[Samba] anonymous samba server with unauthenticated guest access policy
Michael Tokarev
mjt at tls.msk.ru
Wed Sep 27 18:26:32 UTC 2023
27.09.2023 21:14, Achim Gottinger via samba wrote:
> Am 27.09.23 um 18:30 schrieb Michael Tokarev via samba:
>> 27.09.2023 19:18, Rowland Penny via samba wrote:
>> ...
>>> Let's see if I understand this correctly, you have a Samba server that
>>> is/was running with 'map guest = bad user' in global and 'guest ok =
>>> yes' in a share, this would allow unknown (to Samba) users to connect
>>> to the share.
>>>
>>> However, the latest Windows no longer will allow anonymous shares, so
>>> you are looking to use authentication and are looking for the best way
>>> of doing this.
>>
>> Yes, exactly.
> You need to define a GPO on the client. See here
Unfortunately, nope. I've read that solution. The new requirement, I think,
is a good thing. And I mentioned in my first email in this thread that I'd
rather not make clients less secure in this context - we've seen
various tricks like clicking stuff in email already.
> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default
>
> .........................
>
> Resolution
>
> Configure your third-party SMB server device to require a username and password for SMB connections. If your device allows guest access, any device or
> person on your network can read or copy all of your shared data without any audit trail or credentials.
>
> If you can't configure your third-party device to be secure, you can enable insecure guest access with the following Group Policy settings:
BTW, this very part is entirely wrong. Requiring a password is *anything*
but being secure. I can require a password but accept anything as a password,
for example; this does not make me any more secure. It's quite a grief
that the Microsoft "learn" thing lets itself make such serious mistakes.
/mjt
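
The setup Rowland Penny describes in the quoted text ('map guest = bad user' in global plus 'guest ok = yes' in a share) can be located in an existing smb.conf with a short audit script. This is an added example, not part of the original message or of Samba itself; the sample configuration, share names and function names are constructed for illustration.

```python
# Added example; SAMPLE_CONF is constructed, not taken from the thread.
SAMPLE_CONF = """\
[global]
   map guest = Bad User

[public]
   guest ok = yes

[staff]
   valid users = @staff

[scans]
   public = yes
"""
TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

def norm(text):
    # smb.conf ignores case and whitespace in parameter names.
    return "".join(text.split()).lower()

def parse_smb_conf(text):
    # Hand-rolled parser: configparser would read indented lines as continuations.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def guest_findings(text):
    # Returns (share, unknown_users_become_guest) for each guest-enabled share.
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    fallback = norm(glob.get("mapguest", "never")) == "baduser"
    findings = []
    for name, params in conf.items():
        # 'public' is a synonym for 'guest ok'; a share value overrides [global].
        value = next((scope[k] for scope in (params, glob)
                      for k in ("guestok", "public") if k in scope), "no")
        if name != "global" and value.lower() in TRUE_VALUES:
            findings.append((name, fallback))
    return findings
```

Calling `guest_findings(open("/etc/samba/smb.conf").read())` lists the shares to review before moving clients to authenticated access; the path is the usual default and may differ on a given system.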