Windows: Cannot access samba share as Guest

Hi,

since some later Versions of Windows 10 it is no longer possible to access Samba Public shares with Guest access as Windows User SYSTEM(i.e. from Schedule Tasks).

The error occured is:

The specified server cannot perform the requested operation.

Microsoft has limited the Guest Account in Windows 10 and connections with null sessions (User and Password are null) are prevented:

net use \\yourSambaServer\yourInsecureShare /user:"" ""
The specified server cannot perform the requested operation.

Windows resets the tcp session after the smb2 Sessions Setup Response of Samba:

Windows Guest Account Reset TCP Connection

In the samba log you find some strange errors like “smbd_change_to_root_user”, NT_STATUS_CONNECTION_RESET….

Two workarouds which brings back to old behaviour. Set the Samba max protocol to SMB1

[global]
...
        map to guest = Bad User
        guest account = nobody
...
        client min protocol  = nt1
        client max protocol  = nt1
        server max protocol  = nt1
...
[yourInsecureShare]
        guest ok = yes

Or, the prefered way, set

reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters /v AllowInsecureGuestAuth /d 1 /f /t REG_DWORD

If it not works proberly. Check the smb signing settings on the client. Either disable

Microsoft network client: Digitally sign communications : always

or but not tested yet enable smb signing in the samba config (auto or mandatory):

server signing = auto
server signing = mandatory

Michael

3 thoughts on “Windows: Cannot access samba share as Guest”

  1. The accepted answer works by lowering the security on the client side. It is not enforcing the restriction in Windows 10 / Windows Server which was added for security purposes. It requires adjusting each of your clients.

    On the other hand, the real answer is to raise the security on the server side and remove any mapping to guest accounts

    **ADD THESE LINES**
    `
    [global]
    client min protocol = SMB3
    client max protocol = SMB3
    restrict anonymous = 2
    encrypt passwords = true
    `
    **REMOVE**

    – the `map to guest` option (which I had as bad user)
    – any ‘guest ok’ line in your smbd.conf

    restart samba and you’ll be prompted for a username/password instead.

Leave a Reply Cancel reply