Can I kill 'restrict anonymous'?

Andrew Bartlett abartlet at
Sat Nov 10 18:59:01 GMT 2001

Jeremy Allison wrote:
> On Sun, Nov 11, 2001 at 11:00:29AM +1100, Andrew Bartlett wrote:
> > It depends on what you call 'compleatly anonymous'.  If by that you just
> > mean a guest logon, then yes we have that and it passed all the way down
> > to the vuser.
> >
> > This would need sorting with the authenticated pipe code as well, (hence
> > my proposals to unify the way we deal with both entry points).
> >
> > Apart from that its a trivial modificaion, and a worthwhile addition.
> >
> > As you know this code better, could you look into it?  It could be done
> > either by an NT ACL or a simple guest flag check.  I'll kill off the
> > session setup stuff.
> Sure, I'll look at it (not right now though, I'm off to see "Grease" at the
> theatre and I'm already late :-). There's a difference between "guest" and "anonymous". We
> just need an extra flag so we know when a user presented no credentials
> as compared with someone who did, even if they both end up as the same
> UNIX "guest" uid.
> Jeremy.

Correct, and this is the way the code now works.  The 'guest' flag on
the vuser (and the server_info) is only set if and only if the user
either: a) did not provide credentials or b) was 'mapped to guest' by
that ugly hack in the session setup code.  Both of these are purely
anonymous as far as this is concerned.  

In HEAD, we no longer compare unix uids to determine 'guest' status, and
an authenticated user with that uid is not treated as a guest.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Samba Team member, Build Farm maintainer        abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list