restrict anonymous patch against 2beta2
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Wed Dec 2 19:23:35 GMT 1998
On Thu, 3 Dec 1998 thwartedefforts at wonky.org wrote:
> This patch adds a 'restrict anonymous' parameter to samba which
> forces samba to deny anonymous connections from clients. It
> supersedes my "null overrides valid username" patch
> (http://samba.anu.edu.au/listproc/samba-ntdom/2351.html).
>
> The patch can be downloaded from
> http://www.reac.com/samba/samba2b2-restanon.diff
>
> This has two effects:
> - The %U and %G macro expansions will work in a predictable manner,
> because a username is always needed. This gets rid of cases
> where the client refreshes the share listing and shares "disappear".
> - Killing an smbd process for a WinNT client can cause the client to
> assume it's still validated, and sometimes will attempt reconnection
> anonymously. This will force it to revalidate.
>
> It has one side effect (related to how NT behaves after logout):
> - If you are using samba as a PDC, the client machine will be unable
> to revalidate it's machine account after a user logs out because
> WinNT maintains a validated connection after logout, and it tries to
> access the machine account initially using an anonymous connection.
> The solution here is to "Shutdown and restart" between interactive
> logons, rather than "Close all programs and logon as a different
> user". The fact that NT maintains a connection after logout has
> been a long standing problem with using Samba as a PDC, for which
> there is currently no know solution or workaround. If having to
> restart between interactive logons bothers you, then do not set
> restrict anonymous to true.
nt workstations maintain connections to nt servers as well, after
user-logout. this apparently causes problems on hte nt worksttation of a
security nature, as described on NTBUGTRAQ, and is therefore under
investigation at microsoft.
hopefully, the problem will be fixed in such a way that, as a side-effect,
this issue you describe here will no longer be a problem (i.e they drop
the connection on user logout).
> The restrict anonymous parameter is not designed for use in share
> level security. Do not use it if you have security=share.
>
> Restrict anonymous does effect browsing on mixed client networks, but
> I have attempted to compensate for that. What appears to be a bug in
> Win95 makes it difficult to browse non-anonymously. If restrict
> anonymous is turned on, a work around gets enabled for win95 clients
> to make browsing work. See
>
> http://samba.anu.edu.au/listproc/samba-technical/1856.html
>
> for a more detailed description of this Win95 problem. I would
> recommend that restrict anonymous only be used on homogenous NT
> networks, but I am successfully (that is, browsing works for all
> machines when restrict anonymous is on) using it in a mixed NT and
> 95 network. If a Win95 machine is on your network and the
> workaround gets enabled, a message is generated to the system logs.
>
> If restrict anonymous is turned off (the default), then the complete
> original behaviour is used.
>
> My environment:
> Samba2.0.0beta2 Primary Domain Controller (RH 5.1)
> Samba2.0.0beta2 domain member (RH 5.1)
> approx 3 dozen Windows NT4 Workstations (mixed SP3 and SP4)
> 2 Windows NT4 Server SP4
>
> Files patched are:
> source/smbd/reply.c
> source/param/loadparam.c
> yodldocs/smb.conf.5.yo
>
> The other kinds of docs will have to be regenerated from the yodl
> format docs.
>
> To apply:
>
> $ cd to the directory that contains the samba-2.0.0beta2 directory
> $ ls (to verify you are in the right place)
> samba-2.0.0beta2
> $ patch -p0 < samba2b2-restanon.diff
> patching file...
>
> I recommend GNU patch. The -p0 option is important so that it finds
> the files to patch in the subdirectories.
>
> >From the docs:
>
> restrict anonymous(G)
>
> This is a boolean parameter. If it is true, then anonymous access to
> the server will be restricted, namely in the case where the server is
> expecting the client to send a username, but it doesn't. Setting it
> to true will force these anonymous connections to be denied, and the
> client will be required to always supply a username and password when
> connecting. Use of this parameter is only recommened for homogenous
> NT client environments.
>
> This parameter makes the use of macro expansions that rely on the
> username (%U, %G, etc) consistant. NT 4.0 likes to use anonymous
> connections when refreshing the share list, and this is a way to work
> around that.
>
> When restrict anonymous is true, all anonymous connections are denied
> no matter what they are for. This can effect the ability of a
> machine to access the samba Primary Domain Controller to revalidate
> it's machine account after someone else has logged on the client
> interactively. The NT client will display a message saying that the
> machine's account in the domain doesn't exist or the password is bad.
> The best way to deal with this is to reboot NT client machines
> between interactive logons, using "Shutdown and Restart", rather than
> "Close all programs and logon as a different user".
>
>
>
<a href="mailto:lkcl at samba.anu.edu.au" > Luke Kenneth Casson Leighton </a>
<a href="http://mailhost.cb1.com/~lkcl"> Samba and Network Development </a>
<a href="http://www.samba.co.uk" > Samba and Network Consultancy </a>
More information about the samba-technical
mailing list