How can I use docker without sudo?

Question

tudor -Reinstate Monica-

Asked: 2018-01-24 18:07:06 +0800 CST2018-01-24 18:07:06 +0800 CST 2018-01-24 18:07:06 +0800 CST

Group shares not listed by smbtree, nautilus due to not asking for password

772

We recently migrated to Samba 4.4.16 (from 3.5.15).

Our configuration contains a number of shares which have group access only (@group or +group) which map to unix groups. Here's an excerpt of the config:

[global]
bind interfaces only = yes
interfaces = lo eth0
netbios name = OURSERVER
server string = Office Intranet (OURSERVER) Server Version %v
workgroup = WORKGROUP
domain master = yes
preferred master = yes
os level = 34
dns proxy = no
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
nmbd bind explicit broadcast = No
printcap name = cups
name resolve order = wins hosts
passdb backend = tdbsam:/etc/samba/passdb.tdb
obey pam restrictions = yes
passwd chat debug = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*        %n\n *password\supdated\ssuccessfully* .
pam password change = yes
security = user
encrypt passwords = yes
map to guest = Bad User
wins support = Yes
idmap config * : backend = tdb
cups options = raw
use client driver = Yes
hosts allow = 127.0.0.1 192.168.0.0/24
case sensitive = no
invalid users = root
username map script = /bin/echo
restrict anonymous = 2

[homes]
comment = Home Directories
path = /data/home/%u
hide files = /.*/
veto files = /.*/lost+found/bin/httpd/public/.vacation.*/.forward/
follow symlinks = No
create mask = 0755
read only = No

[Stuff]
comment = All your base are belong to us
path = /data/shares/stuff
hide files = /.*/
veto files = /.*/lost+found/bin/httpd/public/.vacation.*/.forward/
follow symlinks = No
access based share enum = Yes
create mask = 0770
directory mask = 0770
force group = entitled
force user = docman
read only = No
valid users = @entitled

This works on smbclient -L OurServer:

$ smbclient -L OURSERVER
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\funster's password: 
Domain=[OURSERVER] OS=[Windows 6.1] Server=[Samba 4.4.16]

Sharename       Type      Comment
---------       ----      -------
homes           Disk      Home Directories
funster         Disk      Home Directories
Stuff           Disk      All your base are belong to us
IPC$            IPC       IPC Service (Office Intranet (OURSERVER) Server Version 4.4.16)

Server               Comment
---------            -------

Workgroup            Master
---------            -------
WORKGROUP

But not on smbtree or Nautilus because neither ask for a password by default:

$ smbtree
WORKGROUP
    \\OURSERVER                 Office Intranet (OURSERVER) Server Version 4.4.16

However:

$ smbtree -Ufunster%p4ssw0rd
WORKGROUP
    \\OURSERVER                 Office Intranet (OURSERVER) Server Version 4.4.16
        \\OURSERVER\funster         Home Directories
        \\OURSERVER\IPC$            IPC Service (Office Intranet (OURSERVER) Server Version 4.4.16)
        \\OURSERVER\homes           Home Directories
        \\OURSERVER\Stuff           All your base are belong to us

Without restrict anonymous = 2, anonymous logins are allowed, BUT Nautilus and smbtree shows only the homes share even though the others are accessible directly.

How can I force Nautilus and smbtree to ask for a password so that it sees the group shares?

1 Answers

Voted

Elder Geek · Answer 1 · 2018-02-08T12:36:13+08:00

As indicated in @Robert Riedl comment the man page for smbtree make it clear that the -N --no-pass switch will suppress the normal password request.

The possibilities that come to mind and the solutions are as follows.

1) It's possible that an alias was set for smbtree you can check this with the command alias | grep smbtree and if you get output similar to alias smbtree='smbtree -N'or alias smbtree='smbtree --nopass' you can remove the alias with the command unalias smbtree

2) You have discovered a bug and should report it. so that it can be squashed by the developers.

3) The only other way I know of that this can occur is if you designate a section as a Guest Service in smb.conf by using the guest ok = yes line in the share configuration. See this excerpt from the related man page

If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.

This parameter nullifies the benefits of setting restrict anonymous = 2

See the section below on security for more information about this option.

Default: guest ok = no

The solution to this is to remove the guest ok = yes from the share configuration so that it reverts to the default.

If as you surmise this is related to the group assignment:

If the force user parameter is also set the group specified in force group will override the primary group set in force user.

force group (S)

This specifies a UNIX group name that will be assigned as the default >primary group for all users connecting to this service.

This is useful for sharing files by ensuring that all access to files on >service will use the named group for their permissions checking. Thus, by >assigning permissions for this group to the files and directories within >this service the Samba administrator can restrict or allow sharing of these files.

In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.

    Default: force group =

    Example: force group = agroup

To dive deeper into all things samba visit here.

Sources:

How do I report a bug?

http://manpages.ubuntu.com/manpages/trusty/man1/alias.1posix.html

http://manpages.ubuntu.com/manpages/xenial/man1/unalias.1posix.html

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

Group shares not listed by smbtree, nautilus due to not asking for password

How to install Google Chrome

Is there a command to list all users? Also to add, delete, modify users, in the terminal?

How to delete a non-empty directory in Terminal?

How to unzip a zip file from the Terminal?

How can I copy the contents of a folder to another folder in a different directory using terminal?

How do I install a .deb file via the command line?

How do I run .sh scripts?

How do I install a .tar.gz (or .tar.bz2) file?

How to list all installed packages

Unable to lock the administration directory (/var/lib/dpkg/) is another process using it?