remove

valid users = "@domain admins", "@domain users"

from [global], only use it in shares that are not "guest" enabled

Answer from user168261 on Stack Exchange
๐ŸŒ
Medium
sourabhdey21.medium.com โ€บ samba-configuration-anonymous-user-965b6d81c5ad
Samba Configuration Anonymous User | by Sourabh Dey | Medium
March 5, 2022 - [global] workgroup = WORKGROUP server string = Samba Server %v netbios name = Rhel7 security = user map to guest = bad user dns proxy = no ... [Anonymous] path = /srv/samba/anonymous browsable = yes writable = yes guest ok = yes read only = no
Top answer
1 of 5
10

Happened to stumble across this thread on the Ubuntu forums, and thought it might help. It explains the steps that happen behind the scenes:

In Windows the client's username and password is automatically sent when it browses for shares - this is done without the user's knowledge. That forces Samba to deal with the sent credentials even though it's a guest share that requires no authentication.

When that username is passed Samba will search through it's password database for that user:

  • If there is no match to the username the client user is tagged a "Bad User" and converted ( mapped ) to the guest account which by default is "nobody".

  • If it finds a match to the username and there is a samba password that matches the one sent by the Windows client then the Windows user automatically gains access although not as an anonymous user which is why you needed to add "force user = nobody" to your share definition.

  • If it finds a match to the username but the samba password does not match exactly the password that's automatically sent by the Windows client then you will be prompted for a password - even for a guest share.

Try adding force user = nobody to your share definition, and see if that does it.

Edit 02/20/2013:

Is testparm returning an exit code of something other than zero? All the same, I would go ahead and give that area of the config a good, hard look. Also, I'm not sure how case-sensitive smb.conf is, but every example I see (for example) of map to guest = Bad User has the B and U capitalized. Check-out the Samba man pages for the options you are using, and double-check everything.

2 of 5
10

This is how OpenElec is configured. Should do what you are asking for. (even if it is a year later...maybe it will help the next one) Just tweak the share settings as needed.

[global]
  server string = YOURSERVERNAME
  workgroup = WORKGROUP
  netbios name = %h
  security = share
  guest account = root
  socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
  smb ports = 445
  max protocol = SMB2
  min receivefile size = 16384
  deadtime = 30
  os level = 20
  mangled names = no
  syslog only = yes
  syslog = 2
  name resolve order = lmhosts wins bcast host
  preferred master = auto
  domain master = auto
  local master = yes
  printcap name = /dev/null
  load printers = no
  browseable = yes
  writeable = yes
  printable = no
  encrypt passwords = true
  enable core files = no
  passdb backend = smbpasswd
  smb encrypt = disabled
  use sendfile = yes

[share]
comment = Share
path = /share
available = yes
browsable = yes
writable = yes
public = yes
๐ŸŒ
Reddit
reddit.com โ€บ r/openbsd โ€บ samba/smb-cifs // anonymous logon
r/openbsd on Reddit: Samba/SMB-CIFS // Anonymous Logon
December 6, 2024 -

Is anyone aware of a way to allow anonymous logon for Samba/SMB-CIFS with OpenBSD? As foolish as it may sound, I'm not a fan of providing general credentials for anyone (on my LAN) who needs a temp place to store something? Yes, it is isolated, and yes, all permissions are restricted to that specific directory, with no access to anything outside it. Alternatively, would it be best to just leave it as a NFS/network directory/drive (for my Windows fans), and provide the general credentials?

