I've managed to figure out how to make what I requested work and will post the instructions.
- First, you need to figure out what the username you need to add is. The easiest way to do this is to first add
log level = 2tosmb.conf. Then start and enable the Samba service. Then connect to the Samba server using File Explorer on the Windows PC while logged into the relevant account (you don't have to open any shared directories). Then open the log file found at/var/log/samba/log.<ip address of Windows PC>and the required username will be noted there. You can now set log level to 0 if you want. - Create a Linux account for the Samba user using the
useraddcommand (or use an existing one if you prefer). You don't need to worry about passwords with this account but if you create a new account, you may want to block login on it. This account's username doesn't have to be the same as the name noted above but it would be easier if it was. This account's purpose is for the purpose of file permissions and for Linux to determine what files and directories the Windows user is allowed to access. - Create a Samba user with the same name as the Linux account in step 2 using the
smbpasswdcommand. Make sure the password assigned to this account is the same as the one used for the Windows account. - If the Samba and Windows accounts don't share the same username, you will have to either add
!<Samba user> = <Windows user>tosmb.confor add<Samba user> = <Windows user>tosmbusersandusername map = /etc/samba/smbuserstosmb.conf. - And that should be it. Be sure to set the
valid users =option on any shares you want accessible only by your Windows account.
Videos
OK, I have found an answer myself.
As this is absolutely not obvious from the docs and HOWTOs and whatever, the reason this thing asks for password is because it cannot map guest user to the owner of the directory being shared.
I have NTFS partitions which I need to mount RW so I used the following setup in my /etc/fstab:
/dev/sdb1 /media/disk1 ntfs defaults,noexec,noatime,relatime,utf8,uid=1000,gid=1000 0 2
/dev/sdb2 /media/disk2 ntfs defaults,noexec,noatime,relatime,utf8,uid=1000,gid=1000 0 2
The most important pieces of config are uid and gid (maybe only uid, don't know).
They are set to the UID and GID of the user jonnie set up on the server (obviously not root). So, when ntfs-3g will mount these disks, everything will be owned by him.
After that, I have added this user to the Samba registry (or maybe created new identical one, don't care):
# smbpasswd -a jonnie
It asked for password, I have entered the same as for the main system.
After that, I have added the force user and force group settings to the smb.conf:
[global]
workgroup = WORKGROUP
netbios name = HOMESERV
security = user
map to guest = Bad User
[disk1]
comment = Disk 1 on 400GB HDD
path = /media/disk1
browsable = yes
guest ok = yes
read only = no
create mask = 666
directory mask = 777
force user = jonnie
force group = jonnie
[disk2]
comment = Disk 2 on 400GB HDD
path = /media/disk2
browsable = yes
guest ok = yes
read only = no
create mask = 666
directory mask = 777
force user = jonnie
force group = jonnie
So, most important piece of config relevant to me was force user.
Courtesy of the Samba HOWTO
The config can be shorter:
Create unix user jonnie
sudo useradd jonnie -s /usr/sbin/nologin
Create smbuser
sudo smbpasswd -a jonnie
Create the Linux directory to share
mkdir /mysmbshare
Change the owner of the directory to jonnie
sudo chown jonnie /mysmbshare
smb.conf
[global]
workgroup = MyWorkGroup
server string = Hello, use me
security = user
map to guest = Bad User
guest account = jonnie
passdb backend = tdbsam
[the_public_share]
path = /mysmbshare
writable = yes
printable = no
public = yes
All files are owned by jonnie and everyone has rw access to the files.
I finally found the solution:
[global]
workgroup = WORKGROUP
netbios name = NAS
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[public]
path = /home/share
public = yes
guest only = yes
writable = yes
force create mode = 0666
force directory mode = 0777
browseable = yes
creates a share without any user/password login.
You can access it in Windows with \\NAS\public.
I use this. The script uses ACLs to gives all files in the directory to the Debian group "sambashare". This simplifies the exchange of files between local and remote users, because local and remote users can read and write all files in the directory.
mkdir /home/sambashare
chown nobody:sambashare /home/sambashare
chmod 2775 /home/sambashare
setfacl -R -dm u::rwx,g::rwx,o::r-x /home/sambashare
setfacl -R -m u::rwx,g::rwx,o::r-x /home/sambashare
cat >> /etc/samba/smb.conf <<EOF
[public]
comment = Public Share
path = /home/sambashare
browsable = yes
guest ok = yes
read only = no
create mask = 0664
directory mask = 2775
force create mode = 0660
force directory mode = 2770
force group = sambashare
inherit acls = yes
map acl inherit = yes
EOF
systemctl enable smbd
systemctl enable nmbd
usermod -aG sambashare localuser
So you have likely run into an issue with Windows 10 Pro and more recent versions, explictly protecting against the exact thing you are trying to do.
Windows by default does not allow accessing SMB services via what it views as insecure guest access. There are two ways to change this.
