3

Now, I know there are lots of samba questions (about 1400) on ServerFault, and I have browsed through about half of them at least, and not been able to use any of the answers to solve my problem.

We are installing CentOS 6.2 on a new, blank machine - clean install; it will run as a network server to host Asterisk.

I want to configure the machine so I have full, administrative access to root (I mean the "/" root) from my Windows workstation.

This will enable me to use my own, comfortable machine (and Notepad++) to edit all the configuration files. In other words, I should be able to open \\mylinux\etc\samba\ in Windows Explorer and then have full rights to edit smb.conf with my Windows Text Editor.

I have this working very well with CentOS 4, but can't get it working in CentOS 6.2. In the older OS version, there was a GUI for everything, but now I need to learn and do everything from the CLI. I still use the GUI for a few things that I haven't learned how to do from the CLI yet, so I will still make references to the GUI in my notes here.

Now that you know my problem and my goal, here are some details:

  • smb is running and installed and set to runlevel 35.
  • nmb is running and set to runlevel 35.
  • the firewall is wide-open on eth0 and network is ON (I ran this command: iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT)
  • I have added my own user account on the linux box to the root group.
  • that user account has the same username and password as my Windows computer.
  • samba is configured to know the name of my Windows workgroup
  • I am able to ping \\mylinux from \\mywindows just fine, and vice-versa, also.
  • If I open Network in \\mylinux, I get an error saying: "Failed to retrieve share list from server" which I posted about here.
  • If I do a net view from \\mywindows, then it does not see \\mylinux at all.
  • samba is configured to share the root drive:

    [root]
    comment = Root Directory
    path = /
    valid users = @root all root group
    invalid users = None
    writeable = yes
    browseable = yes

  • also, in /etc/samba/smbusers.conf, I have made my entry:

    myuser = myuser

Now, you would think that I could access the linux share at this point. But when, from my Windows computer, I try to map the path \\mylinux\root\, I get an error saying the destination does not exist. On my old linux machine, I am able to browse even to \\oldlinux\ and get a list of shares. I can't seem to duplicate the functionality!

[EDIT]

Okay, I disabled the firewall completely, and now I can browse the files wherever I want to go. What remains is the permissions now to edit a file like smb.conf. In other words, my user account that I use to browse the files, which is in the root group, also needs root permissions. How do I get that?

bgmCoder
  • This is a really, really, really bad idea from a security POV. Also, samba will occasionally screw up file permissions, which makes this even worse. Please don't do this. Install WinSCP or something, but don't try to manage a production server over samba. – devicenull May 22 '12 at 00:53
  • @devicenull - You are right, and I agree with you completely. However, I am safely behind a firewall, and will only be using this kind of access from within my LAN. And there is no risk in-house for security. – bgmCoder May 22 '12 at 03:39

2 Answers

2

Samba maps your access to a Unix user account on the server, and the normal permissions for that user are enforced. This is therefore the same as granting a Unix user write access to these files. You either need to actually be the root user (i.e. act as the owner of the files, which has write permission), or you need to be in a group which has group write permissions to the files. The latter is (marginally) preferable, so add yourself to the root group and change the file permissions to allow group writes. (I'm assuming that you are aware of the security implications of doing this.)

mgorven
  • thanks for answering. I do understand the security risks. In my original problem, my user *was* a member of the root group. However, I did manage to solve the problem - see my answer, too! – bgmCoder May 22 '12 at 00:48
0

Finally got it! It took two things:

  • Disable selinux
  • Uncomment the line in smb.conf for

    username map = /etc/samba/smbusers

And, in smbusers.conf, I added root = myuser then, run the command:

    smbpasswd -a myuser
    smbpasswd -e myuser
    service smb restart

Now I can connect to the machine from my windows computer, browse the files in root, and edit them with my favourite text editor on my windows computer.

Just a note for all - I do understand it is a security risk working the procedures that I am working, but I am behind a secure firewall-router, and will only be administering the machine in this fashion from within the LAN.

For CentOS7

In CentOS 7, it denies ntlm authentication for root access by default - which means you cannot connect with a root account - unless you add this to the [global] section of smb.conf:

    ntlm auth = yes

And if you want to use the smbusers file, add this to the same global section in smb.conf:

    username map = /etc/samba/smbusers

Then you can create that file, and add this:

    root = myusername

bgmCoder
  • Please could you mark your answer as accepted, so that others know that this is the solution. – mgorven May 22 '12 at 01:19
  • This doesn't work on Centos7. Something is different; there isn't any smbusers.conf, so I don't know what to do now. – bgmCoder Mar 18 '19 at 02:10
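
An added example, not part of the original posts: a small Python audit that flags the three settings this thread ends up with (a share exporting `/`, `ntlm auth = yes`, and a username map entry that maps a client name to root), which is what a reviewer would check for on a host configured this way. The sample smb.conf and smbusers contents are constructed, and the function names and finding labels are hypothetical.

```python
import configparser

# Constructed sample inputs modelled on the settings discussed in this thread.
SAMPLE_SMB_CONF = """\
[global]
ntlm auth = yes
username map = /etc/samba/smbusers

[root]
path = /
valid users = @root
writeable = yes

[docs]
path = /srv/docs
read only = yes
"""
SAMPLE_USER_MAP = "# unix name = client name(s)\nroot = myuser\nnobody = guest pcguest\n"
TRUE = {"yes", "true", "1"}

def is_writable(share):
    # 'writeable' and 'writable' are inverted synonyms of 'read only' (default yes).
    for key in ("writeable", "writable"):
        if key in share:
            return share[key].strip().lower() in TRUE
    return share.get("read only", "yes").strip().lower() not in TRUE

def audit(conf_text, map_text=""):
    """Return (finding, subject) tuples; finding names are hypothetical labels."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if name.lower() == "global":
            if sec.get("ntlm auth", "").strip().lower() in TRUE:
                findings.append(("ntlm-auth", name))
            continue
        path = sec.get("path", "").strip()
        if path and not path.strip("/"):  # "/", "//", ... export the whole filesystem
            findings.append(("root-export-rw" if is_writable(sec) else "root-export", name))
    for line in map_text.splitlines():
        line = line.strip().lstrip("!").strip()  # '!' only stops map processing on a match
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, clients = line.split("=", 1)
        if unix.strip() == "root":  # every listed client name becomes Unix root
            findings += [("maps-to-root", c) for c in clients.split()]
    return findings
```
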