2

As we know, latest windows 10 upgrade has made samba client refuse to sue guest account. Some organization even make it impossible to disable this bug. This make it impossible to create a public samba share on Linux for win10 clients.

You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

I have tried several solutions, like forcing client to use SMBv3 (not working), mapping * to an existing unix user (check_sam_security: Couldn't find user xxx in passdb.). I also searched the Internet, but didn't get anything for Linux.

I have a idea like this: Make smbd server always tell windows "login success", rather than "login failed, please use guest account". But I don't know how to configure smbd to do this.

If you know something about bypassing this win10 limit, please give me a tip. thanks)

recolic
  • 81
  • 1
  • 6

2 Answers2

2

The problem is not the Samba share but a new security setting under Windows 10. They specifically made it so that you cannot bypass this behaviour from the Samba side. They explain why under the section Cause.

Symptoms

In Windows 10, Windows Server 2019, or Windows Server 2016, the SMB2 client no longer allows the following actions:

  • Guest account access to a remote server.
  • Fall back to the Guest account after invalid credentials are provided.

SMBv2 has the following behavior in these versions of Windows:

  • Windows 10 Enterprise and Windows 10 Education no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
  • Windows Server 2016 Datacenter and Standard editions no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
  • Windows 10 Home and Professional editions are unchanged from their previous default behavior.

If you try to connect to devices that request credentials of a guest instead of appropriate authenticated principals, you may receive the following error message:

You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

and

Cause

This change in default behavior is by design and is recommended by Microsoft for security.

A malicious computer that impersonates a legitimate file server could allow users to connect as guests without their knowledge. Microsoft recommends that you do not change this default setting. If a remote device is configured to use guest credentials, an administrator should disable guest access to that remote device and configure correct authentication and authorization.

Windows and Windows Server have not enabled guest access or allowed remote users to connect as guest or anonymous users since Windows 2000. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems do not.

and

Resolution

If you want to enable insecure guest access, you can configure the following Group Policy settings:

  • Open the Local Group Policy Editor (gpedit.msc).
  • In the console tree, select Computer Configuration > Administrative Templates > Network > Lanman Workstation.
  • For the setting, right-click Enable insecure guest logons and select Edit.
  • Select Enabled and select OK.

Source

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

Daniel
  • 6,780
  • 5
  • 31
  • 60
  • thanks a lot for your help. I know this problem is caused by win10, but I would like to "crack" this win10 security feature. because as an server host-er, it's impossible to connect to user's win10 and adjust their settings. what's more, my "organization"(microsoft.com) doesn't allow me to modify this group policy at all. – recolic Oct 04 '20 at 12:12
  • It's not possible to circumvent this feature on the samba side. You can ask as often as you like, but the answer will not change. What are you expecting? – Daniel Oct 04 '20 at 14:53
  • I'm expecting a smbd configuration, to allow "Everyone" Read/Write access ( just like windows does). win10 doesn't accept "Guest", so I want to give access to every possible username/password combination. – recolic Oct 06 '20 at 01:03
1

If you assign the "Everyone" role with Read or Read/Write it will allow you to connect without authenticating. Also remember the Share permissions don't override the NTFS permissions for files, so assign Everyone to Read/Write on the folders too (not just the share permissions).

Here's a tutorial https://websiteforstudents.com/create-shares-everyone-full-access-windows-10-server/

Garrett
  • 1,598
  • 4
  • 14
  • 25
  • I realized my latest modification removed "Linux smbd" keywords... Sorry for the mistake, but I'm looking for a solution with Linux samba server... – recolic Sep 27 '20 at 07:36