samba - May 2024 - Accessing guest Samba shares from Windows 10/11 without hacks

On 5/28/24 7:21 AM, Rowland Penny via samba wrote:
> On Tue, 28 May 2024 00:03:23 +0000
> "Artem S. Tashkinov via samba" <samba at lists.samba.org>
wrote:
>
>> Hello,
>>
>> I'm quite concerned that in order to access guest Samba shares in
>> Windows 10 you have to enable Insecure Guest Logons for the Lanman
>> Workstation and in Windows 11 you even need to disable "Digitally
Sign
>> Communications".
>>
>> I've scoured through the entire smb.conf man page, tried the
options
>> that looked appropriate, nothing worked.
>>
>> Is there a simple SoHo samba configuration that works for W10/W11
>> clients? I don't want to use Samba as a DC or anything like that.
>>
>> I'm using Samba 4.20.1.
>>
>> Here's where I posted the solution but again I'd like to avoid
doing
>> that:
>>
>>
https://superuser.com/questions/1843566/windows-11-enterprise-samba-access-error
>>
>> My configuration is simple:
>>
>> [global]
>>       workgroup = WORKGROUP
>>       security = user
>>       passdb backend = tdbsam
>>       guest account = nobody
>>       map to guest = Bad User
>>
>> Best regards,
>> Artem
>>
>
> This has nothing to do with Samba, it is all down to Microsoft not
> wanting the use of guest logons. Samba, by default, has never allowed
> them, you have to set (as you have done) 'map to guest = Bad User'
in
> global and 'guest ok = yes' in the relevant share.
> Now just because Microsoft has put the 'switches' under the
'LANMAN'
> heading doesn't mean you are using lanman auth, you aren't, that is
a
> SMBv1 thing and Samba defaults to SMBv2 as a minimum.
Sorry, I'm stupid and I don't want to pretend that I understood any of
that, except I vaguely remember that SMBv1 is considered largely
insecure and has been disabled in Windows 10 for quite some time now.

So, are there any Samba options that can be used with vanilla W10/W11
enterprise installations without altering group/local security policies?

Regards,
Artem

On Tue, 28 May 2024 08:40:04 +0000
"Artem S. Tashkinov" <aros at gmx.com> wrote:
> 
> 
> On 5/28/24 7:21 AM, Rowland Penny via samba wrote:
> > On Tue, 28 May 2024 00:03:23 +0000
> > "Artem S. Tashkinov via samba" <samba at
lists.samba.org> wrote:
> >
> >> Hello,
> >>
> >> I'm quite concerned that in order to access guest Samba shares
in
> >> Windows 10 you have to enable Insecure Guest Logons for the Lanman
> >> Workstation and in Windows 11 you even need to disable
"Digitally
> >> Sign Communications".
> >>
> >> I've scoured through the entire smb.conf man page, tried the
> >> options that looked appropriate, nothing worked.
> >>
> >> Is there a simple SoHo samba configuration that works for W10/W11
> >> clients? I don't want to use Samba as a DC or anything like
that.
> >>
> >> I'm using Samba 4.20.1.
> >>
> >> Here's where I posted the solution but again I'd like to
avoid
> >> doing that:
> >>
> >>
https://superuser.com/questions/1843566/windows-11-enterprise-samba-access-error
> >>
> >> My configuration is simple:
> >>
> >> [global]
> >>       workgroup = WORKGROUP
> >>       security = user
> >>       passdb backend = tdbsam
> >>       guest account = nobody
> >>       map to guest = Bad User
> >>
> >> Best regards,
> >> Artem
> >>
> >
> > This has nothing to do with Samba, it is all down to Microsoft not
> > wanting the use of guest logons. Samba, by default, has never
> > allowed them, you have to set (as you have done) 'map to guest
> > Bad User' in global and 'guest ok = yes' in the relevant
share.
> > Now just because Microsoft has put the 'switches' under the
'LANMAN'
> > heading doesn't mean you are using lanman auth, you aren't,
that is
> > a SMBv1 thing and Samba defaults to SMBv2 as a minimum.
> 
> Sorry, I'm stupid and I don't want to pretend that I understood any
of
> that, except I vaguely remember that SMBv1 is considered largely
> insecure and has been disabled in Windows 10 for quite some time now.
> 
> So, are there any Samba options that can be used with vanilla W10/W11
> enterprise installations without altering group/local security
> policies?
> 
> Regards,
> Artem
No, because it isn't Samba that is stopping the guest access, it is
Windows. Unless you allow guest access from Windows, you will not get
guest access even if the Samba setup allows them.

Rowland

> Is there a simple SoHo samba configuration that works for W10/W11
> clients? I don't want to use Samba as a DC or anything like that.
> So, are there any Samba options that can be used with vanilla W10/W11
> enterprise installations without altering group/local security policies?
Yesterday a link mentioned that Windows changed 'vanilla' flavor, it
introduces
two new security measures in order for protection, turn-on sign & turn-off 
guest access:
Accessing a third-party NAS with SMB in Windows 11 24H2 may fail
https://techcommunity.microsoft.com/t5/storage-at-microsoft/accessing-a-third-party-nas-with-smb-in-windows-11-24h2-may-fail/ba-p/4154300

The protection policy disable guest access for enterprise/pro/edu editions,
though not sure whether home edition does so too, it looks like upcoming
Windows release would tend to follow this protection policy, so revert 
new protection like turn-off sign & turn-on guest might not recommended.

Fortunately this link did mention there is an alternate: to replace guest
access with an authentication by a username/password pair (should be a
strong password instead of week password). And the simplest steps might be:

1. PC > Start button > Run > Enter 'cmd' to launch 'Command
Prompt'.
2. Input command 'whoami' in the command line. And it would output a
string
   like 'computername\username', this should be the same as the
credential
   we just enter while we login Windows Desktop, for example in my case its
   output is 'jones-ws22-62\jones', and 'jones' is my PC
usernane.
3. Go to samba server, create a new samba account which is the same as PC
   username, in my case it is 'jones'. Also revise smb.conf to allow
this
   account access samba server.
   
Here is a link to refer more details in step 3, hope this helps :)
https://askubuntu.com/questions/208013/how-can-i-set-up-samba-shares-to-only-be-accessed-by-certain-users

--

Regards,
Jones Syue | ???
QNAP Systems, Inc.