[Samba] Shared printing between Linux (client) and Windows (server): NT_STATUS_ACCESS_DENIED

Rowland Penny rpenny at samba.org
Thu Apr 4 09:42:40 UTC 2019 

On Thu, 4 Apr 2019 12:08:58 +0300
cloun via samba <samba at lists.samba.org> wrote:

> Thank you for answer.
> 
> Logged in as Guest, then went to Security tab. I see `Everyone', it
> is given all permissions. Then I went to `Current permissions' tab (I
> have localized OS at the moment, so probably it is not correct name)
> and typed in `Everyone' and `Guest' as well: all five permission
> types are checked
> 
> Then I edited smb.conf as you instructed

I take it you are referring to Louis here.
 
> 
> then I receive different errors: if username is equal to a Linux
> local machine user, ACCESS_DENIED is the case; if username is equal
> to a windows user (`Guest', `Admin', etc), then I have "session setup
> failed: NT_STATUS_LOGON_FAILURE". But if I specify `-U
> LOCAL\windowsusername', it gives ACCESS_DENIED.

Lets try and explain Samba guest access on a standalone server:

To set guest access, you need to add 'map to guest' to smb.conf, there
are 4 settings for this: Never, Bad User, Bad Password and Bad Uid.

The first one (Never) is the default and doesn't need to be set, this
doesn't allow any guest access.

The last one (Bad Uid) isn't used on a standalone server, so this
leaves us with Bad User and Bad Password.

Bad Password allows access for known users if the wrong password is
used, but the user will become the guest user and will not have the
permissions they think they have.

Bad user rejects users with wrong passwords unless the user is also
unknown, in which case the user gets mapped to guest.

Normally, if you want authenticated users on a Samba standalone
server, you will need to create a Unix user and then also make them a
Samba user with 'smbpassword -a username'. If you only require guest
access, there is no need to do any of that, no Samba users means that
any users that connect will become the guest user, as long as you set
'map to guest = Bad User' in smb.conf and add 'guest ok = yes' to the
shares.

Rowland

More information about the samba mailing list