[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto

Rowland Penny rpenny at samba.org
Tue Jul 17 07:54:17 UTC 2018


On Mon, 16 Jul 2018 16:47:57 -0500 (CDT)
Andrew Martin via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this
> fileserver is joined to a Samba4 AD Domain. I have configured the
> following options to allow guest access to a share:
> 
> [global]
>     guest account = nobody
>     map to guest = Bad User
> 
> [Share]
>     guest ok = yes
> 
> When attempting to connect from a local account on a Windows 7 client
> (the client is joined to the domain but the local account is local to
> the machine), I can no longer connect as a guest to this share,
> receiving STATUS_LOGON_FAILURE. Looking into it further, I can
> successfully authenticate as a guest if I specify the AD domain name
> (EXAMPLE.COM) or the hostname of the fileserver (FILESERVER) but NOT
> if I use the hostname of the Windows 7 client (WINDOWS7CLIENT):
> 
> $ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
> # this works
> 
> $ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
> # this works
> 
> $ smbclient -WWINDOWS7CLIENT -L //fileserver/share -ULocalWindowsUser%
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> I think setting "map untrusted to domain = no" will resolve this
> problem since the user will get mapped to FILESERVER\LocalWindowsUser
> instead of WINDOWS7CLIENT\LocalWindowsUser as it is now when set to
> "auto", however this is not a long-term solution since it looks like
> this option is being removed in Samba 4.8. How can I allow a local
> Windows user to authenticate as a guest to this share?
> 
> 
> Thanks,
> 
> Andrew
> 

Have you tried not using '-W'?

You talk about 'authenticating' as guest, but this is the last thing
that will happen. If a user connects to a share with an invalid
password, it will be rejected, unless the user is also invalid (i.e.
unknown); if so, the user is silently mapped to guest. There is no
authentication involved, exactly the opposite ;-)

Rowland
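
The guest-mapping rule discussed in this thread, as an added example that is not part of the original messages and is not Samba's own code: a simplified model of `map to guest` applied to the configuration quoted above, following the documented meanings of `Never`, `Bad User` and `Bad Password`. The function names and the `[Private]` share are assumptions made for illustration, and the workgroup/domain handling the original question asks about (`map untrusted to domain`) is not modelled.

```python
# Added example (simplified): ignores "Bad Uid" and domain mapping.
SAMPLE_CONF = """\
[global]
    guest account = nobody
    map to guest = Bad User

[Share]
    guest ok = yes

[Private]
    path = /srv/private
"""  # [global] and [Share] are from the post; [Private] is constructed

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def session_outcome(conf, user_known, password_ok):
    """Return 'user', 'guest' or 'reject' for one session setup attempt."""
    raw = conf.get("global", {}).get("maptoguest", "never")
    policy = " ".join(raw.lower().split())
    if policy not in ("never", "bad user", "bad password"):
        raise ValueError("unmodelled 'map to guest' value: " + raw)
    if user_known and password_ok:
        return "user"
    if policy == "bad password" or (policy == "bad user" and not user_known):
        return "guest"  # silently mapped to the guest account
    return "reject"

def guest_shares(conf):
    """Shares a guest session may open ('guest ok' or its synonym 'public')."""
    return sorted(
        name for name, params in conf.items()
        if name != "global"
        and params.get("guestok", params.get("public", "no")).lower()
        in ("yes", "true", "1")
    )
```

Running `guest_shares` over a real smb.conf is a quick way to review which shares a silently mapped guest session can reach.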