2

I'm trying to replace an old Windows 2000 server that is current set up with a number of open anonymous shares used by a legacy application that must remain in production for a few more years. I spent a few hours trying to create anonymous shares on a 2008 R2 box but gave up. My next idea was to use Samba (3.4.7) to create an anonymous share, and following this quick-n-dirty HowTo: http://www.debuntu.org/samba-how-to-share-files-for-your-lan-without-userpassword/, I set up a Lucid Lynx box to do just that. Works great... as long as you're on the same subnet as the Samba server.

So our subnets are roughly set up thusly:

  • 172.21.11.0/24 - Linux servers
  • 172.21.110.0/24 - Test PCs (Win7 x64)
  • 172.18.224.0/20 - Production PCs (Win7 x64)
  • 204.133.165.0/24 (treated as an internal network, don't ask) - Old server subnet

And the specific machines I'll be discussing are:

  • 172.21.11.24 - Samba server (wrc-deploy)
  • 172.21.110.68 - My test PC (Win7 x64)
  • 204.133.165.24 - Old Windows 2000 server

So from another Linux server, I can do the following without a problem:

jheese@wrc-aptcache1:~$ smbclient -NL wrc-deploy
Domain=[WELDCORCC] OS=[Unix] Server=[Samba 3.4.7]

        Sharename       Type      Comment
        ---------       ----      -------
        APS             Disk      APS share
        CARSBIN         Disk      CARSBIN share
        CARSPROJ        Disk      CARSPROJ share
        CivilDocs       Disk      CivilDocs share
        DA_CrystalEase  Disk      DA_CrystalEase share
        RMSDist         Disk      RMSDist share
        RMSDistTRN      Disk      RMSDistTRN share
        RMSTools        Disk      RMSTools share
        TibCAD          Disk      TibCAD share
        IPC$            IPC       IPC Service (wrc-deploy)
Domain=[WELDCORCC] OS=[Unix] Server=[Samba 3.4.7]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            WRC-DEPLOY
jheese@wrc-aptcache1:~$ smbclient -N //wrc-deploy/RMSDist
Domain=[WELDCORCC] OS=[Unix] Server=[Samba 3.4.7]
Server not using user level security and no password supplied.
smb: \> ls
  .                                   D        0  Mon Mar 25 15:44:53 2013
  ..                                  D        0  Mon Mar 25 15:24:20 2013
  test                                A        0  Mon Mar 25 15:45:01 2013

                60617 blocks of size 262144. 49484 blocks available
smb: \> q
jheese@wrc-aptcache1:~$

Great!

However, from my Windows test PC on the 172.21.110.0/24 subnet, if I try to browse to \wrc-deploy or \wrc-deploy\RMSDist, say, I get "The account is not authorized to log in from this station."

However, and I think this is key, I can browse to \172.21.11.24 and \172.21.11.24\RMSDist without a problem... DNS is absolutely working properly, and I can ping, telnet, etc. to the name "wrc-deploy" from my test PC without a problem.

Also, I know that it's not the old NTLM/LM security options because I can hit the old Windows 2000 server's shares from my test PC without a problem, and it's on the old server subnet, 204.133.165.0/24.

To my knowledge, no WINS server has ever been configured on this network, nor do we have any broadcast forwarding configured on our routers to make the old server's shares browse properly.

I've Googled the crap out of this, including the specific error message, seeing about using Samba 4.x to do this instead of Samba 3.x, whether WINS is necessary (I'd really like to not have to go this route if possible), and everything else, but I can't find anyone else in this same situation.

So, can anyone please suggest ways to make this work. I don't care how it's done, but the requirements are:

  1. Anonymous CIFS shares
  2. Works by name across subnets
  3. Without a WINS server on each subnet (we have waaaaay too many subnets, some in weird places)
  4. (Preferably) Without WINS altogether

Let me know if you need any specific information as far as config files, versions, or diagrams. Thanks in advance!

Regards, Jon Heese

Jon Heese
  • 147
  • 1
  • 2
  • 13
  • No answer, but some background on why it's not working on Windows 2008. There's no such thing as anonymous permissions being granted rights any more. It still shows up, but for the most part doesn't work any more in Windows 2008. Mainly because the "Everyone" virtual account actually maps to authenticated users now. – mrdenny Mar 26 '13 at 17:42
  • There ya go. I kinda figured it was something like that. Interestingly, I found plenty of folks out there that claimed they'd gotten it working, but it sure smelled like a wild goose chase to me. – Jon Heese Mar 26 '13 at 18:07
  • Good luck getting the Samba stuff working. Wish I had more useful info than generic Windows 2008 Jeopardy trivia. – mrdenny Mar 26 '13 at 18:41
  • Everyone still has more in it then authenticated users. It contains a few extra system accounts that dont authenticate. You want the anonymous sid which must be specificlly placed on the ACL now. – Nick Young Jan 13 '16 at 12:07

1 Answers1

0

Okay, I ended up posting to the Samba users mailing list and someone suggested that I try the advice on this blog post:

http://blog.realcomputerguy.com/2010/12/samba-and-guest-shares-with-security.html

So I added the following lines to my config:

[global]
  ...
  security = user
  Map to guest = Bad User
  username map = /etc/samba/smbusers
  ...

[theshare]
  guest ok = yes

And created /etc/samba/smbusers with the following contents:

nobody = guest

Restarted smbd, and voila, she works!

Jon Heese
  • 147
  • 1
  • 2
  • 13