2

I have a perfectly working SAMBA (version 4.3.11) share hosted on Ubuntu.

SAMBA shares are open to ANY user (local intranet).

As soon as I added encryption settings, traffic is encrypted BUT all of a sudden it started to prompt for credentials.

[global]
server signing = mandatory
smb encrypt = mandatory
client signing = mandatory
...

Below is sample share setup:

[Share1]
path = /mnt1/Share1
guest ok = Yes
browseable = no
writable = yes
force user = ShareUser
force group = ShareGroup
create mask = 0770
directory mask = 0770
hosts allow = ...list of IPs for white-listing....
hosts deny = 0.0.0.0/0
delete readonly = yes

And here is Global setup:

[global]
server signing = mandatory
smb encrypt = mandatory
client signing = mandatory
oplocks = yes
level2 oplocks = no

# New Windows switches
dos filemode = yes
dos filetime resolution = yes
dos filetimes = yes
map acl inherit = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
store dos attributes = yes

follow symlinks=yes
wide links = yes
unix extensions = no

strict locking = no
aio read size = 16384
aio write size = 16384

log file = /var/log/samba/samba.log
log level = 2

guest account = nobody
map to guest = Bad User

case sensitive = yes

I want to have a share that has encryption but does not require auth.

Any help is appreciated.

Chicago

2 Answers

0

Figured out some more details as well.

Having encryption ON and guest ON (no authentication) IS NOT possible.

proof (from SAMBA source):

if (guest && x->global->encryption_required) {
    DEBUG(1,("reject guest session as encryption is required\n"));
    return NT_STATUS_ACCESS_DENIED;
}

and

if (guest_session && encryption_required) {
    DEBUG(1,("reject guest as encryption is required for service %s\n",
             service));
    return NT_STATUS_ACCESS_DENIED;
}
Chicago
0

Encryption over the wire requires a unique key to encrypt the packets & decrypt on the other end using the same unique key. The signing & encryption key is unique for a user and is generated when the user authenticates itself for each connection.

athena
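The conflict both answers describe can be caught before deployment by linting smb.conf. The following is an added example, not code from either answer or from the Samba project: it flags guest shares that will be refused because encryption is required globally or on the share. It assumes `mandatory` and `required` are the values that enforce encryption and treats `public` as the synonym of `guest ok`; the function names and sample config are constructed for illustration.

```python
import re

REQUIRED = {"mandatory", "required"}  # smb encrypt values that enforce encryption
TRUE = {"yes", "true", "1", "on"}     # boolean spellings accepted in smb.conf

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def guest_encrypt_conflicts(text):
    """List (share, scope) pairs where guest access meets required encryption."""
    conf = parse_smb_conf(text)
    # Global enforcement rejects the guest session itself, whatever the share says.
    global_required = conf.get("global", {}).get("smb encrypt", "").lower() in REQUIRED
    findings = []
    for name, params in conf.items():
        if name == "global":
            continue
        guest = params.get("guest ok", params.get("public", "no")).lower() in TRUE
        share_required = params.get("smb encrypt", "").lower() in REQUIRED
        if guest and (global_required or share_required):
            findings.append((name, "global" if global_required else "share"))
    return findings

# Constructed sample modelled on the settings in the question.
SAMPLE = """
[global]
smb encrypt = mandatory
map to guest = Bad User

[Share1]
guest ok = Yes

[Private]
guest ok = no
"""

if __name__ == "__main__":
    print(guest_encrypt_conflicts(SAMPLE))
```

A finding with scope `global` corresponds to the first source check quoted above (guest session rejected), and scope `share` to the second (guest rejected for that service).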