dfs option, anonymous connect - auth. redirect at server

Adam Cody ajcody at gmail.com
Tue Feb 22 02:41:26 GMT 2005


> > I don't believe there's a current way for a samba server (member server,
> > security = domain) to have its dfs share setup for anonymous/guest
> > connection unless one was to setup a NT guest account on the controller
> > or use a "force user" mode...which isn't a solution for obvious reasons.
> > If I missed the solution, I apologize now for intruding on the
> > tech-list for this.
> >
> > Is there a way to have the dfs share on a samba server to allow
> > anonymous/guest type access but then have the authentication done on the
> > server when the client goes to the actual share point?
> 
> Late reply I know....
> 
> This is more a limitation of the session setup requirements.  The
> authentication is done prior to the tcon&X so you've already got
> the user credentials.  The best option here I think is just setup
> a 'guest' server (everyone gets mapped to guest) and store your
> dfs shares on that.  You can use a virtual server for this.
> 
> cheers, jerry

Thanks for the response. I'm confused by your answer though to how dfs
authenticates. If the authentication is done only once and is from the
dfs server then why would one need to setup the backend servers with
complex authentication options -- like winbind?
If the front authenticates via "server = domain" and winbind for
example, couldn't the backend samba servers just be setup with a
simple "server = user" then and avoid having to share the winbind
mappings via ldap to the backend machines? If that is the way it would
work then there would be one advantage in that users couldn't actually
reach the shares unless they went to them via the dfs server.
Now, if that setup wouldn't actually work and the backend machines did
need to match the dfs server's authentication options then it seems
that each machine is confirming authentication, unlike you describe
above.
If you have time to explain more...I think I am missing something in your
explanation.
Thanks,
Adam Cody
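
The 'guest' DFS server suggested in the quoted reply, sketched as an added smb.conf example (not part of the original thread and not the Samba project's own configuration). Host names, share names and paths are placeholders. A client that follows a DFS referral opens a new connection to the target server and performs its own session setup there, so the target's `security` setting decides who gets in.

```ini
# --- DFS root host: every unknown user is mapped to guest ---
[global]
    # DFSROOT is a placeholder name
    netbios name = DFSROOT
    security = user
    # logins with a username this host does not know become guest;
    # with no local accounts defined, that is everyone
    map to guest = Bad User
    guest account = nobody
    host msdfs = yes

[dfs]
    # placeholder path; it holds only msdfs symlinks, no data, e.g.
    #   ln -s 'msdfs:fileserv1\projects' /export/dfsroot/projects
    path = /export/dfsroot
    msdfs root = yes
    guest ok = yes
    guest only = yes
    read only = yes

# --- Referral target (separate host, placeholder name fileserv1) ---
# The client authenticates here on its own connection.
[global]
    netbios name = FILESERV1
    security = domain
    # reject, rather than map, anything that fails authentication
    map to guest = Never

[projects]
    path = /export/projects
    guest ok = no
    read only = no
```

Keeping the root share read-only and guest-only limits what an unauthenticated client can learn to the link names, while the data shares stay behind domain authentication on the target.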

