Samba Shares with security

Post by dcdeez » 2019/08/07 18:24:42

I was creating a Samba share on my CentOS 7 server and it works great, but when trying to access it from a Windows system with guest authentication disabled it fails with "You can't access this shared folder because your organization's security policies block unauthenticated guest access", which is by design.

All the tutorials online walk through creating a wide open share and then a secured share with a group. Creating only the secured group share, I would expect it to not get flagged as "unauthenticated guest access".
https://www.howtoforge.com/samba-server ... n-centos-7
https://medium.com/@alemartineeez/set-u ... 0e8b152af2

How do I tie down a samba share to not allow "unauthenticated guest access"?

smb.conf is below: (*with workgroup/domain, "netbios", "valid users" name changed)
-----------------------
[global]
workgroup = <domain>
server string = Samba Server %v
netbios name = <hostname>
security = user
map to guest = bad user
dns proxy = no

[secured]
path = /samba/secured
valid users = <GUID>
guest ok = no
writable = yes
browsable = yes
---------------------------

Thanks!

Post by ron7000 » 2019/08/17 00:31:10

[global]
         map to guest   {read samba web page}
[MyShare]
         path = /data/some_folder
         browsable = <yes | no>                { can omit this, will default to yes}
         writable = < yes | no >                 { can omit this, will default to yes}
         guest ok = no
         read only = <no | yes>                 { can omit this, will default to no}
         create mask = 660                       { created files via samba have -rw-rw---- }
         directory mask = 770                   { created folders via samba have drwxrwx--- }
         hosts allow = <ip_address/netmask>
         hosts deny = <ip_address/netmask>
         inherit acls = <yes | no>              { defaults to no if omitted, from security perspective yes is better }
         valid users = <username>
https://www.samba.org/samba/docs/curren ... onf.5.html

also check out
  • interfaces will let you segregate your shares if you have more than one network to deal with... eth1 in addition to eth0
  • invalid users
  • max connections can be useful, like if you know only 1 person such as yourself at any given time should be able to have Samba access
  • obey pam can be tricky, you need to know PAM (pluggable authentication modules under /etc/pam.d/)
  • min protocol I think smb1 or smb2 or smb3 are the only valid settings; 3 only works for Win10 last I knew, need at least 2 for Win10...
  • smb encrypt

What you want to do is smbpasswd -a <username> on your Linux system; that will create a local Samba account. Provided that username is the same on the Windows machine, and both passwords are the same, then the given user will be allowed access. If not, then in Windows a popup will appear to enter username/password credentials of a valid account on the Linux system. And map to guest, if set appropriately, will either allow or deny this popup: if your Windows account name is not the same as on Linux then you don't even get the popup for a chance to try a username and password. Once a good username/password is given, then move to the next step in the security chain per what's in /etc/samba/smb.conf. And none of this will happen if the connection is coming from a host deny IP address and/or not on the host allow list.

And then once in, you can further restrict access. For example, browseable prevents those shared folders in smb.conf from even showing up if the user doesn't have permissions to access that folder. You have to go through the Samba website and check out what options make sense for you.
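
An added example, not part of either post and not Samba's own tooling: a small Python check that reads an smb.conf and lists the settings that leave a path to guest access (`map to guest` other than `never`, `guest ok`/`public` enabled, a share with no `valid users`), plus any line that is not in `name = value` form. The sample config and the user name alice are constructed.

```python
import re
# Constructed sample, laid out like the configs in this thread (names are placeholders).
SAMPLE = """\
[global]
    map to guest = bad user
[secured]
    valid users = alice
    guest ok = no
[scratch]
    public = yes
"""
TRUE = {"yes", "true", "on", "1"}  # boolean spellings Samba accepts

def norm(name):  # Samba ignores case and whitespace inside parameter names
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    # Returns ({section: {param: value}}, [(line_no, malformed_line)]).
    conf, bad, section = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[norm(key)] = value.strip()
        else:
            bad.append((n, line))
    return conf, bad

def audit(text):
    """List settings that leave a path to guest (unauthenticated) access."""
    conf, bad = parse(text)
    out = [f"line {n}: not in 'name = value' form: {l!r}" for n, l in bad]
    glob = conf.get("global", {})
    mode = glob.get("maptoguest", "never")  # Samba's default is never
    if norm(mode) != "never":
        out.append(f"[global] map to guest = {mode}: failed logons can become guest sessions")
    for name, share in conf.items():
        if name == "global":
            continue
        guest = share.get("guestok", share.get("public", glob.get("guestok", "no")))
        if guest.lower() in TRUE:
            out.append(f"[{name}] guest ok/public = {guest}: share accepts guest sessions")
        if "validusers" not in share:
            out.append(f"[{name}] no 'valid users': no per-user restriction on the share")
    return out
```

Calling `audit(open("/etc/samba/smb.conf").read())` runs the same check on a real file; `testparm -s` remains the authoritative view of what Samba actually loaded.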
