ldap_nua requires guest exist and have rid 501?
John E. Malmberg
wb8tyw at qsl.net
Tue Nov 12 05:13:00 GMT 2002
Andrew Bartlett wrote:
> In Samba, access by the guest user is determined per-share, so I'm
> not sure exactly what you mean here.
The NT behavior is that if the guest account is enabled, than if any
shares have the "everyone" group associated with them, then the shares
can be accessed from any LANMAN client on the network. The security log
will log that the guest account was used to access the account.
And the "everyone" group includes anyone on the network, not just the
workgroup or the domain.
If you set the disable flag for the guest account, then none of the
shares will be accessable unless the user belongs to a group that is
otherwise allowed access to the share.
The execption is getting the browse list. This still works even if the
guest account is disabled. And the security log does not register this
as a guest access.
This has bitten several OpenVMS users as they disable or do not create
guest account because they do not plan to allow "everyone" on to access
their shares. It has turned out to be one of the causes of the most
common problems reported.
Having the SAMBA guest account have different visible functionality than
what is the visible behavior of Windows NT is going to be a continuing
source of confusion.
It would be better to have a different name for the internal uses that
are not directly visible, and have the guest account just be used for
guest access. More politically correct and accurate.
There are many sites that have security standards that prohibit a guest
account from being enabled.
So while it may be technically correct that the NT "GUEST" account is
used for some functions based on observations, the practice is not
consistent with what Microsoft has been telling NT Administrators.
-John
wb8tyw at qsl.network
Personal Opinion Only
More information about the samba-technical
mailing list