# Setting up security for Samba shares

## phoric

I'm trying to set up a Samba server with user-level security. These shares will be accessed via mostly Windows XP machines. I want to be able to create a user on the Gentoo box, and use that login and password to access the shares. WinXP users should be prompted with a Login and Password dialog box when accessing the share. I can get open public access to work fine, but when I try to set it up with user-level security, it won't let anyone in. Here is my smb.conf:

```
[global]
   workgroup = workgroup
   hosts allow = 127.0.0.1 192.168.0.0/24
   interfaces = lo eth0
   bind interfaces only = yes
   wins support = yes
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   log level = 3
   syslog = 1
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   smb passwd file = /etc/samba/private/smbpasswd
   guest account = nobody
   guest ok = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   domain master = no

[lab]
   comment = Labshare
   browseable = yes
   public = no
   create mode = 0766
   path = /labshare
   writable = yes
   valid users = root ed
```

I have tried using smbpasswd to create Samba users and set the password as well with no results. For example:

```
smbpasswd -a ed
```

With this configuration, when I browse to the Samba server with WinXP station and click on the share, it does ask for the name and password, but when the login is typed in, I get the following error:

 *Quote:*   

> \\labserver is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
> 
> Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

 

Thanks for your help.

----------

## magic919

 *Quote:*   

> Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

 

It doesn't seem to have forgotten the 'public' connection you already made.  Being Windows a reboot would probably clear it.

----------

## phoric

 *magic919 wrote:*   

> It doesn't seem to have forgotten the 'public' connection you already made.  Being Windows a reboot would probably clear it.

 

Negative... I tried a reboot, and tried accessing from another machine. Same message.

----------

## magic919

Do the XP machines belong to a domain?

----------

## phoric

I've been checking the Samba logs, and the following is an excerpt. Despite asking me for a name and password, it seems to be looking for the EdB account (which is what my Windows domain account is), instead of accepting my entry for the login (I'm trying to log in as linux users "root" or "ed"). I don't want it to try and authenticate the Windows account name, rather I'd prefer if I could just use my Linux user accounts to authenticate.

```
[2006/02/15 12:39:53, 3] auth/auth_sam.c:check_sam_security(257)
  check_sam_security: Couldn't find user 'EdB' in passdb.
[2006/02/15 12:39:53, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [EdB] -> [EdB] FAILED with error NT_STATUS_NO_SUCH_USER
```

Thanks.

----------
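The log excerpt in the post above shows which account name the client actually presented. As an added example (not part of the original thread), this script pairs each smbd header line with its message, extracts failed logons, and separates names that are not share users from failures for listed users. The sample log is constructed, and comparing names case-insensitively is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the two-line smbd layout shown in the post above
# (header line, then an indented message). The EdB lines mirror the post;
# the 'ed' line is made up for contrast.
SAMPLE_LOG = """\
[2006/02/15 12:39:53, 3] auth/auth_sam.c:check_sam_security(257)
  check_sam_security: Couldn't find user 'EdB' in passdb.
[2006/02/15 12:39:53, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [EdB] -> [EdB] FAILED with error NT_STATUS_NO_SUCH_USER
[2006/02/15 12:41:10, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [ed] -> [ed] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)")
FAILED = re.compile(r"Authentication for user \[(?P<sent>[^\]]*)\] -> "
                    r"\[(?P<mapped>[^\]]*)\] FAILED with error (?P<status>NT_STATUS_\w+)")

def parse_failures(text):
    """Return one dict per failed logon, pairing each message with its header."""
    failures, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                      # new log record starts here
            header = m.groupdict()
            continue
        f = FAILED.search(line)    # indented message belonging to `header`
        if f and header:
            failures.append({"ts": header["ts"], **f.groupdict()})
    return failures

def triage(failures, valid_users):
    """Count failures by sent name: not a share user vs. a listed share user."""
    allowed = {u.lower() for u in valid_users}   # assumption: case-insensitive
    wrong_name = Counter(f["sent"] for f in failures if f["sent"].lower() not in allowed)
    wrong_secret = Counter(f["sent"] for f in failures if f["sent"].lower() in allowed)
    return wrong_name, wrong_secret

if __name__ == "__main__":
    # "root" and "ed" are the `valid users` of the [lab] share in the thread.
    wrong_name, wrong_secret = triage(parse_failures(SAMPLE_LOG), ["root", "ed"])
    for user, n in wrong_name.items():
        print(f"{user}: {n} attempt(s) with a name that is not a share user")
    for user, n in wrong_secret.items():
        print(f"{user}: {n} failure(s) for a listed user (check password / passdb entry)")
```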

## phoric

 *magic919 wrote:*   

> Do the XP machines belong to a domain?

 

Yes, they do.

----------

## phoric

Interesting... If I create a linux username the same as my Windows domain account (Edb), with the same password, and then a smbpasswd account with the same credentials, I can then access the shares without any prompting for names or passwords. For some reason, it is checking it against my Windows credentials.

I need to disable any checking against the Windows account and use just the linux users credentials.

----------

## infecticide

I want the same end result.   

1. Bring up a username/password box on the windows machine 

2. Authenticate against the linux users credentials, ex: not have to enter smbpasswd for every user.

----------

## robdd

On the Windoze client have you tried using the option in the "Map Network Drive" where you logon as a different user ?  In our office Samba is set up with user-level security. If I log in to the Samba file server without specifying a different user name then I can get in OK because I *do* have an identical logon/password on the Samba box (Gentoo, naturally). But we had a few permission problems, and the lazy fix was for everyone in our small office to use the same Samba login - then we could all delete each other's files   :Very Happy: 

IIRC, when XP came along it screwed us up by remembering the network drive mappings, by logging on automatically with the Windoze user name. Forget how we disabled that. God save me from a computer that tries to help me - Windoze nearly always gets it wrong !

----------

## infecticide

I have a class room of 14 students who all need a unique name and password to access their home directories on the server.

I was hoping to just use the linux credentials from /etc/passwd and not have to use smbpasswd, that's just a pain in the ass.

I've read you can accomplish this through 

smb.conf

```
passdb backend = plaintext
```

Here are the error msgs I'm getting:

/var/log/everything/current

```
Feb 17 11:12:37 [smbd] [2006/02/17 11:12:37, 0] passdb/pdb_interface.c:make_pdb$
Feb 17 11:12:37 [smbd] No builtin nor plugin backend for plaintext found_
Feb 17 11:12:37 [smbd] [2006/02/17 11:12:37, 0] smbd/server.c:main(829)_
Feb 17 11:12:37 [smbd] ERROR: failed to setup guest info._
Feb 17 11:12:37 [rc-scripts] Error: stopping services (see system logs)
Feb 17 11:12:37 [nmbd] [2006/02/17 11:12:37, 0] nmbd/nmbd.c:terminate(58)_
Feb 17 11:12:37 [nmbd] Got SIGTERM: going down..._
```

As you can see it says the backend type plaintext is not found.

I'm using Samba 3.0.21b.

Anybody know how to accomplish this?

smb.conf

```
[global]
        server string = Samba Server %v
        map to guest = Bad User
        passdb backend = plaintext
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n *Re*ype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log level = 5
        log file = /var/log/samba/log.%m
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        printcap name = cups
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        message command = /usr/bin/linpopup "%f" "%m" %s; rm %s
        printer admin = @adm
        printing = cups
        print command = lpr -P'%p' %s; rm %s
        lppause command = lp -i '%p-%j' -H hold
        lpresume command = lp -i '%p-%j' -H resume
        queuepause command = disable '%p'
        queueresume command = enable '%p'

[homes]
        comment = Home Directories
        read only = No
        browseable = No
```

----------

## phoric

 *infecticide wrote:*   

> I was hoping to just use the linux credentials from /etc/passwd and not have to use smbpasswd, thats just a pain in the ass.

 

I am still struggling with this.. I actually wouldn't mind creating the smbpasswd along with the user account, as only a few users will need access to this.. But when using any security on Samba, I can't seem to get it to stop Samba from somehow comparing authentication to the user's Windows account. Just want a totally separate box from the Windows domain.

----------

## pgjensen

Sharing ONLY WORKS FOR ME from XP -> linux samba if I have the same username on unix as the logged in user of XP.

Even if I put in a username it won't change it, it will still try to auth w/ logged on username ONLY.

----------

## phoric

Weird... I guess no one has gotten this to work.

----------

## Dikkiedik

Believe it or not, here's another person trying to do the same thing. Didn't get it to work.

----------

## rojanu

Has anyone found a solution yet? I am trying to reach the same solution to no avail.

----------

## snekiepete

Try this:

```
# mkdir /etc/samba/private
# smbpasswd -a "username"
```

----------

## bjd

My memory is a little hazy on this, but I was having similar issues with the Windows username fiasco. What I believe you can do, when using the "Map Network Device" dialog to mount the share, is to prefix the username you supply with the name of the Samba server, then it will check the server for the username. I can't remember the correct syntax; it was something like

```
MACHINENAME/username
```

The / may have been \ or // or something similar. The machine name may have been the NETBIOS name not the DNS hostname too. As I said, been a while since I tried this and been a while since I used 'doze to access my Samba server. Pretty sure I found this info on this forum so a search may yield more.

----------

## giant

Hmmm ...

From my experience, what works is that you first create the user on the linux machine and then add the user via smbpasswd -a username to the smb password file.

If you use the same username as the XP login name it should work like a charm.

Still, if you need to authenticate it doesn't really matter if the username is different, when you put in the right user/pw.

Now if you have a larger user base with changing users / passwords I recommend using either Active Directory (if you already have an AD service running) or LDAP as backend.

For both configurations you should find howtos in the forum. It's a bit more work but once you have it running you don't want to miss it  :Smile: 

Good luck !

----------

## cibonato

Using Win9x and Win2k I had no problems with samba shares.

If the client is a Win9x machine, the client will send to the server the same username used to open the session and try to validate this user against the server. If the password is the same at the server and at the client, the connection is made. If not, you'll be prompted for a password.

If the client is a Win2k machine, the process is much the same, but if the password is not the same or the user doesn't exist, you'll be prompted for a valid username and/or a valid password.

Probably it's old news to most people here...

And now let's talk about WinXP clients. The connection is made much as with a Win2k client, but if the username/password isn't the same, you'll be prompted for a valid username and/or password and at this time you can tell the server where to check if the username/password is really valid. This happens because the client is a domain member.

You can put a username like this IF\miguel, where IF is the domain and miguel the username. If the client is not a domain member, then you can use PINGA\miguel, where PINGA is the server name and miguel a valid user (a user that exists in the server database).

----------

## jure1873

I think you can disable this behaviour somewhere in the registry... but I forgot where

----------

