Solved

need password for some samba mounts, no password for others

Posted on 2012-08-23
Last Modified: 2012-08-29
I want to have a samba mountpoint that requires no ID/password if mounted from the LAN, but does require a user ID and password if mounted from outside. My current configuration is shown below. This works fine for the internal LAN mountpoint 'webcontent': intra-LAN mounting does not require a PW and access is denied outside of 192.168.2.

The problem is that I can mount the externally accessible mountpoint 'website' from outside the LAN, also without entering a password. This is bad! I added the 'security = user' directive to the 'website' mountpoint configuration, but that didn't help.

How can I do what I want? I'd like to use the same user ID for both (smith) to keep created file ownership consistent.

[global]
   workgroup = WORKGROUP
   security = share
   guest account = smith
   log file = /var/log/samba.%m
   max log size = 50
   dns proxy = no

[webcontent]
   hosts allow = 192.168.2.
   hosts deny = ALL
   path = /shared/folder
   writable = yes
   browsable = yes
   printable = no
   public = yes
   guest ok = yes
   guest only = yes
   guest account = cantleys
   create mask = 0002

[website]
   path = /shared/folder
   security = user
   valid users = smith
   writeable = yes
   browseable = yes
   printable = no
   public = yes
   create mask = 0002

Question by: jmarkfoley

12 Comments
LVL 81

Expert Comment

by:arnold
ID: 38327961
When you say you can mount without a password, did you open up a port on the firewall to allow the access, or is the access via a VPN?
The connection via VPN
You have guest allowed.

Not sure what it is you are trying to do; an alternative might be to use a web-based document management interface that will provide version control of changed documents as well as managed access to the data.
 
LVL 1

Author Comment

by:jmarkfoley
ID: 38329121
I'm going through a firewall, no VPN.

I have guest allowed because I believe I need that in order to have mounting with no password.

What I'm trying to do is simply permit /shared/folder to be accessed by 'smith' inside 192.168.2. without an ID/PW and this same folder to be accessed outside 192.168.2 using an ID/PW. I.e. password not needed inside the office, password needed outside.

I just want to map the drive. I don't need a document management system.
 
LVL 81

Expert Comment

by:arnold
ID: 38329367
Set up two paths to the same resource.
One accessed locally, the other remotely.
Locally no password, remote with password.
The problem is there is no way to force a user who internally uses one to use another remotely.

You could look into using NTLM within samba.
http://www.linuxquestions.org/questions/linux-security-4/samba-and-ntlmv2-authentication-536973/

Locally it will auto-authenticate, while remotely it will prompt the user for a password when ntlm authentication is not available.
 
LVL 1

Author Comment

by:jmarkfoley
ID: 38329588
Did you look at the current smb.conf I posted? I *think* I have 2 paths to the same resource, but neither asks for a password. What do I need to do to get the 'website' config to ask for a password?

I am using the samba password file, not NTLM, and I am not authenticating with a Windows domain, just a plain 'ole Linux host serving the samba mount with Windows workstations mapping the drive.
 
LVL 81

Expert Comment

by:arnold
ID: 38329632
Your major issue is that you define your guest account in the global section as smith:
guest account = smith

You then specify that the only user who has access to the website-related share is smith:
valid users = smith
 
LVL 1

Author Comment

by:jmarkfoley
ID: 38329934
So, how would I fix this? I'd like both the remote, password-required user to be smith AND the local, no-password user to also be smith. Is that possible? How would I modify my smb.conf?
 
LVL 81

Expert Comment

by:arnold
ID: 38329970
You could try what you are doing within the local share (guest account = cantleys) while removing the global definition of the guest account mapping to smith.
Look at the samba log:
/var/log/samba.*
 
LVL 1

Author Comment

by:jmarkfoley
ID: 38343710
I modified my smb.conf as shown below. This modification made it so that I have to specify a password either locally (webcontent) or remotely (website), so that's not quite it. I want webcontent to be accessible on the 192.168.0.2 subnet w/o password and website accessible outside 192.168.0.2 with password. Suggestions?

[global]
   workgroup = WORKGROUP
   log file = /var/log/samba.%m
   max log size = 50
   dns proxy = no

[webcontent]
   security = share
   guest account = smith
   hosts allow = 192.168.2.
   hosts deny = ALL
   path = /shared/folder
   writable = yes
   browsable = yes
   printable = no
   public = yes
   guest ok = yes
   guest only = yes
   create mask = 0660

[website]
   path = /shared/folder
   security = user
   valid users = smith
   writeable = yes
   browseable = yes
   printable = no
   public = yes
   create mask = 0660
 
LVL 1

Author Comment

by:jmarkfoley
ID: 38344150
More info: The samba.smbd log shows complaints about putting the security and guest account parameters in the service sections versus the Global section:

Global parameter security found in service section!
Global parameter guest account found in service section!

Perhaps I misunderstood that you suggested I do this. I've removed these. My current configuration is below. So, is there is, or is there ain't, a way to configure what I want to do without using NTLM?

I'll repeat my desire: I want [webcontent] to be accessible on the 192.168.0.2 subnet as user ID smith w/o password, and [website] accessible outside 192.168.0.2 as user ID smith with password. Doable? How?

[global]
   workgroup = WORKGROUP
   security = share
   load printers = no
   printcap name = /dev/null
   printing = bsd
   disable spoolss = yes
   guest account = smith
   log file = /var/log/samba.%m
   max log size = 50
   dns proxy = no

[webcontent]
   hosts allow = 192.168.2.
   hosts deny = ALL
   path = /shared/folder
   writable = yes
   browsable = yes
   printable = no
   public = yes
   guest ok = yes
   guest only = yes
   create mask = 0660

[website]
   path = /shared/folder
   valid users = smith
   writeable = yes
   browseable = yes
   printable = no
   public = yes
   create mask = 0660
 
LVL 81

Accepted Solution

by:
arnold earned 2000 total points
ID: 38344326
If you want to have website require a password while webcontent denies all,
do one of the following.
Either define the guest account in the global section as anything other than smith (currently smith is the required user to gain access to the website share),
or change the valid users parameter in the website section to be anything other than smith (which is currently what the guest account represents).

For purposes of illustration.

There are two doors into a room. You advised the Guards at the guest door to treat all guests as SMITH. You then tell Guards at door number two that they can only let SMITH in.
Rule one: anyone accessing door1 following a certain path are guests and are automatically accepted and allowed in.

Now I do not follow the path to door1; I get to door 2. When the guards ask for my name, I say I am a guest. Will the guards let me in or not? (By your settings, Guards at door two, having been present at the initial meeting where you directed them to treat all guests as SMITH, will/should assign a person claiming to be a guest the same rights as they would if I said, "I am SMITH".)
 
LVL 1

Author Comment

by:jmarkfoley
ID: 38348215
OK, looks like we have a winner! Here's what I did: I understood from the last posting (ID: 38344326) that the same user cannot both log in as a guest AND as a user requiring a password, correct? So I created a new user, guest, in /etc/passwd with the same UID and GID as smith (using the 'useradd -o' option). That way, any files created in the same target folder will have the same UID. Then I made user 'guest' my guest user and left smith as my login user. I tried this both locally and remotely. Locally (guest), no password was asked for and the drive mounted, no problem. Files created in this folder have 'smith' as the owner. Remotely, mapping denied the connection to the local share [webcontent], as hoped, and I was able to mount the share [website] with user ID smith and smith's pw. The new, working smb.conf is shown below.

So, it looks like that configuration is solved. Now! If you want to try your hand at another samba quandary, I've just posted a new samba question for yet another machine: http://www.experts-exchange.com/OS/Linux/Q_27847327.html

Maybe by the end of this I'll have a rudimentary understanding of samba!

[global]
   workgroup = WORKGROUP
   security = share
   load printers = no
   printcap name = /dev/null
   printing = bsd
   disable spoolss = yes

   guest account = guest
   log file = /var/log/samba.%m
   max log size = 50
   dns proxy = no

#########################################
# This is the local share that does not require a password
#########################################
[webcontent]
   hosts allow = 192.168.2.
   hosts deny = ALL
   path = /shared/folder
   writable = yes
   browsable = yes
   printable = no
   public = yes
   guest ok = yes
   guest only = yes
   create mask = 0660

#########################################
# This is the share accessible outside the LAN with ID/PW
#########################################
[website]
   path = /shared/folder
   valid users = smith
   writeable = yes
   browseable = yes
   printable = no
   public = yes
   create mask = 0660
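The accepted answer (ID: 38344326) and the working config above come down to one rule: a guest connection is mapped to the global 'guest account', so any share whose 'valid users' names that same account is reachable without a password from every host that is not filtered by 'hosts allow'. The checker below is an added example, not code from the thread; it parses a constructed, cut-down copy of the first posted smb.conf (the [global] header is assumed, since the snippet started with its parameters) and reports which shares a guest can reach unrestricted, before and after the fix.

```python
import re

# Constructed cut-down copy of the thread's first smb.conf ([global] header assumed).
ORIGINAL_CONF = """[global]
   security = share
   guest account = smith
[webcontent]
   hosts allow = 192.168.2.
   hosts deny = ALL
   public = yes
[website]
   valid users = smith
   public = yes
"""
# The accepted fix: the guest account no longer matches the 'valid users' entry.
FIXED_CONF = ORIGINAL_CONF.replace("guest account = smith", "guest account = guest")

SYNONYMS = {"public": "guest ok"}  # 'public' is Samba's synonym for 'guest ok'

def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: [section] headers, 'key = value', '#'/';' comments."""
    conf = {"global": {}}
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            k = key.strip().lower()
            conf.setdefault(section, {})[SYNONYMS.get(k, k)] = value.strip()
    return conf

def guest_can_reach(params: dict, guest: str) -> bool:
    """True when a connection mapped to the guest account passes the share's own checks."""
    if params.get("guest ok", "no").lower() not in ("yes", "true", "1"):
        return False
    # 'valid users' may be comma- or space-separated; @/+/& prefixes denote groups.
    users = [u.lstrip("@+&").lower() for u in re.split(r"[,\s]+", params.get("valid users", "")) if u]
    return not users or guest in users

def exposed_guest_shares(text: str) -> list:
    """Guest-reachable shares with no 'hosts allow' filter: the hole in the first config."""
    conf = parse_smb_conf(text)
    guest = conf["global"].get("guest account", "nobody").lower()
    return sorted(name for name, p in conf.items()
                  if name != "global" and guest_can_reach(p, guest) and "hosts allow" not in p)
```

Note that 'security = share' was removed in Samba 4.0; on current releases the equivalent setup is 'security = user' with 'map to guest = Bad User', and the same guest-account/valid-users collision still applies.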
 
LVL 81

Expert Comment

by:arnold
ID: 38348292
I do not believe it is necessary nor advisable to have two usernames that reference the same UID.
Samba manages the access when defined, no matter which user was used.

If you are still experimenting, create a new testuser, then update smb.conf setting guest as testuser.
Then see whether you can locally map the share and access all the files within, etc.
