[Samba] Disable AD checking per share in smb.conf [sec=unclassified]

Kym Newbery kym.newbery at aad.gov.au
Wed Apr 25 19:38:57 MDT 2012

On 2012/04/26 11:16, Jeremy Allison wrote:
> On Thu, Apr 26, 2012 at 11:14:47AM +1000, Kym Newbery wrote:
>> Hi
>> I tried the 'map to guest = Bad User' option, but the win XP machine
>> reports "unexpected network error occurred'.  Without that option
>> Windows Xp just reports 'access denied'.
>> That is even though some of the my shares are 'public = yes' and
>> 'guest ok = yes' (but others are not - they are for domain
>> credentials only.
>> I looked in /var/log/messages when the Windows XP machine accessed
>> the server  (with 'map to guest = Bad user')
>> Apr 26 01:09:23 sts-dev adclient[1412]: WARN<fd:25
>> CAPIGetObjectBySID>  base.zonehier Failed to extend object for
>> CN=427802e411ed46798fe049b8c9439a7c,CN=Foreign User,CN=One Way
>> So - I'm still stuck to work out if it is at all possible for a
>> server that is on the domain (using CentrifyDC) to run Samba and
>> have a public read only share that doesn't require credentials.
> What do you have your guest user set to ? These are Centrify
> error messages so you might want to follow up with them.
I set 'guest account = nobody'

My previous attempts at sorting out this problem haven't been too successful on 
the Centrify Express Community forum ..:


Here is the latest update from our dev group:

1.  The only security mode we support is security = ADS

Unfortunately in ADS mode things like username map only apply AFTER 
authentication completes so these are not possibilities.

2.  The workaround that was provided earlier appears to be also an issue with 
stock samba.

Typically we test the same with stock samba just to make sure Centrify is not 
the cause of behavior changes. Unfortunately, in this scenario, Stock Samba 
seems to have made some changes in the newer releases which is leading to this bug.

You will have to pursue this issue further with Samba experts through their 
forum support.


I also tried

1. Edit /etc/samba/smb.conf and add the following to the [globals] section

guest account = nobody
map to guest = Bad Uid

2. Add the following to public shares

guest ok = yes

but, the same 'access is denied' is present.

Even if I remove all the shares that require AD credentials and only have one share

<snipped same as previously>

     map to guest = Bad Uid
     guest account = nobody

     path = /samba-test
     public = yes
     guest ok = yes
     writable = yes

on windows XP

c:\net view \\sts-dev
System Error 5 occurred

access denied.

> Jeremy.
> .

Kym B Newbery, Science Technical Support Electronics Design Engineer
Australian Antarctic Division 203 Channel Highway, Kingston, TASMANIA, 7050.
PHONE +61 3 6232 3329  FAX +61 3 6232 3351


    Australian Antarctic Division - Commonwealth of Australia
IMPORTANT: This transmission is intended for the addressee only. If you are not the
intended recipient, you are notified that use or dissemination of this communication is
strictly prohibited by Commonwealth law. If you have received this transmission in error,
please notify the sender immediately by e-mail or by telephoning +61 3 6232 3209 and
DELETE the message.
        Visit our web site at http://www.antarctica.gov.au/

More information about the samba mailing list