[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto

Andrew Martin amartin at xes-inc.com
Tue Jul 17 18:53:41 UTC 2018

----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Tuesday, July 17, 2018 2:54:17 AM
> Subject: Re: [Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain =
> auto

> On Mon, 16 Jul 2018 16:47:57 -0500 (CDT)
> Andrew Martin via samba <samba at lists.samba.org> wrote:
>> Hello,
>> I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this
>> fileserver is joined to a Samba4 AD Domain. I have configured the
>> following options to allow guest access to a share:
>> [global]
>>     guest account = nobody
>>     map to guest = Bad User
>> [Share]
>>     guest ok = yes
>> When attempting to connect from a local account on a Windows 7 client
>> (the client is joined to the domain but the local account is local to
>> the machine), I can no longer connect as a guest to this share,
>> receiving STATUS_LOGON_FAILURE. Looking into it further, I can
>> successfully authenticate as a guest if I specify the AD domain name
>> (EXAMPLE.COM) or the hostname of the fileserver (FILESERVER) but NOT
>> if I use the hostname of the Windows 7 client (WINDOWS7CLIENT):
>> $ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
>> # this works
>> $ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
>> # this works
>> $ smbclient -WWINDOWS7CLIENT -L //fileserver/share -ULocalWindowsUser%
>> session setup failed: NT_STATUS_LOGON_FAILURE
>> I think setting "map untrusted to domain = no" will resolve this
>> problem since the user will get mapped to FILESERVER\LocalWindowsUser
>> instead of WINDOWS7CLIENT\LocalWindowsUser as it is now when set to
>> "auto", however this is not a long-term solution since it looks like
>> this option is being removed in Samba 4.8. How can I allow a local
>> Windows user to authenticate as a guest to this share?
>> Thanks,
>> Andrew
> Have you tried not using '-W' ?
> You talk about 'authenticating' as guest, but this is the last thing
> that will happen, if a user connects to a share with an invalid
> password it will be rejected, unless the user is also invalid (i.e.
> unknown), if so the user is silently mapped to guest. There is no
> authentication involved, exactly the opposite ;-)
> Rowland


Yes, if I do not use '-W' then it works as expected, mapping to the
guest account. However, the use case I am trying to make work is 
having a local account on a Windows 7 client access the share as guest.
Windows will always pass along the workgroup of the local account so
there's no way for me to omit it. How can I allow successful guest
mapping in this case?



More information about the samba mailing list