First, is a way to do this if you have already installed/enabled gpedit, which is tricky in Windows 10 Pro and not covered here:
Run: gpedit.msc
Go to: Local Computer Policy -> Computer Configuration -> Windows Settings -> Administrative Templates -> Network -> Lanman Workstation
Enable: "Enable insecure guest logons"
The other option is in the registry editor:
Run: regedit
Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation
Click: Edit -> New -> DWORD (32-bit) Value
Name it: AllowInsecureGuestAuth
Set value to: 1
Exit Registry Editor
Reboot
At this point, with either method, you should be able to see secured shares without a username and password. HOWEVER, please note there is no "guest" option when authenticating by default. So, it MAY still ask you for a username/password. If it does, enter in anything. It doesn't matter. When it fails, the server will use the 'map to guest' setting and fall back to the guest user and allow visibility.
Good luck and let me know if this works!
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default
Guest access in SMB2 and SMB3 disabled by default in Windows
This article describes information about Windows disabling guest access in SMB2 and SMB3 by default, and provides settings to enable insecure guest logons in Group Policy. However, this is generally not recommended.
Original KB number: 4046019
Symptoms
Starting from Windows 10, version 1709 and Windows Server 2019, SMB2 and SMB3 clients no longer allow the following actions by default:
- Guest account access to a remote server.
- Fall back to the Guest account after invalid credentials are provided.
SMB2 and SMB3 have the following behavior in these versions of Windows:
- Windows 10 Enterprise and Windows 10 Education no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
- Windows Server 2019 Datacenter and Standard editions no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
- Windows 10 Home and Pro are unchanged from their previous default behavior; they allow guest authentication by default.
- Windows 11 Insider Preview Build 25267 Pro editions no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials. All subsequent Windows 11 Insider Preview builds no longer allow a user to connect to a remote share by using guest credentials by default.
If you try to connect to devices that request credentials of a guest instead of appropriate authenticated principals, you may receive one of the following error messages:
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
Error code: 0x80070035 The network path was not found.
Also, if a remote server tries to force you to use guest access, or if an administrator enables guest access, the following entries are logged in the SMB Client event log:
Log Name: Microsoft-Windows-SmbClient/Security
Source: Microsoft-Windows-SMBClient
Date: Date/Time
Event ID: 31017
Task Category: None
Level: Error
Keywords: (128)
User: NETWORK SERVICE
Computer: ServerName.contoso.com
Description: Rejected an insecure guest logon.
User name: Ned
Server name: ServerName
Guidance
This event indicates that the server tried to log on the user as an unauthenticated guest but was denied by the client. Guest logons don't support standard security features such as signing and encryption. So, guest logons are vulnerable to man-in-the-middle attacks that can expose sensitive data on the network. Windows disables insecure (nonsecure) guest logons by default. We recommend that you don't enable insecure guest logons.
Cause
This change in default behavior is by design and is recommended by Microsoft for security.
A malicious computer that impersonates a legitimate file server could allow users to connect as guests without their knowledge. We recommend that you don't change this default setting. If a remote device is configured to use guest credentials, an administrator should disable guest access to that remote device and configure correct authentication and authorization.
Windows client and Windows Server haven't enabled guest access or allowed remote users to connect as guest or anonymous users since Windows 2000. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems don't.
Resolution
Configure your third-party SMB server device to require a username and password for SMB connections. If your device allows guest access, any device or person on your network can read or copy all of your shared data without any audit trail or credentials.
If you can't configure your third-party device to be secure, you can enable insecure guest access with the following Group Policy settings:
- Open the Local Group Policy Editor (gpedit.msc) on your Windows device.
- In the console tree, select Computer Configuration > Administrative Templates > Network > Lanman Workstation.
- For the setting, right-click Enable insecure guest logons and select Edit.
- Select Enabled > OK.
For monitoring and inventory purposes, this group policy sets the following DWORD registry value to 1 (insecure guest auth enabled) or 0 (insecure guest auth disabled):
Key: HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation
Value: AllowInsecureGuestAuth
To set the value without using Group Policy, use the following registry value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
Value: AllowInsecureGuestAuth
Note
As usual, the value setting in Group Policy will override the value setting in the non-Group Policy registry value. (Check both during investigation).
More information
This setting has no effect on SMB1 behavior. SMB1 continues to use guest access and guest fallback.
This was the key option to set to resolve this issue:
[global]
map to guest = bad user
From:
$ man smb.conf | grep -m1 -B8 -A16 'Bad User'
Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.
This is the config that (finally) worked here. I can access a linux server from Windows without asking for a user/password:
[global]
workgroup = MYGROUP
server string = Samba Server %v
netbios name = debian
security = user
map to guest = bad user
dns proxy = no
#============= Share Definitions =================
[adriano]
force user = adriano
path = /home/adriano
browsable =yes
writable = yes
guest ok = yes
read only = no