Configuring Samba for Windows 10 1709: Disabling Guest Access and Fixing SMB2 Connectivity Issues


Since Windows 10 version 1709 (Fall Creators Update), Microsoft has disabled guest access in SMB2 by default (KB4046019). This causes connectivity problems when Windows machines try to access Samba shares on Linux servers, particularly in environments where:

  • Windows 10 was clean installed (not upgraded from 1703)
  • Samba shares previously allowed anonymous browsing
  • Clients receive "Access Denied" errors despite correct permissions

Check these Windows Event Log entries to confirm the problem:

Event ID 307: "Guest access in SMB2 disabled."
Event ID 310: "SMB client failed to negotiate"

Instead of re-enabling insecure Guest access on Windows clients, implement proper authentication on the Samba server:

[global]
   workgroup = WORKGROUP
   server string = Samba Server
   netbios name = SAMBA
   security = user
   restrict anonymous = 2
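   # "bad user" maps logons with an unknown username to the guest account;
   # set "never" to reject them outright
   map to guest = bad user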
   smb ports = 445

   # SMB protocol settings
   min protocol = SMB2
   client max protocol = SMB3
   server max protocol = SMB3

For each share, explicitly disable guest access:

[secured_share]
   path = /srv/samba/secure
   browseable = yes
   writable = yes
   valid users = @smbgroup
   guest ok = no
   create mask = 0660
   directory mask = 0770

If you must allow Guest access temporarily during migration:

# PowerShell command:
Set-SmbClientConfiguration -RequireSecuritySignature $false -EnableInsecureGuestLogons $true

# Group Policy alternative:
Computer Configuration > Administrative Templates > Network > Lanman Workstation
"Enable insecure guest logons" = Enabled

Verify your configuration with these commands:

# From Linux:
smbclient -L localhost -U%

# From Windows (PowerShell):
Test-NetConnection -ComputerName samba.company.com -Port 445
Get-SmbConnection

  • Check /var/log/samba/log.smbd for authentication errors
  • Use Wireshark to analyze SMB protocol negotiation
  • Test with different Windows 10 builds (1709 vs 1803+)
  • Consider implementing Active Directory integration for centralized auth

For production environments:

  1. Always use proper user authentication
  2. Implement SMB signing (server signing = mandatory)
  3. Disable SMB1 completely (min protocol = SMB2)
  4. Use dedicated service accounts for Samba access

Since Microsoft's Windows 10 Fall Creators Update (1709), many administrators have encountered authentication issues when connecting to Samba shares. The root cause lies in Microsoft's security hardening that disabled guest access in SMB2 by default (KB4046019). This change particularly affects fresh Windows 10 1709 installations.

The typical connection sequence fails because:

  1. Windows 1709 attempts an SMB2/3 connection with guest credentials
  2. Samba responds with available shares (when restrict anonymous isn't set)
  3. Windows rejects the guest-authenticated session

Here's a production-tested smb.conf configuration that enforces authenticated access:

[global]
   workgroup = COMPANY
   server string = %h server (Samba %v)
   security = user
   restrict anonymous = 2
   map to guest = bad user
   guest account = nobody

   # Protocol configuration
   client min protocol = SMB2
   server min protocol = SMB2
   client max protocol = SMB3
   server max protocol = SMB3

   # Security settings
   # "ntlm auth = yes" would also accept NTLMv1; "no" (alias of ntlmv2-only) accepts NTLMv2 only
   ntlm auth = no
   lanman auth = no
   client ntlmv2 auth = yes

For domain-joined machines, deploy these GPO settings:

Computer Configuration → Administrative Templates → Network → Lanman Workstation
"Enable insecure guest logons" = Disabled

For standalone machines, modify the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"AllowInsecureGuestAuth"=dword:00000000

Use these commands to verify configuration:

# On Linux:
smbclient -L //samba.company.com -U validuser

# On Windows:
Test-NetConnection -ComputerName samba.company.com -Port 445
Get-SmbConnection

For environments requiring strict security:

[global]
   # Disable SMB1 completely
   server min protocol = SMB2_10
   client min protocol = SMB2_10

   # Enable AES encryption
   smb encrypt = required

   # Restrict share enumeration
   access based share enum = yes

In Windows Event Viewer, check for Event ID 304 (SMB session authentication failures) to troubleshoot remaining connection issues.
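
The settings discussed above can be checked mechanically. The following Python audit is an added example, not part of the original article: it parses an smb.conf and reports the parameters that still permit guest sessions, SMB1 or NTLMv1. The sample configuration and the function names are constructed for illustration, and parameter names are assumed to be written single-spaced as on this page.

```python
# Constructed sample smb.conf: SMB1 still accepted, one share left open to guests.
SAMPLE_CONF = """
[global]
   map to guest = bad user
   server min protocol = NT1
   ntlm auth = yes
[secured_share]
   guest ok = no
[legacy]
   public = yes
"""
SMB1_ERA = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lowercased, single-spaced names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return sorted (section, parameter) pairs that permit guest or legacy access."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = set()
    # "min protocol" is a synonym for "server min protocol".
    if glob.get("server min protocol", glob.get("min protocol", "")).upper() in SMB1_ERA:
        findings.add(("global", "server min protocol"))
    # Any value other than "never" can turn a failed logon into a guest session.
    if glob.get("map to guest", "never").lower() != "never":
        findings.add(("global", "map to guest"))
    # "yes" is an alias for "ntlmv1-permitted".
    if glob.get("ntlm auth", "").lower() in TRUE | {"ntlmv1-permitted"}:
        findings.add(("global", "ntlm auth"))
    for name, share in conf.items():
        # "public" is a synonym for "guest ok"; [global] supplies the default.
        default = glob.get("guest ok", glob.get("public", "no"))
        guest = share.get("guest ok", share.get("public", default))
        if name != "global" and guest.lower() in TRUE:
            findings.add((name, "guest ok"))
    return sorted(findings)
```

Running `audit()` on the text of the live configuration, for example the output of `testparm -s`, lists each section and parameter to review before clients are moved to authenticated access.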