Accessing samba share from android

I've shared the USB disk attached to my OpenWrt router (here is a screenshot of the samba settings).
I am able to access its partitions from win8.1 with no problem.
But on android, setting access as "anonymous", I always get "access denied".
What's wrong?

After trial and error I found the solution.

The protocol was SMB, so to access a public file I found out I had to type user guest and password guest.

After that it worked.

And on the next connection attempts I could also log in using the "anonymous" flag in the login screen. I don't know if this is a bug of the Explorer (this is the name) app I am using; anyway, my problem was solved by using guest/guest.

You would be wise to update to OpenWrt 18.06 as well as the current samba as there have been several samba vulnerabilities patched in the last couple weeks (and more over the last year or more since "LEDE" was released).

Thank you for your prompt reply, but I get "access denied" even accessing as guest/guest.

Please post the output of:

  • /etc/config/samba
  • /etc/samba/smb.conf
  • /etc/samba/smb.conf-default

What app are you utilizing for accessing the shares on Android?

I think you would need to tick the allow guests option to allow anonymous users. In my case, this is how I use it. Also check that in the samba config and samba template, invalid users option does not contain anonymous user.

Content of /etc/config/samba:

config samba
        option name 'Lede'
        option description 'Lede'
        option autoshare '1'
        option homes '0'
        option workgroup 'WORKGROUP'

config sambashare
        option guest_ok 'no'
        option path '/mnt/sda1'
        option name 'part1'
        option read_only 'no'

config sambashare
        option path '/mnt/sda2'
        option read_only 'no'
        option guest_ok 'no'
        option name 'part2'

config sambashare
        option name 'part1root'
        option users 'root'
        option read_only 'no'
        option guest_ok 'no'

Content of /etc/samba/smb.conf:

[global]
        netbios name = Lede
        display charset = UTF-8
        interfaces = lo br-lan
        server string = Lede
        unix charset = UTF-8
        workgroup = WORKGROUP
        bind interfaces only = yes
        deadtime = 30
        enable core files = no
        invalid users = root
        local master = no
        map to guest = Bad User
        max protocol = SMB2
        min protocol = SMB2
        min receivefile size = 16384
        null passwords = yes
        passdb backend = smbpasswd
        security = user
        smb passwd file = /etc/samba/smbpasswd
        use sendfile = yes
        browseable = yes
        writeable = yes


[part1]
        path = /mnt/sda1
        read only = no
        guest ok = no

[part2]
        path = /mnt/sda2
        read only = no
        guest ok = no

No /etc/samba/smb.conf-default present.

Content of /etc/samba/smb.conf.template:

[global]
        netbios name = |NAME|
        display charset = |CHARSET|
        interfaces = |INTERFACES|
        server string = |DESCRIPTION|
        unix charset = |CHARSET|
        workgroup = |WORKGROUP|
        bind interfaces only = yes
        deadtime = 30
        enable core files = no
        invalid users = root
        local master = no
        map to guest = Bad User
        max protocol = SMB2
        min protocol = SMB2
        min receivefile size = 16384
        null passwords = yes
        passdb backend = smbpasswd
        security = user
        smb passwd file = /etc/samba/smbpasswd
        use sendfile = yes
        browseable = yes
        writeable = yes

The Android app is not important; I realized I get the same error using Ubuntu (Nautilus).

What user and group owns the files and directories within the share on OpenWrt?

Add the following to /etc/samba/smb.conf.template

  • log file = /var/log/samba_%m-%I.log
    • If the below does not work after you restart Samba, please post the log output

/etc/config/samba

  • Try the following:
    • option browseable 'yes'
    • option guest_ok 'yes'
    • option public 'yes'

config samba
    option  name          'Lede'
    option  autoshare     '1'
    option  description   'Lede'
    option  homes         '0'
    option  workgroup     'lan'
            # Should be local domain as set in /etc/config/dhcp
            # Really should be in /etc/samba/smb.conf.template

config sambashare
    option  name          'part1'
    option  browseable    'yes'
    option  create_mask   '0666'
    option  dir_mask      '0777'
    option  guest_ok      'yes'
    option  path          '/mnt/sda1/share1'   # Share needs to be a directory, not the root of a mount point, due to single-user OS
    option  public        'yes'
    option  read_only     'no'

config sambashare
    option  name          'part2'
    option  browseable    'yes'
    option  create_mask   '0666'
    option  dir_mask      '0777'
    option  guest_ok      'yes'
    option  path          '/mnt/sda2/share2'  # Share needs to be a directory, not the root of a mount point, due to single-user OS
    option  public        'yes'
    option  read_only     'no'


# Root Should Never Be A Samba User
  #config sambashare
  #    option  name          'part1root'
  #    option  browseable    'yes'
  #    option  create_mask   '0600'
  #    option  dir_mask      '0700'
  #    option  guest_ok      'no'
  #    option  read_only     'no'
  #    option  users         '<non-root user>'

  • Please Note:
    • option path directory should be owned by a user other than root
      • A Samba user, once created, must also be added to /etc/passwd and /etc/group

Can you explain why the root should never be the samba user?

Because SSHFS is more secure. I know there's more to it than that, however I can't recall the details from the writeup I read several years ago... I simply made a note that on a single user OS, root should never be a Samba user.

Could you elaborate on why you believe you would need root to be a Samba user?

I am not saying that I want to create another root user for Samba purposes, it is just that root is already available in the system so I can just use it to access samba share securely. In fact I am doing the same on my router. Should I create another user to just access Samba share?

Samba shares are typically intended for users that need a place to store data, not as a way to access the core filesystem and operation of the server on which it runs. By allowing root access to your samba shares, any misconfiguration or any vulnerability of the samba software or Microsoft authentication (and we know how "secure" Windows has proven to be) could immediately result in compromise of your router.

It is generally good practice to run services at the lowest privilege possible. While challenging on a device that ships with a single user, at least not allowing SMB credentials to be used to access highly privileged files is a good idea.

For managing the router itself, ssh, scp, sftp, rsync and the like are much better approaches than providing root access through samba.

Can you suggest how to check the owner of my samba share?

Anyway, your other changes haven't changed the result: access denied.
Moreover, all the log files in /var/log/ have size zero.

ls -ls /path/to/share

  • Should be owned by a Samba user and a Samba group, not root

At this point, I'd recommend flashing OpenWrt 18.06.1, as it's the most up to date version of OpenWrt.


I tried the log option on mine as well, and it seems OpenWrt's Samba package doesn't honor the log option.

  • Try the following:
    • logread | grep smb
    • logread | grep samba
  • If neither of those returns any log output, you're going to have to do some research to figure out how to get Samba to output to a log file

There's always the possibility the samba settings on your Android device are part of the issue... can you login to a Samba share on Android with a Samba user's username and password?

Forgive me, I haven't made a mistake when applying your instructions.
I added the first three lines of your "try the following" at the beginning of /etc/config/samba.
After recognizing my mistake and moving those lines inside each config sambashare section, the access denied issue disappeared!
Then I deleted each added line one at a time, until understanding which is the one that solved the issue. It is the following: option guest_ok 'yes'
Thank you for your patience.
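
The cause found above, as an added check that is not part of the thread: with map to guest = Bad User an unknown or anonymous login is treated as the guest account, and a share with guest ok = no then refuses it. The script also flags the two risks raised earlier (root named as a share user, guest shares left writable); the sample config is constructed and the finding codes are made up for this example.

```shell
# Added example: audit smb.conf for the settings discussed in this thread.
# Assumes the yes/no spellings used on this page; "public" is the Samba
# synonym for "guest ok". Reads the file given as $1, or stdin.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*([#;]|$)/ { next }                 # comments and blank lines
    /^[ \t]*\[.*\]/ {                          # section header
        sec = tolower(trim($0)); gsub(/^\[|\]$/, "", sec)
        if (sec != "global") order[++n] = sec
        next
    }
    {                                          # key = value line
        eq = index($0, "="); if (eq == 0) next
        conf[sec, tolower(trim(substr($0, 1, eq - 1)))] = tolower(trim(substr($0, eq + 1)))
    }
    END {
        mapped = (conf["global", "map to guest"] == "bad user")
        for (i = 1; i <= n; i++) {
            s = order[i]
            guest = (conf[s, "guest ok"] == "yes" || conf[s, "public"] == "yes")
            users = conf[s, "valid users"]
            if (users ~ /(^|[ ,])root([ ,]|$)/)
                print "ROOT-USER " s ": root is named in valid users"
            if (mapped && !guest && users == "")
                print "GUEST-DENIED " s ": unknown users are mapped to guest, but guest ok is not yes"
            if (guest && conf[s, "read only"] == "no")
                print "GUEST-WRITE " s ": writable without credentials"
        }
    }' "$@"
}

# Constructed sample, modelled on the configs posted in this thread.
sample_conf() {
    cat <<'EOF'
[global]
        map to guest = Bad User
[part1]
        read only = no
        guest ok = no
[part2]
        read only = no
        guest ok = yes
[part1root]
        valid users = root
        guest ok = no
EOF
}

sample_conf | audit_smb_conf
```

On the router the same function can be pointed at the generated file: audit_smb_conf /etc/samba/smb.conf.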

I would do it very willingly, if it were not for my fear of bricking my router...

18.06.1 is the most recent version of OpenWrt and will not brick your device.