restrict anonymous patch against 2beta2

thwartedefforts at wonky.org thwartedefforts at wonky.org
Wed Dec 2 19:09:49 GMT 1998 

This patch adds a 'restrict anonymous' parameter to samba which 
forces samba to deny anonymous connections from clients.  It 
supersedes my "null overrides valid username" patch 
(http://samba.anu.edu.au/listproc/samba-ntdom/2351.html).

The patch can be downloaded from
http://www.reac.com/samba/samba2b2-restanon.diff

This has two effects:
 - The %U and %G macro expansions will work in a predictable manner,
   because a username is always needed.  This gets rid of cases 
   where the client refreshes the share listing and shares "disappear".
 - Killing an smbd process for a WinNT client can cause the client to 
   assume it's still validated, and sometimes will attempt reconnection 
   anonymously.  This will force it to revalidate.
   
It has one side effect (related to how NT behaves after logout):
 - If you are using samba as a PDC, the client machine will be unable 
   to revalidate it's machine account after a user logs out because 
   WinNT maintains a validated connection after logout, and it tries to 
   access the machine account initially using an anonymous connection.  
   The solution here is to "Shutdown and restart" between interactive 
   logons, rather than "Close all programs and logon as a different 
   user".  The fact that NT maintains a connection after logout has 
   been a long standing problem with using Samba as a PDC, for which 
   there is currently no know solution or workaround.  If having to 
   restart between interactive logons bothers you, then do not set 
   restrict anonymous to true.

The restrict anonymous parameter is not designed for use in share 
level security.  Do not use it if you have security=share.

Restrict anonymous does effect browsing on mixed client networks, but 
I have attempted to compensate for that.  What appears to be a bug in 
Win95 makes it difficult to browse non-anonymously.  If restrict 
anonymous is turned on, a work around gets enabled for win95 clients 
to make browsing work. See

http://samba.anu.edu.au/listproc/samba-technical/1856.html

for a more detailed description of this Win95 problem.  I would 
recommend that restrict anonymous only be used on homogenous NT 
networks, but I am successfully (that is, browsing works for all 
machines when restrict anonymous is on) using it in a mixed NT and 
95 network.  If a Win95 machine is on your network and the
workaround gets enabled, a message is generated to the system logs.

If restrict anonymous is turned off (the default), then the complete 
original behaviour is used.

My environment:
  Samba2.0.0beta2 Primary Domain Controller (RH 5.1)
  Samba2.0.0beta2 domain member (RH 5.1)
  approx 3 dozen Windows NT4 Workstations (mixed SP3 and SP4)
  2 Windows NT4 Server SP4

Files patched are:
  source/smbd/reply.c
  source/param/loadparam.c
  yodldocs/smb.conf.5.yo

The other kinds of docs will have to be regenerated from the yodl 
format docs.

To apply:

$ cd to the directory that contains the samba-2.0.0beta2 directory
$ ls (to verify you are in the right place)
samba-2.0.0beta2
$ patch -p0 < samba2b2-restanon.diff
patching file...

I recommend GNU patch.  The -p0 option is important so that it finds 
the files to patch in the subdirectories.

>From the docs:

restrict anonymous(G)

 This is a boolean parameter.  If it is true, then anonymous access to 
 the server will be restricted, namely in the case where the server is 
 expecting the client to send a username, but it doesn't.  Setting it 
 to true will force these anonymous connections to be denied, and the 
 client will be required to always supply a username and password when 
 connecting. Use of this parameter is only recommened for homogenous 
 NT client environments.

 This parameter makes the use of macro expansions that rely on the 
 username (%U, %G, etc) consistant.  NT 4.0 likes to use anonymous 
 connections when refreshing the share list, and this is a way to work 
 around that.

 When restrict anonymous is true, all anonymous connections are denied 
 no matter what they are for.  This can effect the ability of a 
 machine to access the samba Primary Domain Controller to revalidate 
 it's machine account after someone else has logged on the client 
 interactively.  The NT client will display a message saying that the 
 machine's account in the domain doesn't exist or the password is bad. 
 The best way to deal with this is to reboot NT client machines 
 between interactive logons, using "Shutdown and Restart", rather than 
 "Close all programs and logon as a different user".

More information about the samba-ntdom mailing list