Cody Ross's picture

I'm experimenting with the File Server. I can successfully create shares for users that require a username and password. But in my environment, I need to have a folder available for generic, public use for any system attached to my LAN. It seems that even when I tell a share to not require a password, whenever a machine attempts to access that folder, it asks for username/password authentication.

What am I missing? BTW... I would like to be able to do this using the available GUIs as opposed to having to resort to the CLI. I need to have those unfamiliar with the CLI to be able to administer this.

Thanks... Cody

Jeremy Davis's picture

I've been flat out and now playing catch up...

Something to note: just like in Windows, there are 2 levels to Samba share permissions. One at the share level, the other at the file permission level. These 2 levels often get forgotten, as in Windows directories are often either shared or not and access is done via file permissions.

Personally in my use of Windows filesharing (using Samba) I do the same sort of thing. I grant users read access (or not) via Samba, then allow write access via file permissions.

TBH I'm not sure if any of that relates to your issue, but thought it worth sharing anyway...

TBH I'm not sure if Samba supports access without any credentials at all. AFAIK it does support guest access and also blank passwords, but you'd still need to log in with the guest account (i.e. username "guest" with no password).

Another thing to keep in mind is that in the Fileserver appliance, even though it includes Samba4, it uses the Samba3 style configuration. And that means that Samba users and Windows users are separate users which need to be synchronised. Samba4 uses a totally different method (which I haven't deeply investigated and can't tell you much about).

So what I suggest is that you create a share which is read/write to all and then set the file permissions on the corresponding directory to 777 and see how you go. You should be able to connect with that no problem. Then tighten down the screws so it is as secure as you need.

Cody Ross's picture

Thanks for responding.

My purpose in testing this was to see how it would work in an end user environment. I've set up some file servers using Linux Mint successfully which allowed for guest access to specific folders without the need for any authentication.

I have found that in most SMB environments, they need a mix of authenticated users and guest access. I was hoping to utilize this Turnkey Fileserver as such without having to install a full blown distro, but unless I can get unauthenticated guest access (without using CLI) to work, then it won't be a feasible solution for any of my end users.

Thanks Much!

Jeremy Davis's picture

It sounds like you are much more experienced and familiar with Samba than I am then! I'm a Linux guy so avoid Windows and all its trappings whenever possible! Most of my experience with Samba has come from testing TurnKey appliances and I have never used it in production. :)

FWIW Mint is based on Ubuntu; which is in turn based on Debian. And Debian is what TurnKey is based on. So in theory (mostly depending on version matches) the config that worked for you in Mint should also work on TurnKey.

However, I guess that the Mint config is handled by a GUI. So the trick will be working out what you need to do to get the unauthenticated access working as it should. Then work out how to allow that without requiring CLI commands. I still suspect that it is a combo of Samba config and file permissions; but I could well be wrong...

If you dig a bit deeper and find a solution using TurnKey, please share your secrets as I'm sure it would be valuable to all of us! :)

Cody Ross's picture

If I figure it out, I'll post the procedure.

Thanks again.

Jonathan Struebel's picture

I've done something similar to what you're trying to do. Jeremy is right, you do have to pay attention to the file permissions on the server so that it works the way that you expect. It's a little bit simpler if you only want un-authenticated access. I'll describe my setup where I allow anyone to access the share (both read and write all files), but I also have authenticated users and I want to keep them as owner of any files they create.

In the [global] section of the Samba configuration you need to have the following settings:

guest account = nobody
map to guest = bad user
acl allow execute always = true

The "guest account = nobody" specifies the local user account that is used for file permissions on the server. The "map to guest = bad user" setting is what allows un-authenticated users to access the server. The "acl allow execute always = true" setting will allow you to run .exe files directly from the share.

Under the share definition section of the Samba configuration I have the following settings:

[storage]
    guest ok = yes
    force group = users
    force create mode = 0060
    force directory mode = 0060
    comment = Public Share
    path = /srv/storage/data
    browseable = yes
    read only = no
    create mask = 0644
    directory mask = 0755

The "guest ok = yes" setting allows the guest account to access this share; it sounds like you've already figured that part out. To maintain the user permissions while allowing guest access, I use the "force group = users" to ensure that all files and folders in the share belong to the "users" group. The "force create mode = 0060" and "force directory mode = 0060" ensure that all files and directories are writable and executable by anyone in the "users" group. The "create mask" and "directory mask" settings allow you to disable certain permissions on files and folders.

You can set and change any of these settings through the Webmin GUI for the Samba Server.

In looking at my settings for the file and directory permissions, I don't understand why I don't force the read for groups and why I have read/write masked. It is working for me as I described, but you may want to adjust them to 0070 for the force settings and 0674/0775 for the masks. If you don't care about restricting access to a specific group, you can also just force the modes for everyone, so it would be 0006 in my settings.

Hope this helps you get it set up.
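
An added example, not part of the original thread: a small audit that computes the modes new files and directories receive under the share settings posted above, using the rule documented in smb.conf (mask is ANDed, force mode is ORed), and reports whether a guest-writable share creates world-writable files. The base modes 0666/0777 and the function names are assumptions made for this illustration.

```python
# Constructed from the settings quoted in the post above, so this runs offline.
SMB_CONF = """
[global]
    guest account = nobody
    map to guest = bad user
[storage]
    guest ok = yes
    force create mode = 0060
    force directory mode = 0060
    read only = no
    create mask = 0644
    directory mask = 0755
"""

# Assumption: modes requested before masking are 0666 (files) and 0777 (dirs).
BASE_FILE, BASE_DIR = 0o666, 0o777

def parse_conf(text):
    """Parse smb.conf-style text into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def effective_modes(share):
    """Return (file, dir) modes: (base AND mask) OR force mode."""
    def octal(key, default):
        return int(share.get(key, default), 8)
    f = (BASE_FILE & octal("create mask", "0744")) | octal("force create mode", "0")
    d = (BASE_DIR & octal("directory mask", "0755")) | octal("force directory mode", "0")
    return f, d

def audit(conf):
    """List guest-writable shares as (name, file mode, dir mode, world-writable)."""
    findings = []
    for name, share in conf.items():
        guest = share.get("guest ok", "no").lower() == "yes"
        writable = share.get("read only", "yes").lower() == "no"
        if name != "global" and guest and writable:
            f, d = effective_modes(share)
            findings.append((name, oct(f), oct(d), bool((f | d) & 0o002)))
    return findings
```

Running `audit(parse_conf(SMB_CONF))` on the posted settings gives 0664 for files and 0775 for directories; switching the force modes to 0006 makes both world-writable, which the last field flags.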

 
