samba home share allows (!) access without password

Posted: Mon Oct 07, 2019 2:11 am
by oksage
I've had this rpi3 set up as a samba server for years, and the default 'homes' share config requires me to use my password to log in, whether I browse to the home share or if I type in user@ip/homes into thunar's 'location' bar. However lately, when I access the home share by typing user@ip/homes, it's not prompting me for a password. But if I browse to the share, it asks for a password.

Not sure if it makes a difference, but I've got cifs-utils and smbclient installed. And here's the relevant part of /etc/samba/smb.conf, having used grep to remove comments:

[global]
   workgroup = WORKGROUP
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
[homes]
   comment = Home Directories
   browseable = yes
   read only = no
   create mask = 0775
   directory mask = 0775
   valid users = %S
   
Any ideas? I don't think it was an update that messed with my config, because my usb share is still in the config.

Re: samba home share allows (!) access without password

Posted: Mon Oct 07, 2019 9:52 am
by thagrol
I'm not the samba expert on here and I don't use thunar but three things spring to mind:
  1. In the default config [homes] is not browseable.
  2. Have you previously logged in to the samba server as the same user?
  3. In my experience the expected way to access the homes share is by (using windows explorer syntax) \\server\user not \\server\homes then logging in as the desired user.

Re: samba home share allows (!) access without password

Posted: Mon Oct 07, 2019 4:35 pm
by hippy
I had problems with Samba which sound similar to your own.

I recall the issue was that it was defaulting to being guest access, gave every impression of having connected as I had expected but without the permissions.

For me, not using 'thunar', that came down to a mismatch in user\hostname in the connection field and what the pi actually knew it was, "pi\raspberrypi" versus "pi\Pi3B".

I recall disabling guest access revealed the issue.

Not sure if that's the problem here but it might be worth checking.

Re: samba home share allows (!) access without password

Posted: Thu Oct 10, 2019 3:59 am
by oksage
thagrol wrote:
Mon Oct 07, 2019 9:52 am
> I'm not the samba expert on here and I don't use thunar but three things spring to mind:
>   1. In the default config [homes] is not browseable.
>   2. Have you previously logged in to the samba server as the same user?
>   3. In my experience the expected way to access the homes share is by (using windows explorer syntax) \\server\user not \\server\homes then logging in as the desired user.

1) Homes not browseable by default? I must have changed that at some point. Shouldn't matter to my problem either way though, unless I'm missing something.
2) I have previously logged on. Been using this pi as a samba server for years. Sometimes browsing in thunar ('go' in menu > browse network) doesn't work, but typing directly into thunar's 'location' bar does.
3) To log in without browsing, I type in smb://ip/share (from linux to pi). I listed the wrong syntax in my original post.

I wonder if thunar is storing the password somehow. But you'd think any stored passwords would be lost when restarting my laptop.

Re: samba home share allows (!) access without password

Posted: Thu Oct 10, 2019 4:05 am
by oksage
hippy wrote:
Mon Oct 07, 2019 4:35 pm
> I had problems with Samba which sound similar to your own.
>
> I recall the issue was that it was defaulting to being guest access, gave every impression of having connected as I had expected but without the permissions.
>
> For me, not using 'thunar', that came down to a mismatch in user\hostname in the connection field and what the pi actually knew it was, "pi\raspberrypi" versus "pi\Pi3B".
>
> I recall disabling guest access revealed the issue.
>
> Not sure if that's the problem here but it might be worth checking.

I added 'guest ok = no' to the homes section of smb.conf and restarted smbd and nmbd on the pi, but the problem still persists.

Re: samba home share allows (!) access without password

Posted: Thu Oct 10, 2019 8:11 am
by hortimech
oksage wrote:
Thu Oct 10, 2019 4:05 am
> I added 'guest ok = no' to the homes section of smb.conf and restarted smbd and nmbd on the pi, but the problem still persists.

It would, you just added a default line.

This is your 'homes' share:

[homes]
   comment = Home Directories
   browseable = yes
   read only = no
   create mask = 0775
   directory mask = 0775
   valid users = %S

Would it help if I told you that you are shooting yourself in the foot?
By setting 'browseable = yes' you are unhiding the 'homes' share and it is allowing you to browse to the share; change its value to 'no'.
Your masks are allowing anyone read access to the share; change the value to '0700'.
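
The settings discussed in this thread can be checked mechanically. The following is an added example, not code from any poster: a small smb.conf audit that flags guest fallback in [global] plus a browseable [homes] share and masks that keep permission bits for 'other'. The names parse_smb_conf and audit_homes are hypothetical, the sample is constructed from the config quoted above, and only masks set explicitly in [homes] are checked.

```python
import re

# Constructed sample: a trimmed copy of the settings quoted in the thread.
SAMPLE = """\
[global]
   map to guest = bad user
[homes]
   browseable = yes
   create mask = 0775
   directory mask = 0775
   valid users = %S
"""

# smb.conf accepts alternate spellings for some parameters.
SYNONYMS = {"browsable": "browseable", "create mode": "create mask",
            "directory mode": "directory mask", "public": "guest ok"}

def parse_smb_conf(text):
    """Return {section: {param: value}} with names lower-cased and normalised."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            conf[section][SYNONYMS.get(key, key)] = value.strip()
    return conf

def audit_homes(text):
    """List findings for the guest-fallback and [homes] settings in this thread."""
    conf = parse_smb_conf(text)
    g, homes = conf.get("global", {}), conf.get("homes")
    findings = []
    guest = g.get("map to guest", "never").lower()
    if guest != "never":
        findings.append(f"global: map to guest = {guest}; failed logins can become guest sessions")
    if homes is not None:
        # Share setting wins, then [global], then Samba's default of yes.
        if homes.get("browseable", g.get("browseable", "yes")).lower() in ("yes", "true", "1"):
            findings.append("homes: browseable, so the literal 'homes' share is listed")
        for param in ("create mask", "directory mask"):
            mask = homes.get(param)
            if mask and int(mask, 8) & 0o007:
                findings.append(f"homes: {param} = {mask} keeps permission bits for 'other'")
    return findings
```

Running audit_homes on the output of 'testparm -s' instead of the raw file also covers included files and shows the values Samba actually loaded.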