New docs & a fundamental change

Jeremy Allison jallison at cthulhu.engr.sgi.com
Tue Nov 10 18:51:27 GMT 1998 

Andrew Tridgell wrote:

> 
> make a particular point that the name of the resource being requested
> is _not_ sent to the server until after the server has successfully
> authenticated the client. That is why guest shares don't work in user
> level security.
> 

Ok I've finally tackled this issue in both the docs and the
code.

By the time you are awake I'll have checked this code
in :-) - so if *really* hate it I can back it out :-).

Due to the fact that we now ship many more binaries 
than source distributions, and recompiling and
changing the value of GUEST_SESSSETUP to make
guest shares work with out pre-compiled binaries is
not really an option for most users, I've added the
following parameter :

"map to guest"

which can take three possible values :

"Never" - the default - maps to GUEST_SESSSETUP=0

"Bad User" - maps to GUEST_SESSSETUP=1

"Bad Password" - maps to GUEST_SESSSETUP=2

Here are the docs :

	Cheers,

		Jeremy.

-------------cut here---------------------------

label(maptoguest)
dit(bf(map to guest (G)))

This parameter is only useful in link(bf(security))(security) modes
other than link(bf("security=share"))(security) - ie. user, server,
and domain.

This parameter can take three different values, which tell
url(bf(smbd))(smbd.8.html) what to do with user login requests that
don't match a valid UNIX user in some way.

The three settings are :

startit()

it() bf("Never") - Means user login requests with an invalid password
are rejected. This is the default.

it() bf("Bad User") - Means user logins with an invalid password are
rejected, unless the username does not exist, in which case it is
treated as a guest login and mapped into the link(bf("guest
account"))(guestaccount).

it() bf("Bad Password") - Means user logins with an invalid
password are treated as a guest login and mapped into the
link(bf("guest account"))(guestaccount). Note that this can
cause problems as it means that any user mistyping their
password will be silently logged on a bf("guest") - and 
will not know the reason they cannot access files they think
they should - there will have been no message given to them
that they got their password wrong. Helpdesk services will
em(*hate*) you if you set the bf("map to guest") parameter
this way :-).

endit()

Note that this parameter is needed to set up bf("Guest") share
services when using link(bf(security))(security) modes other than
share. This is because in these modes the name of the resource being
requested is em(*not*) sent to the server until after the server has
successfully authenticated the client so the server cannot make
authentication decisions at the correct time (connection to the
share) for bf("Guest") shares.

For people familiar with the older Samba releases, this parameter
maps to the old compile-time setting of the GUEST_SESSSETUP value
in local.h.

  bf(Default:)
tt(	map to guest = Never)
  bf(Example):
tt(	map to guest = Bad User)



-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

More information about the samba-technical mailing list