ldap_nua requires guest exist and have rid 501?

Andrew Bartlett abartlet at samba.org
Tue Nov 12 07:25:00 GMT 2002

On Tue, 2002-11-12 at 16:10, John E. Malmberg wrote:
> Andrew Bartlett wrote:
> > In Samba, access by the guest user is determined per-share, so I'm 
> > not sure exactly what you mean here.
> The NT behavior is that if the guest account is enabled, then if any 
> shares have the "everyone" group associated with them, then the shares 
> can be accessed from any LANMAN client on the network.  The security log 
> will log that the guest account was used to access the account.
> And the "everyone" group includes anyone on the network, not just the 
> workgroup or the domain.
> If you set the disable flag for the guest account, then none of the 
> shares will be accessible unless the user belongs to a group that is 
> otherwise allowed access to the share.
> The exception is getting the browse list.  This still works even if the 
> guest account is disabled.  And the security log does not register this 
> as a guest access.

The exception is much more than that - all sorts of things go over IPC$,
and they are protected by their individual ACLs.  Enumerating users, all
sorts of things.  Domain logons are a particular thing that occur
initially as guest (pipe-level authentication is done on netlogon,
likewise password changes are as guest).

> This has bitten several OpenVMS users as they disable or do not create 
> guest account because they do not plan to allow "everyone" on to access 
> their shares.  It has turned out to be one of the causes of the most 
> common problems reported.
> Having the SAMBA guest account have different visible functionality than 
> what is the visible behavior of Windows NT is going to be a continuing 
> source of confusion.

As far as I can tell, it is quite consistent actually.

> It would be better to have a different name for the internal uses that 
> are not directly visible, and have the guest account just be used for 
> guest access.  More politically correct and accurate.
> There are many sites that have security standards that prohibit a guest 
> account from being enabled.

So what does 'ident' or 'echo' or 'time' run as?  That is the point of
the guest account, Samba needs a user to become, an unprivileged user
that cannot break the entire system if Samba were to accidentally allow
file access, for example.  

So you propose having 2 accounts?  

We have the 'guest ok' parameter, NT ACLs and the 'restrict anonymous'
parameter for controlling this kind of thing, I think adding a new
smb.conf option would just break every site out there!

On most other systems, we use the 'nobody' account, which already exists
and requires no further configuration.  The default configuration for
3.0 has a 'unixsam' backend, which maps this to the 501 rid.  So by
default, this looks exactly like NT.

> So while it may be technically correct that the NT "GUEST" account is 
> used for some functions based on observations, the practice is not 
> consistent with what Microsoft has been telling NT Administrators.

It is consistent with what occurs on the wire, and really, that's the
best we can do.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
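The thread's practical advice is that guest exposure is controlled per share ('guest ok') and globally ('restrict anonymous', 'map to guest'), not by deleting the guest account. The following audit script is an added example, not code from the thread or from the Samba project: it parses an smb.conf and reports which shares are effectively guest-accessible, honouring the 'public' synonym, the fact that a 'guest ok' in [global] becomes the default for every share, and Samba's whitespace- and case-insensitive parameter matching. The sample smb.conf is constructed for the example; the function names (guest_shares, global_param) are this script's own.

```shell
#!/bin/sh
# Constructed sample smb.conf for the example (not from the thread).
SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   security = user
   guest account = nobody
   map to guest = Never
   restrict anonymous = 1

[homes]
   browseable = no
   writable = yes

[public]
   path = /srv/public
   guest ok = yes
   read only = yes

[finance]
   path = /srv/finance
   public = no
   valid users = @finance
'

# guest_shares: read an smb.conf on stdin and print each share whose
# effective "guest ok" is yes. "public" is Samba's synonym for "guest ok",
# and a value set in [global] is the default for shares that do not set it.
# Parameter names are compared with whitespace removed and case folded,
# which is how Samba itself matches them.
guest_shares() {
    awk '
    function norm(v) { gsub(/[ \t]/, "", v); return tolower(v) }
    function is_yes(v) { v = norm(v); return (v == "yes" || v == "true" || v == "1") }
    /^[ \t]*[;#]/ { next }                        # comment line
    /^[ \t]*\[.*\][ \t]*$/ {                      # [section] header
        name = $0; sub(/^[ \t]*\[/, "", name); sub(/\][ \t]*$/, "", name)
        order[++n] = name; cur = name; next
    }
    /=/ {
        key = $0; sub(/=.*/, "", key); key = norm(key)
        val = $0; sub(/^[^=]*=/, "", val)
        if (key == "guestok" || key == "public")
            setting[cur] = is_yes(val) ? "yes" : "no"
        next
    }
    END {
        def = ("global" in setting) ? setting["global"] : "no"
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s == "global") continue
            eff = (s in setting) ? setting[s] : def
            if (eff == "yes") print s
        }
    }'
}

# global_param NAME: print the [global] value of NAME from an smb.conf on
# stdin (same whitespace/case-insensitive match), or nothing if it is unset.
global_param() {
    awk -v want="$1" '
    BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[.*\][ \t]*$/ {
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
        sec = tolower(sec); next
    }
    sec == "global" && /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
        if (key == want) {
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val; exit
        }
    }'
}

# Usage on the constructed sample: lists "public" only, and shows the
# global anonymous-access settings the thread refers to.
printf '%s\n' "$SAMPLE_SMB_CONF" | guest_shares
printf 'restrict anonymous = %s\n' "$(printf '%s\n' "$SAMPLE_SMB_CONF" | global_param 'restrict anonymous')"
printf 'map to guest = %s\n' "$(printf '%s\n' "$SAMPLE_SMB_CONF" | global_param 'map to guest')"
```

Run it against a real file with `guest_shares < /etc/samba/smb.conf`. The accepted values and meaning of 'restrict anonymous' differ between Samba releases (it changed from a boolean to a numeric level in the 3.0 series), so check smb.conf(5) for the version in use; as the message above notes, tightening it far enough to refuse anonymous IPC$ connections also blocks browsing and the guest-initiated phases of domain logons.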