Background:
I am setting up a Linux box for a local accounting office. The purpose of the box is to alleviate the threat of viruses that have access to the network via USB drives. Please keep in mind that this office needs the highest security possible. My configuration is attempting to leverage Samba to allow members of the already configured (and highly secure) Windows 2008 Server to access the Samba share. I have added the user name of each of the people who need to access the Linux box to the system but have not added passwords as the passwords on the Windows Server are required to change quite often. Attempting to manage a password database on the Linux box is to be avoided if at all possible.
Requirements:
- No password authentication required for logged-in Windows users to access Samba share.
- As little manipulation of current Windows security policies as possible.
- All users who access the share should have full read and write permissions (execute is NOT necessary).
Problem:
Currently, all attempts to connect to the Samba server by unauthenticated users are met with an error on the Windows side saying "Access to the resource {insert IP address} has been disallowed." Samba is running with the following smb.conf file that I built from scratch:
```
[global]
workgroup = {Windows Domain Name}
server string = Removable Media Server
security = share

[media]
path = /media
writable = yes
browsable = yes
guest ok = yes
guest only = yes
force directory mode = 0666
force create mode = 0666
```
Samba version is 3.6.9. Samba's testparm command returns no errors. I have always restarted the Samba server after making changes to the Samba configuration.
What I have tried:
In smb.conf:
- Setting security to user.
- And just about every setting I have run across.
Other things of note:
The Samba share IS seen by the Windows domain and is actually accessible from a Windows administrator session.
One more thing: I am very new to Samba so please bear with me.
Best Answer
Well, the first thing I was going to suggest was to set:
But then I saw this in the Samba doc's chapter on Domain Membership:
Is it feasible for you to set up an account for each user that will be connecting?
I've never set up a Samba share inside a Windows domain, but here's a link to the Samba doc on Domain Membership that I quoted above: Samba Domain Membership
Give the doc a look, and maybe it'll help you with what you need to do.
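The guest-access settings in the question's smb.conf can be checked mechanically before a share like this goes live. The following Python is an added example, not part of the original question or answer; `parse`, `enabled` and `audit` are hypothetical helper names, and the sample text is the posted configuration reproduced as constructed input.

```python
# Added example; parse/enabled/audit are hypothetical names, not Samba tooling.
TRUE = {"yes", "true", "1"}
# smb.conf synonyms folded to one canonical name (spaces already removed).
SYNONYMS = {"public": "guestok", "onlyguest": "guestonly",
            "writeable": "writable", "writeok": "writable"}
# Constructed sample: the configuration posted in the question.
SAMPLE = """\
[global]
workgroup = {Windows Domain Name}
server string = Removable Media Server
security = share
[media]
path = /media
writable = yes
browsable = yes
guest ok = yes
guest only = yes
force directory mode = 0666
force create mode = 0666
"""

def parse(text):
    """Return {section: {param: value}}; names ignore case and whitespace."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()
            section[SYNONYMS.get(key, key)] = value.strip()
    return conf

def enabled(share, glob, param):  # share value, else the [global] default
    return share.get(param, glob.get(param, "no")).lower() in TRUE

def audit(text):
    conf, findings = parse(text), []
    glob = conf.get("global", {})
    if glob.get("security", "").lower() == "share":
        findings.append("global: security = share is deprecated in Samba 3.6")
    for name, share in conf.items():
        if name != "global" and enabled(share, glob, "guestok"):
            if enabled(share, glob, "writable"):
                findings.append(f"{name}: guest account can write, no password")
            if enabled(share, glob, "guestonly"):
                findings.append(f"{name}: only guest connections are permitted")
    return findings
```

Calling `audit(SAMPLE)` returns three findings for the posted configuration; the check only reads the text and does not replace `testparm`.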