[Samba] Windows: Forcing a Guest Login.

Matthew Fowle rektide at gmail.com
Wed Feb 14 05:06:40 GMT 2007

Just for reference, I'm not ever talking about the guest account on
windows.  I'm taking about guest access, as is convention within

On 2/13/07, Adam Nielsen <adam.nielsen at uq.edu.au> wrote:
> > How do you get windows to access a share as a guest?
> But what's a "guest"?  Is that someone logging in with a blank
> username?  Or is it someone logging in with the username "Guest" and a
> blank password?  Or is it any unknown username regardless of the
> password?

Well, what is a guest to samba?  smbclient for example appears to be
happy to work anonymously.  Does it just pull some data from
/dev/urandom for username/password and toss it at the server?  Clearly
the samba clients have some concept of being a guest, of logging in
anonymously.  I just wish i could replicate this "known unknown"
username in windows.

>> [snip, you are correct in your comments]

> > - There is no way to force windows to connect as a guest
> But Windows asks you for a username to connect as, just log in with the
> "Guest" username (isn't that how Windows itself works?  Don't people
> always tell you to disable the Guest account on a new Windows
> installation for this reason?)

This is the key!  Right here!

Samba services appear to permit connectivity without username/password

The closest semantic equivalent in the windows login box would be
""/"" for username password, but the windows login box will not let
you send that, it demands some kind of username to connect.  As soon
as you enter something in the login box, samba thinks you are trying
to connect as a user named Guest.  I wish for a way to get windows to
try to connect anonymously, to connect as a guest, not as a user named

[snip more]

> I think you'll have to use a 'map to guest' option with Samba, that's
> really the only way having things "just work" (assuming, as you say,
> that people don't accidentally log themselves on as a guest.)

map to guest = bad username is a little safer than map to guest = bad
password or other options: if the user enters their own username (they
usually manage at least that) they get an err and not just demoted to

> I guess it's up to how you define your guest account.  If you create an
> account called Guest and give it a blank password, then people can log
> in as this guest account or their own account by typing in the
> appropriate username, and there shouldn't be any mix up.

I was thinking about this problem today, and arrived at the same
solution.  It still greatly irritates me that samba is capable of
anonymous login, where windows requires creating password-less users
to emulate this behavior, but it is at least tenable.

The idea here is really to make it so that merely by connecting, the
user explicitly knows what kind of network access they have.  If they
can and do log in as user, it means they have some kind of personal
access beyond anonymous access.  If they want to log on as a guest,
they should know they're logging in as a guest in the first place.

I hope I'm being a little clearer.  The main keyword (guest) is being
overloaded from the samba & windows ends...

More information about the samba mailing list