samba - May 2016 - access to share without authentication when security=ads

I have samba configured with security=ads, and want to keep that so I can
have properly authenticated access to file shares. However, I also would
like to have anonymous access, even from non-domain accounts, to a printer.
This latter part is giving me trouble. My (edited) smb.conf is at the end of
this message. When I try to connect to the print share (via add printer)
from a Windows system from a non-domain account, I get error 0x000004d8; if
I remove the "map to guest" line, I instead get 0x0000052e. Does
anyone know
how to do this, or is unauthenticated access incompatible with security=ads?
Thanks.

[global]
    security = ADS
    realm = blah.blah
    workgroup = blah
    netbios name = computer
    auth methods = guest, sam, winbind, ntdomain
    machine password timeout = 0
    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
    kerberos method = secrets and keytab
    server signing = auto
    client ntlmv2 auth = yes
    client use spnego = yes
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    idmap cache time = 0
    idmap config * : backend  = tdb
    idmap config * : range = 1000 - 200000000
    idmap config * : base_tdb = 0
    enable core files = false
    wins server = 10.0.0.1
    guest ok = yes
    map to guest = Bad Password

[bwprinter]
        printer name = bwqueue
        printable = yes
        browseable = yes
        guest ok = yes
        guest only = yes
        writable = yes
        printing = cups
        path = /var/spool/samba

On 19/05/16 16:09, J. Scott Berg wrote:
> I have samba configured with security=ads, and want to keep that so I can
> have properly authenticated access to file shares. However, I also would
> like to have anonymous access, even from non-domain accounts, to a printer.
> This latter part is giving me trouble. My (edited) smb.conf is at the end
of
> this message. When I try to connect to the print share (via add printer)
> from a Windows system from a non-domain account, I get error 0x000004d8; if
> I remove the "map to guest" line, I instead get 0x0000052e. Does
anyone know
> how to do this, or is unauthenticated access incompatible with
security=ads?
> Thanks.
>
> [global]
>      security = ADS
>      realm = blah.blah
>      workgroup = blah
>      netbios name = computer
>      auth methods = guest, sam, winbind, ntdomain
>      machine password timeout = 0
>      passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
>      kerberos method = secrets and keytab
>      server signing = auto
>      client ntlmv2 auth = yes
>      client use spnego = yes
>      template shell = /bin/bash
>      winbind use default domain = Yes
>      winbind enum users = No
>      winbind enum groups = No
>      winbind nested groups = Yes
>      idmap cache time = 0
>      idmap config * : backend  = tdb
>      idmap config * : range = 1000 - 200000000
>      idmap config * : base_tdb = 0
>      enable core files = false
>      wins server = 10.0.0.1
>      guest ok = yes
>      map to guest = Bad Password
>
> [bwprinter]
>          printer name = bwqueue
>          printable = yes
>          browseable = yes
>          guest ok = yes
>          guest only = yes
>          writable = yes
>          printing = cups
>          path = /var/spool/samba
>
>
Try removing the 'auth methods' line and change 'Bad Password'
to 'Bad User'

Rowland

> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland penny
 
> Try removing the 'auth methods' line and change 'Bad
Password' to
> 'Bad User'
Thanks for the response. Unfortunately, this also gives the 0x000004d8 error at
the Windows end.