Using NT to browse Samba shares

Graham Allan ALLAN at
Mon Sep 14 22:55:06 GMT 1998

I'm wondering if it is possible in any way to allow guest browsing of
Samba shares from an Nt workstation.

This subject seems to be covered in Recent-FAQs.txt:

->> start the explorer on a win-nt workstation and select network. I find
->> my unix server running samba, but I can not see the list of shares 
->> unless I am  a user, who is known in the smbpasswd of the unix machine.
->> The guest account "guest" exists on my unix machine. For testing I even
->> made him a regular user with a password.
->> With my network monitor I can see, that the win-nt workstation uses the
->> current login, to connect to IPC$ on the samba server 
->> (for example "administrator"), not the guest account.
->This is exactly how Windows NT works. You MUST have a valid account on
->the Windows NT box you are trying to see the resource list on. If your
->currently logged in account details do NOT match an account on the NT
->machine you are trying to acce ss then you will be presented with a
->logon box for that machine. When you enter the name of an account on
->that machine / domain, together with a valid password then the resource
->list is made available. If the account details are not correct then no
->resource list is shown.
->Samba follows the behaviour of Windows NT exactly.
->Samba can be compiled with the GUEST_SESSION_SETUP option at 0,1 or 2.
->The default is 0. If this is set to 1 or 2 then Windows NT machines that
->DO NOT have an account on the Samba server will see the resource list.
->The down side of this is that legitimate users may then be refused
->access to their legitimate resource s. Setting this option creates
->serious security holes. DO NOT DO IT. Samba has the value of this option
->set at 0 - NOT WITHOUT REASON!!!!

Well, until this FAQ became added to the docs, I did (I confess!) use
GUEST_SESSSETUP=1, which did allow all NT machines guest access - useful
for printing to unix queues, among other things. Given the above strong
language I've now removed this option, and so people without accounts
can't access printers which they could previously.

So, my question is, is there any way to give such restricted access back
to non-account holders. I am using "security = server", NT4SP3, and
samba 1.9.18p10, and although I hesitate to disagree with the Samba
documentation, I don't see how it is following the behaviour of Windows
NT exactly. To be precise, while those systems outside of my domain, and
without accounts, cannot browse the Samba server, they *can* browse the
NT server which validates the passwords!

Where's the difference? Is it possible to make Samba act like the NT
server domain controller in this situation? Maybe this is supposed to
work and I simply have something misconfigured?

Graham Allan
Physics, University of Minnesota

More information about the samba mailing list