[Samba] anonymous samba server with unauthenticated guest access policy

Michael Tokarev mjt at tls.msk.ru
Wed Sep 27 16:30:36 UTC 2023


27.09.2023 19:18, Rowland Penny via samba wrote:
...
> Let's see if I understand this correctly, you have a Samba server that
> is/was running with 'map guest = bad user' in global and 'guest ok =
> yes' in a share, this would allow unknown (to Samba) users to connect
> to the share.
> 
> However, the latest Windows no longer will allow anonymous shares, so
> you are looking to use authentication and are looking for the best way
> of doing this.

Yes, exactly.

> In my opinion, you have two choices, you run Samba as a standalone
> server and create the required users in Unix and Samba, or join the
> computer to the domain and use the 'rid' idmap backend.
> 
> The first is only really viable if there are only a few users, the
> second will make every AD user a Unix user.
> 
> Once you have decided which way to go, you can then use a group and
> allow the group read access to the share, but without write permission.

I was thinking about the entirely opposite way: to run samba under a non-root
uid so it just cannot write to these files at all.

Or at the very least, to map all domain users to a fixed uid, similar
to `map to guest = bad user` (with *all* users being bad).

Samba server can be a domain member server too, that's ok if it's a must.

There's just no place for any "foreign" (domain) users here.  The only
thing I need is to let the samba server be "known" to windows.

/mjt
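
An added example, not part of the thread and not Samba project code: a small checker that reports, per share, the guest and read-only settings discussed above, together with the global 'map to guest' value. It goes slightly beyond the message by honouring smb.conf's documented synonyms (`public`, `writable`, `writeable`, `write ok`) and defaults (`guest ok = no`, `read only = yes`, `map to guest = Never`); the function names and the sample configuration are constructed for illustration.

```python
# Added example, not from the thread; SAMPLE_CONF and its share names are constructed.
TRUE = {"yes", "true", "on", "1"}
SYNONYMS = {"public": ("guestok", False), "writeable": ("readonly", True),
            "writable": ("readonly", True), "writeok": ("readonly", True)}
SAMPLE_CONF = """\
[global]
map to guest = Bad User
[pub]
guest ok = yes
[incoming]
public = yes
writable = yes
[staff]
Read Only = no
"""

def norm(name):
    # Samba ignores case and whitespace inside parameter names.
    return "".join(name.split()).lower()

def parse(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = norm(key)
            if key in SYNONYMS:
                key, inverted = SYNONYMS[key]
                if inverted:
                    value = "no" if value.lower() in TRUE else "yes"
            current[key] = value
    return sections

def audit(text):
    conf = parse(text)
    glob = conf.pop("global", {})
    def flag(share, key, default):
        # Share setting wins, then [global], then Samba's built-in default.
        return share.get(key, glob.get(key, default)).lower() in TRUE
    shares = {name: {"guest_ok": flag(s, "guestok", "no"),
                     "writable": not flag(s, "readonly", "yes")}
              for name, s in conf.items()}
    return {"map_to_guest": norm(glob.get("maptoguest", "Never")), "shares": shares}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

The checker does not follow `include` files, line continuations or per-user overrides such as `write list`, so the output of `testparm -s` is a better input than a hand-edited file.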



