[Samba] Samba4 as AD DC, with one anonymous read-only share

Harry Jede walk2sun at arcor.de
Wed Dec 18 05:32:00 MST 2013

On 12:30:22 wrote Jason Bailey:
> Hello all,
> I have several Samba4 DCs that host various production shares. I need
> one share, however, available as a read-only guest share (anonymous)
> that will be used as a software distribution share point. I have been
> unable to make it work (the servers prompt me for a valid username
> and password on that share).


> Thoughts? Help is appreciated.

This is from samba 3.6.x on Debian. Should also work on samba4 on any 
Linux OS.

Settings in smb.conf:

    [global]
    guest account     = nobody
    map to guest      = Bad User

    [install]
    comment           = Installation Service
    path              = /srv/z
    browseable        = no
    guest ok          = yes
    read only         = yes

    [install2]
    copy              = install
    guest ok          = no
    acl group control = Yes
    write list        = +administrators

Guest account is set to the unix user nobody. "map to guest" is not so 
The install share is invisible, read-only and allows guest access.
The install2 share points to the same path. I use the "+" sign instead 
of the "@" sign as group indicator. This prevents the unnecessary NIS 

# getent passwd guest

# getent passwd nobody

There is no user guest in unix.

# pdbedit -Lv guest
Username not found!

Nor in samba

# pdbedit -Lv nobody
Unix username:        nobody
NT username:          nobody
Account Flags:        [NU         ]
User SID:             S-1-5-21-3958726613-3318811842-4132420312-501
Primary Group SID:    S-1-5-21-3958726613-3318811842-4132420312-514
Full Name:            nobody
Home Directory:       \\capella\nobody
HomeDir Drive:        U:
Logon Script:         UNKNOWN.bat
Profile Path:         \\capella\profile\nogroup\nobody\UNKNOWN
Domain:               EUROPA
Account desc:         
Munged dial:          
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Mo, 30 Apr 2012 14:22:04 CEST
Password can change:  Mo, 30 Apr 2012 14:22:04 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0

# ldapsearch -xLLL uid=nobody
dn: uid=nobody,ou=people,ou=accounts,dc=europa,dc=xx
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: nobody
uidNumber: 65534
gidNumber: 65534
homeDirectory: /dev/null
sambaPrimaryGroupSID: S-1-5-21-3958726613-3318811842-4132420312-514
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-501
loginShell: /bin/false
sambaPwdLastSet: 1335788524
sambaAcctFlags: [NU         ]

The guest account must have the well-known DomainSID-501 and DomainSID-514 
for primary group. Password changes are forbidden as N in sambaAcctFlags 

I use this setup to install Windows 7 pro via pxe boot with WindowsPE 
3.0 and to install software with wpkg-gp as service.


	Harry Jede
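
Added example, not part of the original post and not Samba code: a small Python audit that resolves "copy =" between shares and reports which shares admit guests and whether a guest could write. The sample config is constructed from the settings quoted above, with the section names [global], [install] and [install2] assumed from the share names the post mentions; the function names are hypothetical.

```python
import configparser

# Constructed sample mirroring the post's settings; the section names are
# assumed from the share names "install" and "install2" the post mentions.
SAMPLE_CONF = """
[global]
guest account = nobody
map to guest = Bad User
[install]
path = /srv/z
guest ok = yes
read only = yes
[install2]
copy = install
guest ok = no
write list = +administrators
"""
TRUE = {"yes", "true", "1"}  # boolean spellings listed in smb.conf(5)

def load_shares(text):
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    # Samba ignores case and whitespace in parameter names.
    cp.optionxform = lambda name: "".join(name.lower().split())
    cp.read_string(text)
    shares = {}
    for section in cp.sections():
        if section.lower() == "global":
            continue
        opts = dict(cp.items(section))
        # "copy" clones an earlier share; this share's own lines override it.
        merged = dict(shares.get(opts.pop("copy", None), {}))
        merged.update(opts)
        shares[section] = merged
    return shares

def is_read_only(o):
    # "writeable", "writable" and "write ok" are inverted synonyms of "read only".
    for syn in ("writeable", "writable", "writeok"):
        if syn in o:
            return o[syn].lower() not in TRUE
    return o.get("readonly", "yes").lower() in TRUE

def audit(text):
    report = {}
    for name, o in load_shares(text).items():
        guest = o.get("guestok", o.get("public", "no")).lower() in TRUE
        report[name] = {"path": o.get("path"), "guest": guest,
                        "guest_writable": guest and not is_read_only(o),
                        "write_list": o.get("writelist", "")}
    return report
```

This sketch ignores share defaults set in [global] and include files; `testparm -s` remains the authoritative view of what Samba actually loads.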
