Make the "map to guest" parameter work correctly with NTLMSSP
Andrew Bartlett
abartlet at samba.org
Fri Jul 16 17:53:10 MDT 2010
On Fri, 2010-07-16 at 16:41 -0700, Jeremy Allison wrote:
> On Sat, Jul 17, 2010 at 09:17:24AM +1000, Andrew Bartlett wrote:
> >
> > I've been thinking about this, and the 'map to guest' logic really is at
> > the wrong level. Rather than try and trap things from outside the
> > NTLMSSP layer, this really needs to be done in the auth layer. We
> > should signal for all NTLM authentication types that we want or don't
> > want 'map to guest' on this connection, and this layer should not know
> > it's anything more than a normal, authenticated connection. (Perhaps
> > with an indication in the server_info).
>
> There's already a bool flag in the server_info that signifies guest.
> I needed to fix it for 3.6.0 as there's a NAS vendor testing SMB2 support
> who complained this was broken with SMB2. I'd suggest we fix this in the
> merge to 4.0.
No worries, I'll handle that when we merge the auth layers. Do we have
a testsuite for it, so I can't forget?
> > Under Kerberos, the only case where 'map to guest' might make any sense
> > is if we can't map the user from the one in the ticket to a local posix
> > UID and GID set.
>
> Yes, I'd already decided that (and the SMB2 krb5 auth code
> already does this correctly :-).
Good :-)
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100717/d1691efa/attachment.pgp>
More information about the samba-technical
mailing list