Configuring anonymous public shares with Samba 3

On the fileserver I run, I use samba to conveniently access my files. I like Samba. Also, I find that most popular online casinos like Daisyslots have embedded the same program software. I can mount it on any machine I run and access my files like it’s any other filesystem, but when it comes to sharing files to other (anonymous) users, Samba has to cope with some ugly Windows legacy. After all, Samba is just an open source implementation of SMB/CIFS which Windows calls “Windows File Sharing”. Let’s look at the differences and how to cope with them.

The Windows way

When a Windows client tries to access a share on a Windows server, it requests the given share using username and password of the current user on the client. The Windows server will then look for this username/password combination and if it exists, grants the user access to the share with the proper rights assigned. If it can’t find the username, it falls back to an anonymous user and grants access anyway (if this is policy).

How Samba handles it

This is where Samba differs. If set to security=user (which is a good idea anyway), when a user requests access to a share, it too looks up the credentials in a backend. However, if the user is unknown to the system, the default behaviour is to deny access. This is kind of unfriendly to Windows users, since they aren’t used to type in “guest” as a username and refuse to understand how to log in a way different from what they are used. This is how to set up your public shares to imitate Windows behaviour.

How to imitate Windows behavior using Samba

In my example, I’ve got one public share, on which I want to have full rights for myself and limited (read-only) access to all anonymous users. The name of the share will be “public”:

        comment = Public Shares
        browsable = yes
        path = /data/pub
        public = yes
        writable = no
        write list = dawuss
        guest ok = yes

This sets up a share named “public” which is shown when browsing the server to any user with rights to do so. You can see it is public, but not writable except for “dawuss” (which is me) and that it is ok for guests to login.

Next, we need to set up the guest access itself. In the global section:

        guest account = nobody

Which defines the account to use when authenticating guests. Don’t forget to create this user using

# smbpasswd -an nobody

This will create the user with no password.

Now we have a perfectly valid Samba setup with a public share, but every time a user wants to access this share as a guest, he will have to do so by logging in as “nobody”. To complete our setup and imitate Windows behaviour, add the following line to the smb.conf global section:

        map to guest = bad user

This maps any unknown username to the specified guest user, so login always succeeds.

We’re done! Remember, this will only work for unknown usernames. If an unhappy user called “pete” tries to login while there already exists a pete on the server with a different password, he will be denied access. This is normal behaviour when imitating Windows, so we’ll just have to live with that.

59 Responses to “Configuring anonymous public shares with Samba 3”

  1. Tatey says:

    Thanks for this great explanation :)

  2. ruslanas says:

    Thank you…exactly that I was looking solves my problem..

  3. Thanks says:

    Exactly what I was looking for !

  4. kittychunk says:

    Thanks, this works perfectly for transparent sharing to our (Windows) LAN at work.

  5. greap says:

    This was just what I was looking for!
    The samba man pages are just too damn complicated.

  6. bmestep says:

    BRILLIANT!! Exactly what I needed.

  7. Pingback: TBdO » Brendan » Revelation » Blog Archive » Samba Share Success

  8. lgespee says:

    Just what I was looking for. Thanks a lot.

  9. Tom says:

    Excellent article – exactly what I needed – Thanks ….

  10. Tomasz N says:

    Thanks :)
    “map to guest” – that was I was missing

  11. Ralfs says:

    worked perfectly! tnx

  12. Daniel Sampson says:

    Perfect explanation and implementation – thank you.

  13. john says:

    Thanks – the map to guest was the trick

  14. Excellent tutorial – thank you!
    Just one minor possible change… Instead of using “map to guest = bad user”, how about “map to guest = bad password”?
    Correct me if I’m wrong, but wouldn’t that function in pretty much the same way, apart from Pete would not be denied access with the wrong password, but simply mapped to guest?

    Thanks again. Very interesting, and exactly what I’m looking for.

  15. Michel says:

    Interesting idea Oliver. I never thought of that, and I did not yet have time to try, but it sounds like something that should work. Funny to see how after three years have passed since I wrote this post, one can still discover new tricks :) Thanks for that!

  16. Matt says:

    This was just what I needed, I just setup FC11 and this tutorial is still valid!! Thanks!!!

  17. Ilya says:

    Great tips, thank you! :)

  18. Shanu Gulati says:

    thanks a lot buddy, after an hour juggling with this issue I found your blog and solved this problem.

  19. perfect, i reviewed many sites on this topic and your instructions were succinct and more importantly worked! happy new year

  20. very easy and understandable way to explain.

    map to guest is very good tip


  21. Volker says:

    It doesn’t seem to work when security = ads because samba then ignores all local users (including nobody), or am I missing something?

  22. Peter Hafliger says:

    exactly what I was looking for, works with “security=ads”. thanky you pit

  23. Stephen Butler says:

    Thanks for posting a samba guide in plain english. I was having a LOT of trouble with tutorials that use a nobody account as the guest account until I realized the problem is that I was creating folders in my file system for the share that are not owned by the nobody user.

    So once the nobody user is setup,

    – sudo chown nobody plans
    – sudo chmod 755 plans

  24. Dado says:

    great! That fixed my issue too.

  25. Sasa Ostrouska says:

    Yups, yes, I missed the ownership of the public folder. It was owned by root, but of course changing it to nobody , permitted immediately to write and delete files.

    Nice tutorial, thanks.

  26. Natan says:

    I want to say THANK YOU.

  27. Roy says:

    Nice mini tutorial! Thanks for putting this together….

  28. siva kumar says:

    Thanks a ton ! i am banging my head to solve anonymous user access, Finely i got it. with help of your post.

  29. Waris says:

    excellent. Thanks for sharing.

  30. Pascal GUERIN says:

    Thanks for sharing, works fine with a samba/LDAP configuration

  31. Sean Cull says:

    Thanks, helped a lot

  32. Morgan R says:

    Thank you! It was just what I was looking for after many hours.

  33. Hemmat Ragheb says:

    Very usefull, thanks.
    Also the note from Oliver Treend.

  34. Larry says:

    So with this setup, when you double click on the “public” share in window, I assume it would login to samba as guest. How do you login by using your own user id in order to get write authority.

  35. Aryo says:

    I have to uncomment the following line in [global] section to make it work:

    security = share

    on Ubuntu 12.04 LTS

  36. Chris says:

    Thank you for posting this, saved me a lot of time.

  37. saurabh hirani says:

    Thanks for this post. Very clear and concise explanation.

  38. Ale says:

    this was written 6 years ago, still applies! thank you!

  39. Aleksey says:

    Thanks. Very useful.

  40. Pingback: Delicious Bookmarks for January 6th from 16:05 to 23:22 « Lâmôlabs

  41. Pingback: Serveur samba |

  42. Ravn says:

    Fantasic, a life saver ;)

  43. Alex says:

    Great tip! Thank you!

  44. Thomas says:

    Exactly what I needed. Nicely explained as well. Thank you.

  45. Prasad says:

    Thanks for sharing :)

  46. Pingback: Configuring anonymous public shares with Samba 3 | Welcome To Prasad Linux Blog

  47. Pingback: WD My Book Live Duo – Readonly Public Share | Todd Pearsall

  48. Richard Goiser says:

    thanks a lot! That was exactly what I was looking for! Very nicely explained.

  49. Dan says:

    Doesn’t seem to work with the current version of samba.

  50. Inspiring quest there. What occurred after? Thanks!

    Visit my blog post; Faire la conception un site web