๐ŸŒ
FreeBSD
forums.freebsd.org โ€บ server and networking โ€บ web and network services
Anonymous user on Samba | The FreeBSD Forums
December 20, 2023 - Click to expand... Remove the 'guest' username. Guest access means "anonymous", in other words without authentication.
๐ŸŒ
SambaWiki
wiki.samba.org โ€บ index.php โ€บ Setting_up_Samba_as_a_Standalone_Server
Setting up Samba as a Standalone Server - SambaWiki
[global] map to guest = Bad User log file = /var/log/samba/%m log level = 1 server role = standalone server [guest] # This share allows anonymous (guest) access # without authentication!
Find elsewhere
๐ŸŒ
Raspberry Pi Forums
forums.raspberrypi.com โ€บ board index โ€บ projects โ€บ networking and servers
anonymous passwordless samba share - Raspberry Pi Forums
I've no idea abour Windows S. If you are using Windows pro (10 or 11) upwards, then, if your computer is fully updated, 'insecure guest access' is turned off by default. This means you cannot connect to a Samba share without a username & password, even if the Samba share is 'guest ok = yes'. ...
๐ŸŒ
Medium
medium.verylazytech.com โ€บ exploiting-anonymous-logins-advanced-techniques-for-penetration-testing-8ecdc00d01cc
Anonymous logins for pentesters
March 30, 2025 - By downloading the note.txt, you've successfully exploited the anonymous login feature to retrieve sensitive information. SMB services often come with misconfigured anonymous access. To create an SMB service on Ubuntu: apt install samba ยท Edit the /etc/samba/smb.conf file to enable anonymous access: nano /etc/samba/smb.conf ยท
๐ŸŒ
Arch Linux Forums
bbs.archlinux.org โ€บ viewtopic.php
howto allow anonymous access to samba [Solved] / Newbie Corner / Arch Linux Forums
June 18, 2016 - Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions # Global parameters [global] enable core files = No interfaces = 127.0.0. 192.168.0. server string = Aaaaaaaaaaaaaaaaahhhhhhhhhhh!!! domain master = Yes preferred master = Yes syslog = 2 usershare allow guests = Yes usershare max shares = 100 usershare path = /var/lib/samba/usershare load printers = No name resolve order = wins lmhosts hosts bcast server max protocol = SMB2 map to guest = Bad User null passwords = Yes obey pam restrictions = Yes passdb backend = smbpasswd security = USER smb passwd file = /etc/s
Top answer
1 of 5
36

OK, I have found an answer myself.

As this is absolutely not obvious from the docs and HOWTOs and whatever, the reason this thing asks for password is because it cannot map guest user to the owner of the directory being shared.

I have NTFS partitions which I need to mount RW so I used the following setup in my /etc/fstab:

/dev/sdb1  /media/disk1  ntfs defaults,noexec,noatime,relatime,utf8,uid=1000,gid=1000 0       2
/dev/sdb2  /media/disk2  ntfs defaults,noexec,noatime,relatime,utf8,uid=1000,gid=1000 0       2

The most important pieces of config are uid and gid (maybe only uid, don't know). They are set to the UID and GID of the user jonnie set up on the server (obviously not root). So, when ntfs-3g will mount these disks, everything will be owned by him.

After that, I have added this user to the Samba registry (or maybe created new identical one, don't care):

# smbpasswd -a jonnie

It asked for password, I have entered the same as for the main system.

After that, I have added the force user and force group settings to the smb.conf:

[global]
  workgroup = WORKGROUP
  netbios name = HOMESERV
  security = user
  map to guest = Bad User

[disk1]
  comment = Disk 1 on 400GB HDD
  path = /media/disk1
  browsable = yes
  guest ok = yes
  read only = no
  create mask = 666
  directory mask = 777
  force user = jonnie
  force group = jonnie

[disk2]
  comment = Disk 2 on 400GB HDD
  path = /media/disk2
  browsable = yes
  guest ok = yes
  read only = no
  create mask = 666
  directory mask = 777
  force user = jonnie
  force group = jonnie

So, most important piece of config relevant to me was force user.

Courtesy of the Samba HOWTO

2 of 5
6

The config can be shorter:

Create unix user jonnie

sudo useradd jonnie -s /usr/sbin/nologin

Create smbuser

sudo smbpasswd -a jonnie

Create the Linux directory to share

mkdir /mysmbshare

Change the owner of the directory to jonnie

sudo chown jonnie /mysmbshare

smb.conf

[global]
  workgroup = MyWorkGroup
  server string = Hello, use me
  security = user
  map to guest = Bad User
  guest account = jonnie
  passdb backend = tdbsam
  
[the_public_share]
   path = /mysmbshare
   writable = yes
   printable = no
   public = yes

All files are owned by jonnie and everyone has rw access to the files.

