ldap_nua requires guest exist and have rid 501?

John E. Malmberg wb8tyw at qsl.net
Tue Nov 12 05:13:00 GMT 2002


Andrew Bartlett wrote:
> In Samba, access by the guest user is determined per-share, so I'm 
> not sure exactly what you mean here.

The NT behavior is that if the guest account is enabled, then if any 
shares have the "everyone" group associated with them, then the shares 
can be accessed from any LANMAN client on the network.  The security log 
will log that the guest account was used to access the account.

And the "everyone" group includes anyone on the network, not just the 
workgroup or the domain.

If you set the disable flag for the guest account, then none of the 
shares will be accessible unless the user belongs to a group that is 
otherwise allowed access to the share.

The exception is getting the browse list.  This still works even if the 
guest account is disabled.  And the security log does not register this 
as a guest access.

This has bitten several OpenVMS users as they disable or do not create a 
guest account because they do not plan to allow "everyone" to access 
their shares.  It has turned out to be one of the causes of the most 
common problems reported.


Having the SAMBA guest account have different visible functionality than 
what is the visible behavior of Windows NT is going to be a continuing 
source of confusion.

It would be better to have a different name for the internal uses that 
are not directly visible, and have the guest account just be used for 
guest access.  More politically correct and accurate.

There are many sites that have security standards that prohibit a guest 
account from being enabled.

So while it may be technically correct that the NT "GUEST" account is 
used for some functions based on observations, the practice is not 
consistent with what Microsoft has been telling NT Administrators.

-John
wb8tyw at qsl.network
Personal Opinion Only





More information about the samba-technical mailing list