Make the "map to guest" parameter work correctly with NTLMSSP

Jeremy Allison jra at
Fri Jul 16 17:41:07 MDT 2010

On Sat, Jul 17, 2010 at 09:17:24AM +1000, Andrew Bartlett wrote:
> I've been thinking about this, and the 'map to guest' logic really is at
> the wrong level.  Rather than try and trap things from outside the
> NTLMSSP layer, this really needs to be done in the auth layer.  We
> should signal for all NTLM authentication types that we want or don't
> want 'map to guest' on this connection, and this layer should not know
> it's anything more than a normal, authenticated connection.  (Perhaps
> with an indication in the server_info). 

There's already a bool flag in the server_info that signifies guest.
I needed to fix it for 3.6.0 as there's a NAS vendor testing SMB2 support
who complained this was broken with SMB2. I'd suggest we fix this in the
merge to 4.0.

> Under Kerberos, the only case where 'map to guest' might make any sense
> is if we can't map the user from the one in the ticket to a local posix
> UID and GID set. 

Yes, I'd already decided that (and the SMB2 krb5 auth code
already does this correctly :-).


More information about the samba-technical mailing list