SME 7 Insecure as Server-only on LAN?

MSmith
« on: January 13, 2006, 05:34:19 PM »
Yep, I know it's secure, but I want to make it INsecure.  Because in a lot of small offices, much as we IT consultants try, they just don't want to fool around with passwords.  So it's useful in SOME specific instances to set up a SME server thrown "wide open" for easy access to ibays.

This is easy enough in 6.0, by copying the appropriate template fragments to templates-custom/etc/smb.conf:

11guestOk (should be "yes")
11mapToGuest (should be "bad user")
10globals (add "null passwords = yes")
50printers (change to "guest ok = yes", add "public = yes")

Then:

/sbin/e-smith/expand-template /etc/smb.conf
service smb restart

and voila, open for business.

This *seems to work* in 7.0 ... BUT ... looking at an ibay created either before or after this is done ... I can "save as" to the ibay, one can copy & paste files & folders ... but I *cannot* drag & drop to the ibay.  Which of course is a useful functionality.

So ... given that this is a modification I don't think it's a bug, but what about Samba 3 configuration have I missed?

Here's how smb.conf ends up when re-expanded:

#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# SME Server software. Instead, modify the source template in
# an /etc/e-smith/templates-custom directory. For more
# information, see http://www.e-smith.org/custom/
#
# copyright (C) 1999-2003 Mitel Networks Corporation
#------------------------------------------------------------






[global]
null passwords = yes


add machine script = /sbin/e-smith/signal-event machine-account-create '%u'
admin users = admin

bind interfaces only = no

case sensitive = no
deadtime = 10080

display charset = ISO8859-1

dns proxy = no

domain logons = no
domain master = no
dos charset = 850

encrypt passwords = yes

guest account = public

guest ok = yes
hosts allow = 127.0.0.1 192.168.11.0/255.255.255.0


interfaces = 127.0.0.1 192.168.11.71/255.255.255.0

log file = /var/log/samba/log.%m




map to guest = bad user


max log size = 50

name resolve order = wins lmhosts bcast

netbios name = labrat
oplocks = true
kernel oplocks = true
level2 oplocks = true



passdb backend = smbpasswd:/etc/samba/smbpasswd


pid directory = /var/run

preserve case = yes

printer admin = admin



security = user
server string = SME Server
short preserve case = yes
smb passwd file = /etc/samba/smbpasswd

socket options = TCP_NODELAY

strict locking = no
unix charset = UTF8

unix password sync = Yes
pam password change = Yes


wins support = no

workgroup = fubar
printcap name = /etc/printcap
load printers = yes
printing = lprng
print command = /usr/bin/lpr -b -h -r -P%p %s

[homes]
comment = Home directory
browseable = no
guest ok = no
read only = no
writable = yes
printable = no
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770
path = /home/e-smith/files/users/%S/home

[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
guest ok = yes
writable = no
printable = yes
public = yes
use client driver = yes


[print$]
comment = Printer drivers
path = /home/e-smith/files/samba/printers
guest ok = yes
browseable = yes
use client driver = yes
writable = no


[Primary]
comment = Primary i-bay
# Recycle Bin disabled
path = /home/e-smith/files/ibays/Primary
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0640

[test]
comment = Test for null pw
# Recycle Bin disabled
path = /home/e-smith/files/ibays/test/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0664
...
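
One way to check which shares an expanded smb.conf like the one above leaves open to guests, as an added example that is not part of the original post. The sample is constructed by trimming the posted config, and `parse` and `audit` are hypothetical helper names.

```python
# Constructed sample: trimmed from the expanded smb.conf in the post above.
SAMPLE = """\
[global]
null passwords = yes
guest ok = yes
map to guest = bad user
[homes]
guest ok = no
[printers]
writable = no
public = yes
[Primary]
writable = yes
"""
TRUE = {"yes", "true", "1"}

def parse(text):
    """Return {section: {param: value}}, lower-cased; the last setting wins."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1].strip().lower(), {})
        elif cur is not None and "=" in line:
            key, val = (p.strip().lower() for p in line.split("=", 1))
            key = " ".join(key.split())          # Samba ignores extra spaces
            key = {"public": "guest ok"}.get(key, key)   # synonym
            if key in ("writable", "writeable", "write ok"):
                key, val = "read only", ("no" if val in TRUE else "yes")
            cur[key] = val
    return sections

def audit(text):
    """Return (shares that admit guests, [global] settings that relax auth)."""
    conf = parse(text)
    glob = conf.pop("global", {})    # share params in [global] act as defaults
    relaxed = []
    if glob.get("null passwords", "no") in TRUE:
        relaxed.append("null passwords")
    if glob.get("map to guest", "never") != "never":
        relaxed.append("map to guest")
    shares = {}
    for name, params in conf.items():
        eff = {**glob, **params}     # a share's own setting overrides the default
        if eff.get("guest ok", "no") in TRUE:
            read_only = eff.get("read only", "yes") in TRUE
            shares[name] = "read-only" if read_only else "read-write"
    return shares, relaxed
```

On the sample, `[Primary]` is reported as guest read-write even though it has no `guest ok` line of its own, because it inherits the `[global]` default, while `[homes]` is excluded by its explicit `guest ok = no`.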

MSmith
« Reply #1 on: January 21, 2006, 03:09:00 PM »
Viewed more than 100 times with no replies?  :( Oh well, maybe a bump will bring the topic to the attention of someone with something to say.
...

azche24
« Reply #2 on: January 21, 2006, 09:12:21 PM »
Hi,
Quote from: "MSmith"
Yep, I know it's secure, but I want to make it INsecure.  Because in a lot of small offices,

Insecure is a weak word for what you (or maybe some customers of yours) intend. Such a box is a playground for attackers, thrown-out employees, and so on.

Why not create ibays with write/read for everyone? So nobody can track the guy or lady who deleted the whole accounting stuff  :hammer:

But guest access? NO.

Search for samba config SME7 in the forum. I followed those directions to set an ibay to force user = office for some special application.

The directions remain the same. But better not to do it.  ;-)
Alexander Ziemann, Berlin - DE

MSmith
« Reply #3 on: January 21, 2006, 11:32:34 PM »
Actually, I agree with you that it's a mistake, but as an outside consultant I cannot *dictate* to, say, the office manager if he/she wishes the server set up that way.  All I can do is get it in writing and make sure the backup strategy is valid and functioning properly, to recover from just such an issue as you describe.  As for outside attackers, insisting on good firewalls & intrusion detection *is* something I can demand.

So yes, I know, it's a bad idea, but it's been useful to be able to do it anyhow.
...

azche24
« Reply #4 on: January 22, 2006, 08:13:10 AM »
Quote from: "MSmith"
Actually, I agree with you that it's a mistake, but as an outside consultant I cannot *dictate* to, say, the office manager if he/she wishes the server set up that way.
Poor manager. In my small company he would get fired, if he does not listen to an external consultant  :cry:

You are done when you follow Charlie's instructions at the end of this post http://forums.contribs.org/index.php?topic=29539.0.

You should insert a value like 'guest ok = yes' into
/sbin/e-smith/db accounts setprop test VALUE
and then query that by a template in /etc/e-smith/templates-custom/etc/smb.conf/ibays.

There you can change your values only for the [TEST] ibay.

Or you simply add a 91ibay custom-template, where you modify the wanted settings. But this perhaps will get mixed up, when your client or someone adds new ibays.

I would love someone to write a server-manager panel, where you can add or change values like force user = johnnydepp for single ibays.
Alexander Ziemann, Berlin - DE

azche24
« Reply #5 on: January 22, 2006, 11:31:12 AM »
Hi,

checked it again. It is even easier:

1. Copy /etc/e-smith/templates/smb.conf/11guestOk to .../templates-custom/...
2. Change no to yes and there you are.
Alexander Ziemann, Berlin - DE

tog
« Reply #6 on: February 04, 2006, 06:26:42 AM »
When you say that you cannot "drag and drop" files, do you mean in Windows Explorer?  That shouldn't be an issue with Samba.  If everyone can write to the folder, you should have "drag and drop" access.

Also, I appreciate the fact that you are opening up the server.  Clients sometimes need simplicity; simplicity has value.  There isn't an unsecured wireless access point, right?