• Status: Solved

need password for some samba mounts, no password for others

I want to have a samba mountpoint that requires no ID/password if mounted from the LAN, but does require a user ID and password if mounted from outside. My current configuration is shown below. This works fine for the internal LAN mountpoint 'webcontent': intra-LAN mounting does not require a PW, and access is denied outside of 192.168.2.

The problem is that I can mount the externally accessible mountpoint 'website' from outside the LAN, also without entering a password. This is bad! I added the 'security = users' directive to the 'website' mountpoint configuration, but that didn't help.

How can I do what I want? I'd like to use the same user ID for both (smith) to keep created file ownership consistent.

[global]
   workgroup = WORKGROUP
   security = share
   guest account = smith
   log file = /var/log/samba.%m
   max log size = 50
   dns proxy = no

[webcontent]
   hosts allow = 192.168.2.
   hosts deny = ALL
   path = /shared/folder
   writable = yes
   browsable = yes
   printable = no
   public = yes
   guest ok = yes
   guest only = yes
   guest account = cantleys
   create mask = 0002

[website]
   path = /shared/folder
   security = user
   valid users = smith
   writeable = yes
   browseable = yes
   printable = no
   public = yes
   create mask = 0002


Asked by jmarkfoley
1 Solution
 
arnold commented:
When you say you can mount without a password, did you open up a port on the firewall to allow the access, or is the access via a VPN?
The connection via VPN
You have guest allowed.

Not sure what it is you are trying to do; an alternative might be to use a web-based document management interface that will provide version control of changed documents as well as managed access to the data.
 
jmarkfoley (author) commented:
I'm going through a firewall, no VPN.

I have guest allowed because I believe I need that in order to have mounting with no password.

What I'm trying to do is simply permit /shared/folder to be accessed by 'smith' inside 192.168.2. without an ID/PW and this same folder to be accessed outside 192.168.2 using a ID/PW. I.e. password not needed inside the office, password needed outside.

I just want to map the drive. I don't need a document management system.
 
arnold commented:
Set up two paths to the same resource.
One accessed locally, the other remotely.
Locally no password, remotely with password.
The problem is there is no way to force a user who internally uses one to use the other remotely.

You could look into using NTLM within samba.
http://www.linuxquestions.org/questions/linux-security-4/samba-and-ntlmv2-authentication-536973/

Locally it will auto-authenticate, while remotely it will prompt the user for a password when NTLM authentication is not available.
 
jmarkfoley (author) commented:
Did you look at the current smb.conf I posted? I *think* I have 2 paths to the same resource, but neither ask for a password. What do I need to do to get the 'website' config to ask for a password?

I am using the samba password file, not NTLM, and I am not authenticating with a Windows domain, just a plain ol' Linux machine hosting the samba mount with Windows workstations mapping the drive.
 
arnold commented:
Your major issue is that you define your guest account in the global section as smith
guest account = smith

You then specify that the only user who has access to the website related share is smith:
valid users = smith
 
jmarkfoley (author) commented:
so, how would I fix this? I'd like both the remote, password required user to be smith AND the local, no password user to also be smith. Is that possible? How would I modify my smb.conf?
 
arnold commented:
You could try what you are doing within the local guest account = cantleys while removing the global definition of the global guest account mapping to smith.
Look at the samba log
/var/log/samba.*
 
jmarkfoley (author) commented:
I modified my smb.conf as shown below. This modification made it so that I have to specify a password either locally (webcontent) or remotely (website), so that's not quite it. I want webcontent to be accessible on the 192.168.0.2 subnet w/o password and website accessible outside 192.168.0.2 with password. Suggestions?

[global]
   workgroup = WORKGROUP
   log file = /var/log/samba.%m
   max log size = 50
   dns proxy = no

[webcontent]
   security = share
   guest account = smith
   hosts allow = 192.168.2.
   hosts deny = ALL
   path = /shared/folder
   writable = yes
   browsable = yes
   printable = no
   public = yes
   guest ok = yes
   guest only = yes
   create mask = 0660

[website]
   path = /shared/folder
   security = user
   valid users = smith
   writeable = yes
   browseable = yes
   printable = no
   public = yes
   create mask = 0660

 
jmarkfoley (author) commented:
more info: The samba.smbd log shows complaints about putting the security and guest account parameters in the service sections versus the Global section:

Global parameter security found in service section!
Global parameter guest account found in service section!

Perhaps I misunderstood what you suggested I do. I've removed these. My current configuration is below. So, is there, or is there ain't, a way to configure what I want to do without using NTLM?

I'll repeat my desire: I want [webcontent] to be accessible on the 192.168.0.2 subnet as user ID smith w/o password, and [website] accessible outside 192.168.0.2 as user ID smith with password. Doable? How?

[global]
   workgroup = WORKGROUP
   security = share
   load printers = no
   printcap name = /dev/null
   printing = bsd
   disable spoolss = yes
   guest account = smith
   log file = /var/log/samba.%m
   max log size = 50
   dns proxy = no

[webcontent]
   hosts allow = 192.168.2.
   hosts deny = ALL
   path = /shared/folder
   writable = yes
   browsable = yes
   printable = no
   public = yes
   guest ok = yes
   guest only = yes
   create mask = 0660

[website]
   path = /shared/folder
   valid users = smith
   writeable = yes
   browseable = yes
   printable = no
   public = yes
   create mask = 0660

 
arnold commented:
If you want to have website require a password while webcontent denies all,
do one of the following.
Either define the guest account in the global section as anything other than smith (currently smith is the required user to gain access to the website share),
or change the valid users parameter in the website section to be anything other than smith (which is currently what the guest account represents).

For purposes of illustration.

There are two doors into a room. You advised the guards at door one to treat all guests as SMITH. You then tell the guards at door number two that they can only let SMITH in.
Rule one: anyone accessing door one following a certain path is a guest and is automatically accepted and allowed in.

Now I do not follow the path to door one; I get to door two. When the guards ask for my name, I say I am a guest. Will the guards let me in or not? (By your settings, the guards at door two, having been present at the initial meeting where you directed them to treat all guests as SMITH, will/should assign a person claiming to be a guest the same rights as they would if I said, "I am SMITH".)
 
jmarkfoley (author) commented:
OK, looks like we have a winner! Here's what I did: I understood from the last posting (ID: 38344326) that the same user cannot both log in as a guest AND as a user requiring a password, correct? So I created a new user, guest, in /etc/passwd with the same UID and GID as smith (using the 'useradd -o' option). That way, any files created in the same target folder will have the same UID. Then I made user 'guest' my guest user and left smith as my login user. I tried this both locally and remotely. Locally (guest), no password was asked for and the drive mounted, no problem. Files created in this folder have 'smith' as the owner. Remotely, mapping denied the connection to the local share [webcontent], as hoped, and I was able to mount the share [website] with user ID smith and smith's PW. The new, working smb.conf is shown below.

So, it looks like that configuration is solved. Now! If you want to try your hand at another samba quandary, I've just posted a new samba question for yet another machine: http://www.experts-exchange.com/OS/Linux/Q_27847327.html

Maybe by the end of this I'll have a rudimentary understanding of samba!

[global]
   workgroup = WORKGROUP
   security = share
   load printers = no
   printcap name = /dev/null
   printing = bsd
   disable spoolss = yes

   guest account = guest
   log file = /var/log/samba.%m
   max log size = 50
   dns proxy = no

#########################################
# This is the local share that does not require a password
#########################################
[webcontent]
   hosts allow = 192.168.2.
   hosts deny = ALL
   path = /shared/folder
   writable = yes
   browsable = yes
   printable = no
   public = yes
   guest ok = yes
   guest only = yes
   create mask = 0660

#########################################
# This is the share accessible outside the LAN with ID/PW
#########################################
[website]
   path = /shared/folder
   valid users = smith
   writeable = yes
   browseable = yes
   printable = no
   public = yes
   create mask = 0660

 
arnold commented:
I do not believe it is necessary nor advisable to have two usernames that reference the same UID.
Samba manages the access when defined, no matter which user was used.

If you are still experimenting, create a new testuser, then update smb.conf setting guest as testuser.
Then see whether you can locally map the share and access all the files within, etc.
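The two problems this thread circles, the global guest account being the same name that the password-protected share admits through valid users, and the final workaround of a second passwd entry sharing smith's UID, can both be checked for and avoided without duplicate UIDs. What follows is an added example, not code from this thread or from the Samba project: a small Python audit that parses an smb.conf, flags the mistakes seen above (share-level security, a global-only parameter inside a share section as in the "Global parameter ... found in service section!" log lines, a guest account that is also a valid user, and a guest-accessible share with no hosts allow), and carries a corrected configuration alongside the posted one. Both configurations are constructed for the example from what was posted. In the corrected one, `force user = smith` (a standard Samba share parameter that runs every file operation on that share as the named user) replaces the duplicate-UID trick, `guest ok = no` replaces `public = yes` on [website] (public is only a synonym for guest ok, so the posted [website] was in fact guest-accessible), and `security = user` with `map to guest = Bad User` replaces `security = share`, which Samba 4 no longer supports. Note that `hosts allow` is a source-IP check, not authentication; whether to expose SMB outside the LAN at all rather than over a VPN is a separate decision.

```python
"""Audit an smb.conf for the guest-vs-password mix-up discussed in this thread.

Added example; not the poster's tooling or anything from the Samba project.
Assumes only that smb.conf is INI-shaped (it is), with the parser tweaks below.
"""
import configparser
import re

# Constructed from the smb.conf posted at the top of the thread (not a copy of
# the poster's file). [website] is meant to need a password, but 'public = yes'
# is a synonym for 'guest ok = yes', and the global guest account is the very
# user that 'valid users' admits.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   security = share
   guest account = smith
   log file = /var/log/samba.%m

[webcontent]
   hosts allow = 192.168.2.
   hosts deny = ALL
   path = /shared/folder
   writable = yes
   public = yes
   guest ok = yes
   guest only = yes
   guest account = cantleys

[website]
   path = /shared/folder
   security = user
   valid users = smith
   writeable = yes
   public = yes
"""

# Corrected configuration (also constructed for this example). 'force user'
# runs every file operation on the LAN share as smith, so ownership stays
# consistent without a second passwd entry sharing smith's UID.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   ; share-level security is gone in Samba 4; user-level is the only sane mode
   security = user
   ; names that are not Samba users become guest; known users must authenticate
   map to guest = Bad User
   ; the guest identity must not be a valid user of any protected share
   guest account = nobody
   log file = /var/log/samba.%m

[webcontent]
   path = /shared/folder
   hosts allow = 192.168.2.
   hosts deny = ALL
   guest ok = yes
   guest only = yes
   force user = smith
   writable = yes
   create mask = 0660

[website]
   path = /shared/folder
   valid users = smith
   guest ok = no
   writable = yes
   create mask = 0660
"""

# Parameter synonyms Samba accepts, folded to one canonical name.
SYNONYMS = {
    "public": "guest ok",
    "writeable": "writable",
    "write ok": "writable",
    "browsable": "browseable",
    "allow hosts": "hosts allow",
    "deny hosts": "hosts deny",
}
# Only honoured in [global]; smbd logs "Global parameter ... found in service
# section!" (as quoted in the thread) when they appear in a share.
GLOBAL_ONLY = {"security", "guest account", "map to guest", "workgroup"}


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {param: value}}, lower-cased and synonym-folded."""
    # smb.conf does not use indentation for continuation lines, so strip it;
    # otherwise configparser would glue unevenly indented lines together.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = lambda key: key.strip().lower()
    cp.read_string(flat)
    return {
        section.lower(): {SYNONYMS.get(k, k): v.strip() for k, v in cp.items(section)}
        for section in cp.sections()
    }


def audit(conf):
    """Return (code, where) findings for the mistakes this thread ran into."""
    findings = []
    glob = conf.get("global", {})
    if glob.get("security", "user").lower() == "share":
        findings.append(("security-share", "global"))
    guest = glob.get("guest account", "nobody").lower()   # Samba's default guest
    for name, share in conf.items():
        if name == "global":
            continue
        for param in sorted(GLOBAL_ONLY.intersection(share)):
            findings.append(("global-param-in-share", f"{name}:{param}"))
        valid = {u.lower() for u in re.split(r"[,\s]+", share.get("valid users", "")) if u}
        if guest in valid:
            findings.append(("guest-is-valid-user", name))
        if _yes(share.get("guest ok", "no")) and not share.get("hosts allow"):
            findings.append(("guest-share-unrestricted", name))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_smb_conf(text)) or "clean")
```

Run it against a real file with `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))`, then confirm with `testparm`, which is the authoritative check. Two caveats on the hardened settings: `map to guest = Bad User` maps only unknown names, so a Windows workstation logged in as a user who also exists in the Samba password file (here, smith) with a different password is rejected on the LAN share rather than mapped to guest; and recent Windows builds refuse unauthenticated guest SMB logons by default, so the no-password LAN share may also need the client-side insecure-guest-logon policy relaxed.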
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 6
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now