Set up Samba without using Deprecated “share” Security Setting

I was trying to set up Samba file sharing in the office. It works somehow, but there are two things I am not quite happy about.

  1. The setting I tried uses “share” as the security setting, which is deprecated.
  2. When the user clicks on a password-protected folder, the user name is pre-filled in Windows XP and is greyed out, so it cannot be changed.

After searching the Internet more deeply, I found this post, which solved my problems.

Below is a summary of what I have done.

Objective

  1. Set up Samba file sharing
  2. Allow no-login listing of shared resources (That is, able to access \\192.168.1.1 without entering any password)
  3. Allow no-login access of specified resources
  4. Allow login access of restricted resources
  5. Avoid the use of the deprecated “share” security setting

Procedure

Edit 2013-06-18: While I was trying to answer a comment from a reader on this post, I went through the Samba documentation and tried it on my new Raspberry Pi (at the time I wrote this article I was setting up Samba on Red Hat 5). I found out that a file and some options are actually not necessary, and therefore I have struck through those parts in this update.

  1. In /etc/samba/smbusers, make sure the following line is present. This creates a user name mapping between the SMB user name (guest) and the Linux user name (nobody).
    nobody = guest
  2. In the [global] section of /etc/smb.conf, do the following:
    1. Set the security to user by including the line security = user
    2. On invalid user login information, map the login to the SMB guest account by including the line Map to guest = Bad User
    3. Make sure the previous SMB to Linux user name mapping is in effect by including the line username map = /etc/samba/smbusers
    4. Allow no-login users to list shared resources by including guest ok = yes for the resources you want to be public
  3. For each shared resource, add a section in /etc/smb.conf. If it is password protected, remember to include the line valid users = authenticated_user under the section.

Sample smb.conf

[global]
    workgroup = workgroup
    server string = MY-SERVER
    security = user
    passdb backend = tdbsam
    cups options = raw
    map to guest = Bad User
    username map = /etc/samba/smbusers
    guest ok = yes

[tom_password_protected_folder]
    path = /share/tom
    writeable = yes
    valid users = tom

[no_password_folder]
    path = /share/nobody
    writeable = yes
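
The following is an added example, not part of the original post: a small Python audit that reads the access-relevant lines of the sample above and reports, per share, whether the guest account can connect and write once the [global] guest ok = yes default is inherited. The function names are hypothetical, the guest account is assumed to be Samba's default (nobody), and @group entries in valid users and the invalid users parameter are not modelled.

```python
import re

# Constructed input: the access-relevant lines of the sample smb.conf in this post.
SAMPLE_CONF = """
[global]
    security = user
    map to guest = Bad User
    guest ok = yes
[tom_password_protected_folder]
    writeable = yes
    valid users = tom
[no_password_folder]
    writeable = yes
"""

def norm(name):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    # Returns {section: {normalised parameter: value}}.
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(text):
    # Simplified model (assumption): a guest gets in only if "guest ok" is in effect
    # for the share and "valid users" is empty or names the guest account literally.
    conf = parse(text)
    glob = conf.pop("global", {})
    guest_account = glob.get("guestaccount", "nobody")
    report = {}
    for name, share in conf.items():
        eff = {**glob, **share}  # share settings override [global] defaults
        guest_ok = is_yes(eff.get("guestok", eff.get("public", "no")))
        valid = [u for u in re.split(r"[,\s]+", eff.get("validusers", "")) if u]
        guest = guest_ok and (not valid or guest_account in valid)
        writable = is_yes(eff.get("writeable", eff.get("writable", "no")))
        report[name] = {"guest": guest, "guest_write": guest and writable}
    return report

if __name__ == "__main__":
    for share, result in audit(SAMPLE_CONF).items():
        print(share, result)
```

Any share reported with guest_write set is writable by anyone who can reach the server, so it is the first thing to review after adding a new section.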


4 responses to “Set up Samba without using Deprecated “share” Security Setting”

  1. When you put guest ok = yes in your global part, won’t this allow everybody to see the password protected part? I put the guest ok only in parts I want to be seen by guests.

    • Actually, it won’t.
      This is because “guest ok” will map the logged-in user to the Linux user account “nobody”.
      Since the account “nobody” is not in the list of “valid users”, the user is therefore not allowed to see the content.
