Many administrators face this frustrating scenario: You've configured a Samba public share with guest ok = yes, yet Windows clients stubbornly demand authentication. This contradicts the intended behavior where public shares should allow anonymous access.
The root cause typically lies in three key areas:
[global]
security = user
map to guest = Bad User
guest account = nobody
[DSMPubblica]
path = /var/dsm/pubblica
guest ok = yes
guest only = yes
read only = no
force user = nobody
force group = nogroup
create mask = 0777
directory mask = 0777Windows clients have particular requirements:
- Enable insecure guest access in Windows 10/11:
gpedit.msc→ Computer Configuration → Administrative Templates → Network → Lanman Workstation → "Enable insecure guest logons" - For Windows 7/8.1: Registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\AllowInsecureGuestAuthset to 1
When troubleshooting, examine these log entries:
tail -f /var/log/samba/log.smbd
smbclient -L //localhost -U%
testparm -sThe complete permission chain must align:
chmod -R 777 /var/dsm/pubblica
chown -R nobody:nogroup /var/dsm/pubblica
setsebool -P samba_export_all_rw on # For SELinux systemsThis tested setup resolves the password prompt issue:
[global]
workgroup = WORKGROUP
server string = Samba Server
security = user
map to guest = Bad User
guest account = nobody
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[Public]
path = /samba/public
browsable = yes
writable = yes
guest ok = yes
read only = no
create mask = 0777
directory mask = 0777
force user = nobody
force group = nogroupFor Windows clients accessing Linux shares, ensure NTFS permissions don't conflict:
net use Z: \\server\public /user:guest *
icacls Z:\ /grant Everyone:(OI)(CI)FWhen configuring mixed-access Samba shares (both public and private), Windows clients often stubbornly demand credentials even for designated guest-accessible shares. This occurs despite seemingly correct configurations, manifesting in two key symptoms:
- Windows requesting credentials for shares marked
guest ok = yes - Authentication prompts reappearing after system reboots despite credential caching
Your current setup reveals several common pitfalls in Samba-Windows integration. Let's analyze the core issues:
[global]
# Problem area 1: Missing security specification
security = user # This should be explicitly set
# Problem area 2: Guest account handling
map to guest = bad user # Crucial for public shares
[DSMPubblica]
# Problem area 3: Inconsistent permissions
force create mode = 777 # Overkill and potentially unsafe
Windows 7/8.1 clients enforce specific authentication protocols that often conflict with Samba's defaults. The smb_pwd_check_ntlmv1 error indicates protocol mismatch.
Essential adjustments for Windows compatibility:
[global]
# Security protocol adjustments
client min protocol = NT1
client max protocol = SMB3
server min protocol = NT1
server max protocol = SMB3
# Guest access foundation
guest account = nobody
map to guest = bad user
For your public share (DSMPubblica), implement these changes:
[DSMPubblica]
path = /var/dsm/pubblica
browseable = yes
read only = no
guest ok = yes
guest only = yes
force user = nobody
create mask = 0666
directory mask = 0777
# Windows-specific optimizations
store dos attributes = yes
inherit permissions = yes
For your secured share (DSMUfficio), enhance the existing configuration:
[DSMUfficio]
path = /var/dsm/ufficio
valid users = @dsm @administrators
write list = @dsm
read list = @administrators
force group = dsm
create mask = 0770
directory mask = 0770
# Security hardening
ntlm auth = yes
restrict anonymous = 2
Critical post-configuration steps on Linux:
# Set proper ownership
sudo chown -R nobody:nogroup /var/dsm/pubblica
sudo chmod -R u=rwx,g=rwx,o=rwx /var/dsm/pubblica
# For private share
sudo chown -R root:dsm /var/dsm/ufficio
sudo chmod -R 770 /var/dsm/ufficio
# SELinux contexts (if applicable)
sudo chcon -Rt samba_share_t /var/dsm/pubblica
sudo chcon -Rt samba_share_t /var/dsm/ufficio
Add these registry modifications to prevent credential caching issues:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000000
"EnablePlainTextPassword"=dword:00000001
"EnableSecuritySignature"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000001
Essential commands for troubleshooting:
# Test configuration
testparm -v
# Real-time log monitoring
sudo tail -f /var/log/samba/log.smbd
# Client connection testing
smbclient -L //localhost -U%
# Detailed share access check
smbclient //server/DSMPubblica -N -d 3
Before declaring victory, verify:
- Global
security = useris set map to guest = bad userexists in [global]- Public share has
guest ok = yesANDguest only = yes - Filesystem permissions match Samba masks
- Windows network discovery is enabled
- Firewall allows SMB ports (445/tcp, 137-139/udp)