Ticket #2129 (closed defect: fixed)
Can't access guest-only samba share!
| Reported by: | commi1993@… | Owned by: | cperez@… |
|---|---|---|---|
| Milestone: | 2.0.X | Component: | samba |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
Hey,
System: Ubuntu 10.04.1 with launchpad ppa for 1.5 and manually installed ebox (packet ebox from ppa and configured over web-page)
Problem: I've created a share - with guest access and no acls - the smb.conf has:
[Transfer]
comment = Dateitransfer
path = /home/samba/shares/transfer
guest only = yes
guest ok = yes
read only = No
browseable = Yes
force create mode = 0660
force directory mode = 0660
vfs objects = full_audit vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
but every time I want to connect from a Windows client it shows a login screen.
Some ideas? All ebox packages are up-to-date directly from the ppa/1.5
Attachments
Change History
comment:1 Changed 3 years ago by commi1993@…
- priority changed from normal to high
- Milestone 2.0 deleted
comment:2 Changed 3 years ago by jsoriano@…
- Severity changed from normal to major
- Milestone set to 2.0.X
Hi,
Sorry for the late response. We have confirmed this issue and found a couple of possible solutions, but we cannot assure that we will have it ready for 2.0.
Thanks for reporting!
comment:5 Changed 3 years ago by commi1993@…
Thanks for confirming this. It's really a problem that I can set up a guest share but still must log in :-/
Chance to see that in the next ebox-samba version?
comment:6 Changed 3 years ago by jacalvo@…
Yes, as you can see the milestone is set to 2.0.X, so we will fix it and release it for the 2.0 series as soon as possible.
comment:7 follow-up: ↓ 8 Changed 3 years ago by commi1993@…
Hey,
something new here? Is there a chance to see it this weekend? :)
comment:8 in reply to: ↑ 7 Changed 3 years ago by anonymous
Found the solution after 2 days digging & debugging & tcpdumping.
The magic option for samba is, in particular with windows 7 client:
map to guest = bad user
No reg file nor gpedit nor secpolicy for windows. Just that simple line.
comment:9 Changed 3 years ago by ineiti@…
Hi,
I added the line
security = share
in /usr/share/ebox/stubs/samba/smb.conf.mas
too bad it gets lost with the next update of ebox.
comment:10 Changed 3 years ago by jacalvo@…
Can you confirm whether adding security = share breaks the rest of the Zentyal samba module functionality? It would be great if you could describe your configuration a bit: what kind of shares you have, etc.
comment:11 Changed 3 years ago by commi1993@…
Hey
I thought there was already a solution ready, jacalvo?
I don't know if security = share is the best way - but the description for security = user is "A user needs to be logged in to use any service from samba", so security = user isn't the best way, right?
Are there some samba-nerds? :P
comment:12 follow-up: ↓ 13 Changed 3 years ago by ineiti@…
At least for the simplest use of Samba it works here: having a public share with everybody read/write access, and a private where one needs to have a username/password. Under Windows XP one has to "map network drive" in order to get it to work. Under MacOSX it works nicely.
I couldn't get the printer to work, though. But I saw other tickets which could be in relation to that one.
Is there a possibility that I keep my hack with newer versions of ebox? The last update overwrote my addition...
comment:13 in reply to: ↑ 12 Changed 3 years ago by anonymous
- priority changed from high to normal
Replying to ineiti@markas-al-nour.org:
> At least for the simplest use of Samba it works here: having a public share with everybody read/write access, and a private where one needs to have a username/password. Under Windows XP one has to "map network drive" in order to get it to work. Under MacOSX it works nicely.
> I couldn't get the printer to work, though. But I saw other tickets which could be in relation to that one.
> Is there a possibility that I keep my hack with newer versions of ebox? The last update overwrote my addition...
Thanks for the info. I add security = share to the section [global] in /usr/share/ebox/stubs/samba/smb.conf.mas and it works.
comment:14 Changed 3 years ago by commi1993@…
new samba-module updates but no bugfix for this problem??
No idea how to fix that? Or still testing?
comment:15 Changed 3 years ago by jacalvo@…
- Owner changed from jsoriano@… to jacalvo@…
- Status changed from new to assigned
Yes, the new version of samba module has been released to fix a problem in the backup restoration. This has not been included yet because we haven't had time to test it. You'll have to wait until the next version. Sorry for any inconvenience.
BTW, have you tried to add the "security = share" line at /usr/share/ebox/stubs/samba/smb.conf.mas ?
comment:16 Changed 3 years ago by commi1993@…
No,
does that change any functionality to the ebox-samba functions?
comment:17 Changed 3 years ago by jacalvo@…
- Status changed from assigned to closed
- Resolution set to fixed
Fixed in [19190]
Also released in 2.0.3 version.
comment:18 Changed 3 years ago by commi1993@…
- Status changed from closed to reopened
- Resolution fixed deleted
Not for me :-(
Windows login still appear :-/
What I've done: upgrade to samba 2.0.3 - go to zentyal UI - enabled guest-share's:
http://cl.ly/8f42885d730fb3ee976e
Set up a few permissions:
http://cl.ly/ac5e4c91fc3944238736
Saved - still login there...
I've set up a test share with only guest enabled and without any ACLs - the same. Every time a login box.
btw: http://cl.ly/450107491a857378baa9
Isn't both possible? This would be a nice feature, too.
comment:19 Changed 3 years ago by anonymous
try this:
map to guest = bad user
it solved my problems
comment:20 follow-ups: ↓ 21 ↓ 22 Changed 3 years ago by jacalvo@…
That's strange, according to the smb.conf manpage:
map to guest (G)
This parameter is only useful in SECURITY = security modes other than security = share and security = server
Anyway, we'll look at it.
comment:21 in reply to: ↑ 20 Changed 3 years ago by anonymous
Replying to jacalvo@ebox-platform.com:
> That's strange, according to the smb.conf manpage:
> map to guest (G)
> This parameter is only useful in SECURITY = security modes other than security = share and security = server
> Anyway, we'll look at it.
Thank you!
comment:22 in reply to: ↑ 20 Changed 3 years ago by anonymous
Replying to jacalvo@ebox-platform.com:
> That's strange, according to the smb.conf manpage:
> map to guest (G)
> This parameter is only useful in SECURITY = security modes other than security = share and security = server
> Anyway, we'll look at it.
I don't use pdc feature in ebox, and security parameter is not set...
security (G)
The default is security = user
So map to guest is useful!
comment:23 Changed 3 years ago by ineiti@…
After having some problems on Mac-computers with
security = share
I changed back to
security = user
map to guest = Bad User
which finally did what I expect it to do. Now, if I understand the whole sharing-thing correctly, this is what Windows will do:
1. send the current username and password to the server
2.a. if the username exists on Zentyal (samba), and the password is correct, access is granted
2.b. if the username exists on Zentyal (samba), but with a different password, an error will pop up, and the correct password has to be entered
2.c. if the username doesn't exist on Zentyal (samba), the "map to guest" takes over and puts the user as "guest account" (defaults to "nobody" which works fine on Zentyal), which has access, if "Guest sharing" is enabled in the Zentyal interface.
So depending on your configuration, "map to guest" might work or it might not - especially if the username you're using on windows also exists on Zentyal.
And I couldn't get it to work with a user on Windows that doesn't have a password...
comment:24 Changed 3 years ago by jacalvo@…
- Owner changed from jacalvo@… to cperez@…
- Status changed from reopened to new
comment:25 Changed 3 years ago by cperez@…
- Status changed from new to closed
- Resolution set to fixed
comment:26 Changed 3 years ago by commi1993@…
Thanks,
I'll try that and give response..
comment:27 Changed 3 years ago by commi1993@…
- Status changed from closed to reopened
- Resolution fixed deleted
Hey - doesn't work!
I have a guest share but there is no map to guest = bad user entry in my smb.conf after 2 updates!
I have to add it manually - and now it works!
My smb.conf.mas has the new if-line - but it seems that the variable is always false - so no map to guest was inserted.
Another bug? :)
Anyway, after adding it manually it works. But it had to write the config correctly, and Zentyal doesn't do that at this time.
comment:28 Changed 3 years ago by jacalvo@…
- Status changed from reopened to closed
- Resolution set to worksforme
Are you sure you are using the 2.0.4 version of the package?? Check it with "apt-cache policy ebox-samba".
The variable is not false if you have any share marked as guest on the interface... it works perfectly for me, the line is added to smb.conf after saving changes on the interface or executing "/etc/init.d/ebox samba restart"
Please, reopen only if you can provide a clear way to reproduce it.
Thanks for your testing efforts.
comment:29 Changed 3 years ago by commi1993@…
- Status changed from closed to reopened
- Resolution worksforme deleted
1) ebox-samba is up-to-date: http://cl.ly/12626dbd34bcdc6e2db4
2) My shares: http://cl.ly/be31b250938b61939af2
The shares which have "guest access" enabled have one ACL, but they're disabled because of the guest access.
3) Save.... samba was restarted..
4) Now Windows wants a login! Why? --> http://cl.ly/5a99b148880eeadbc2d2
Did you see any map to guest?
My smb.conf.mas says:
--> http://cl.ly/10176429ff2d9ff44010
but this isn't set up in the smb.conf after saving!
I've deleted the ACLs for the guest shares - no map to guest...
Sorry, but my Zentyal doesn't like the option :)
comment:30 Changed 3 years ago by jacalvo@…
Hi,
Let's try to debug your issue...
Could you please copy the attached script to your Zentyal server, execute it and paste the output?
If any error occurs during its execution, please have a look at /var/log/ebox/ebox.log to see more detail.
comment:31 Changed 3 years ago by commi1993@…
Same shares - same guest-settings enabled as shown in my picture above:
Checking share Transfer... guest. guestShares value = 1
comment:32 Changed 3 years ago by commi1993@…
Edit: in log:
Command output: .
Exit value: 2
2010/10/29 18:55:43 DEBUG> SambaShares.pm:310 EBox::Samba::Model::SambaShares::ANON - Couldn't enable ACLs for /home/samba/shares/backup
2010/10/29 18:55:43 DEBUG> SambaShares.pm:305 EBox::Samba::Model::SambaShares::createDirs - setfacl -m /home/samba/shares/filme and setfacl -m d: /home/samba/shares/filme
2010/10/29 18:55:43 ERROR> Sudo.pm:212 EBox::Sudo::_rootError - root command setfacl -m /home/samba/shares/filme failed.
Error output: setfacl: Option -m: Invalid argument near character 1
comment:33 Changed 3 years ago by jacalvo@…
- Status changed from reopened to closed
- Resolution set to worksforme
I get the same error, but it's not related, it still works for me even having ACLs on guest shares.
Maybe you have the File Sharing module disabled and that's why /etc/smb.conf is not being properly rewritten?
comment:34 Changed 3 years ago by jacalvo@…
In case the module is enabled, try to disable and enable it again. Maybe it will ask you for confirmation when saving changes due to the manual changes you made before...
comment:35 Changed 3 years ago by commi1993@…
Module is enabled - disabled and enabled it again - nothing...
Now I did a reboot - disabled all guest shares, saved it, enabled them again, saved - nothing!
Why is your tool listing only one share?
Checking share Transfer... guest. guestShares value = 1
I dont know where the error could be else...
comment:36 Changed 3 years ago by commi1993@…
- Status changed from closed to reopened
- Resolution worksforme deleted
I have found the thing that makes me angry:
In % if ($pdc) {
is: % if ($guest_shares) {
map to guest = Bad User
% }
but $pdc is false, because I don't have it enabled! So the content of the if for $pdc is never reached!
So, I think this is the mistake, ha! :P
correct me if i'm wrong.
comment:37 Changed 3 years ago by anonymous
you're not wrong
It has been said two or three time in this ticket, but not fixed
comment:38 Changed 3 years ago by commi1993@…
See: http://cl.ly/adee48d9b83aad5e77bc
I placed the if over the $pdc if - it works - wow, it's magical!
So, these are things which are overlooked - I'm a programmer, too, and I know such things, too ;)
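A check for the symptom tracked in this ticket, as an added example that is not part of the ticket or of Zentyal's code: it reads a generated smb.conf and reports guest shares that clients cannot reach as guest because [global] has no map to guest line under security = user. The sample configuration is constructed, and the Never default for map to guest is taken from the smb.conf manpage rather than from this page.

```python
TRUE = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """Minimal smb.conf reader: sections, key = value, # and ; comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and spaces in parameter names; values are
            # lowercased here only because this lint compares keywords.
            current["".join(key.lower().split())] = value.strip().lower()
    return sections

def lint(text):
    """Return findings about guest shares in a generated smb.conf."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    guests = [name for name, opts in sections.items()
              if name != "global" and opts.get("guestok", "no") in TRUE]
    findings = []
    security = glob.get("security", "user")    # default quoted in comment 22
    mapping = glob.get("maptoguest", "never")  # default per smb.conf manpage
    if guests and security == "user" and mapping == "never":
        findings.append("guest shares %s need 'map to guest = Bad User' in [global]" % guests)
    if guests and security == "share":
        findings.append("security = share is the workaround this ticket moved away from")
    for name in guests:
        if sections[name].get("readonly", "yes") not in TRUE:
            findings.append("share '%s' is writable by unauthenticated clients" % name)
    return findings

# Constructed sample (not the reporter's file): PDC disabled, so the template
# emitted no 'map to guest' line even though a guest share exists.
BROKEN = """[global]
    workgroup = EXAMPLE
[Transfer]
    path = /home/samba/shares/transfer
    guest only = yes
    guest ok = yes
    read only = No
"""
FIXED = BROKEN.replace("[global]", "[global]\n    map to guest = Bad User", 1)

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(conf))
```

The writable-share finding remains after the fix on purpose: with Bad User mapping, any client presenting an unknown username lands on the guest account, so a read/write guest share is open to every host that can reach the server.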
comment:39 Changed 3 years ago by jacalvo@…
Thank you very much for spotting it. Hope this fix will be the definitive :)
comment:40 Changed 3 years ago by jacalvo@…
- Status changed from reopened to closed
- Resolution set to fixed
comment:41 Changed 3 years ago by commi1993@…
Thanks,
I've tested it by manually changing the .mas - works fine, so I think this should do it, too :)

Hey, again.
Some updates here???