[Samba] Accessing guest Samba shares from Windows 10/11 without hacks

[Artem S. Tashkinov]

On 5/28/24 7:21 AM, Rowland Penny via samba wrote:
> On Tue, 28 May 2024 00:03:23 +0000
> "Artem S. Tashkinov via samba" <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I'm quite concerned that in order to access guest Samba shares in
>> Windows 10 you have to enable Insecure Guest Logons for the Lanman
>> Workstation and in Windows 11 you even need to disable "Digitally Sign
>> Communications".
>>
>> I've scoured through the entire smb.conf man page, tried the options
>> that looked appropriate, nothing worked.
>>
>> Is there a simple SoHo samba configuration that works for W10/W11
>> clients? I don't want to use Samba as a DC or anything like that.
>>
>> I'm using Samba 4.20.1.
>>
>> Here's where I posted the solution but again I'd like to avoid doing
>> that:
>>
>> https://superuser.com/questions/1843566/windows-11-enterprise-samba-access-error
>>
>> My configuration is simple:
>>
>> [global]
>>       workgroup = WORKGROUP
>>       security = user
>>       passdb backend = tdbsam
>>       guest account = nobody
>>       map to guest = Bad User
>>
>> Best regards,
>> Artem
>>
>
> This has nothing to do with Samba, it is all down to Microsoft not
> wanting the use of guest logons. Samba, by default, has never allowed
> them, you have to set (as you have done) 'map to guest = Bad User' in
> global and 'guest ok = yes' in the relevant share.
> Now just because Microsoft has put the 'switches' under the 'LANMAN'
> heading doesn't mean you are using lanman auth, you aren't, that is a
> SMBv1 thing and Samba defaults to SMBv2 as a minimum.

Sorry, I'm stupid and I don't want to pretend that I understood any of
that, except I vaguely remember that SMBv1 is considered largely
insecure and has been disabled in Windows 10 for quite some time now.

So, are there any Samba options that can be used with vanilla W10/W11
enterprise installations without altering group/local security policies?

Regards,
Artem