"guest only" documentation incorrect?

Andrew Bartlett abartlet at pcug.org.au
Sun Aug 12 21:14:58 GMT 2001

Steve Langasek wrote:
> Hello,
> A bug has been filed with the Debian BTS which I believe represents a
> documentation problem.  I'm hoping someone can confirm my understanding.
> According to smb.conf(5):
>        There  are a number of ways in which a user can connect to
>        a service. The server uses the following steps  in  determining
>        if  it will allow a connection to a specified service.
>        If all the steps fail, then the  connection  request
>        is  rejected.  However, if one of the steps succeeds, then
>        the following steps are not checked.
>        If the service is marked "guest only = yes" then  steps  1
>        to 5 are skipped.
>        1.     If  the  client has passed a username/password pair
>               and that username/password pair is validated by the
>               UNIX system's password programs then the connection
>               is made as that username. Note that  this  includes
>               the  \\server\service%username  method of passing a
>               username.
>        [...]
>        6.     If the service is a guest service then a connection
>               is made as the username given in the "guest account
>               =" for the service, irrespective  of  the  supplied
>               password.
> In practice, it appears that steps one through five are only skipped if the
> client is smbclient (or possibly WFW).  Neither Win98 nor NT4 will fall back
> to using a guest connection to the server; they will continue trying to
> connect as an authenticated user, and continue prompting the user for a
> password until they give one that works.
> So while it's correct that the *share* will not enforce username&password
> restrictions, and all access to the share will be made as the guest user, it
> appears that the *server* doesn't allow this because at the time of
> session setup it's not possible to distinguish between a connection to a
> guest-only share and a connection to a normal share.  Is this accurate?
> What is the behavior of a guest-only share when running with share-level
> security?  I've only tested with security=user and security=domain.  Perhaps
> the current description is accurate for security=share?

Correct, and I'm doing work to make the code (and probably eventually
the related documentation) into some form of sanity.

The new rule for USER level security will be quite simple:  you get what
you logged in as, with things like rhosts being moved into the password
check stage for sanity.

Andrew Bartlett

Andrew Bartlett
abartlet at pcug.org.au
abartlet at samba.org
