Topic: latest samba update breaks anonymous share [SOLVED]

[Frank VB]

I've been running a server for about 3 years on which I set up an ibay which is used as a network shared drive. I turned this share into an anonymous share (for particular reasons). I did this by creating two custom templates (in /etc/e-smith/templates-custom/etc/smb.conf). One contains the line:

Code: [Select]

guest ok = yesThe second one contains this fragment (I replaced "user" by "share" in the last line):

Code: [Select]

}
security = {
    if ($smb{ServerRole} eq "DM") {
        "domain";
    } elsif ($smb{ServerRole} eq "ADS") {
        "ADS";
    } else {
        "share";
    }
}
Now this has all been working flawlessly until I updated this server on friday to the latest samba (version 3.6.23-6). This morning users reported they couldn't access the share anymore. They can see it but they can't access it. I checked whether the samba service is up and running (it is).

I've a little bit of the flu at the moment so I would like to find a quick work around for this problem. My question: is it save to do a downgrade of samba (and all other samba packages) to the previous version and is this the correct syntax:

Code: [Select]

yum downgrade samba3x samba3x-client samba3x-common samba3x-winbind
I'm reporting this issue on the forum and not in the bugtracker since an anonymous share is not an out of the box feature of SME server but a tweak I implemented myself.

TIA
Frank

[guest22]

Hi Frank,

the change log of samba3x version 3.6.23-6 shows:

# rpm -q samba3x --changelog
* Wed Jul 09 2014 - Andreas Schneider <asn@redhat.com> - 3.6.23-6
- resolves: #1110729 - Fix write operations as guest with 'security = share'.

That might imply that you have been putting a security hole to practical business use...

As for the downgrade, I would give it a try on a non production VM on e.g. VirtualBox to test.

HTH

guest

[guest22]

ps. one might want to implement the yum change log, and manually supervise any updates:


http://wiki.contribs.org/Yum-changelog

[Frank VB]

Thank you HF, for pointing to the samba changelog and yum-change rpm. I had already googled that samba behaviour had changed. Normally I apply updates only after applying them on a test server and waiting two weeks before applying them to production servers (unless the updates are critical such as the bash update). But it seems this time I was caught by surprise.
Anyway, it doesn't solve my problem. As a workaround, instead of downgrading, I've removed the custom-templates and switched back to a normal ibay/share. I created a user on the server and instructed my users to connect to the share using the user account.
As for a final solution, I either have to find a new way for implementing anonymous access or I have to create a user account on the "broken" server with exactly the same logon credentials as on my main server (which acts as a DC). We're talking about 20-25 accounts. It is not a disaster but it certainly isn't practical in terms of maintenance.
I wonder if I'm the only one who is using this "it is not a bug, it is a feature" or maybe I should say "it WAS a bug ..."
Regards
Frank

[stephdl]

I know another user, a sysadmin in a french college, he needed this feature for collecting the works of student. In fact the network share is in free access but without permissions of browsing and reading/removing.

so the student can give his work without password but he cannot see others works.

Unfortunately for now he has to downgrade to keep this feature.

[janet]

The concept referred to here may be useful.
http://wiki.contribs.org/User_homes_admin_access

It is not exactly the same situation but may help or guide.

[Frank VB]

The concept referred to here may be useful.
http://wiki.contribs.org/User_homes_admin_access

It is not exactly the same situation but may help or guide.

Thank you Janet. I will have a look at this.
Frank

[guest22]

There is also the nice SharedFolder contrib http://wiki.contribs.org/SharedFolders

[Frank VB]

Just to give an update on the final solution I implemented. The network share in question is mounted by a logon script which is set in the gpedit.msc management console. I added the username and password to the net use command:

Code: [Select]

net use s: \\servername\sharename passw0rd /user:dummy /p:yes
As a result the share is mounted automatically and can be accessed without the user having to enter a username and/or password. Of course this means that I had to boot up each client computer and change the script, but luckily I only have to do this once and only about 15 computers were involved.

Again, thank you all for your input.
Frank

[guest22]

Again, thank you all for your input.
Frank

And thank you for your feedback and final resolution that works the best for you.