[Samba] Public Share on Samba with ADS security

McNamara, Bradley Bradley.McNamara at seattle.gov
Thu Feb 13 17:26:12 MST 2014


Hello, list;

This is my second try asking for help.  One person responded and provided help, but I still can't seem to work this out.  I've searched, but have failed.  I'm not new to Samba, but I can and do make mistakes...so here I am.

I have a fresh install of Ubuntu 13.10 with Samba 3.6.18.  I have Kerberos properly configured and have successfully joined the domain, and can list users, groups, etc.  All I want to do is have a server that is part of AD, and have a public share on it.  The smb.conf is very simple and listed here:

[global]
   workgroup = SPU
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   log level = 3
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   realm = SPU.COS.LOCAL
   map to guest = Bad User
   usershare allow guests = yes
   guest account = nobody

[SPU_KC_GIS]
        comment = SPU King County GIS
        path = /mnt
        read only = yes
        guest only = yes
        guest ok = yes
        browseable = yes

The only accounts on the server are the default accounts that are there when the server is built.  The "nobody" account does exist.  All I want is to have a public share that does not prompt for username/password.  Right now, when one browses for the share, they are prompted for username and password.  When I put "nobody" in for username, and blank password, they are granted access to the share.  Thereafter, they are granted access to the share without being prompted for username and password.

I turned up the logging level and this appears in the log for the client, which is what I would expect to be in there.  I would also expect that any user not known on the server (not in passwd file) would be mapped to "Bad User" and then granted access as nobody.  This does not seem to be happening.

[2014/02/13 16:04:42.031246,  3] smbd/sesssetup.c:1114(reply_sesssetup_and_X_spnego)
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2014/02/13 16:04:42.031303,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 2437
[2014/02/13 16:04:42.163990,  3] libads/authdata.c:332(decode_pac_data)
  Found account name from PAC: McNamaB [Bradley W. McNamara]
[2014/02/13 16:04:42.164061,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [McNamaB@SPU.COS.LOCAL]
[2014/02/13 16:04:42.164296,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username SPU\McNamaB is invalid on this system
[2014/02/13 16:04:42.164338,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2014/02/13 16:04:53.294408,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 156.74.130.227 read error = NT_STATUS_CONNECTION_RESET.
[2014/02/13 16:04:53.385036,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

Of course, when the user does exist in the password file, everything works as expected:  no prompting for username and password.  Am I asking for something that Samba cannot deliver?  Am I just losing it and have not done something basic and trivial that is preventing what I want to do?  I am not running 'winbind' as I don't need account info from AD.

Thanks for any and all help!

Brad
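
An added example, not part of the original post: a Python triage script that groups the level 3 log entries quoted above and reports each session setup that was rejected after the Kerberos ticket was decoded because the name has no local Unix account. The function names and finding fields are hypothetical; the sample is an excerpt of the log in the post, with the archive's " at " written as "@".

```python
import re

# Excerpt of the log quoted in the post (the archive's " at " written as "@").
SAMPLE_LOG = """\
[2014/02/13 16:04:42.163990,  3] libads/authdata.c:332(decode_pac_data)
  Found account name from PAC: McNamaB [Bradley W. McNamara]
[2014/02/13 16:04:42.164061,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [McNamaB@SPU.COS.LOCAL]
[2014/02/13 16:04:42.164296,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username SPU\\McNamaB is invalid on this system
[2014/02/13 16:04:42.164338,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

# "[timestamp, level] file.c:line(function)" header; message lines follow, indented.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] "
                    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$")

def parse_entries(text):
    """Attach each indented message line to the header that precedes it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.startswith(" "):
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def triage_session_setups(text):
    """One finding per SMBsesssetupX error, with the identity logged before it."""
    findings, ctx = [], {}
    for e in parse_entries(text):
        msg = e["msg"]
        if m := re.match(r"Found account name from PAC: (\S+)", msg):
            ctx = {"pac_account": m.group(1)}  # a new attempt starts here
        elif m := re.match(r"Kerberos ticket principal name is \[(.+)\]", msg):
            ctx["principal"] = m.group(1)
        elif m := re.match(r"Username (\S+) is invalid on this system", msg):
            ctx["unmapped_user"] = m.group(1)
        elif m := re.search(r"\(SMBsesssetupX\) (NT_STATUS_\w+)", msg):
            findings.append({**ctx, "time": e["ts"], "status": m.group(1),
                             "ticket_decoded_but_no_unix_user":
                                 "principal" in ctx and "unmapped_user" in ctx})
            ctx = {}
    return findings

if __name__ == "__main__":
    for finding in triage_session_setups(SAMPLE_LOG):
        print(finding)
```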

