[Samba] Public share with ADS security

Dale Schroeder dale at BriannasSaladDressing.com
Wed Feb 12 13:05:11 MST 2014

On 02/11/2014 5:56 PM, McNamara, Bradley wrote:
> I'm killing myself on this, so I'm going to the list for help solving my issue.
> I have a Samba server integrated with AD working on Ubuntu 13.10, Samba 3.6.18.  All is good, in that accounts that exist in the password file of the Samba server are automatically authenticated to the shares without need for username/password on the client.
> However, I also want to set up a public share so that anyone within the organization can map the share without any input of username/password on the client, even when the username/password does not exist on the Samba server.  I've searched and found others with the same needs, but the solutions don't seem to help me.  Here's the latest version of the config file that I've been hacking at:
>     max log size = 50
>     max protocol = SMB2
>     dns proxy = No
>     idmap config * : range =
>     idmap config * : backend = tdb
>     follow symlinks = yes
>     wide links = yes
>     unix extensions = no
>     socket options = TCP_NODELAY SO_KEEPALIVE
>     map to guest = Bad User
>     guest account = nobody
>     usershare allow guests = yes
>          comment = SPU King County GIS
>          force user = nobody
>          path = /mnt
>          read only = yes
>          only guest = yes
>          browsable = yes
> Right now if the user tries to map the share on the client, and is prompted for username and password, if they input "nobody" for username they are then granted access to the public share.  I don't want any prompting for username/passwords.  Is this possible with ADS?  Thanks!  Also, logfiles show that when users initially browse for the share, and they are without accounts on the Samba server, the following is logged:  Username <domain\username> is invalid on this system.

I use security = ads, map to guest = Bad User, and winbind/rid in my 
global config.  The default guest account is "nobody", and the user 
"nobody" exists on the system.
For completeness, I tested on a joined system and a system not joined to 
the domain.  The following share config works on both.

     comment = SPU King County GIS
     path = /mnt
     read only = yes
     guest only = yes
     browseable = yes
     guest ok = yes
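
Added example, not part of either post and not Samba's own code: a small Python check for the guest-access parameters in the two share definitions above. It relies on the smb.conf manual's statement that `guest only` has no effect unless `guest ok` is set for the share, and it also flags `wide links = yes` on a guest-readable share. The `[public]` section name and the function names are assumptions, since the posts do not show section headers.

```python
# Added example: lint the guest-access parameters discussed in this thread.
SYNONYMS = {"public": "guest ok", "only guest": "guest only"}  # smb.conf synonyms
TRUE = {"yes", "true", "1"}

def parse(text):
    """Parse smb.conf-style text into {section: {parameter: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # case-insensitive; collapse spaces
            conf[section][SYNONYMS.get(key, key)] = value.strip()
    return conf

def lint_guest_shares(text):
    """Return (share, finding) pairs for guest-access problems."""
    conf = parse(text)
    glob = conf.pop("global", {})
    findings = []
    for name, share in conf.items():
        eff = {**glob, **share}  # share-level values override [global] defaults
        on = lambda key: eff.get(key, "no").lower() in TRUE
        if on("guest only") and not on("guest ok"):
            findings.append((name, "guest only has no effect without guest ok"))
        if on("guest ok") and eff.get("map to guest", "never").lower() == "never":
            findings.append((name, "unknown users are rejected: map to guest = Never"))
        if on("guest ok") and on("wide links"):
            findings.append((name, "wide links lets symlinks leave the guest share path"))
    return findings

# Constructed sample input built from the settings quoted in the thread.
# [public] is a placeholder name; the posts do not show the section headers.
GLOBAL = "[global]\n map to guest = Bad User\n guest account = nobody\n" \
         " wide links = yes\n unix extensions = no\n"
ASKED = GLOBAL + "[public]\n path = /mnt\n read only = yes\n only guest = yes\n"
REPLIED = ASKED + " guest ok = yes\n"

if __name__ == "__main__":
    for label, text in (("asked", ASKED), ("replied", REPLIED)):
        print(label, lint_guest_shares(text))
```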


