# SAMBA server with both user and share level security.

## dE_logics

I'm not talking about virtual hosting.

Can it happen that a single server (i.e the client too sees it as a single server) can have both user and share level security?... or resource specific security level?

This's my current smb.com, and it doesn't workout well - 

```
[global]

workgroup = TEST

server string = testing

netbios name = MSERROR

guest account = ftp

security = user

[test]

path = /home/ftp

force user = ftp

force group = ftp

read only = no

guest ok = yes
```

Windows asks for username/password.

The user ftp (in smbpasswd) has not password.

----------

## VinzC

I think this is a security feature on the Windows' side in that it won't allow empty passwords. I think you have to tweak the registry to lower Windows' security checks but I'm not even sure. But what I'm certain is that Samba can only work in one mode at a time, either user or share level in your case.

----------

## salahx

You can only have 1 security level or the other.

However, in "user" mode. you can specify "map to guest = bad user" in the [global] section - any user not in Samba's account database with automatically be logged in as the "guest" user.

----------

## dE_logics

 *salahx wrote:*   

> You can only have 1 security level or the other.
> 
> However, in "user" mode. you can specify "map to guest = bad user" in the [global] section - any user not in Samba's account database with automatically be logged in as the "guest" user.

 

Not in? I added the user to the database then. Trying it out.

----------

## darkphader

See my blog:

http://blog.realcomputerguy.com/2010/12/samba-and-guest-shares-with-security.html

----------

## dE_logics

Thanks, I'm trying it out. Not getting time apparently.

----------

## dE_logics

Using map to guest = bad user did work, but this appears to be more of a workaround.

----------

## darkphader

 *dE_logics wrote:*   

> Using map to guest = bad user did work, but this appears to be more of a workaround.

 

It's by design, works properly, and the recommended way to accomplish guest access; security = share is unofficially deprecated, the devs would like to see it go away but don't want to break many of the installs.

----------

## dE_logics

When a windows client connects to a resource it should pass on a default username/password when the secure model is user. Making smb.conf aware of this seems to be the proper way.

----------

## darkphader

 *dE_logics wrote:*   

> When a windows client connects to a resource it should pass on a default username/password when the secure model is user. Making smb.conf aware of this seems to be the proper way.

 

Take it up with Microsoft. All Windows OS's allow guest access when configured to do so. Samba emulates this behavior.

----------

## alexchinalankey

 *darkphader wrote:*   

>  *dE_logics wrote:*   When a windows client connects to a resource it should pass on a default username/password when the secure model is user. Making smb.conf aware of this seems to be the proper way. 
> 
> Take it up with Microsoft. All Windows OS's allow guest access when configured to do so. Samba emulates this behavior.

 

I think you have to tweak the registry to lower Windows' security checks but I'm not even sure. But what I'm certain is that Samba can only work in one mode at a time, either user or share level in your case.

----------

## dE_logics

 *darkphader wrote:*   

>  *dE_logics wrote:*   When a windows client connects to a resource it should pass on a default username/password when the secure model is user. Making smb.conf aware of this seems to be the proper way. 
> 
> Take it up with Microsoft. All Windows OS's allow guest access when configured to do so. Samba emulates this behavior.

 

That way samba guys should know. I thought it was a protocol 'standard'.

----------

## Cyker

For guest access, user mode really sucks.

It IS possible to run samba as both a user and a share mode server - See the second post here: 

Samba Hybrid Security mode

It's quite a clever kludge actually; I got it working but ultimately it didn't really help me do what I wanted to do and made things a bit more complicated so I went back to having share mode only again...

----------

