How to disable guest access for a Samba share
Anonymous SMB access is easy to leave behind after a share moves from a public drop box to named-user storage. A Samba share that still permits guest access can accept a client with no password, so account lists and Samba users can look locked down while the share remains reachable through the guest account.
Samba controls anonymous access per share with guest ok, also exposed through the public synonym. Setting guest ok to no returns the share to authenticated access, and resetting guest only avoids a stale setting that would force connections through the guest account when guest access is allowed.
Keep a global map to guest policy only if other shares still need it. Disabling guest access on one share should be paired with a configuration parse check, a reload, an anonymous smbclient test that fails, and an authenticated smoke test so the share is not accidentally closed to valid users.
Steps to disable guest access on a Samba share:
- Check the current parsed guest setting for the target share.
$ sudo testparm -s --section-name=team --parameter-name='guest ok' Load smb config files from /etc/samba/smb.conf Loaded services file OK. Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback) Yes
Replace team with the share section name from /etc/samba/smb.conf. Yes means the share currently permits guest access; No means Samba already parses the share as guest-disabled.
- Back up the Samba configuration file.
$ sudo cp --archive /etc/samba/smb.conf /etc/samba/smb.conf.backup
Keep a rollback copy before changing share access. A syntax error or wrong share section can block clients after reload.
- Open /etc/samba/smb.conf in a text editor.
$ sudoedit /etc/samba/smb.conf
- Set guest access off inside the target share section.
[team] path = /srv/samba/team read only = no guest ok = no guest only = noKeep the existing path, valid users, write list, and filesystem-permission settings that belong to the share. If the section uses public = yes, remove it or set public = no because public is a synonym for guest ok.
- Test the Samba configuration syntax.
$ sudo testparm -s Load smb config files from /etc/samba/smb.conf Loaded services file OK. Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback) Server role: ROLE_STANDALONE # Global parameters [global] map to guest = Bad User server role = standalone server ##### snipped ##### [team] path = /srv/samba/team read only = Notestparm suppresses default-valued share parameters in the normalized output, so guest ok = no may not appear in this dump even when Samba parsed it correctly.
Related: How to validate Samba configuration with testparm - Confirm the parsed guest setting is disabled for the share.
$ sudo testparm -s --section-name=team --parameter-name='guest ok' Load smb config files from /etc/samba/smb.conf Loaded services file OK. Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback) No
- Reload smbd so running clients use the updated configuration.
$ sudo smbcontrol smbd reload-config
On hosts where the packaged systemd unit supports reloads, sudo systemctl reload smbd is also acceptable. The smbcontrol command sends the reload request directly to the running smbd daemon.
- Test anonymous access to the share.
$ smbclient //files.example.net/team -N -c 'ls' tree connect failed: NT_STATUS_ACCESS_DENIED
-N suppresses the password prompt and makes the client attempt an unauthenticated connection. NT_STATUS_ACCESS_DENIED confirms the share no longer accepts guest access.
- Test authenticated access with a valid Samba user.
$ smbclient //files.example.net/team -U sguser -c 'ls' Password for [WORKGROUP\sguser]: . D 0 Tue Jun 16 09:10:55 2026 .. D 0 Tue Jun 16 09:10:55 2026 readme.txt N 12 Tue Jun 16 09:10:55 2026 123530212 blocks of size 1024. 107924004 blocks availableIf authenticated access fails after guest access is disabled, check the Samba user, share access rules, and filesystem permissions before treating the change as complete.
Related: How to troubleshoot SMB share permission denied