This parameter is only useful in security modes other than security = share and security = server - i.e. user, and domain. This parameter can take four different values, which tell smbd 8 what to do with user login requests that don't match a valid UNIX user in some way. The four settings are : Never - Means user login requests with an invalid password are rejected. This is the default. Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the . Bad Password - Means user logins with an invalid password are treated as a guest login and mapped into the . Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will hate you if you set the map to guest parameter this way :-). Bad Uid - Is only applicable when Samba is configured in some type of domain mode security (security = {domain|ads}) and means that user logins which are successfully authenticated but which have no valid Unix user account (and smbd is unable to create one) should be mapped to the defined guest account. This was the default behavior of Samba 2.x releases. Note that if a member server is running winbindd, this option should never be required because the nss_winbind library will export the Windows domain users and groups to the underlying OS via the Name Service Switch interface. Note that this parameter is needed to set up "Guest" share services when using security modes other than share and server. This is because in these modes the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares. This parameter is not useful with security = server as in this security mode no information is returned about whether a user logon failed due to a bad username or bad password, the same error is returned from a modern server in both cases. For people familiar with the older Samba releases, this parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h. Never Bad User