1.12. Configuring a share to allow access without authentication
In certain situations, you want to share a directory to which users can connect without authentication. To configure this, enable guest access on a share.
Shares that do not require authentication can be a security risk.
1.12.1. Enabling guest access to a share
If guest access is enabled on a share, Samba maps guest connections to the operating system account set in the guest account parameter. Guest users can access files on this share if at least one of the following conditions is satisfied:
- The account is listed in file system ACLs
- The POSIX permissions for other users allow it
Example 1.6. Guest share permissions
If you configured Samba to map the guest account to nobody, which is the default, the ACLs in the following example:
- Allow guest users to read file1.txt
- Allow guest users to read and modify file2.txt
- Prevent guest users from reading or modifying file3.txt
-rw-r--r--. 1 root root 1024 1. Sep 10:00 file1.txt
-rw-r-----. 1 nobody root 1024 1. Sep 10:00 file2.txt
-rw-r-----. 1 root root 1024 1. Sep 10:00 file3.txt
Procedure
- Edit the /etc/samba/smb.conf file:
  - If this is the first guest share you set up on this server:
    - Set map to guest = Bad User in the [global] section:

          [global]
          ...
          map to guest = Bad User

      With this setting, Samba rejects login attempts that use an incorrect password unless the user name does not exist. If the specified user name does not exist and guest access is enabled on a share, Samba treats the connection as a guest login.
    - By default, Samba maps the guest account to the nobody account on Red Hat Enterprise Linux. Alternatively, you can set a different account. For example:

          [global]
          ...
          guest account = user_name

      The account set in this parameter must exist locally on the Samba server. For security reasons, Red Hat recommends using an account that does not have a valid shell assigned.
  - Add the guest ok = yes setting to the [example] share section:

        [example]
        ...
        guest ok = yes

- Verify the /etc/samba/smb.conf file:

      # testparm

- Reload the Samba configuration:

      # smbcontrol all reload-config
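
To audit the result of this procedure, the following Python sketch lists the shares that have guest access enabled and checks that the guest account exists locally and has no valid login shell. It is an added example, not part of the Red Hat documentation or of Samba. The sample configuration, the svc_guest account and the list of non-login shells are assumptions, and the parser does not follow include directives or line continuations.

```python
import re

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
TRUE = {"yes", "true", "on", "1"}  # boolean spellings Samba accepts

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, whitespace removed."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def audit_guest_access(conf_text, passwd_text):
    """List guest-enabled shares and check the guest account's login shell."""
    conf = parse_smb_conf(conf_text)
    glob = conf.get("global", {})
    account = glob.get("guestaccount", "nobody")  # nobody is the default mapping
    # 'public' is a synonym of 'guest ok'; a value in [global] is the share default.
    dflt = glob.get("guestok", glob.get("public", "no"))
    shares = sorted(n for n, p in conf.items() if n != "global"
                    and p.get("guestok", p.get("public", dflt)).lower() in TRUE)
    fields = (l.split(":") for l in passwd_text.splitlines())
    shells = {f[0]: f[6] for f in fields if len(f) == 7}
    findings = []
    if account not in shells:
        findings.append(f"guest account {account!r} does not exist locally")
    elif shells[account] not in NOLOGIN_SHELLS:
        findings.append(f"guest account {account!r} has login shell {shells[account]}")
    return {"map_to_guest": glob.get("maptoguest", "Never"),
            "guest_account": account, "guest_shares": shares, "findings": findings}

# Constructed sample input (not from a real server); svc_guest is a made-up account.
SAMPLE_PASSWD = "nobody:x:65534:65534::/:/sbin/nologin\nsvc_guest:x:1001:1001::/srv:/bin/bash\n"
SAMPLE_CONF = """[global]
    map to guest = Bad User
    guest account = svc_guest
[example]
    guest ok = yes
[Legacy]
    Public = True
"""
print(audit_guest_access(SAMPLE_CONF, SAMPLE_PASSWD))
```

On a server, pass the function the contents of /etc/samba/smb.conf and /etc/passwd.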