Windows 10 Anonymous Share Issue Printer Management
-
FOG Version: 1.5.7.1
FOG OS: CentOS
Client OS: Windows 10 PRO
Hello! I am currently having an issue deploying printers from an anonymous SMB share to any Windows Host… I have been getting an error stating:
“You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe malicious devices on the network.”
I never used to get this message until the most recent Windows 10 update.
@Wayne-Workman do you have a work around for this?
Thanks!
-
I’m not sure how you are connecting things, but my bet is someone disabled guest or anonymous access (which should have been blocked years ago). Typically you will need to provide domain level connection credentials to access domain-based network shares. If your connection is by a batch file, mapping a drive to the network share or the IPC$ port first will then address the issue.
If you use a batch file, this command will map a drive with network credentials.
net use t: \\server\share1 /user:domain\user <password>
will map a network drive to a remote server using the specific credentials.
If you want to use a driveless connection then you can go this route
net use \\server\IPC$ /user:domain\user <password>
\\server\share\file_path\some_program.exe
-
No idea, haven’t used Windows in a year.
-
I figured this one out… I was having problems with security. One of Windows 10’s recent updates (as in the last 3 months or so) was blocking connections to anonymous shares. It allowed them but they needed to be authenticated. For those of you who stumble across this post…
Add your FOG server to your domain and configure Kerberos. After you do this you will need to configure your driver share. I have included the way I did mine and it works. This configuration is for using an existing domain controller. In our case, we use Windows Server 2012 to do domain control.
Do the following:
yum install samba*
yum install krb5-libs krb5-workstation
Configuration Kerberos /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YOURDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN.TN = {
kdc = dns-name-your-domain-controller
}
[domain_realm]
netbiosnameyourdoamin = NETBIOSNAMEYOURDOMAIN
netbiosnameyourdomain = NETBIOSNAMETYOURDOMAIN
Configuration samba /etc/samba/smb.conf
[global]
workgroup = DOMAIN
password server = dns-name-your-domain-controller:88
realm = NETBIOSNAMETYOURDOMAIN
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = true
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printerdrivers]
comment = All FOG Printers
path = /PATHTODRIVERS
browseable = no
guest ok = no
writable = yes
Add dns name in /etc/hosts
Install and configure ntp server (it’s important for Kerberos authorization)
yum install ntp
edit /etc/ntp.conf
server ip-address-your-ntp-server prefer
Create ticket
kinit account-admin-for-active-directory@NETBIOSNAMETYOURDOMAIN
Add server in domain
net ads join -S dns-name-your-domain-controller -U account-admin-for-active-directory
Create keytab for Kerberos
net ads keytab create -U account-admin-for-active-directory
Edit file /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
Restart samba and winbind
Test
net ads info
wbinfo -t
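-
Added example, not part of the original posts and not FOG or Samba project code: a small Python check that parses an smb.conf and lists every section that still permits guest logons, the condition behind the Windows 10 error quoted at the top of the thread. The two sample configs are constructed, and `parse_smb_conf` and `guest_findings` are hypothetical helper names.

```python
import re

TRUE = {"yes", "true", "on", "1"}  # boolean spellings Samba accepts

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}; names are
    lower-cased with whitespace removed, since Samba ignores both."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = conf.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return conf

def guest_findings(text):
    """Return sorted (section, reason) pairs for settings that permit guest logons."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("maptoguest", "never").lower() != "never":
        findings.append(("global", "map to guest = " + glob["maptoguest"]))
    # A share parameter set in [global] becomes the default for every share;
    # "public" is a synonym for "guest ok".
    default = glob.get("guestok", glob.get("public", "no"))
    for name, params in conf.items():
        if name == "global":
            continue
        value = params.get("guestok", params.get("public", default))
        if value.lower() in TRUE:
            findings.append((name, "guest ok = " + value))
    return sorted(findings)

# Constructed samples: the [printerdrivers] share as configured in the post,
# and an anonymous variant of the kind the Windows 10 policy refuses.
HARDENED = "[global]\nsecurity = ads\n[printerdrivers]\npath = /PATHTODRIVERS\nguest ok = no\n"
ANONYMOUS = "[global]\nmap to guest = Bad User\n[printerdrivers]\npath = /PATHTODRIVERS\nGuest OK = Yes\n"

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("anonymous", ANONYMOUS)):
        print(label, guest_findings(text))
```

To check a live server, pass the contents of /etc/samba/smb.conf to `guest_findings`; an empty list means no section enables guest access.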