[Samba] How does the "guest account" param work?

Michael Heydon michaelh at jaswin.com.au
Thu Oct 16 07:17:25 GMT 2008


Kyle wrote:
> smb.conf states "This user must exist in the passwd file, but does not 
> require a valid login"  What exactly does this mean?
It means exactly what it says: the specified user must exist in the 
passwd file (as in the list of valid unix users), but does not require a 
valid login (as in a samba login).
> As I understand it, adding a user with 'smbpasswd -a nobody' 
> automatically gives it a valid login.
Correct, so don't do that.
> I couldn't browse the workgroup, but could log on to the samba host 
> directly via UNC. E.g. \\<samba-host> with user:'nobody' - pass: <empty>
This isn't how the guest account works. The guest account is the account 
used to access files when "map to guest" is triggered.
E.g. I have an XP machine with the username "fred". I try to connect to 
a samba host which has "map to guest = bad user" and *does not have an 
account called fred*. I will be granted access to guest shares, and all of 
my reads and writes will be performed using the unix id "nobody".
> Only problem with that is that a home dir appeared for 'nobody' which 
> happened to be the '/' (root) dir.  NOT good!
This is because you aren't connecting as a guest user, you are 
connecting as a normal user who happens to have the same UID as the 
guest user.
>
> So then I tried with 'guest account = guest'
> Deleted the 'nobody' user from passdb.tdb
> I created a /home/guest dir and added and enabled 'guest' to the 
> passdb.tdb.
>
> This then lets me only log on to the [public] share. However, if I 
> click the 'Up' button on the XP host's file manager (Explorer), I can 
> get back up to the root of the host directly (i.e. \\<samba-host> ) 
> and suddenly see both the [public] share and the guest home dir.
>
> If there are 'guest ok = Yes' defined shares, then I would expect to 
> still be able to browse the workgroup and see available shares on the 
> samba host, albeit only those 'guest ok' defined shares. And I 
> certainly wouldn't expect to see any home dir for a limited user.
This is entirely expected behaviour. You aren't a "limited user" if you 
authenticate with valid credentials.


*Michael Heydon - IT Administrator*
michaelh at jaswin.com.au
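
Added example (not part of the original post, and not Samba project code): a check for the situation described in the reply above, where the account named by "guest account" also has a passdb entry and can therefore log in as a normal user. It assumes text in the formats printed by `testparm -sv` and `pdbedit -L`; the function names and sample data are made up for illustration, and "nobody" is assumed as the default when the parameter is not listed.

```sh
#!/bin/sh
# Added example, not Samba project code. Function names are hypothetical.

# Print the "guest account" value from testparm-style text on stdin.
# Assumption: "nobody" is the default when the parameter is not listed.
guest_account_from_conf() {
    awk -F= '
        /^[ \t]*guest account[ \t]*=/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); name = $2
        }
        END { print (name == "" ? "nobody" : name) }'
}

# Succeed if user $1 is a username in `pdbedit -L`-style text on stdin
# (one "username:uid:full name" entry per line).
has_passdb_entry() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# $1 = testparm text, $2 = pdbedit text. Returns 1 when the guest account
# has a Samba login, i.e. a client can authenticate as it like any other user.
check_guest_account() {
    guest=$(printf '%s\n' "$1" | guest_account_from_conf)
    if printf '%s\n' "$2" | has_passdb_entry "$guest"; then
        echo "WARN: '$guest' is in passdb: clients can authenticate as it and are treated as a normal user"
        return 1
    fi
    echo "OK: '$guest' is only the unix id used when \"map to guest\" is triggered"
}

# Constructed sample data (not captured from a real host).
SAMPLE_CONF='[global]
    map to guest = Bad User
    guest account = guest
[public]
    guest ok = Yes'
SAMPLE_PASSDB_BAD='kyle:1000:Kyle
guest:1001:'
SAMPLE_PASSDB_OK='kyle:1000:Kyle'

check_guest_account "$SAMPLE_CONF" "$SAMPLE_PASSDB_BAD" || true
check_guest_account "$SAMPLE_CONF" "$SAMPLE_PASSDB_OK"

# On a live host (run as root):
#   check_guest_account "$(testparm -sv 2>/dev/null)" "$(pdbedit -L)"
```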


