Thanks to http://micheljansen.org
The Windows way
When a Windows client tries to access a share on a Windows server, it requests the given share using username and password of the current user on the client. The Windows server will then look for this username/password combination and if it exists, grants the user access to the share with the proper rights assigned. If it can’t find the username, it falls back to an anonymous user and grants access anyway (if this is policy).
How Samba handles it
This is where Samba differs. If set to security=user (which is a good idea anyway), when a user requests access to a share, it too looks up the credentials in a backend. However, if the user is unknown to the system, the default behaviour is to deny access. This is kind of unfriendly to Windows users, since they aren’t used to type in “guest” as a username and refuse to understand how to log in a way different from what they are used. This is how to set up your public shares to imitate Windows behaviour.
How to imitate Windows behavior using Samba
In my example, I’ve got one public share, on which I want to have full rights for myself and limited (read-only) access to all anonymous users. The name of the share will be “public”:
#/etc/samba/smb.conf [public] comment = Public Shares browsable = yes path = /data/pub public = yes writable = no write list = dawuss guest ok = yes
This sets up a share named “public” which is shown when browsing the server to any user with rights to do so. You can see it is public, but not writable except for “dawuss” (which is me) and that it is ok for guests to login.
Next, we need to set up the guest access itself. In the global section:
[global] #... guest account = nobody
Which defines the account to use when authenticating guests. Don’t forget to create this user using
# smbpasswd -an nobody
This will create the user with no password.
Now we have a perfectly valid Samba setup with a public share, but every time a user wants to access this share as a guest, he will have to do so by logging in as “nobody”. To complete our setup and imitate Windows behaviour, add the following line to the smb.conf global section:
[global] #... map to guest = bad user
This maps any unknown username to the specified guest user, so login always succeeds.
We’re done! Remember, this will only work for unknown usernames. If an unhappy user called “pete” tries to login while there already exists a pete on the server with a different password, he will be denied access. This is normal behaviour when imitating Windows, so we’ll just have to live with that.