"guest only" documentation incorrect?

Andrew Bartlett abartlet at pcug.org.au
Sun Aug 12 21:14:58 GMT 2001


Steve Langasek wrote:
> 
> Hello,
> 
> A bug has been filed with the Debian BTS which I believe represents a
> documentation problem.  I'm hoping someone can confirm my understanding.
> 
> According to smb.conf(5):
> 
>        There  are a number of ways in which a user can connect to
>        a service. The server uses the following steps  in  determining
>        if  it will allow a connection to a specified service. If all
>        the steps fail, then the  connection  request
>        is  rejected.  However, if one of the steps succeeds, then
>        the following steps are not checked.
> 
>        If the service is marked "guest only = yes" then  steps  1
>        to 5 are skipped.
> 
>        1.     If  the  client has passed a username/password pair
>               and that username/password pair is validated by the
>               UNIX system's password programs then the connection
>               is made as that username. Note that  this  includes
>               the  \\server\service%username  method of passing a
>               username.
> 
>        [...]
> 
>        6.     If the service is a guest service then a connection
>               is made as the username given in the "guest account
>               =" for the service, irrespective  of  the  supplied
>               password.
> 
> In practice, it appears that steps one through five are only skipped if the
> client is smbclient (or possibly WFW).  Neither Win98 nor NT4 will fall back
> to using a guest connection to the server; they will continue trying to
> connect as an authenticated user, and continue prompting the user for a
> password until they give one that works.
> 
> So while it's correct that the *share* will not enforce username&password
> restrictions, and all access to the share will be made as the guest user, it
> appears that the *server* doesn't allow this because at the time of
> session setup it's not possible to distinguish between a connection to a
> guest-only share and a connection to a normal share.  Is this accurate?
> 
> What is the behavior of a guest-only share when running with share-level
> security?  I've only tested with security=user and security=domain.  Perhaps
> the current description is accurate for security=share?

Correct, and I'm doing work to make the code (and probably eventually
the related documentation) into some form of sanity.

The new rule for USER level security will be quite simple:  you get what
you logged in as, with things like rhosts being moved into the password
check stage for sanity.

Andrew Bartlett

-- 
Andrew Bartlett
abartlet at pcug.org.au
abartlet at samba.org
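
A simplified model of the ordering problem discussed in this thread, added here as an illustration (it is not Samba's code): with user-level security the credentials are checked at session setup, before any share is named, so "guest only" cannot relax that check. The accounts, passwords and share names are constructed, and the share-level branch is an assumption that follows the smb.conf(5) text quoted above.

```python
# Simplified model, not Samba source. All accounts and shares are constructed.
USERS = {"alice": "s3cret"}
SHARES = {
    "public": {"guest only": True, "guest account": "nobody"},
    "private": {"guest only": False, "guest account": "nobody"},
}


class Rejected(Exception):
    """The server refused the request; a Windows client would re-prompt."""


def check_password(user, password):
    return user in USERS and USERS[user] == password


def session_setup(user, password):
    # security = user: authentication happens here. No share name is
    # available yet, so per-share settings cannot influence the result.
    if not check_password(user, password):
        raise Rejected("session setup failed for %r" % user)
    return user


def tree_connect(session_user, share):
    # The share is only named now. "guest only" changes the identity used
    # for file access, but the login has already succeeded or failed.
    cfg = SHARES[share]
    return cfg["guest account"] if cfg["guest only"] else session_user


def connect_user_level(user, password, share):
    return tree_connect(session_setup(user, password), share)


def connect_share_level(user, password, share):
    # Assumed from the quoted man page: the password arrives together with
    # the share name, so a guest-only share can skip the credential steps.
    cfg = SHARES[share]
    if cfg["guest only"]:
        return cfg["guest account"]
    if not check_password(user, password):
        raise Rejected("bad password for share %r" % share)
    return user


def outcome(fn, user, password, share):
    try:
        return fn(user, password, share)
    except Rejected:
        return "REJECTED"
```

The case to look at is an unknown user asking for the guest-only share: the user-level path rejects it before the share is ever consulted, while the share-level path maps it to the guest account.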



