Samba share for two users, with one user as read-only

Hello,

I have successfully set up a samba v2 share on my x86 router, which is accessible by my Android, iOS, Linux and Windows devices.

share name "nas" pointing to /mnt/ext_hdd
User A - nobody, no password, read only
User B - smb_admin, with password, read + write

User A is working fine on all devices.
User B is also working fine, except for Windows clients, which cannot log in, even if I set a blank password for user B.

I hope you guys can help me out here; below is my config.

/etc/passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
smb_admin:*:1000:65534:smb_admin:/var:/bin/false
/etc/config/samba
config samba
	option workgroup 'WORKGROUP'
	option name 'OPENWRT-ROUTER'
	option description 'OpenWrt SMB Server'
	option homes '0'

config sambashare
	option path '/mnt/ext_hdd'
	option browseable 'yes'
	option guest_ok 'no'
	option read_only 'no'
	option users 'smb_admin'
	option name 'nas_a'
	option create_mask '0700'
	option dir_mask '0700'

config sambashare
	option browseable 'yes'
	option name 'nas'
	option path '/mnt/ext_hdd'
	option read_only 'yes'
	option guest_ok 'no'
	option create_mask '0700'
	option dir_mask '0700'
	option users 'nobody'
/etc/samba/smb.conf.template
[global]
	netbios name = |NAME| 
	display charset = |CHARSET|
	interfaces = |INTERFACES|
	server string = |DESCRIPTION|
	unix charset = |CHARSET|
	workgroup = |WORKGROUP|
	bind interfaces only = yes
	deadtime = 30
	enable core files = no
	encrypt passwords = true
	invalid users = root
	local master = yes
	map to guest = Never
	max protocol = SMB2
	min protocol = SMB2
	min receivefile size = 16384
	null passwords = yes
	passdb backend = smbpasswd
	security = user
	smb passwd file = /etc/samba/smbpasswd
	use sendfile = no
	veto files = System Volume Information/$RECYCLE.BIN
/etc/samba/smbpasswd
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:31D6CFE0D16AE931B73C59D7E0C089C0:[U          ]:LCT-00000001:
smb_admin:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:31D6CFE0D16AE931B73C59D7E0C089C0:[U          ]:LCT-00000001:

I currently have a nas folder for nobody and a nas_a folder for smb_admin, to test things out.
Goal is to only have the nas folder with r/w access for smb_admin

On samba4 the below config should work in the way you want, by making the share read-only but giving special write access via "write_list" to the admin.

config sambashare
	option path '/mnt/ext_hdd'
	option browseable 'yes'
	option guest_ok 'no'
	option read_only 'yes'
	option users 'smb_admin, nobody'
	option write_list 'smb_admin'
	option name 'nas_a'
	option create_mask '0700'
	option dir_mask '0700'

The problem is that only samba4 has the write_list UCI option to give smb_admin write access. If you use samba36, you can add the feature yourself; just check my PR: https://github.com/openwrt/packages/pull/8943
The alternative is to ignore UCI and put your final share options directly into the template, including the write list = smb_admin option.

I would like to keep the samba36 repo version.

By final share you mean putting this in the conf template?

[mynas]
	path = /mnt/ext_hdd
	browseable yes
	guest_ok = no
	read_only = yes
	users = smb_admin, nobody
	write_list = smb_admin
	create_mask = 0700
	dir_mask = 0700

By doing so, everyone can access the mynas share without the need to provide a username.
The share is also read only.


UCI doesn't accept a change of "sambashare". Only the 2nd share is created but not accessible.


config samba
	option workgroup 'WORKGROUP'
	option name 'OPENWRT-ROUTER'
	option description 'OpenWrt SMB Server'
	option homes '0'

config sambashareadmin
	option browseable 'yes'
	option path '/mnt/ext_hdd'
	option read_only 'no'
	option guest_ok 'no'
	option name 'nas_a'
	option users 'smb_admin'
	option create_mask '0700'
	option dir_mask '0700'

config sambashare
	option browseable 'yes'
	option name 'nas'
	option path '/mnt/ext_hdd'
	option users 'nobody'
	option read_only 'yes'
	option guest_ok 'no'

Ah, you are right, I mixed something up. Yes, the share name is defined via option name 'nas_a'.

If you want to put the option directly into the smb.conf.template, you need to use the samba options. Just check the smb.conf for the dynamically created share section and copy only this into your template, including any extra option that's not supported by UCI.

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

[nas]
        path = /mnt/ext_hdd
        valid users = nobody
        write list = smb_admin
        browseable = yes
        read only = yes
        guest ok = no
        create mask = 0700
        directory mask = 0700

This is what I currently have in my samba conf template.
User "nobody" can log in fine (with an empty password) to my server "\\192.168.1.1\" and even directly to my shared folder "\\192.168.1.1\nas\", all while only having read access, which is exactly how I would like it to be.

User "smb_admin" can log in (only with username + password) to my server "\\192.168.1.1\" but cannot access my shared folder "\\192.168.1.1\nas\".
When trying to access the share "nas" it asks me again for my login credentials and then tells me "Access denied" with a new login prompt.

Try removing valid users or adding smb_admin to it. You can also run testparm via shell and see if anything sticks out; it's the samba tool that checks your config for errors.


This solved the issue, thanks a lot. The samba documentation didn't point out that the write user had to be in the valid users list.

The working config would look like this, in case someone needs it.
It has to be placed in the smb.conf.template file.

[nas]
        path = /mnt/ext_hdd
        valid users = nobody, smb_admin
        write list = smb_admin
        browseable = yes
        read only = yes
        guest ok = no
        create mask = 0700
        directory mask = 0700

Anyway, since Windows won't let me change the logged-in user for a share without removing it, I had to create a second share in the end. 🙃
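The access rules this thread stumbled over, as an added example that is not part of the original posts and not code from Samba or OpenWrt: a small model of the per-share checks discussed above (invalid users, valid users, guest ok, read only, write list, read list), evaluated in the order Samba applies them, plus a lint for the two mistakes made along the way (a write list user missing from valid users, and UCI-style underscored names pasted into smb.conf.template). All function names are my own; the model handles plain user names only and ignores @group syntax, force user and filesystem permissions. One caveat worth stating for the working config: "nobody" here is not a Samba guest but a real smbpasswd entry whose NT hash (31D6CFE0D16AE931B73C59D7E0C089C0) is the hash of the empty password, admitted by null passwords = yes; with guest ok = no and map to guest = Never, an anonymous client still gets nothing.

```python
"""Model of the Samba share-access checks used in this thread.

Added example, not from the original posts, Samba or OpenWrt. It covers only
the parameters the thread relies on, for plain user names.
"""
import re

# Constructed sample: the working [nas] share posted above, verbatim.
WORKING_SHARE = """
[nas]
        path = /mnt/ext_hdd
        valid users = nobody, smb_admin
        write list = smb_admin
        browseable = yes
        read only = yes
        guest ok = no
        create mask = 0700
        directory mask = 0700
"""

# Constructed sample: the first attempt written with UCI spellings
# (the 'browseable yes' line without '=' is left out; it would not parse).
UCI_STYLE_SHARE = """
[mynas]
        path = /mnt/ext_hdd
        guest_ok = no
        read_only = yes
        users = smb_admin, nobody
        write_list = smb_admin
"""


def normalise(key):
    """smb.conf parameter names are case-insensitive and ignore whitespace."""
    return re.sub(r"\s+", "", key).lower()


def user_list(value):
    """Split a Samba user list such as 'nobody, smb_admin' into names."""
    return [u for u in re.split(r"[,\s]+", value or "") if u]


def boolean(value, default):
    """Samba accepts yes/true/1 and no/false/0; otherwise use the default."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Parse '[share]' headers and 'parameter = value' lines into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # whole-line comments only
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"not a 'parameter = value' line: {line!r}")
        key, value = line.split("=", 1)
        sections[current][normalise(key)] = value.strip()
    return sections


def share_access(share, user, authenticated=True):
    """Return 'denied', 'read' or 'write' for `user` on one parsed share.

    'invalid users', 'valid users' and 'guest ok' are enforced when the client
    connects to the share, so a user missing from 'valid users' is refused
    before 'write list' is ever consulted; that is the 'Access denied' prompt.
    """
    if user in user_list(share.get("invalidusers")):
        return "denied"
    valid = user_list(share.get("validusers"))
    if valid and user not in valid:
        return "denied"
    if not authenticated and not boolean(share.get("guestok"), False):
        return "denied"
    if user in user_list(share.get("writelist")):
        return "write"                       # overrides 'read only = yes'
    if user in user_list(share.get("readlist")):
        return "read"                        # overrides 'read only = no'
    return "read" if boolean(share.get("readonly"), True) else "write"


def lint_shares(sections):
    """Flag the two mistakes made in the thread; returns a list of warnings."""
    warnings = []
    for name, share in sections.items():
        if name == "global":
            continue
        for key in share:
            if "_" in key:                   # UCI spelling, not an smb.conf parameter
                warnings.append(f"[{name}]: unknown parameter '{key}' (smb.conf uses spaces)")
        valid = user_list(share.get("validusers"))
        for writer in user_list(share.get("writelist")):
            if valid and writer not in valid:
                warnings.append(f"[{name}]: '{writer}' is in write list but not in valid users")
    return warnings


def compare_configs():
    """Before/after from the thread for both accounts, plus an anonymous client."""
    working = parse_smb_conf(WORKING_SHARE)["nas"]
    broken = dict(working, validusers="nobody")   # the version that failed
    users = ("nobody", "smb_admin")
    return {
        "broken": {u: share_access(broken, u) for u in users},
        "working": {u: share_access(working, u) for u in users},
        "anonymous_guest": share_access(working, "nobody", authenticated=False),
    }


if __name__ == "__main__":
    print(compare_configs())
    print(lint_shares({"nas": dict(parse_smb_conf(WORKING_SHARE)["nas"], validusers="nobody")}))
    print(lint_shares(parse_smb_conf(UCI_STYLE_SHARE)))
```

Run it as-is and the "broken" result shows smb_admin denied while nobody reads, the "working" result shows smb_admin writing; lint_shares reports the missing valid users entry for the broken share and the three underscored UCI names for the first attempt. It is a model, not a substitute for testparm on the router, but it makes the tree-connect-before-write-list ordering explicit.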
