Ticket #936 (closed enhancement: fixed)

Opened 3 years ago

Last modified 12 months ago

Disable authentication in SAMBA

Reported by: frediusdarde@…
Owned by:
Priority: normal
Milestone: Firmware 2.3.7.0
Component: fon-base-firmware
Version: N/A
Severity: normal
Cc: condellog@…, ilvalle@…
Hardware: both

Description

I wish I had the option to disable authentication on a Samba connection to USB hard drive connected to the fonera2.0n.

Attachments

samba-uci-allow-anon.patch (326 bytes) - added by "Giovanni Condello / Nanomad <condellog@… 2 years ago.
Add options to uci for security and guest_ok
reloadsamba-allow-anon.patch (1.3 KB) - added by "Giovanni Condello / Nanomad <condellog@… 2 years ago.
Use the previous options in ReloadSamba
restartsamba-allow-anon.patch (1.3 KB) - added by "Giovanni Condello / Nanomad <condellog@… 2 years ago.
Use the previous options in RestartSamba
fonera-samba-unauth-access.patch (2.6 KB) - added by "Giovanni Condello / Nanomad <condellog@… 2 years ago.
Final version of the patch with WebUI support

Change History

Changed 3 years ago by matthijs

  • status changed from new to confirmed
  • severity changed from unknown to normal
  • component changed from fon-network to fon-base-firmware
  • hardware changed from 2.0n (FON2300) to both
  • version changed from 2.3.6.1 (Gari jr.) to N/A
  • type changed from request to enhancement

This is related to #850 and should probably be fixed in one go.

Changed 3 years ago by jfgthomassen@…

agree

Changed 2 years ago by "Giovanni Condello / Nanomad <condellog@…

Add options to uci for security and guest_ok

Changed 2 years ago by "Giovanni Condello / Nanomad <condellog@…

Use the previous options in ReloadSamba

Changed 2 years ago by "Giovanni Condello / Nanomad <condellog@…

Use the previous options in RestartSamba

Changed 2 years ago by "Giovanni Condello / Nanomad <condellog@…

Submitted first set of patches to allow this feature.

You have to set:

samba.samba.guest_ok = yes
samba.samba.security = share

and then run ReloadSamba or RestartSamba.

Next set of commits will allow configuring this via the Web GUI.

Changed 2 years ago by "Giovanni Condello / Nanomad <condellog@…

Also, someone should review my work.

Changed 2 years ago by "Giovanni Condello / Nanomad <condellog@…

Last post, really. The last two patches are reversed (run the diff program with the parameters switched). + are - and vice-versa

Changed 2 years ago by matthijs

  • cc condellog@… added

Looking at your patch, it looks good. One remark, though: Perhaps it would make sense to have a single option, "anonymous" in the uci file instead of the separate security and guest_ok options you have now. For most end users, those two options are not meaningful, and they want just a single toggle: Allow anonymous logins. To make the luci web interface change two options with a single dropdown is probably possible, but a bit of a hassle. So changing over to a single uci configuration value and then making the ReloadSamba and RestartSamba scripts change both of the relevant settings based on that single uci config is probably the easier approach here.

Regarding the patch generation: It seems you use manual diff commands right now? If you edit the files with an svn checkout, you can also just use the "svn diff" command, which just shows the differences to the latest committed version. That might save you some headaches (no need to make a copy of every file you want to modify, for example).

Changed 2 years ago by anonymous

About diff: I know, but I was too sleepy to remember that.

I'll fix the patch as you suggested (since it also means less work for me, which is nice).

How about uci option samba.samba.disable_auth?

Changed 2 years ago by "Giovanni Condello / Nanomad <condellog@…

Final version of the patch with WebUI support

Changed 2 years ago by "Giovanni Condello / Nanomad <condellog@…

I've attached the final revision of the patch. This one can be fully used via the WebUI (the setting is under Dashboard >> Settings >> Fileserver).

Changed 2 years ago by matthijs

  • cc ilvalle@… added

#472 is a duplicate.

Changed 2 years ago by frediusdarde@…

Thanks! How can I install this on my fonera2.0n? I am a novice user :)

Changed 2 years ago by Giovanni Condello <condellog@…>

As a novice user, I wouldn't suggest that you apply this patch manually. Just wait for the firmware to be released when it's ready.

Changed 2 years ago by matthijs

I've applied and tested the patch, I'll commit it soon.

I made two changes: I renamed the option to "Anonymous", to be consistent with the equivalent FTP option and to prevent introducing a new string to be translated. Also, you didn't patch the ReloadSamba script, only the RestartSamba script. The former is used when reloading samba, for example when inserting a USB disk.

Thanks for the patch!

Changed 2 years ago by anonymous

Please take a look at bug #866, Revision [1726] patched only the RestartSamba script and not the ReloadSamba one. I'm writing this here since I cannot re-open that bug.

Changed 2 years ago by matthijs

  • status changed from confirmed to closed
  • resolution set to fixed

(In [1863]) samba: Add an option to enable anonymous access.

This adds a uci option, "allow_unauth", that can be set through the WebGUI and sets "guest ok = yes" and "security = share" in the generated smb.conf. This allows clients to connect without logging in using the router password.

Thanks to Giovanni Condello for this patch.

Closes: #936

Changed 2 years ago by matthijs

  • milestone set to Firmware 2.3.7.0

Changed 2 years ago by matthijs

While playing around with smb access today, I found that this patch doesn't quite work like it should. Since samba is mapping anonymous access to the "nobody" user, and not all filesystems are mounted world-writeable, I couldn't write to my disks using smb.

In particular, vfat seems to map everything to the fonero user, ntfs makes everything world-writable (so ntfs worked for me) and ext just uses whatever permissions are on the disk.

I guess that making samba map anonymous access to "fonero" instead of "nobody" would help here, without introducing extra problems. With ext filesystems this might still give permission denieds for existing disks that use different uids/permissions, but I guess that anyone using ext should be able to figure that out...

What filesystem were you using with this?

Changed 2 years ago by "Giovanni Condello / Nanomad <condellog@…

I was using NTFS I think. Maybe adding

guest account = fonero

to the "anonymous" smb.conf can fix this issue.

Changed 21 months ago by matthijs

  • status changed from closed to reopened
  • resolution fixed deleted

ould be able to figure that out...

What filesystem were you using with this?

Changed 21 months ago by matthijs

Hmm, ignore that last comment, apparently I accidentally pasted something in the comment box :-)

Changed 21 months ago by matthijs

  • status changed from reopened to closed
  • resolution set to fixed

(In [1980]) samba: Set guest account = fonera for anonymous access.

This makes sure that when anonymous access is enabled, anonymous users can actually write to the shares instead of just read.

Closes: #936

Changed 14 months ago by matthijs

  • status changed from closed to reopened
  • resolution fixed deleted

Seems the last fix isn't perfect either: Any files written while authentication is enabled are owned (and writeable only) by root, while any files written while authentication is disabled are owned by fonera. Also, any files owned by root are not readable when logging in anonymously...

Changed 12 months ago by matthijs

  • status changed from reopened to testing-fix

Changed 12 months ago by matthijs

  • status changed from testing-fix to closed
  • resolution set to fixed

(In [2071]) samba: Use "force user = root" for all shares.

Previously, each share had "admin users = fonero", which would cause logins as the fonero user to be mapped to the root user by samba. However, this did not work for anonymous logins, which were mapped to fonero by "guest account=fonero", but not mapped again due to the "admin users" setting. Using "force user = root" causes all connections (after any authentication required) to be mapped to the root user, allowing full access to all disks.

Closes: #936
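
An added example, not code from the Fonera firmware or from this ticket: a small audit that reads an smb.conf and flags the end state this ticket arrives at, guest access combined with "force user = root". The share name, path and the sample file itself are constructed for illustration.

```python
# Added example: audit an smb.conf for the anonymous-access settings from this ticket.
TRUE = {"yes", "true", "1"}

# Constructed sample modelled on the ticket's final state; share name and path are made up.
SAMPLE = """\
[global]
    security = share
    guest ok = yes
    guest account = fonero

[Disc-A1]
    path = /tmp/mounts/Disc-A1
    force user = root
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased, whitespace-normalised names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """List (share, finding) pairs for shares reachable without a password."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for name, params in conf.items():
        if name == "global":
            continue
        eff = {**glob, **params}  # share-level parameters in [global] act as defaults
        guest = eff.get("guest ok", eff.get("public", "no")).lower() in TRUE
        if not guest:
            continue
        account = eff.get("guest account", "nobody")  # Samba's default guest account
        forced = eff.get("force user")
        findings.append((name, f"guest access as '{forced or account}'"))
        if forced == "root":
            findings.append((name, "unauthenticated clients act as root"))
    return findings
```

Running `audit()` on the text of a generated smb.conf returns an empty list when no share accepts guest connections.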
