Make the "map to guest" parameter work correctly with NTLMSSP

Andrew Bartlett abartlet at
Fri Jul 16 17:53:10 MDT 2010

On Fri, 2010-07-16 at 16:41 -0700, Jeremy Allison wrote:
> On Sat, Jul 17, 2010 at 09:17:24AM +1000, Andrew Bartlett wrote:
> > 
> > I've been thinking about this, and the 'map to guest' logic really is at
> > the wrong level.  Rather than try and trap things from outside the
> > NTLMSSP layer, this really needs to be done in the auth layer.  We
> > should signal for all NTLM authentication types that we want or don't
> > want 'map to guest' on this connection, and this layer should not know
> > it's anything more than a normal, authenticated connection.  (Perhaps
> > with an indication in the server_info). 
> There's already a bool flag in the server_info that signifies guest.
> I needed to fix it for 3.6.0 as there's a NAS vendor testing SMB2 support
> who complained this was broken with SMB2. I'd suggest we fix this in the
> merge to 4.0.

No worries, I'll handle that when we merge the auth layers.  Do we have
a testsuite for it, so I can't forget?

> > Under Kerberos, the only case where 'map to guest' might make any sense
> > is if we can't map the user from the one in the ticket to a local posix
> > UID and GID set. 
> Yes, I'd already decided that (and the SMB2 krb5 auth code
> already does this correctly :-).

Good :-)

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list