Problem with the Public option under SMB/CIFS, Shares

  • Hi,
    I started a new thread with this, but this is the continuation of my last post in this one: Questions about OMV. Is it the right NAS distro for me?.


    Here is how I setup my different shares:

    USERS AND GROUPS:

    USERS: user1, user2
    GROUPS: admins, members
    admins: user1
    members: user2


    Access Rights Management, Shared Folders:
    public (Permissions: root: read/write, users: read/write, others: read/write | Privileges: admins: read/write, members: read/write)
    share (Permissions: root: read/write, users: read/write, others: read-only | Privileges: admins: read/write, members: read-only)
    users (Permissions: root: read/write, users: read/write, others: none | Privileges: admins: read/write, members: read-only)


    Access Rights Management, Users, Settings:
    -User home directory
    Enable: Yes
    Location: users


    Services, SMB/CIFS:
    -General Settings
    Enable: Yes
    Workgroup: WORKGROUP
    Description: %h server
    Local Master Browser: Yes
    Time Server: Yes
    -Home directories
    Enable home directorie: Yes
    Browsable: No (If I tick it I can see 2 home directories, one called "homes" and another one with the with the account name. Both have the same path. Why does it do that? Is it normal? Why can't I only see the homes folder?)
    -WINS:
    WINS Support: Yes
    -Advanced settings:
    Null Passwords: Yes
    Use sendfile: Yes
    Asynchronous I/O: Yes


    Services, SMB/CIFS, Shares:
    -public and share settings
    Public: Guest allowed
    Read only: No
    Browsable: Yes
    Inherit ACLs: Yes
    Inherit Permissions: Yes
    Recycle bin: Yes (0 | 2)
    Hide dot files: Yes
    I didn't select or add any other options.


    Everything works fine as long as I am logged on with existing USERS. They all have a home directory listed under their names. The GROUP admins can read/write in public and share. The GROUP members can only write in public and read in share. Although, when I try to access to public or share with a client that has no credentials, it prompts a log box. What should I do to be able to allow people with no logins to have read in public and share and write in public? I don't get where my mistake is here.

  • I can't help you too much now, but take a look at these directives below in google, to put in extras


    map to guest = Bad User
    security = user
    guest account = pcguest

    I'll explain later i have to go now.


    Edit: these are already defined. Guest account is mapped to nobody. Testing these in my VM it only works with Guest only, and with no write permission. Since the share ownership is root:users,i believe you have to give perms to nobody.
    For these to work I did it using the ACL button and giving nobody the desired permissions.
    Tell me how it goes

  • I surfed with lines u gave me and adding some modified versions of them and nothing. I also came to the conclusion that it must be because nobody has no permissions, but I thought it would have them because I gave others write in public and read in share. I edited the /etc/group and added nobody to users and to members. Again, nothing... I guess, I will have to try and find another solution in the way to deal with it because I don't want to go the ACL way, I think it could end up messing my other settings.


    I mean, if I go ACL, that means I would have to set everything using it instead of privileges right? At what level does ACL works? On top of privileges or under it?

  • The user nobody is already defined. Also nobody doesn't belong to users groups. So in the privileges schema it doesn't have permission.
    My first approach to this was to define a guest user account with no password, using the directives that I pointed before, but then i realised that omv already defines guest account to nobody. The account nobody is already defined, OMV won't let change that.


    The privileges schema works on the sharing system layer (with 775 root:users). ACL act on file permissions in an extended way, remember is only user, group and others, so acl permits an extension to more users and groups.


    Set your privileges. Don't change the default perms on the folder. Go to ACL, and give user nobody read-only and apply recursively.
    This worked for me in mac os x. Tomorrow ill test in windows.


  • I did try to give read/write to nobody using acl and nothing. You know what, instead of having a headache over this little inconvenient, I will setup a guest account with a password and give it to the occasional users. It should also make it simpler when I want to set my ftp using the same permissions/privileges, accounts and group.


    Oh, sry, didn't see your second post, I'll give it another try with this. :P

  • You're right, it does get fuzzy when there are other user privileges set for the share.
    My original testing didn't include the other users. I think is the valid users directive.


