have specific access rights ... that has all been tested. It has all been done with the user manager as if I was creating users actually on the system (well, that is actually what I have done.) I didn't enable the specifically defined "guest" account deliberately in case I upset something that I don't yet understand.

The specific samba passwords file is empty. If I interpret what I have read correctly, SAMBA goes through a series of places to check, and how I understand it is that the Linux password file (or rather the background engine) is used for authentication somewhere down the chain. I understood that if the user failed to authenticate correctly, then the nominated account for the guest, specified in the global area, is then used instead (in my case, the account called "anonymous") .... or that is how I understood it.

As it happens, nothing seems to even be attempting authentication. Windows clients come straight back with access denied and Linux clients fail to authenticate (W2K in case you were wondering, so I shouldn't have any password encryption setting problems). I know I must be missing something, but I don't know what.
michelle@msknight.com wrote:
> At the moment, nothing is working. Windows clients are rejected
> immediately without asking for a user name or password. Other Linux
> clients are prompted for authorisation, but it fails every time.

OK, did you use smbpasswd to give the users Samba passwords? You have to do this, samba passwords can't be pulled directly from /etc/passwd because Samba uses an incompatible hashing mechanism.

> I run a small community, where everyone who hooks up to it can access basic
> things, like HTML files for a community web site and stuff. However,
> behind that I need authentication so that certain people can change files
> and stuff.

Why can't you just set the "others" access to whatever you need for those people with no specific group like users? that's what it's there for. for instance, say /mirror has the following subdirectories:

    /mirror/users
    /mirror/everyone
    /mirror/private

In users, members of the "users" group are allowed to read/write, and everyone else can read.
In everyone, everyone can read and write files.
In private, members of the "users" group can read/write, but everyone else can't see anything in the directory.

Just set the permissions like this:

    chown :users /mirror/users /mirror/everyone /mirror/private
    chmod 775 /mirror/users
    chmod 777 /mirror/everyone
    chmod 770 /mirror/private

and then set the umasks accordingly in smb.conf for each share.

Now if you need more complicated setups like "people from users can read/write, frank can only read, people from admins can read/write, and everyone else can't do anything" then you need to look into using Posix ACLs.

-- 
Justin Grote
Novell Support Connection Sysop
Network Architect
JWG Networks
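The three-directory layout Justin describes above, worked through as an added example (not code from the thread): it evaluates which bits of a POSIX mode apply to a given user (owner, group, or other) for the 775/777/770 directories, and shows how Samba's `create mask` and `force create mode` parameters (the "umasks" he mentions setting per share) shape the mode of a file written through a share. The uids, gids and the membership of the constructed users `michelle` and `anonymous` are demo assumptions, as are the default mask values quoted from Samba's documentation.

```python
"""Added example (not from the thread): who can do what on Justin's /mirror
layout under plain POSIX mode bits, plus Samba's per-share mask arithmetic.
All principals and numeric ids below are constructed for the demo."""

# Constructed principals: uid/gid values are arbitrary demo numbers.
USERS_GID = 100                                        # the 'users' group
USERS = {
    "michelle":  {"uid": 1000,  "gids": {USERS_GID, 1000}},  # member of 'users'
    "anonymous": {"uid": 65534, "gids": {65534}},            # guest account, not in 'users'
}

# Directory layout from the post after 'chown :users' and the three chmods.
TREE = {
    "/mirror/users":    {"uid": 0, "gid": USERS_GID, "mode": 0o775},
    "/mirror/everyone": {"uid": 0, "gid": USERS_GID, "mode": 0o777},
    "/mirror/private":  {"uid": 0, "gid": USERS_GID, "mode": 0o770},
}


def effective_rights(mode, owner_uid, owner_gid, uid, gids):
    """Classic POSIX check: exactly one bit-triple applies, chosen in the
    order owner -> group -> other. Returns the subset of {'r','w','x'}."""
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return {name for name, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}


def rights_for(user, path):
    """Rights of a constructed user on one directory of the demo tree."""
    entry, who = TREE[path], USERS[user]
    return effective_rights(entry["mode"], entry["uid"], entry["gid"],
                            who["uid"], who["gids"])


def samba_file_mode(requested, create_mask=0o744, force_create_mode=0o000):
    """Samba ANDs the client's requested mode with 'create mask' and then ORs
    in 'force create mode' (defaults are Samba's documented ones)."""
    return (requested & create_mask) | force_create_mode


def rwx(rights):
    return "".join(b if b in rights else "-" for b in "rwx")


if __name__ == "__main__":
    for path in TREE:
        for user in USERS:
            print(f"{user:10s} {path:18s} {rwx(rights_for(user, path))}")
    # A client asking for 0666 through a share with default masks gets 0644.
    print(oct(samba_file_mode(0o666)))
```

Running it shows the guest account getting `r-x` on /mirror/users, `rwx` on /mirror/everyone and nothing at all on /mirror/private, which is the policy the post describes; a share that should stay group-writable needs `create mask = 0664` (or similar) rather than the default, since the default mask strips the group write bit.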
michelle@msknight.com wrote:
> There is an account called "anonymous" which has specific rights. The
> directory structure is already set up with group and other ownerships, so
> that specific groups have specific access rights ... that has all been
> tested. It has all been done with the user manager as if I was creating
> users actually on the system (well, that is actually what I have done.)

You'll want to remove the valid users line then, because that means that ONLY members of the users group are allowed to access that partition. You want everyone to be able to access it, and then use permissions to set what they actually see. You probably don't need the "inherit" lines either. The server signing line may be messing things up too.

Also, you have to turn on the "guest ok = yes" for each share that you want the guest account to work. In this case, if people don't offer a specific username, it will use the "anonymous" account. However, if they offer specific authentication and are allowed in, they will still be that user. There is no way to make these users be the "anonymous" account short of doing a smbusers map file and do each user specifically:

    anonymous = Juser
    anonymous = Frank Willard
    anonymous = JDoe

-- 
Justin Grote
Novell Support Connection Sysop
Network Architect
JWG Networks
michelle@msknight.com wrote:
> then they are allowed through with the
> accounts permission from the system passwords. (I don't want to maintain
> a separate samba passwords file)

Then all of your system passwords have to be in cleartext somehow, because Samba uses an incompatible hashing scheme for its passwords. There's no way Samba can authenticate against /etc/passwd in the default crypt/blowfish/md5/etc. formats.

FYI, here's a samba config from one of my local media servers. Notice that you barely need anything fancy to get it working.

    [global]
        workgroup = valhalla
        server string = "Da Stylin' Media Server"
        hosts allow = 192.168.1.0/24
        security = user

    [homes]
        comment = Home Directories
        browseable = no
        writable = yes

    [music]
        path = /srv/media/music/masters
        comment = Masters Collection
        writable = yes
        valid users = rastan

    [video]
        path = /srv/media/mythvideo
        comment = MythTV Video
        writable = yes
        valid users = rastan

    [media]
        path = /srv/media
        comment = General Media
        writable = yes
        valid users = rastan

    [usbhd]
        path = /mnt/usbhd
        comment = USB Hard Drive
        writable = yes
        valid users = rastan

-- 
Justin Grote
Novell Support Connection Sysop
Network Architect
JWG Networks
Thanks Justin,

I'm starting to get there. I've used smbpasswd to create some accounts, and stripped off a lot of the stuff that SWAT put in there, and brought it more into line with what you were saying. The Linux clients are now working near enough as expected. The Windows clients, however, are somewhat different.

First of all, this is the new configuration...

    [global]
        workgroup = BIG-CATS
        guest account = anonymous
        guest ok = true
        printcap name = cups
        cups options = raw
        netbios name = jaguar
        encrypt passwords = yes

    [mirror]
        path = /mirror
        writeable = yes
        inherit permissions = yes
        inherit acls = yes
        inherit owner = Yes
        valid users = @users
        hosts allow = 192.168.0.0/255.255.255.0
        case sensitive = yes
        browsable = yes

.... but the problem with the windows clients is that the local accounts on the W2K machines won't match with any accounts held in the smbpasswd file.

Now, however, the Windows box is giving a username password challenge box on attempting to connect to the server, but is returning "The credentials supplied conflict with an existing set of credentials." It won't even connect with the anonymous account. I'm going to try the map to guest = bad user and see if that helps, but if that does map to the guest user account, then I've effectively got no way of changing the authentication ... I guess I've got to get over the error message and get the initial authentication working somehow.

Mind you, it's 11pm here, and I'm in for another nightmare of SMB configuration parameters!

Michelle.
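The settings the thread keeps circling (`map to guest`, `guest ok`, `valid users`, `writeable`) can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: a small smb.conf auditor that parses Samba's ini-style syntax (sections, `key = value` pairs, `#`/`;` comments, parameter synonyms such as `writable`/`writeable`), lets share-level values override `[global]` defaults, and reports per share whether an unknown user will be rejected rather than mapped to the guest account, whether `valid users` also fences off the guest account (Justin's point above), and whether guests get write access. The sample configuration is constructed from Michelle's second posting; the severity labels and the default of `map to guest = Never` are this example's own framing (the default is Samba's documented one).

```python
"""Added example (not from the thread): audit the guest/valid-users interaction
in an smb.conf. Sample config below is constructed from Michelle's posting."""
import re

SAMPLE_SMB_CONF = """
[global]
    workgroup = BIG-CATS
    guest account = anonymous
    guest ok = true
    netbios name = jaguar
    encrypt passwords = yes
    ; note: no 'map to guest' line, so Samba's default 'Never' applies

[mirror]
    path = /mirror
    writeable = yes
    valid users = @users
    hosts allow = 192.168.0.0/255.255.255.0
    browsable = yes
"""

# Parameter synonyms Samba accepts; fold each to one canonical spelling.
SYNONYMS = {"writable": "writeable", "write ok": "writeable",
            "browsable": "browseable", "public": "guest ok",
            "allow hosts": "hosts allow"}
TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased, synonym-folded keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current][SYNONYMS.get(key, key)] = value.strip()
    return sections


def as_bool(value, default=False):
    return default if value is None else value.strip().lower() in TRUE_WORDS


def effective(conf, share, param, default=None):
    """Share-level value wins; otherwise fall back to [global], then default."""
    return conf.get(share, {}).get(param,
                                   conf.get("global", {}).get(param, default))


def audit(conf):
    """Findings as (share, severity, message) tuples; empty list means clean."""
    findings = []
    g = conf.get("global", {})
    map_to_guest = g.get("map to guest", "Never").lower()   # Samba default
    guest_account = g.get("guest account", "nobody")         # Samba default
    for share in conf:
        if share == "global":
            continue
        guest_ok = as_bool(effective(conf, share, "guest ok"))
        valid_users = effective(conf, share, "valid users")
        writeable = as_bool(effective(conf, share, "writeable"))
        if guest_ok and map_to_guest == "never":
            findings.append((share, "error",
                "guest ok is set but 'map to guest' is Never (the default): an "
                "unknown user or bad password is rejected, never mapped to "
                f"'{guest_account}'"))
        if guest_ok and valid_users and guest_account not in valid_users.split():
            findings.append((share, "warning",
                f"valid users = {valid_users} limits the share to the listed "
                f"users/groups; guest sessions run as '{guest_account}', which "
                "is not listed explicitly (@group entries are not resolved "
                "here), so guest access is probably being denied"))
        if guest_ok and writeable and map_to_guest != "never":
            findings.append((share, "warning",
                "anonymous (guest) sessions can write to this share; consider "
                "read only = yes or a separate guest-only share"))
        if effective(conf, share, "hosts allow") is None:
            findings.append((share, "info",
                "no 'hosts allow': the share is reachable from any network"))
    return findings


if __name__ == "__main__":
    for share, severity, msg in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}] {severity}: {msg}")
```

On Michelle's second configuration the auditor reports two findings for `[mirror]`: the missing `map to guest` (so unmatched credentials are refused, which matches the challenge-then-failure she sees) and `valid users = @users` shutting out the guest account. A configuration that carries `map to guest = Bad User`, drops `valid users` from the guest share and keeps the share read-only comes back clean.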
michelle@msknight.com wrote:
> Thanks Justin,
>
> I'm starting to get there. I've used smbpasswd to create some accounts,
> and stripped off a lot of the stuff that SWAT put in there, and brought
> it more in to line with what you were saying. The Linux clients are now
> working near enough as expected. The Windows clients, however, are
> somewhat different.
>
> First of all, this is the new configuration...
>
> [global]
> workgroup = BIG-CATS
> guest account = anonymous
> guest ok = true
> printcap name = cups
> cups options = raw
> netbios name = jaguar
> encrypt passwords = yes
>
> [mirror]
> path = /mirror
> writeable = yes
> inherit permissions = yes
> inherit acls = yes
> inherit owner = Yes
> valid users = @users
> hosts allow = 192.168.0.0/255.255.255.0
> case sensitive = yes
> browsable = yes
>
> ... but the problem with the windows clients is that the local accounts
> on the W2K machines won't match with any accounts held in the smbpasswd
> file.
>
> Now, however, the Windows box is giving a username password challenge box
> on attempting to connect to the server, but is returning "The credentials
> supplied conflict with an existing set of credentials." It won't even
> connect with the anonymous account. I'm going to try the map to guest =
> bad user and see if that helps, but if that does map to the guest user
> account, then I've effectively got no way of changing the
> authentication ... I guess I've got to get over the error message and get
> the initial authentication working somehow.
>
> Mind you, it's 11pm here, and I'm in for another nightmare of SMB
> configuration parameters!

Michelle and Justin, forgive me for popping in but Michelle seems to be making this way harder than it needs to be. Here is my standard setting up Samba blurb, which works well for a small private home network (I usually have only 5 or 6 boxen on the network running XP Pro, Home, SUSE, and Win2k - sometimes Win98) and for 170 laptops connecting to a Samba file server at my kid's school. It's boilerplate, so forgive me for not tailoring it just to you. IIRC Win2k doesn't have Simple Sharing.

A note on user accounts: obviously at my home with only 3 or 4 user accounts, I don't mind making identical ones on all the boxen. For school, we use generic user accounts such as "student" and "teacher" so we don't need to maintain individual user accounts/passwords for each kid and each teacher. Something like that might work for you.

1. On Windows boxen, make sure all accounts are properly named (no ****ed spaces) and there are no null passwords. Configure any firewalls to allow lan traffic. Create shares as desired. Note that if any boxen are XP Pro, you should disable Simple Sharing (Folder Options>View).

2. On Linux, create identical user account/passwords with YaST.

3. Make sure you've installed Samba server/client with YaST.

4. Configure run levels so that the nmb and smb daemons start at bootup.

5. Now add your users to Samba. Make these match the ones on Windows. I think the easiest way is from the console, so open one, su to root, and type:

       smbpasswd -a username [enter]
       (enter password)
       (enter password again)

6. Go to YaST and set your Samba server and client Identity to match your Windows Workgroup name.

7. I use KDE, so if you use Gnome or another window manager you'll need to figure this next bit out yourself. Open up the Control Center and go to Internet/Network and then Samba. Click on the Administrator Mode (enter root password). I use User security level. Check to make sure Shares (these are for the Linux box of course) are the way you want them. Apply and close that part.

8. Click on File Sharing and enable Administrator Mode. Check "Enable local network file sharing". I have mine set on "Advanced sharing". Check the box for "Use Samba" rather than NFS.

And that's pretty much it. Now if you want to make a new share - say a folder that isn't in your /home, you can right-click it to set Sharing Properties. If all you want to share is your /home, you're done.

Another note: for the kids' laptops, we make a shortcut to the Samba server on their desktops so they can download handouts, upload homework, etc. We don't map the drive because Windows will spend time looking for a non-existent network resource when the laptop is not at school.

Note: To use a Linux firewall w/Samba - If you do not have WINS on the network, then your network is relying on broadcasted browser announcements for NetBios resolution. Configure your firewall to allow NetBios broadcasts, with UDP and TCP ports 137-139 open.

HTH and again, I hope you didn't mind my putting in my oar. :-)

Malke
-- 
"I have a cunning plan..."