"guest only" documentation incorrect?
vorlon at netexpress.net
Sun Aug 12 16:08:44 GMT 2001
A bug has been filed with the Debian BTS which I believe represents a
documentation problem. I'm hoping someone can confirm my understanding.
According to smb.conf(5):
There are a number of ways in which a user can connect to
a service. The server uses the following steps in deter
mining if it will allow a connection to a specified ser
vice. If all the steps fail, then the connection request
is rejected. However, if one of the steps succeeds, then
the following steps are not checked.
If the service is marked "guest only = yes" then steps 1
to 5 are skipped.
1. If the client has passed a username/password pair
and that username/password pair is validated by the
UNIX system's password programs then the connection
is made as that username. Note that this includes
the \\server\service%username method of passing a
6. If the service is a guest service then a connection
is made as the username given in the "guest account
=" for the service, irrespective of the supplied
In practice, it appears that steps one through five are only skipped if the
client is smbclient (or possibly WFW). Neither Win98 nor NT4 will fall back
to using a guest connection to the server; they will continue trying to
connect as an authenticated user, and continue prompting the user for a
password until they give one that works.
So while it's correct that the *share* will not enforce username&password
restrictions, and all access to the share will be made as the guest user, it
appears that the *server* doesn't allow this because at the time of
session setup it's not possible to distinguish between a connection to a
guest-only share and a connection to a normal share. Is this accurate?
What is the behavior of a guest-only share when running with share-level
security? I've only tested with security=user and security=domain. Perhaps
the current description is accurate for security=share?
More information about the samba-technical