samba - Feb 2014 - Public share with ADS security

I'm killing myself on this, so I'm going to the list for help solving my
issue.

I have a Samba server integrated with AD working on Ubuntu 13.10, Samba 3.6.18. 
All is good, in that accounts that exist in the password file of the Samba
server are automatically authenticated to the shares without need for
username/password on the client.

However, I also want to set up a public share so that anyone within the
organization can map the share without any input of username/password on the
client, even when the username/password does not exist on the Samba server. 
I've searched and found others with the same needs, but the solutions
don't seem to help me.  Here's the latest version of the config file
that I've been hacking at:

  max log size = 50
   max protocol = SMB2
   dns proxy = No
   idmap config * : range    idmap config * : backend = tdb
   follow symlinks = yes
   wide links = yes
   unix extensions = no
   socket options = TCP_NODELAY SO_KEEPALIVE
   map to guest = Bad User
   guest account = nobody
   usershare allow guests = yes

[SPU_KC_GIS]
        comment = SPU King County GIS
        force user = nobody
        path = /mnt
        read only = yes
        only guest = yes
        browsable = yes

Right now if the user tries to map the share on the client, and are prompted for
username and password, if they input "nobody" for username they are
then granted access to the public share.  I don't want any prompting for
username/passwords.  Is this possible with ADS?  Thanks!  Also, logfiles show
that when users initially browse for the share, and they are without accounts on
the Samba server, the following is logged:  Username <domain\username> is
invalid on this system.

On 02/11/2014 5:56 PM, McNamara, Bradley wrote:
> I'm killing myself on this, so I'm going to the list for help
solving my issue.
>
> I have a Samba server integrated with AD working on Ubuntu 13.10, Samba
3.6.18.  All is good, in that accounts that exist in the password file of the
Samba server are automatically authenticated to the shares without need for
username/password on the client.
>
> However, I also want to set up a public share so that anyone within the
organization can map the share without any input of username/password on the
client, even when the username/password does not exist on the Samba server. 
I've searched and found others with the same needs, but the solutions
don't seem to help me.  Here's the latest version of the config file
that I've been hacking at:
>
>    max log size = 50
>     max protocol = SMB2
>     dns proxy = No
>     idmap config * : range >     idmap config * : backend = tdb
>     follow symlinks = yes
>     wide links = yes
>     unix extensions = no
>     socket options = TCP_NODELAY SO_KEEPALIVE
>     map to guest = Bad User
>     guest account = nobody
>     usershare allow guests = yes
>
> [SPU_KC_GIS]
>          comment = SPU King County GIS
>          force user = nobody
>          path = /mnt
>          read only = yes
>          only guest = yes
>          browsable = yes
>
> Right now if the user tries to map the share on the client, and are
prompted for username and password, if they input "nobody" for
username they are then granted access to the public share.  I don't want any
prompting for username/passwords.  Is this possible with ADS?  Thanks!  Also,
logfiles show that when users initially browse for the share, and they are
without accounts on the Samba server, the following is logged:  Username
<domain\username> is invalid on this system.
Bradley,

I use security = ads, map to guest = Bad User, and winbind/rid in my 
global config.  The default guest account is "nobody", and the user 
"nobody" exists on the system.
For completeness, I tested on a joined system and a system not joined to 
the domain.  The following share config works on both.

[SPU_KC_GIS]
     comment = SPU King County GIS
     path = /mnt
     read only = yes
     guest only = yes
     browseable = yes
     guest ok = yes

Dale