"guest only" documentation incorrect?
abartlet at pcug.org.au
Sun Aug 12 21:14:58 GMT 2001
Steve Langasek wrote:
> A bug has been filed with the Debian BTS which I believe represents a
> documentation problem. I'm hoping someone can confirm my understanding.
> According to smb.conf(5):
> There are a number of ways in which a user can connect to
> a service. The server uses the following steps in
> determining if it will allow a connection to a specified
> service. If all the steps fail, then the connection request
> is rejected. However, if one of the steps succeeds, then
> the following steps are not checked.
> If the service is marked "guest only = yes" then steps 1
> to 5 are skipped.
> 1. If the client has passed a username/password pair
> and that username/password pair is validated by the
> UNIX system's password programs then the connection
> is made as that username. Note that this includes
> the \\server\service%username method of passing a
> 6. If the service is a guest service then a connection
> is made as the username given in the "guest account
> =" for the service, irrespective of the supplied
> In practice, it appears that steps one through five are only skipped if the
> client is smbclient (or possibly WFW). Neither Win98 nor NT4 will fall back
> to using a guest connection to the server; they will continue trying to
> connect as an authenticated user, and continue prompting the user for a
> password until they give one that works.
> So while it's correct that the *share* will not enforce username&password
> restrictions, and all access to the share will be made as the guest user, it
> appears that the *server* doesn't allow this because at the time of
> session setup it's not possible to distinguish between a connection to a
> guest-only share and a connection to a normal share. Is this accurate?
> What is the behavior of a guest-only share when running with share-level
> security? I've only tested with security=user and security=domain. Perhaps
> the current description is accurate for security=share?
Correct, and I'm doing work to make the code (and probably eventually
the related documentation) into some form of sanity.
The new rule for USER level security will be quite simple: you get what
you logged in as, with things like rhosts being moved into the password
check stage for sanity.
abartlet at pcug.org.au
abartlet at samba.org