I would like instructions for creating a Samba share that can only be accessed by a specific Windows 10 user without a password required.
I have read some tutorials and, while I can easily create a share that anyone can access, I have not been able to create one that only the specific user can access. I can see the directory in question but if I try to open it, I get an Access Denied error and Windows File Explorer asks for a username and password.
I did create a Linux user with what I believe to be the username on the Windows PC and the same password as the Windows user. If I type the credentials of this Linux user I created into the prompt mentioned above, I am granted access. All I can think of at this point is that the username of the Linux account is not the same as the corresponding Windows account.
Here is what I have in smb.conf
encrypt passwords = yes
security = user
[Email Backup]
comment = email backup folder
path = /home/samba/emailbackup
guest ok = yes
read only = no
browseable = yes
valid users = xavie emailer +emailbackup
xavie is the name of the Linux account that is supposed to correspond with the Windows account, emailer is another Linux account that needs access to the directory and emailbackup is a group that the two accounts are both members of. The Windows account is a Microsoft account (i.e. not a local account; tied to an @Outlook.com email address) if that changes anything.
If this problem is caused by the wrong username, can anyone advise me on how I can find the username that needs to be assigned to the Linux account (e.g. is there a log file I can look at to see what user tried to gain access to the Samba share)? Otherwise, is there anything else I can check that might be the cause of this problem?
EDIT: I have done some searching on the internet and have made some progress. After examining Samba's log files, I found that I was correct in believing that the username was incorrect. According to the log files, Windows 10, when the user uses a Microsoft account, identifies the user to Samba with the email address used by that account rather than the username. Here is the log (level 2) that I was seeing:
[2016/08/20 14:15:36.349641, 2] ../source3/param/loadparm.c:2700(lp_do_section) Processing section "[All Users]"
[2016/08/20 14:15:36.349966, 2] ../source3/param/loadparm.c:2700(lp_do_section) Processing section "[Email Backup]"
[2016/08/20 14:15:36.350850, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password) check_ntlm_password: Authentication for user [<snip email address>] -> [<snip email address>] FAILED with error NT_STATUS_NO_SUCH_USER
I added the email address to the smbusers file, associating it with the Linux account I created. This worked and the log now says that I successfully authenticate, but I now have a new problem.
The new problem is that Samba sharing doesn't work at all for my PC when logged into the account I noted above. Basically, I have two shares on my Ubuntu server; a public share that anyone can access and the other share that I want accessible only to the Windows 10 user. That Windows 10 user, after I made the above changes, can now no longer see either of the shares or even access the Ubuntu server. OTOH, my father's laptop, which doesn't have an account on Samba, can access the server and see both shares (but can't access the non-public share without authentication). Here is the new log created with the changes to smbusers:
[2016/08/20 14:36:44.523779, 2] ../source3/param/loadparm.c:2700(lp_do_section) Processing section "[All Users]"
[2016/08/20 14:36:44.524358, 2] ../source3/param/loadparm.c:2700(lp_do_section) Processing section "[Email Backup]"
[2016/08/20 14:36:44.552274, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password) check_ntlm_password: authentication for user [<snip email address>] -> [xavie] -> [xavie] succeeded
[2016/08/20 14:36:44.553509, 1] ../source3/param/loadparm.c:2389(lp_idmap_range) idmap range not specified for domain '*'
[2016/08/20 14:36:44.553782, 1] ../source3/auth/token_util.c:430(add_local_groups) SID S-1-5-21-1934213540-918117097-1557597498-1000 -> getpwuid(1002) failed
[2016/08/20 14:36:44.554723, 1] ../source3/param/loadparm.c:2389(lp_idmap_range) idmap range not specified for domain '*'
[2016/08/20 14:36:44.554938, 1] ../source3/auth/token_util.c:430(add_local_groups) SID S-1-5-21-1934213540-918117097-1557597498-1000 -> getpwuid(1002) failed
Here are the current contents of smb.conf, if it helps anyone. I'm only including what I changed though; anything not mentioned is at default:
[global]
log level = 2
username map = /etc/samba/smbusers
encrypt passwords = yes
security = user
[All Users]
comment = Directory accessible to all users
path = /home/samba/allusers
guest ok = yes
read only = no
browseable = yes
create mask = 0777
directory mask = 0777
[Email Backup]
comment = email backup folder
path = /home/samba/emailbackup
guest ok = yes
read only = no
browseable = yes
valid users = xavie emailer +emailbackup
Can anyone see what the new problem I'm having is?
Help will be greatly appreciated, Kind regards
1 Answer
I've managed to figure out how to make what I requested work and will post the instructions.
1. First, you need to figure out what the username you need to add is. The easiest way to do this is to first add log level = 2 to smb.conf. Then start and enable the Samba service. Then connect to the Samba server using File Explorer on the Windows PC while logged into the relevant account (you don't have to open any shared directories). Then open the log file found at /var/log/samba/log.<ip address of Windows PC> and the required username will be noted there. You can now set log level to 0 if you want.
2. Create a Linux account for the Samba user using the useradd command (or use an existing one if you prefer). You don't need to worry about passwords with this account but if you create a new account, you may want to block login on it. This account's username doesn't have to be the same as the name noted above but it would be easier if it was. This account's purpose is for the purpose of file permissions and for Linux to determine what files and directories the Windows user is allowed to access.
3. Create a Samba user with the same name as the Linux account in step 2 using the smbpasswd command. Make sure the password assigned to this account is the same as the one used for the Windows account.
4. If the Samba and Windows accounts don't share the same username, you will have to either add !<Samba user> = <Windows user> to smb.conf or add <Samba user> = <Windows user> to smbusers and username map = /etc/samba/smbusers to smb.conf.
5. And that should be it. Be sure to set the valid users = option on any shares you want accessible only by your Windows account.
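Steps 1 and 4 of the answer above, as an added example that is not part of the original post: a shell script that reads the level-2 smbd log, reports which name the Windows client presented and what Samba mapped it to, and prints the smbusers line for names rejected with NT_STATUS_NO_SUCH_USER. The function names and the user@example.com placeholder are assumptions, and the sample log is constructed in the format quoted in the question.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample in the format of the level-2 log lines quoted in the
# question; user@example.com stands in for the address the post snipped.
SAMPLE_LOG='[2016/08/20 14:15:36.350850, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [user@example.com] -> [user@example.com] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/08/20 14:36:44.552274, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [user@example.com] -> [xavie] -> [xavie] succeeded'

# auth_attempts: read smbd log text on stdin and print one tab-separated record
# per attempt: <name the client sent> <name after mapping> <OK | NT_STATUS_*>.
auth_attempts() {
    awk '
    /check_ntlm_password:/ && /[Aa]uthentication for user \[/ {
        line = $0; n = 0
        sub(/.*[Aa]uthentication for user /, "", line)
        # Collect each [bracketed] name; the first is what the client sent,
        # the last is the account Samba finally looked up.
        while ((s = index(line, "[")) > 0) {
            rest = substr(line, s + 1)
            e = index(rest, "]")
            if (e == 0) break
            names[++n] = substr(rest, 1, e - 1)
            line = substr(rest, e + 1)
        }
        if (n == 0) next
        result = (line ~ /succeeded/) ? "OK" : "FAILED"
        if (match(line, /NT_STATUS_[A-Z_]+/)) result = substr(line, RSTART, RLENGTH)
        printf "%s\t%s\t%s\n", names[1], names[n], result
    }'
}

# suggest_map_lines UNIX_USER: for each distinct client name rejected with
# NT_STATUS_NO_SUCH_USER, print a username-map line in the
# "<Samba user> = <Windows user>" form. Names containing spaces are quoted.
suggest_map_lines() {
    auth_attempts | awk -F '\t' -v unix="$1" '
    $3 == "NT_STATUS_NO_SUCH_USER" && !seen[$1]++ {
        client = ($1 ~ / /) ? "\"" $1 "\"" : $1
        print unix " = " client
    }'
}

# The client name is whatever the remote side typed, so review each line
# before adding it to /etc/samba/smbusers.
printf '%s\n' "$SAMPLE_LOG" | suggest_map_lines xavie
```

Against a live server, feed it the per-client log instead of the sample: `suggest_map_lines xavie < /var/log/samba/log.<ip address of Windows PC>`.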