samba authentication dolphin/konq

Hi,

I have a server with a single samba share on it (just playing at the moment).
This server has a user called “foo” with password “bar”.
“foo” is in the group “testgroup”
samba is configured for local user auth (not anonymous/open).

Server:
Directory: /mnt/Music (owned by root, group testgroup, permissions rwx-rwx-r-x)

The share is defined as browseable, inherit permissions (so that files created belong to the testgroup group) and allow anonymous (anon is mapped to nobody)

In dolphin, I go to smb://nas/Music
I can see the files in there, but I cannot add/delete/edit anything. Fine, because I’m not authenticated

I then go to smb://james@nas/Music
I expect to get asked for james’s password, but I’m not & again I’m in as anonymous!

If I modify the share to NOT allow anonymous access, and then visit smb://nas/Music I am asked for a username & password which I supply and then I get full write access. The path also changes to smb://james@nas/Music/

It seems I can’t get dolphin (or konq, tested that too) to access the share WITH AUTHENTICATION if the share is configured to allow anonymous access.
I’d like authorised users to be able to write to the share, but also allow anyone (random friends) to read it.

I can post conf files if required. btw, the server is a freenas box.

bump, sorry.

I don’t have an exact fix for you, but I found this:

There are a number of ways in which a user can connect to a service. The server uses the following steps in determining if it will allow a connection to a specified service. If all the steps fail, the connection request is rejected. However, if one of the steps succeeds, the following steps are not checked.
If the service is marked “guest only = yes” and the server is running with share-level security (“security = share”), steps 1 to 5 are skipped.

1. If the client has passed a username/password pair and that username/password pair is validated by the UNIX system's password programs, the connection is made as that username. This includes the \\server\service%*username* method of passing a username.
2. If the client has previously registered a username with the system and now supplies a correct password for that username, the connection is allowed.
3. The client's NetBIOS name and any previously used usernames are checked against the supplied password. If they match, the connection is allowed as the corresponding user.
4. If the client has previously validated a username/password pair with the server and the client has passed the validation token, that username is used.
5. If a user = field is given in the smb.conf file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames from the user = field, the connection is made as the username in the user = line. If one of the usernames in the user = list begins with a @, that name expands to a list of names in the group of the same name.
6. If the service is a guest service, a connection is made as the username given in the guest account = for the service, irrespective of the supplied password.

It was located here: smb.conf

And other good places to look include: openSUSE SuSE Linux HOWTOs and Tutorials by Swerdna and for setting up SWAT look here: Samba S.W.A.T. - Samba Web Administration Tool Setup for openSUSE - Blogs - openSUSE Forums

You could always post a copy of your smb.conf for us to look at. Open a terminal session and type the command:

cat /etc/samba/smb.conf

Post it into a forum message here using the Advanced message editor, highlight the posted text and press the # code block command so it looks like the code field above.

Thank You,

Hi James

Thanks. Here is my smb.conf on the server (the freenas box):

smb.conf with anonymous access enabled (not guest only):


[james@nas ~]$ cat /usr/local/etc/smb.conf
[global]
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    read raw = yes
    write raw = yes
    oplocks = yes
    max xmit = 65535
    deadtime = 15
    display charset = LOCALE
    max log size = 10
    syslog only = yes
    syslog = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    getwd cache = yes
    guest account = nobody
    map to guest = Bad Password
    netbios name = nas
    workgroup = WORKGROUP
    server string = FreeNAS Server
    use sendfile = yes
    large readwrite = no
    store dos attributes = yes
    local master = yes
    time server = yes
    security = user
    create mask = 0600
    create mask = 0600
    directory mask = 0700
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
    aio read size = 1
    aio write size = 1


[Music]
    path = /mnt/Data/Music
    printable = no
    veto files = /.snap/.windows/
    writeable = yes
    browseable = yes
    inherit owner = no
    inherit permissions = yes
    vfs objects = zfsacl 
    guest account = nobody
    guest ok = yes
    inherit acls = Yes
    map archive = No
    map readonly = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes

And again this time without anonymous access enabled:


[james@nas ~]$ cat /usr/local/etc/smb.conf
[global]
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    read raw = yes
    write raw = yes
    oplocks = yes
    max xmit = 65535
    deadtime = 15
    display charset = LOCALE
    max log size = 10
    syslog only = yes
    syslog = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    getwd cache = yes
    guest account = nobody
    map to guest = Bad Password
    netbios name = nas
    workgroup = WORKGROUP
    server string = FreeNAS Server
    use sendfile = yes
    large readwrite = no
    store dos attributes = yes
    local master = yes
    time server = yes
    security = user
    create mask = 0600
    create mask = 0600
    directory mask = 0700
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
    aio read size = 1
    aio write size = 1


[Music]
    path = /mnt/Data/Music
    printable = no
    veto files = /.snap/.windows/
    writeable = yes
    browseable = yes
    inherit owner = no
    inherit permissions = yes
    vfs objects = zfsacl 
    inherit acls = Yes
    map archive = No
    map readonly = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes

I will look at this tonight and give a more detailed answer to your post. It’s early Monday morning here in Austin and I’m just looking to see what went on during the night.

Thank You,
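
An added example (not from the thread, Samba or FreeNAS): a small Python audit of the guest-related settings in the first smb.conf posted above. The embedded config is a constructed excerpt of that file, the function names are this example's own, and only `map to guest`, `guest ok`/`public`, `guest account` and `writeable`/`read only` are inspected.

```python
# CONSTRUCTED sample: the guest-relevant lines of the first smb.conf posted above.
SAMPLE = """
[global]
    security = user
    guest account = nobody
    map to guest = Bad Password
[Music]
    writeable = yes
    guest ok = yes
"""

def norm(name):  # smb.conf parameter names ignore case and embedded whitespace
    return "".join(name.lower().split())

def yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def parse(text):  # returns {section: {normalised parameter: value}}; later duplicates win
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = line.split("=", 1)
            section[norm(key)] = value.strip()
    return conf

def writable(params):  # "writeable"/"writable"/"write ok" invert "read only" (default yes)
    for key in ("writeable", "writable", "writeok"):
        if key in params:
            return yes(params[key])
    return not yes(params.get("readonly", "yes"))

def audit(text):
    conf = parse(text)
    glob = conf.get("global", {})
    findings = []
    if norm(glob.get("maptoguest", "Never")) == "badpassword":
        findings.append(("global", "wrong password for a real user is silently mapped to guest"))
    for name, share in conf.items():
        params = {**glob, **share}  # share-level settings in [global] act as defaults
        guest = yes(params.get("guestok", params.get("public", "no")))
        if name != "global" and guest and writable(params):
            account = params.get("guestaccount", "nobody")
            findings.append((name, f"guest writes are blocked only by filesystem permissions for '{account}'"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The second finding matches what the thread observes: guest connections to the share are read-only because of the directory's mode and group, not because Samba restricts them.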

And this is what happens:

Server: freenas


[james@nas ~]$ ls -las /mnt/Data/Music 
total 6
2 drwxrwxr-x   4 root   w_music   4 Jan 27 15:30 .
2 drwxrwxr-x  10 root   wheel    10 Jan 27 13:40 ..
2 drwxrwxr-x   2 james  w_music   2 Jan 27 13:42 df
2 drwxrwxr-x   2 danni  w_music   2 Jan 27 15:30 ffff

[james@nas ~]$ id james
uid=1002(james) gid=65533(nogroup) groups=65533(nogroup),0(wheel),20(staff),1002(w_video),1003(w_music),1004(w_tv),1005(w_photos)

Client: openSUSE 12.1

With Anonymous allowed on share (not guest only):


Open dolphin
go to smb://nas/Music
dolphin displays the files in that share.  I can read only (using anonymous access)
Close dolphin

Log out & log back in

Open dolphin
go to smb://james@nas/Music
dolphin displays the files in that share.  I can read only (assume using anonymous access)
**I expected to be challenged for james's password here, but was not.**

Edit share on server to turn off anonymous access. Restart smb service.
Log out & log in on client:


Open dolphin
go to smb://nas/Music
dolphin prompts for username & password
I supply user **james**, password ***
Dolphin lists the files on the share.  I can read & write & delete files.
Also, address in dolphin changes to smb://james@nas/Music/
Close dolphin

Log out & log back in

Open dolphin
go to smb://nas/Music
dolphin prompts for username & password
I supply user **danni**, password ***
Dolphin lists the files on the share.  I can read & write & delete files, including the one that was created with user james above.
Address in dolphin changes to smb://danni@nas/Music/

I guess I need to know how to force dolphin to connect using a username & password even though the share does allow anonymous access as well.
How might I go about supplying a username & password to dolphin?

smb://james:password/nas/Music does not work either…

Thanks for having a look for me - I appreciate it. I’m not sure what is going wrong, other than I am not accessing the share in the correct way, as from your post above it seems like it should work.

So what if you tried something more simple for nas like below?

[global]
    workgroup = WORKGROUP
    netbios name = nas
    server string = FreeNAS Server
    security = user
**    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private**
    guest account = nobody
    map to guest = Bad User
    name resolve order = bcast host lmhosts wins
    preferred master = Auto
    local master = yes
    domain master = No
    time server = yes
    wins support = No
    usershare allow guests = Yes
    usershare max shares = 100
    write raw = yes
    read raw = no

[Music]
    path = /mnt/Data/Music
    veto files = /.snap/.windows/
    writeable = yes
    browseable = yes
    guest ok = yes
    inherit acls = Yes
    use sendfile = yes

Can’t really determine if the two items shown in bold are correct or not. I wonder if you go to the server and try to use the shared folder as a standard user. Can you use it or must you be root to do so? I only ask because I normally make sure a standard user on the PC with the share can access the share and not be required to be root. So, just a couple of things to look at.

Thank You,

Hi,

I used your config above - I left a few other bits in, specifically I left in the “vfs objects = zfsacl” on the share, and I left out the part about “usershare” from Global.
Reason being, this is a freenas box running bsd and the share is located on a zfs filesystem. I thought it best to leave the zfs part in :)

Anyway, did that & restarted smb service.

I went to the laptop and visited smb://james@nas/Music
I wasn’t asked for a password, and again I am read only (so I assume that is anonymous access)

So, I edited smb.conf once again and simply removed the line “guest ok = yes” from the share. I restarted the service.
Visited smb://james@nas/Music again in dolphin, and was asked for the password for james (the username was already filled in). This time I got full rw access.

I may be being a bit naive, but it appears that dolphin simply won’t authenticate to a share if it can use anonymous instead. It is almost as if it is doing it backward, ie:
Can I get anonymous access? Yes? Ok, use then
No? Try authenticated access

Instead of:
Can I use authenticated access (has user passed a username in the url)? Yes? Ok ask for user/pass
No? Ok, try anonymous

As for accessing the shared directory as a local user, I logged in via ssh as james, cd to /mnt/Data/Music & did:
touch foo.txt

The file was created, but it has permissions
owner:rw, group:r, others:r (-rw-r--r--)
instead of
owner:rwx, group rwx, others rx (-rwxrwxr-x)

I think that is expected though? I can also delete any file in there as a local user & create directories too.

May be time to restate my objectives here, in case there is a simpler way of doing it:

I would like to share this folder (Music) such that:
Me & my wife, on our separate laptops with separate users, have full access (rw) to the share via some authentication method, and be able to modify/create any file regardless of who originally created it.
I would like to share that same folder with read only access so that I can point a dumb device at it to list & play the music (a media player box).
The media player box can only use cifs, and I don’t want it to need a password.

I have the following available to me:
cifs
nfs (I don’t know how to do shared perms here though)
ssh (I could use sshfs I guess, although would I run into shared permissions problems)
iSCSI (no idea…)

At some point I’d also like to get the mounting done automagically on the laptops, thinking autofs for that.

Well having googled this for a few days now, I can’t seem to find anyone with similar issues.

So this means either there’s something wrong with my setup that everyone else has avoided, or no-one is trying to do what I’m doing.

As a simple workaround for it, I’m just going to create an Anonymous user with read permissions and log in as that. Hopefully the media box that I want to connect will be able to use authentication :)

So I set up Samba on every Linux computer I work on, but the usage seems to be either open to all or require a password. That is not to say what you want can’t be done, but as you noted, no one else has popped in with a solution so far, though there is still time for another response.

Thank You,

Just a quick question then, do you use NFS at all?

If I wanted to set this up using NFS, would I need to bugger about with uids & gids (ie make sure they are uniform across the server & both laptops) in order for permissions to work correctly?

I was thinking I could do rw via nfs, and set up all cifs shares as anonymous only, but I do not know how permissions work in NFS regarding usernames/uids and groups/gids

If all computers are Linux, then NFS is likely what you should use. Permissions on Linux drive types work the same local or remote. If you have to be root local, well so should it be remotely. If you have remote users, they need to be in the user database locally. Strictly speaking for me, all PCs are desktops and not servers per se and so I am not sure if there are shortcuts for such setups, but if there are no Windows PCs, consider going NFS.

Thank You,

Both our laptops are linux (openSUSE for me & ubuntu for the wife) so I was thinking NFS. There would still need to be at least read-only cifs access as well.

Do you know of a from-basics NFS guide that includes setting up an nfs export that two different users have rw access to by chance?
I’m a real newbie when it comes to NFS!

Here are a couple of links I found on the subject:

Chapter

openSUSE 12.1: Chapter

Thank You,