Samba share setup

bigbigpig
I'm having trouble finding out how to set up samba file sharing to allow everyone read access but certain users write access.  I had imagined this would be done by setting up 2 shares; the first called "share" being read only accessible to anyone on my network, and the second called "share2" going to the same directory but having write access to certain users.  How is this done?
Sudeep SharmaTechnical Designer

Commented:
Could you post the smb.conf file here so that we could suggest specific queries, and also let us know what you are trying to achieve with your configuration?

Sudeep

Author

Commented:
Here's the smb.conf.  It's pretty much the example conf that comes in the debian package but I changed security=user and put a shared folder just to test it.

I'd like to drop some images in a directory... say /home/shares/images and let everyone read it.  Then allow only a few users access to modify that content or add new content.
[global]
   workgroup = WORKGROUP
   server string = %h server
   dns proxy = no

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = user
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes

#======================= Share Definitions =======================

[shared]
   comment = Shared network directory
   path = /home/shares/allusers
   valid users = @users
   force group = users
   create mask = 0660
   directory mask = 0771
   writeable = yes

Sudeep SharmaTechnical Designer

Commented:
Are you able to see the folders from the windows machine when you do

\\ip address\

or

\\hostname\ ?

You are using PAM for the authentication here, so you would need to create those users in Linux who are going to access the Samba share on Linux.

Also you have shared only one folder and a group named "user" (valid users = @user) has been given the access to write on that folder. So when you add any new user to the Linux machine you would need to assign a group named "user" (without quotes) to that user.

To create the folder readable with no write access make another section in shared and change the following:

directory mask = 0551
writable = no

"create mask" would not be required since these users on second share are not going to write anything.

Also you would need to specify a different "valid users" and "force group" and the member of this new group would only have the read-only access.

Sudeep

Author

Commented:
I see what you're saying but I'm looking for the read-only share to not require authentication.  Anyone on the network should be able to read the contents of the share without being prompted for authentication.  Sorry I wasn't more clear when phrasing the question, and thank you for your help.
Add this line to your share:

 guest ok = Yes

so it would look like this:

#======================= Share Definitions =======================

[shared]
   comment = Shared network directory
   path = /home/shares/allusers
   valid users = @users
   force group = users
   create mask = 0660
   directory mask = 0771
   writeable = yes
Oops... Sorry, I mean look like this:

#======================= Share Definitions =======================

[shared]
   comment = Shared network directory
   path = /home/shares/allusers
   valid users = @users
   force group = users
   create mask = 0660
   directory mask = 0771
   writeable = yes
   guest ok = yes
This is from the man page:

usershare allow guests (G)

    This parameter controls whether user defined shares are allowed to be accessed by non-authenticated users or not. It is the equivalent of allowing people who can create a share the option of setting guest ok = yes in a share definition. Due to its security sensitive nature, the default is set to off.

    Default: usershare allow guests = no

Author

Commented:
I get prompted for authentication with this setup.  In the [global] section of the smb.conf I have security = user.  If I change that to 'share' then it doesn't prompt for authentication.

[shared]
   comment = Shared network directory
   path = /home/shares/allusers
   valid users = @users
   force group = users
   create mask = 0660
   directory mask = 0771
   writeable = yes
   guest ok = yes
Sudeep SharmaTechnical Designer

Commented:
>> I see what you're saying but I'm looking for the read-only share to not require authentication.
If you are not authenticating any user then there is no need for "force group" and "valid users", and make sure writable = no since you don't want anyone to write to the share.

[shared]
   comment = Shared network directory
   path = /home/shares/allusers
   directory mask = 0771
   writeable = no
   guest ok = yes

Sudeep

Author

Commented:
Ok I have these 2 shares set up.  In the global section if I change 'security = user' then I get prompted for authentication as soon as I enter the UNC path \\servername.  If I change 'security = share' then I can see the shares under the UNC path \\servername, and I can read all the data in 'shared'.  But I get an error when trying to open the 'shared2' share.

[shared]
   comment = Shared network directory
   path = /home/shares/allusers
   valid users = @users
   force group = users
   create mask = 0660
   directory mask = 0771
   writeable = yes

[shared2]
   comment = writeable share
   read only = yes
   guest ok = yes

Author

Commented:
Several typos above... disregard that entire post.  I can't seem to edit or delete it.
Sudeep SharmaTechnical Designer

Commented:
No issues with the wrong post.

Anyways, are you still facing issues?

Sudeep

Author

Commented:
We might be getting close... here's my config, only showing the security setting in the global section.

[global]
   security = share

[shared]
   path = /home/shares/allusers
   read only = yes
   guest ok = yes

[shared2]
   path = /home/shares/allusers
   writeable = yes


With this I can see the shares when I go to the path \\servername.  This is perfect.  I can open the 'shared' share and see all the data without being prompted for authentication.  This is perfect.  When I open 'shared2' I get prompted for authentication (yay!) but the user name field is disabled (grayed out) and the Guest ID is stuck there (no!).  I need to be able to put my user name and password there so I can modify the files.

The workstation I'm testing from is Windows XP.
Sudeep SharmaTechnical Designer

Commented:
> [shared2]
>    path = /home/shares/allusers
>    writeable = yes

To make this work, you would first need to add some user to Samba so that you can authenticate it.

So you need to add the user first in Linux (a Linux user), then add the same user for Samba authentication.

1. Let's say you add a user named "power"; the command would be:
useradd power

2. Now here it depends if you want the user to have access to Linux or not. If you want him to access the Linux box, give some password for the user, else skip this step and move to point 3. The command to give a password for Linux access would be:
passwd power
You would get
New Password
Confirm Password

3. To let this user have the access to the Samba share, give the command
smbpasswd -a power
You would get
New password
Confirm password

4. Now change the smb.conf to let this user have the write access to the folder
[shared2]
   path = /home/shares/allusers
   valid users = power
   writeable = yes
As far as the prompt for the password is concerned, I believe that you tried to access both the folders from the same Windows machine and hence it has saved the password for you. So you need to clear the password from the cache, or you could add the share folder as a mapped drive and give a different username and password for it.

Sudeep

Author

Commented:
I followed these steps but I still get the authentication window with servername\Guest as the user name and the field is disabled.  The only thing to note here is that I used an existing user account, we'll call 'user1', so I skipped steps 1 and 2.  I started with step 3 giving 'user1' an SMB password.

Author

Commented:
Here's my whole smb.conf file for another look.

[global]
   workgroup = WORKGROUP
   server string = %h server
   dns proxy = no

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = share
   guest account = nobody
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes


[shared]
   path = /home/shares/software
   read only = yes
   guest ok = yes

[shared2]
   path = /home/shares/software
   valid users = user1
   writeable = yes

Sudeep SharmaTechnical Designer

Commented:
Are you trying to access both the shares on same windows machine?

Sudeep

Author

Commented:
Yes.
Technical Designer
Commented:
Ok, so for the read-only share you click on Start --> Run and type \\ip address\shared and you would get the read-only share. No issue here. Right!!

Now from the same machine if you want to write something on the share which is on same ip address you would need to do the following:

1. On your Desktop, right-click on My Computer and select "Map Network Drive"

2. A new window would open and it would have two columns, Drive and Folder. Drive would have the letter Z: on it, and in Folder type the share address, i.e. \\ip_address\shared2

3. Now before clicking Finish on this window you would see a link which says "different user name."

4. Click on it and it would ask for the username and password that you want to use for the share \\ip_address\shared2

5. Once the username and password are typed, click OK on this window and click Finish on the other window behind it to finish the setup. Now open My Computer by double-clicking on it and you would see a new drive named Z:. Now copy the stuff you want to shared2

Sudeep

Author

Commented:
Sorry this went ignored.. I've been out for a few days.  That worked.  My desire was to go to \\servername and see the list of shares.  When "shared" is opened it would allow anyone to read.  Then the user could go back to \\servername, open "shared2" and it would prompt for logon credentials.  It appears that it's not possible, at least using Windows XP, because after I've already visited "shared" and try to go to "shared2" it pre-fills the user name with SERVER\Guest and won't let me change it.  Thank you for your responses and for the working solution.
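
Added example, not part of the thread: a small Python audit of an smb.conf that reports which shares combine guest access, write access and "valid users" in the ways tried above, and flags "security = share", which was removed in Samba 4.0. The function names and finding strings are this example's own, and the sample config is constructed from the shares posted in the thread.

```python
import re

TRUE = {"yes", "true", "on", "1"}
WRITE_SYNONYMS = {"writeable", "writable", "write ok"}  # inverted "read only"

def parse_smb_conf(text):
    # Returns {section: {key: value}}; per-share only, [global] defaults are not inherited.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in WRITE_SYNONYMS:  # normalise to "read only"
                key, value = "read only", "no" if value.lower() in TRUE else "yes"
            current[key] = value
    return sections

def audit(text):
    conf = parse_smb_conf(text)
    security = conf.pop("global", {}).get("security", "user")
    out = [("global", "security = share (removed in Samba 4.0)")] if security.lower() == "share" else []
    for name, opts in conf.items():
        guest = opts.get("guest ok", opts.get("public", "no")).lower() in TRUE
        read_only = opts.get("read only", "yes").lower() in TRUE
        restricted = bool(opts.get("valid users"))
        if guest and restricted:
            out.append((name, "guest ok combined with valid users"))
        elif guest and not read_only:
            out.append((name, "guest-writable"))
        elif not read_only and not restricted:
            out.append((name, "writable by any authenticated user"))
    return sorted(out)

# Constructed sample: the final [shared]/[shared2] pair from the thread, trimmed.
SAMPLE = """[global]
security = share
[shared]
read only = yes
guest ok = yes
[shared2]
valid users = user1
writeable = yes
"""
print(audit(SAMPLE))
```

Filesystem permissions on the exported directory still apply on top of whatever the share definition allows, so a share with no finding here can still be unwritable or unreadable on disk.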