๐ŸŒ
Raspberry Pi Forums
forums.raspberrypi.com โ€บ board index โ€บ software โ€บ raspberry pi os
Anonymous Samba share on Raspberry Pi3 and Samba 4.2 - Raspberry Pi Forums
The default is 'no'. pam password change = yes # This option controls how unsuccessful authentication attempts are mapped # to anonymous connections map to guest = bad user security = user ########## Domains ########### # # The following settings only takes effect if 'server role = primary # classic domain controller', 'server role = backup domain controller' # or 'domain logons' is set # # It specifies the location of the user's # profile directory from the client point of view) The following # required a [profiles] share to be setup on the samba server (see # below) ; logon path = \\%N\profi
๐ŸŒ
Fedora Discussion
discussion.fedoraproject.org โ€บ ask fedora
Trouble setting up an anonymous samba share - Fedora Discussion
May 13, 2021 - Hello, iโ€™m trying to setup a read and writeable samba share on a second internal disk. So far i can see the share on my windows 10 machine, but i cannot access it: โ€œYou do not have permission to accessโ€ฆโ€ My smb.conf looks like: [global] workgroup = WORKGROUP wins support = yes security = user map to guest = bad user [sambashare] comment = SambaShare path = /mnt/wwn-0x5000039a756056c3/samba-share browseable = yes writeable = yes guest ok = yes guest only = yes read only = no forc...
๐ŸŒ
LinuxQuestions.org
linuxquestions.org โ€บ questions โ€บ linux-networking-3 โ€บ samba-anonymous-logins-411620
samba anonymous logins? - Linux - Networking
Hello - I would like to be able to login using no username and no password to my samba share, and have it work. If it could, I would like this
๐ŸŒ
TechRepublic
techrepublic.com โ€บ home โ€บ software
How to create a passwordless guest share in Samba - TechRepublic
March 14, 2022 - To make sure Samba is only listening to that interface locate the below line: ... [public] path = /home/share public = yes guest only = yes writable = yes force create mode = 0666 force directory mode = 0777 browseable = yes ยท Save and close the file. ... Next, weโ€™re must create a directory to house the shares. Back at the terminal, create the directory with: ... At this point, the newly-created share should be accessible via anonymous access.
๐ŸŒ
Hacking Articles
hackingarticles.in โ€บ home โ€บ penetration testing โ€บ anonymous logins for pentesters
Anonymous Logins for Pentesters
May 9, 2026 - The operator authenticates as Anonymous, is greeted with code 230 (login successful), runs ls to enumerate the anonymous root, navigates into pub, and downloads note.txt with the get command. The transfer completes in under a second โ€” a 28-byte file in this lab, but the same workflow scales identically to multi-gigabyte database dumps and source-code archives that real-world misconfigured servers expose every day. Samba implements the SMB/CIFS protocol on Linux and serves as the bridge between Linux servers and Windows clients.
๐ŸŒ
Stack Exchange
unix.stackexchange.com โ€บ questions โ€บ 765411 โ€บ anonymous-access-to-samba-server-not-share
Anonymous Access to Samba Server (not share) - Unix & Linux Stack Exchange
December 23, 2023 - Whilist I can set up guest access to the share, I am now prompted for a password when accessing the samba server: \\192.168.50.230. Interestingly, if I enter any user name and password, it lets me in, so I know I am going in as nobody. (Indeed, I have confirmed this by creating new files and seeing who owns it.
Top answer
1 of 4
9

In order to set up guest access in Samba, you need to set up a user that it will pretend to log in as. So, let's say you want to share files on /mnt/somepartition/files publically. Your configuration might look like this:

[public_files]
    comment = Public files
    path = /mnt/somepartition/files
    browsable = yes
    guest ok = yes
    writable = yes
    guest account = someusername
    create mask = 0775
    directory mask = 0755

What this saying is "Create a samba share on \mymachine\public_files that is viewable to anonymous users (not hidden like user files generally are) and enable it for write access. Anonymous users can access this share by using someusername's credentials. When files are created, make them globally executable but restrict write access globally. When directories are created, make them globally executable but only writable by someusername."

Once this is done, you will need to create a smbpassword, per your question. To do this, ensure first that the user exists within your server. If the user doesn't, create it:

sudo adduser someusername

Once the user exists, create a samba login:

sudo smbpasswd -a someusername

A couple of things to keep in mind: the directory that public_files points to will need to be READ accessible to someusername. Make sure you set the permissions correctly. If the directory is owned by you but still want to make them available, add someusername to a common group and then change the group ownership.

2 of 4
0

How I got it to work on my Pi running dietpi. It works with Windows (10), Mac (Catalina) and Linux clients, and has read+write permissions. Note: I automount the USBHDD to /media/USBHDD at startup

Contents of smb.conf:

[global]
        workgroup = WORKGROUP
        server string = %h server
        dns proxy = no
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog only = no
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        security = user
        encrypt passwords = true
        passdb backend = tdbsam
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes
        map to guest = bad user
        load printers = no
        printcap name = /dev/null
        disable spoolss = yes
[dietpi]
        comment = DietPi Share
        path = /mnt/dietpi_userdata
        browseable = yes
        create mask = 0664
        directory mask = 0775
        valid users = dietpi
        writeable = yes
[PiNAS]
        path = /media/USBHDD
        browseable = yes
        read only = no
        guest ok = yes
        writeable = yes
        create mask = 0775
        directory mask = 0755
max connections = 8