Klaus Hartnegg
2017-May-04 15:49 UTC
[Samba] system error 58 when guest connects from Win10
I cannot connect as guest from Win10 to Samba anymore,
since I removed "server max protocol = NT1"

net use \\%IP%\testshare /user:"" "" /persistent:no

System error 58 has occurred.
The specified server cannot perform the requested operation.

It works when I supply a userid and password.
It works from Win7.
It fails only in the combination Win10, SMB3, guest user.

Samba is version 4.5.8

smb.conf has these lines:
server role = classic primary domain controller
guest account = gast
map to guest = bad user

This is the share declaration:
[testshare]
path = /srv/samba/files/archiv
guest ok = yes
read only = yes
locking = no
admin users = +smbadmin

The option "smb encrypt = off" does not help.
The option "server max protocol = SMB2_10" makes it worse.

A similar issue is described in
https://lists.samba.org/archive/samba/2016-August/201876.html
https://bugzilla.samba.org/show_bug.cgi?id=12136
but that cites WinPE, not Windows 10.

Does smb signing require a userid?
Jakub Kulesza
2017-May-04 16:24 UTC
[Samba] system error 58 when guest connects from Win10
Can you post full smb.conf?
Why did you need NT1 protocol in the first place?

2017-05-04 17:49 GMT+02:00 Klaus Hartnegg via samba <samba at lists.samba.org>:
> I cannot connect as guest from Win10 to Samba anymore,
> since I removed "server max protocol = NT1"
>
> net use \\%IP%\testshare /user:"" "" /persistent:no
>
> System error 58 has occurred.
> The specified server cannot perform the requested operation.
>
> It works when I supply a userid and password.
> It works from Win7.
> It fails only in the combination Win10, SMB3, guest user.
>
> Samba is version 4.5.8
>
> smb.conf has these lines:
> server role = classic primary domain controller
> guest account = gast
> map to guest = bad user
>
> This is the share declaration:
> [testshare]
> path = /srv/samba/files/archiv
> guest ok = yes
> read only = yes
> locking = no
> admin users = +smbadmin
>
> The option "smb encrypt = off" does not help.
> The option "server max protocol = SMB2_10" makes it worse.
>
> A similar issue is described in
> https://lists.samba.org/archive/samba/2016-August/201876.html
> https://bugzilla.samba.org/show_bug.cgi?id=12136
> but that cites WinPE, not Windows 10.
>
> Does smb signing require a userid?
Klaus Hartnegg
2017-May-04 17:00 UTC
[Samba] system error 58 when guest connects from Win10
On 04.05.2017 at 18:24, Jakub Kulesza via samba wrote:
> Why did you need NT1 protocol in the first place?

Because some old DOS software otherwise did not run, but this was recently somehow solved by a newer Samba version.

> can you post full smb.conf?

That is difficult, because it uses several include statements. I concatenated all lines from all files which are not commented out, and left out some shares which are not used by guest.

The beginning is from Ubuntu. The middle is to work around some other problems, some of these are probably not required any more. The last line is from an attempt to avoid this "error 58" issue, but it did not help.

workgroup = FBZ
server string = EXPRESS2 Samba %v
dns proxy = no
log file = /var/log/samba/log.%m.%R
log file = /var/log/samba/log.%m.%R
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = classic primary domain controller
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
follow symlinks = yes
log level = 0
domain master = yes
local master = yes
os level = 65
domain logons = yes
logon script = logon.cmd
logon drive = H:
logon home = \\%L\S\usr\%U
logon path
vfs objects = acl_xattr
map acl inherit = true
store dos attributes = yes
nt acl support = yes
inherit acls = yes
inherit permissions = yes
unix charset = UTF-8
mangle prefix = 5
mangling method = hash2
lanman auth = no
ntlm auth = no
client plaintext auth = no
client lanman auth = no
client ntlmv2 auth = yes
ntlm auth = Yes
locking = yes
strict locking = yes
oplocks = yes
fake oplocks = no
blocking locks = yes
default case = lower
case sensitive = no
preserve case = yes
short preserve case = yes
fake directory create times = no
map hidden = no
map system = no
map archive = no
map readonly = no
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes
recycle:keeptree = Yes
recycle:touch = Yes
recycle:touch_mtime = No
recycle:versions = Yes
recycle:inherit_nt_acl = yes
recycle:exclude_dir = .recycle
recycle:exclude = *.vdi
usershare max shares = 0
usershare allow guests = no
guest account = gast
map to guest = bad user

[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes

[archiv]
path = /srv/samba/files/archiv
guest ok = yes
read only = yes
admin users = +smbadmin
locking = no
smb encrypt = off
Klaus Hartnegg
2019-Mar-22 08:54 UTC
[Samba] system error 58 when guest connects from Win10
> On 04.05.2017 at 17:49, Klaus Hartnegg wrote:
> I cannot connect as guest from Win10 to Samba anymore,
> since I removed "server max protocol = NT1"

Finally found the answer: win10-1709 disables guest access to shares using SMB2.

You can re-enable insecure guest logons via GPO:
Computer configuration\administrative templates\network\Lanman Workstation

However, Microsoft discourages this because of security:
"Guest logons do not support standard security features such as signing and encryption. Therefore, guest logons are vulnerable to man-in-the-middle attacks that can expose sensitive data on the network. Windows disables "insecure" (nonsecure) guest logons by default. Microsoft recommends that you do not enable insecure guest logons."
https://support.microsoft.com/help/4046019

Additionally I found that if samba runs as AD-DC, then guest logon appears to work again. Presumably because in this case the client is also authenticated to the server with its machine account.
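
An added example, not part of the thread and not Samba's own code: a small Python check that lists which shares in an smb.conf admit guest sessions, that is, the shares a Windows 10 1709+ client refuses by default and that are served without signing or encryption. Assumptions: the parser is simplified (no include or line-continuation handling), lines before any section header are treated as global as in the excerpt posted above, and the [scratch] and [staff] shares are constructed.

```python
import re

TRUE = {"yes", "true", "on", "1"}
INVERTED = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"

def parse_smb_conf(text):
    """Return {section: {param: value}}; a repeated parameter keeps its last value."""
    sections = {"global": {}}
    current = sections["global"]  # assumption: lines before any header are global
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and embedded whitespace in parameter names.
            key, value = re.sub(r"\s+", "", key).lower(), value.strip()
            if key in INVERTED:
                key, value = "readonly", "no" if value.lower() in TRUE else "yes"
            current["guestok" if key == "public" else key] = value
    return sections

def guest_shares(text):
    """List (share, writable) for every share that admits guest sessions."""
    conf = parse_smb_conf(text)
    def flag(share, name, default):
        # A share-level setting wins over a [global] default.
        return share.get(name, conf["global"].get(name, default)).lower() in TRUE
    return [(name, not flag(share, "readonly", "yes"))
            for name, share in conf.items()
            if name != "global" and flag(share, "guestok", "no")]

SAMPLE = """\
map to guest = bad user
[archiv]
guest ok = yes
read only = yes
; the two shares below are constructed, not from the thread
[scratch]
public = yes
writeable = yes
[staff]
read only = no
"""

if __name__ == "__main__":
    for share, writable in guest_shares(SAMPLE):
        print(f"{share}: guest access, {'WRITABLE' if writable else 'read-only'}")
```

Shares reported as writable deserve attention first, since any unauthenticated client on the network can modify their contents.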