[Samba] Accessing guest Samba shares from Windows 10/11 without hacks

Rowland Penny rpenny at samba.org
Thu May 30 12:23:11 UTC 2024 

On Thu, 30 May 2024 11:47:50 +0000
Jones Syue 薛懷宗 via samba <samba at lists.samba.org> wrote:

> > Is there a simple SoHo samba configuration that works for W10/W11
> > clients? I don't want to use Samba as a DC or anything like that.
> > So, are there any Samba options that can be used with vanilla
> > W10/W11 enterprise installations without altering group/local
> > security policies?
> 
> Yesterday a link mentioned that Windows changed 'vanilla' flavor, it
> introduces two new security measures in order for protection, turn-on
> sign & turn-off guest access:
> Accessing a third-party NAS with SMB in Windows 11 24H2 may fail
> https://techcommunity.microsoft.com/t5/storage-at-microsoft/accessing-a-third-party-nas-with-smb-in-windows-11-24h2-may-fail/ba-p/4154300
> 
> The protection policy disable guest access for enterprise/pro/edu
> editions, though not sure whether home edition does so too, it looks
> like upcoming Windows release would tend to follow this protection
> policy, so revert new protection like turn-off sign & turn-on guest
> might not recommended.
> 
> Fortunately this link did mention there is an alternate: to replace
> guest access with an authentication by a username/password pair
> (should be a strong password instead of week password). And the
> simplest steps might be:
> 
> 1. PC > Start button > Run > Enter 'cmd' to launch 'Command Prompt'.
> 2. Input command 'whoami' in the command line. And it would output a
> string like 'computername\username', this should be the same as the
> credential we just enter while we login Windows Desktop, for example
> in my case its output is 'jones-ws22-62\jones', and 'jones' is my PC
> usernane. 3. Go to samba server, create a new samba account which is
> the same as PC username, in my case it is 'jones'. Also revise
> smb.conf to allow this account access samba server.
>    

Or to put it another way, stop setting up Samba with guest access and
use Samba users with passwords, you could even use 'vfs objects =
acl_xattr' and set finer controls over the permissions.

Rowland

More information about the samba mailing list