"guest only" documentation incorrect?

Steve Langasek vorlon at netexpress.net
Sun Aug 12 16:08:44 GMT 2001


A bug has been filed with the Debian BTS which I believe represents a
documentation problem.  I'm hoping someone can confirm my understanding.

According to smb.conf(5):

       There are a number of ways in which a user can connect to
       a service. The server uses the following steps in
       determining if it will allow a connection to a specified
       service. If all the steps fail, then the connection request
       is rejected. However, if one of the steps succeeds, then
       the following steps are not checked.

       If the service is marked "guest only = yes" then steps 1
       to 5 are skipped.

       1.     If the client has passed a username/password pair
              and that username/password pair is validated by the
              UNIX system's password programs then the connection
              is made as that username. Note that this includes
              the \\server\service%username method of passing a


       6.     If the service is a guest service then a connection
              is made as the username given in the "guest account
              =" for the service, irrespective of the supplied

In practice, it appears that steps one through five are only skipped if the
client is smbclient (or possibly WFW).  Neither Win98 nor NT4 will fall back
to using a guest connection to the server; they will continue trying to
connect as an authenticated user, and continue prompting the user for a
password until they give one that works.

So while it's correct that the *share* will not enforce username&password
restrictions, and all access to the share will be made as the guest user, it
appears that the *server* doesn't allow this because at the time of
session setup it's not possible to distinguish between a connection to a
guest-only share and a connection to a normal share.  Is this accurate?

What is the behavior of a guest-only share when running with share-level
security?  I've only tested with security=user and security=domain.  Perhaps
the current description is accurate for security=share?

Steve Langasek
postmodern programmer
