Hello List I install a samba 4.6.5 server for active directory authentication and shares. I have a number of Samba shares, some of which I would like to allow guest access to Windows machines. If a windows machine tries to access a "guest" share, it requests a username and password. please help me to connect to share without username and password. thanks Here is my smb.conf: # Global parameters [global] dns forwarder = 192.168.142.2 netbios name = LOCALHOST realm = SAMBA.COM server role = active directory domain controller workgroup = SAMBA idmap_ldb:use rfc2307 = yes [test] path = /mnt read only = no available = yes browsable = yes guset ok = yes
On Sat, 29 Dec 2018 12:03:43 +0330 sam zand via samba <samba at lists.samba.org> wrote:> Hello List > I install a samba 4.6.5 server for active directory authentication and > shares. > I have a number of Samba shares, some of which I would like to allow > guest access to Windows machines. If a windows machine tries to > access a "guest" share, it requests a username and password. > please help me to connect to share without username and password. > thanks > Here is my smb.conf: > > > # Global parameters > [global] > dns forwarder = 192.168.142.2 > netbios name = LOCALHOSTI do hope your computers FQDN isn't localhost.samba.com, if it is, then you really need to start again, but this time with a short hostname that isn't 'localhost'> realm = SAMBA.COM > server role = active directory domain controller > workgroup = SAMBA > idmap_ldb:use rfc2307 = yes > > > [test] > path = /mnt > read only = no > available = yes > browsable = yesYou do not need the above two lines, they are the defaults.> guset ok = yes'guset' should be 'guest' You need to add 'map to guest = bad user' to [global] and then connect with users that are unknown to AD, which is going to be virtually impossible from domain joined clients. Rowland
On Sat, 29 Dec 2018 13:41:50 +0330 sam zand <zand.nas.storage at gmail.com> wrote:> I add 'map to guest = bad user' to [global] and 'guest ok = yes' > and then try to connect to share. but it requests a username and > password. >I did say it would be virtually impossible in an AD domain. 'man smb.conf' has this to say about 'map to guest = bad user' Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account. So a guest user has to be unknown, before they are mapped to guest, but a user has to be known before they can log into a domain computer. This means you are in a catch 22 position here. To get guest access working, you will need to connect from a non-domain member as a user unknown to AD, this sort of defeats the idea behind AD ;-) Rowland
On Sat, 29 Dec 2018 14:42:46 +0330 sam zand <zand.nas.storage at gmail.com> wrote:> Did I understand correctly??? > I cannot directly connect to one share with the guest user in AD > samba.If your user is an AD user, connecting from a domain member, then they will never be a guest user. If you must have guest access (why ?), then set up another samba instance as a standalone server not joined to the domain. Rowland
On Sat, 29 Dec 2018 15:15:51 +0330 sam zand <zand.nas.storage at gmail.com> wrote:> so why the guest user available in user list in the path: > /usr/local/samba/bin/samba-tool users list >Because it is a standard Windows user, it is not a Unix user (the Unix guest user is usually 'nobody'). You should also be aware that using a 'Guest' user in Windows is heavily discouraged. It is insecure to use a guest user in AD, so why do you want to do this ? Rowland
On Sat, 29 Dec 2018 15:48:37 +0330 sam zand <zand.nas.storage at gmail.com> wrote:> I have 50 users in a network. for 40 user defined username and > password but 10 users alone want to connect to one public share the > is common for 50 users. > what is the best smb.conf for the scenario? > very thanks for answer the questions me >First, do not use the DC as a fileserver. Set up a Unix domain member, see here: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member Do not use a guest user, make everybody authenticate. Use Windows ACLs, see here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs You appear to be the system administrator, you make your users do things your way, it is the only way to make things secure. Rowland