Windows rename on SMB share ignores ACLs

We're getting ready to put ACLs on our file server into production use, and I was checking to make sure that the file sharing experience for Windows users via SMB mounts would match what OS X users see via AFP mounts to the same shared folders and files.
I've discovered that when Windows users rename files and folders via SMB mounts, the permissions are controlled by the POSIX privileges of the enclosing folder, and ACL privileges appear to be completely ignored. I have a simple test case where I prepare a shared test folder that grants a particular user full access via an ACL, but no access via POSIX (this is deliberate). Via AFP on an OS X system, the user can do whatever they want on the share, as you'd expect. They have no problems renaming or deleting items; their ACL privileges are properly observed. However, when the same user logs onto a Windows system and accesses the share via SMB, if they create a folder or file, they won't be able to rename it. The only way to get around that appears to be to grant them POSIX read/write privileges on the enclosing folder (not on the item itself). For this one operation, it would appear that POSIX privileges are observed, but ACLs are being ignored. [This has been submitted to Apple as a Bug Report (Problem ID 6143881).]
We're running OS X Server 10.5.2, but plan to upgrade to OS X Server 10.5.4 once our ACLs are running in a production setting. I wonder if other folks see the same problem with renaming files or folders in Windows with SMB shares in OS X Server 10.5.4.
On my server, on an AFP+SMB share, I create a test folder with the following privileges:
ls -led path/to/testfolder # Show POSIX settings & ACLs for test folder
drwx------+ 2 root wheel 68 Aug 12 11:25 testfolder
 0: user:myuser allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
These privileges can be set via the following commands. Within an AFP+SMB share, create a test folder as follows:
sudo mkdir -p /path/to/testfolder
cd /path/to/testfolder
sudo chmod -R -N . # Remove any inherited ACLs from testfolder
sudo chmod u=rw+X,go= . # Set POSIX privileges to octal 700
sudo chown root:wheel . # Set POSIX owner & group
sudo chmod +a "user:myuser allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" . # Grant myuser full access to testfolder via an ACL
From Windows, navigate to the testfolder on the SMB share. You can do this as a Network Place, Mapped Network Drive, or by explicitly navigating to
\\myserver\myshare\path\to\testfolder
Create a new folder in Windows Explorer. It will come up by default named "New Folder". Try to rename it and you'll get a Windows error: "Error Renaming File or Folder. Cannot rename New Folder: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."
Run the Notepad accessory. Create a file in the testfolder named "Foo.txt". Try to rename it in Windows Explorer. Same problem.
If you perform equivalent operations on an OS X System via AFP mount to the same test folder, you won't have any problems; the ACL privileges will be correctly granted.
The only workaround I've been able to come up with to grant Windows users "rename" privileges on our SMB mounts is to do so by enabling read/write POSIX privileges on the enclosing folder ("testfolder"). You can either:
1) Make the user the POSIX owner of the enclosing folder, and grant the owner read/write access, or
2) Set the POSIX group to a group the user is a member of, and grant that group read/write access, or
3) Enable POSIX world read/write access (careful!).
Without POSIX read/write privileges to the enclosing folder, it would appear that Windows users on SMB shares can't rename files or folders. Interestingly, they can upload folder hierarchies with arbitrarily named files and folders and won't run into problems; it's specifically when items are renamed when they already exist that you may run into problems.

Just an FYI: I received a response to my bug report. Apple reports that this problem has probably already been addressed in OS X Server 10.5.3, so it's likely this issue will disappear when I update my server from 10.5.2 to 10.5.4.
If you look at http://support.apple.com/kb/HT1142, there's this item:
File Services
The smb.conf file is updated to include the line "acl check permissions = no" in order to provide expected permissions behavior for Windows clients connecting to the SMB service.
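
An added example, not from the original posts: this Python script parses `ls -led` output and lists folders where the ACL grants a user rename rights but the POSIX mode bits do not, which is the mismatch described in the report above, and it checks an smb.conf for the line quoted from HT1142. The sample listing, the sample smb.conf, the function names, and the choice of delete_child, add_file and add_subdirectory as the rights a rename relies on are assumptions of this example.

```python
import re

# Constructed sample: `ls -led` output for the test folder from the post, plus
# a second folder whose POSIX group bits already allow writes.
SAMPLE_LS = """\
drwx------+ 2 root  wheel  68 Aug 12 11:25 testfolder
 0: user:myuser allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr
drwxrwx---+ 2 root  staff  68 Aug 12 11:30 groupfolder
 0: user:myuser allow list,add_file,search,delete,add_subdirectory,delete_child
"""

# Constructed smb.conf fragment carrying the line quoted from HT1142.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    acl check permissions = no
"""

ENTRY_RE = re.compile(
    r"^(d[rwxsStT-]{9})[+@]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")
ACE_RE = re.compile(
    r"^\s*\d+:\s+(user|group):(\S+)\s+(?:inherited\s+)?(allow|deny)\s+(\S+)$")

# Assumption of this example: a rename inside a folder relies on these rights.
RENAME_RIGHTS = {"delete_child", "add_file", "add_subdirectory"}


def parse_ls_led(text):
    """Return one dict per directory line: mode, owner, group, name, aces."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"mode": m.group(1), "owner": m.group(2),
                            "group": m.group(3), "name": m.group(4), "aces": []})
            continue
        a = ACE_RE.match(line)
        if a and entries:
            kind, who, verdict, perms = a.groups()
            entries[-1]["aces"].append((kind, who, verdict, set(perms.split(","))))
    return entries


def posix_can_modify(entry, user, groups):
    """POSIX view: write + search on the folder, using the first matching class."""
    mode = entry["mode"]
    if user == entry["owner"]:
        bits = mode[1:4]
    elif entry["group"] in groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return bits[1] == "w" and bits[2] in "xst"


def acl_grants_rename(entry, user, groups):
    """ACL view (simplified): allowed rights minus denied rights for this user."""
    allowed, denied = set(), set()
    for kind, who, verdict, perms in entry["aces"]:
        if (kind == "user" and who == user) or (kind == "group" and who in groups):
            (allowed if verdict == "allow" else denied).update(perms)
    return RENAME_RIGHTS <= (allowed - denied)


def smb_rename_mismatches(ls_text, user, groups=()):
    """Folders where the ACL says yes and POSIX says no: renames over SMB fail."""
    return [e["name"] for e in parse_ls_led(ls_text)
            if acl_grants_rename(e, user, groups)
            and not posix_can_modify(e, user, groups)]


def acl_check_permissions_disabled(conf_text):
    """True if [global] sets 'acl check permissions' to a false value."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "global" and \
                " ".join(key.split()).lower() == "acl check permissions":
            return value.strip().lower() in ("no", "false", "0", "off")
    return False


if __name__ == "__main__":
    print(smb_rename_mismatches(SAMPLE_LS, "myuser", groups=("staff",)))
    print(acl_check_permissions_disabled(SAMPLE_SMB_CONF))
```

On a real server, feed it the output of `ls -led` for the shared folders and the group list of the user being checked.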

Similar Messages

  • Windows Server 2012: SMB share with transparent failover

    Have a nice day to all!
    I have 2 HP Proliant DL380P Gen8 servers containing 8 x 1TB disks (with P420i HP Smart Array RAID Controller) in each server.
    So, there are 2 arrays on every server:
    1. 2 x 1TB in RAID1 (+1 disk for hot swap) - system volume
    2. 5 x 1TB in RAID5 (+1 disk for hot swap) - data volume
    And I installed Windows Server 2012 Standard on each server.
    Then I created a failover two-node cluster.
    And now I want to create a SMB share with transparent failover for all the second (data) volume (it's about 3.3TB in RAID5 array). How just can I reach this goal? I'm going to use it in future for Hyper-V VMs, so, the main requirement is powered-on and working VMs even if one node of SMB share cluster is failed.
    I wasn't able to see my volumes in failover cluster manager. I tried to create iSCSI targets, storage pools, virtual disks, etc. but no luck. My failover cluster manager can't see it to create SMB share!
    Can anyone advise me something?
    Thanks in advance!

    You need to have your storage you want to export as being a shared storage visible to your cluster (part of CSV). Then you'll configure failover file shares using content accessible from both cluster nodes. Refer to this manual for diagrams (ignore StarWind and replace it logically with your existing shared storage you've used to create your cluster):
    http://www.starwindsoftware.com/configuring-ha-file-server-on-windows-server-2012-for-smb-nas
    Also see these manuals from MS on how to create failover file server:
    http://technet.microsoft.com/en-us/library/cc753969.aspx
    http://technet.microsoft.com/en-us/library/cc731844(v=ws.10).aspx
    http://blogs.technet.com/b/askcore/archive/2010/08/19/working-with-file-shares-in-windows-server-2008-r2-failover-clusters.aspx
    However if you want to use existing storage located on the both nodes you're out of luck. Microsoft does not provide anything representing local DAS to the cluster nodes. If you want to use existing DAS then you'll have to stick with a third-party product like StarWind, SteelEye or DataCore. To create something like in this picture:
    So you'll have a configuration with only two nodes, no physical shared hardware (SAS JBOD, FC or iSCSI) and vSAN. Refer to this manual:
    http://www.starwindsoftware.com/ns-configuring-ha-file-server-for-smb-nas
    Hope this helped :)
    StarWind iSCSI SAN & NAS

  • Smb share not displaying all files in finder

    When accessing a non-windows (IBM iseries) smb share, I will only see 30 objects. Windows PCs will see all of the available objects.
    Is there a solution for this problem?

    Hi,
    Me too, I am encountering the same problem, not with Windows XP but with a virtual Windows NT machine.
    I am connecting to an SMB share on a Unix server running under Sun Solaris (vers. 8) on which the Windows NT machine is emulated by running PC Netlink (version 2.0 Rev=rr24).
    Viewing share folders by clicking them via Finder, I see only a maximum of 30 entries (folders and/or files) in each sub folder, though many of them contain dozens or hundreds of objects.
    When I view those folders via the command line in the Terminal, I see even less: only 14 objects appear. For each sorting mode the same 14 objects are visible.
    When I copy a file from my local harddisk into such a folder, it disappears immediately after copying. When I copy the same file a second time into the same folder, a message pops up rejecting the copying because another file with that name already exists. Together with that message the "hidden" first copy now appears in the finder window, only to disappear again when the warning message is clicked away.
    I do see all objects when I mount the shares on a PC or on my old PB G3, running Classic MacOS 9.2.2. And I did see all objects before I migrated from MacOS X 10.3.9 to MacOS X 10.4.10.
    The names of the "hidden" objects are all OK (neither beginning nor ending with a dot, etc.).
    I am curious if somebody found a solution for the prob, or what workaround you are using.
    Thank you
    Fred

  • OS X client connecting to Windows 2003 Server SMB

    My OS X 10.6.7 clients are connecting to Windows 2003 Server SMB share. They open files and edit them. Strange thing is that in Windows 2003 Server Open Files the files opened are listed like this:
    filename.tiff:AFP_Resource
    and the user is unable to save the file to the same location.
    Anyone else experienced the same problem?

  • Windows Backup creates "locked" directory on SMB share

    I'm trying to back up my Windows 7 laptop to my Mac Mini over SMB.
    Normal non-backup file operations work okay, from the desktop: I can create folders, drag files, delete files, etc.
    But Windows Backup fails, because it creates a directory on the SMB share that--despite ACLs--OS X won't let anyone create files within, or change the security settings. The only option is to rm -rf the directory.
    The ACLs look like this (the directory Windows Backup creates is called 'MEGALITH'). I tried creating a parent directory (called 'Megalith') with inherited ACLs, but to no avail:
    sarsen:Megalith root# ls -le .
    total 0
    drwx------+ 2 windowsbackupuser  staff  68 Jan  8 12:49 MEGALITH
    0: user:root inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
    1: group:admin inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
    2: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
    Even with these ACLs, I cannot chown the MEGALITH directory. Nor can I edit its ACLs in the Server window.
    My SMB config is:
    sarsen$ defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server
        AclsEnabled = 1;
        AllowGuestAccess = 0;
        AllowNTLM2Auth = 1;
        DOSCodePage = 437;
        EnabledServices =     (
            disk
        LocalKerberosRealm = "LKDC:SHA1.C5D430A59786EE0CC0515EEF37A77A538C6D612A";
        NetBIOSName = sarsen;
        ServerDescription = sarsen;
        Workgroup = WORKGROUP;
        "wins server" =     (
    And the error log says:
    Jan 8 12:49:27 sarsen.nerdgod.com digest-service[711]: digest-request: init request
    Jan 8 12:49:27 sarsen.nerdgod.com digest-service[711]: digest-request: init return domain: SARSEN server: SARSEN
    Jan 8 12:49:27 sarsen.nerdgod.com digest-service[711]: digest-request: uid=0
    Jan 8 12:49:27 sarsen.nerdgod.com digest-service[711]: digest-request: od failed with 2 proto=ntlmv1-with-v2-session
    Jan 8 12:49:27 sarsen.nerdgod.com digest-service[711]: digest-request: user=SARSEN\\windowsbackupuser
    Jan 8 12:49:27 sarsen.nerdgod.com digest-service[711]: digest-request kdc: ok user=SARSEN\\windowsbackupuser proto=ntlmv1 flags: NEG_KEYEX, ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM2, NEG_ALWAYS_SIGN, NEG_NTLM, NEG_SIGN, NEG_TARGET, NEG_UNICODE

    For interoperability with Windows clients, this is absolutely 100% bad behavior:
    http://support.microsoft.com/kb/326549
    Note Unlike the Read-only attribute for a file, the Read-only attribute for a folder is typically ignored by Windows, Windows components and accessories, and other programs. For example, you can delete, rename, and change a folder with the Read-only attribute by using Windows Explorer.
    The Read-only and System attributes is only used by Windows Explorer to determine whether the folder is a special folder, such as a system folder that has its view customized by Windows (for example, My Documents, Favorites, Fonts, Downloaded Program Files), or a folder that you customized by using the Customize tab of the folder's Properties dialog box. As a result, Windows Explorer does not allow you to view or change the Read-only or System attributes of folders. When a folder has the Read-Only attribute set it causes Explorer to request the Desktop.ini of that folder to see if any special folder settings need to be set. It has been seen where if a network share that has a large amount of folders set to Read-only, it can cause Explorer to take longer then what is expected to render the contents of that share while it waits on the retrieval of the Desktop.ini files. The slower the network connectivity to the share the longer this process can take to the point where Explorer may timeout waiting for the data and render nothing or appear to hang.
    Note In some previous versions of Windows, you can change the Read-only attribute for folders by using the Properties dialog box for the folder, but no versions of Windows permit you to change the System attribute by using Windows Explorer.

  • Mac OS X Mountain Lion randomly disconnects from a Windows SMB share

    First let me say that I am still trying to diagnose if this is a hardware or software issue.  But I figured I would start here.  I work in a mixed environment with Macs and PCs and all working together with no issues.  I deployed this Mac about 6 months ago to production.  The person using this Mac recently has been complaining of the Mac disconnecting from a Windows SMB share at random times.  The server is running Windows Server 2008R2 and has been running for 3 years.  I have other Macs on the same network connecting to it with varying operating systems ranging from 10.6 to 10.8.  None of the other Macs are experiencing this same issue.  So I know it is isolated to this Mac.  I was wondering if there might be something in the software like a setting that needs changed that might be causing this.  Any suggestions are welcome.

    I have renamed my pc and everything is ok with the file sharing SMB. Both my iMac and my pc can share files very easily.

  • Mac Pro accessing SMB shares on a windows server. After being left on all night, the MP gets "file unavailable" messages when opening files on the share.

    Windows Server 2003 accessed by several PCs and Macs without previous incident.  This one Mac Pro after it's been left on all night (running jobs, or just left idle), and a user tries to reconnect to an SMB share, can go to Finder, Go, Connect to Server, enter the Server info as normal, login as normal, view the directories and files as normal, but as soon as they try to open anything they are given one of the following messages:
    "Word cannot open this document. The document might be in use, the document might not be a valid Word document, or the file name might contain invalid characters (for example, \ /). (<filename>)" - when opening a word document
    "<filename> could not be found.  Check the spelling of the file name and verify that the file location is correct.  If you are trying to open the file from your list of most recently used files on the File menu, make sure that the file has not been renamed, moved, or deleted." - when opening an excel spreadsheet
    Note that these messages are popping up AFTER the user has double-clicked on them to open them.  So the files are certainly there and correctly named (and contain only letters, numbers and underscores).  After restarting the Mac Pro, the error messages are gone and the files can be accessed without problem. Would like it so that they can connect to the server without having to restart every day.

  • Rename folders in SMB shares

    Hello,
    as different threads already proved
    https://discussions.apple.com/thread/2139840?start=0&tstart=0
    there is a bug in 10.6.x where folders in SMB shares (linux but also Windows servers) cannot be renamed (Finder, Terminal, ...).
    Since the bug was not present in 10.5.x, I wonder whether it is still there in 10.7.x.
    Could someone please check?
    Thank you

    Have you seen this? <https://discussions.apple.com/thread/5477749>

  • Since upgrading to Mac OS 10.6.8 I can't connect to a smb share on Windows Server 2003r2

    Hi, recently I upgraded from Mac OS 10.5.8 to Mac OS 10.6.8 on a 2.66 GHz Dual-Core Intel Xeon Mac Pro 1,1.
    Prior to upgrading to 10.6.8 I had a viable connection to a Windows Server 2003r2 which hosts Pre-press client and all our work files as well as client applications. Now I can not connect to the server. I can ping the server. I can connect to another SMB share on different Windows Server 2003r2 that is our secondary server, but I can not connect to the primary. The Client software is associated with data base tracking the data.
    This share does not show up in my volumes but I have a Max Host File with the share defined.
    Can anyone come up with a solution to this. I have contacted my support for the Server 2003r2 Client software but they don't have a solution beyond clean installing the computer.

  • Trying to access SMB share, can read but not write, I use the domain account to authenticate and domain account has access to the share. It's a samba domain and I'm a Windows Admin by trade.

    I have two iMacs, Intel i7 models.
    I have some problems getting them to write files to SMB shares.
    The domain user account I use when requested to enter when I first try to connect to the share seems to go through without a problem and it presents me with a list of mounts (shares). I select one and the folder opens, I can read files and copy them but I can't write to any of the folders.
    I have also mounted the network locations to a folder from the terminal while also specifying a user name and password to use but this also doesn't allow the specified user account to write data to the share.
    I have confirmed the user account can write to the share by having the user do so from a Windows box.
    Any help from any of you Mac guys would be great!!!!
    I'm a Windows fan boy / Windows Server based Network Administrator and am slowly becoming a fan of your Macs (mainly due to the Unix terminal access letting me realise there is more control to be had than most haters would lead you to believe).
    Peace Out

    I should add that I originally formatted the problematic drive for FAT32 from the Mac, but then the WinXP computer couldn't see the drive when I plugged it in directly via USB. That's why I went with Seagate's utility to format it.

  • Windows machines unable to access smb shares

    I know many people are having problems with smb on osx server, but my issue seems very basic, so I will try to ask for help here.
    Basically, I have set up a single folder for sharing on a Mac Mini running OSX Mountain Lion Server. Directory services are provided by a Windows 2003 server, and I have joined OSX Server to that, and am able to see all AD users and groups correctly. I have checked the boxes specifying I wish to share as afp, smb and webdav and also made shares accessible to guests.
    Now, if I use a mac client, I can correctly browse the afp and smb shares, and the latter work via finder and smbutil as expected, including access via AD users, connection and file transfer.
    If, instead, I use a windows client (I tried both Win7Pro and WinXP), while being able to ping the osx server machine, if I try to "explore" (entering \\hostname in explorer) the shares I get a "Network error: impossible to access ..." (approximate translation, sorry ). I tried both using the hostname and the ip address, always getting the same result.
    If I try via prompt with "net view \\hostname" I get a System Error 53 (Unable to find network path).
    Does anyone know if I am doing anything wrong?
    Thanks
    Christian

    I have done some further testing, and I can report that occasionally, I am able to connect from a windows 7 professional machine by issuing the following command:
    net use z: \\hostname\share /user:DOMAIN\username
    mostly this command returns a 53 system error, but sometimes I am asked for the user's password and am then able to access the shared folder for a brief time.

  • Why do I get "Unknown user name or bad password" on Windows 7 when trying to connect to an SMB share on my Mac?

    Before installing the update to 10.7.3 I could connect to an SMB share on my Mac from Windows 7 but I can't any longer. When I try I get the error "Unknown user name or bad password" on the Windows 7 system.
    When I try to connect using the "net use..." command I get the error: "System error 86 has occurred".
    Does anyone know how to resolve this? What really confuses me is that it was working fine until I installed the update to 10.7.3.

    Check the Wins Tab in the Advanced section of Network in system preferences.
    If you don't have the same workgroup name and the correct NetBIOS name showing up in the WINS tab you will get the Bad username or password.
    I know I deal with this everyday.
    There is something wrong with Lion and it does not automatically fill in those entries in the WINS tab.
    What I have to do on every reboot/startup is open System preferences go to Sharing and uncheck File Sharing then recheck it. That will fill in the WINS tab entries.

  • Windows SMB shares not showing in finder

    hi,
    i'm using 10.5.8 on a powermac G5 in the office and recently experienced some difficulties regarding SMB shares. there are two Win XP 32bit machines in the office network, one Win 7 64bit machine and the powermac.
    1) usually, the powermac could see and access all three windows machines via finder's sidebar. that stopped working some weeks ago. none of the three PCs shows up in the sidebar now. when i use finder's "connect to server" feature, the connection is established without problems. network printing to one of the XP machines also works fine. the mac's firewall settings were set to “Set access for specific services and applications” all the time, showing AFP and SMB shares enabled. just out of curiosity, i deactivated the firewall… and voila: my three PCs showed up in the finder sidebar again. changed it back… no PCs there
    what's that? why did it work before, with the firewall enabled, and all of a sudden it doesn't work anymore and i have to shut down the firewall, to see my windows shares?
    2) for some time it was sufficient that i could access the windows shares from my mac. now my colleagues needed to access the mac from their windows machines. as they do not need to have access to my entire home folder, i added the relevant (sub)folder from my documents folder via SMB guest sharing, setting the access rights to "read&write" for everyone, so that no password was needed for guests accessing that folder. however, all three windows machines could only see the standard public folder with its drop box, but not the newly added folder. experimented for over an hour or so, changing settings, trying to add other folders… until i found out, that the folder will only show up on the windows network, when it's located on the top level of my home folder, but not, if it's located in a subfolder (i.e. in documents, music, etc.)
    is this meant to be that way? or am i doing something wrong?

    If this is still driving you crazy...
    I had the same problem and by figuring out which machine was the Master Browser I managed to fix it. I have a Windows 7 system and it had taken over as the Master Browser (probably because I had to rebuild my Mac). I disabled the Computer Browser service on the W7 computer and a 2003 server in my network automatically took over as the Master Browser. All of the Windows machines immediately appeared under Shared Items on my Mac sidebar.
    I followed the instructions from:
    http://robmulally.blogspot.com/2009/03/macbook-master-browser-and-my-mate.html
    - on how to figure out which machine is the Master Browser in the network. The link came from a different discussion on the same issue (https://discussions.apple.com/thread/1877116?start=0&tstart=0). There are also instructions (although somewhat vague) on how to make your Mac the Master Browser.
    I hope this is of some help.

  • Why is my Mac pro slow to Open folders in a Windows SMB share?

    Why is my Mac pro slow to Open folders in a Windows SMB share?   We use a Windows Server for graphics storage and I can open the share just fine, but when I attempt to open folders within that share it takes sometimes as long as 15 minutes to display the contents of the folders.  This happened before and I switched to the other NIC port, but now it is doing it in both.  I can open other connections to Windows SMB shares with no problem. 

  • Can only connect to smb share from Windows as "nobody"

    I'm trying to share some folders on my Mac using samba. When I connect from Windows, I do not get asked for a username and password, and I get connected as a guest user (nobody). What do I do to get connected as a real user? I've tried playing with /etc/smb.conf, but I'm not sure what to change.

    when you enable smb in Sharing system preferences on your mac, did you check the box to enable smb on a specific account?
    if you did, when you initiate smb from windows try entering
    smb://[email protected]
    instead of
    smb://mac.ip.address