    In the extra options for the share try adding


    valid users = "nobody" and control your guest RW or RO with the ACL for nobody

  • OK!
    I think I figured it out. I will confirm it tomorrow after a good sleep. I decided to untick everything in privileges and manage all the permissions with ACL.
    I messed around with different configs though, and I really sleepy, so there might be something else, but for tonight I come to the conclusion that this is one or the other. If you want guest access the way I do you need to use the ACL and not touch the Privileges options. All in all, it seems like working for now! I will add the solved tag tomorrow after confirming that this is the only thing I did.


    Good Night and thank you! :)

  • Tell me how it goes with ACL. The other way around is to setup the share with no privileges, guest allowed. You define read only in the tickbox for guests.


    Then if you want some users to access that guess share and be able to write to it, use:


    write list = "user1","user2"


    in the extras box for the share.


    For this you will need in windows to map the network drive and check option login with other credentials. Otherwise the default will be with no login (guest).
    The problem from before is that guest allowance contrasts with valid users, which denies access to nobody (in this case guest)

  • In the end it wasn't solved because it won't restrict any users if I use the ACL. It's logic, all the created users are part of the group users that has read/write access.
    Isn't there a way to add nobody to my members group? It would solve everything. Or can I add groups to the write list instead of users? It doesn't work when I do it. It would be easier to add users by groups than one at the time and would automate things when I add new users.

  • I don't think you can add nobody to users group.


    If you want another guest account different than nobody, try and map it yourself in global, map to guest and point to another user (pcguest for example). Like the original directives I've point you in the extras options, to check if they override the default ones (nobody)


    You will need then to create this account in CLI with null password (blank). Then he should appear in Users in webUI. From there add a comment blah blah and save it, so OMV syncs with smbpasswd. You can't create users with blank passwords in OMV.


    If the mapping directive effectively overrides the default nobody, then you can control from privileges RW or RO for pcguest.


    This is a guess, i'll test it later in VM. Did you try my previous post with write list directive? and eliminating privileges and ACL.

  • Well, I give up. I did try that too. I created a new user with a blank password using the CLI. I also tried creating a user using the WebGUI and then removing its password with CLI. I used this in the extras: guest account = pcguest
    map to guest = bad user. Nothing worked. I don't think that setting shares with guests allowed and login users is that unusual. It should be something you could try to implement in the future.


    My solution: set a guest user with a password and give it to the users with no logins. I just hope that multiple users can use it at the same time...


    Should a bug report be submit about this?


    Thank you for all your help though, it is really appreciated.

  • I did not read every word but why don't you change the permissions of the share on the filesystem, to the permissions you want? And then change the samba share to guest allowed.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

  • I did not read every word but why don't you change the permissions of the share on the filesystem, to the permissions you want? And then change the samba share to guest allowed.


    I did try to give the permissions to nobody using ACL, but it gets blocked because it's not part of the groups that are set and allowed at the privileges level.

  • After giving some thoughts to your suggestion I think I misunderstood it. If I go like you say, I would have to set no privileges at all and manage everything at the filesystem level. Won't I run into trouble with other services later if I change the default root:users on the different shares?

  • No you missunderstood me both times, or I did missunderstand you?


    What I understand: You want some users via username to have access to a share and also allow guest acces, right? Which permissions should this guest users have? only read? or write too?


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

  • Read-only on share
    Read/Write on public


    If you look at the settings I posted top, this is my actual configuration. I went back to it after trying different things.
    I think that the problem comes from the fact that nobody is not part of the groups which are given the privileges needed to access the different share.
    -Keeping the privileges settings and clicking ACL to give nobody the needed permissions, but nothing.
    -Setting privileges to nothing and managing all rights through ACL gives all user Read/Write on all shares.
    -Trying using CLI to add a user pcguest with a blank pass and map it to the guest account in samba didn't work.


    No matter what I try I keep getting a log box asking for a password when trying to access it as a guest. With the config I posted at the beginning of the thread, everything is perfect except that I can't use the guest option. I am pretty sure that for some reason the nobody account doesn't get through the privileges level because it is not part of any group created. Maybe, if the account nobody is added to the privileges window, it could solve the problem? I don't know, this my noob point of view, I might be missing something here. As I said before, this is not such a big deal, I can manage having a guest account with a password and just hand it to the ones that need it.

  • Ignore ACL, this can be done via normal permissions and tweaking your filesystem permissions a little bit.


    Setup the "share" like you would allways do and just set it to guests allowed. This should be all for it.
    for a public share you have to do the same, but for it to be writeable you have to chmod o+w the shared folder via CLI.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!