[PATCH] Allow guest access depending on the domain guest account in Samba 4

Samuel Cabrero scabrero at zentyal.com
Thu Nov 7 01:57:06 MST 2013


Hello all,

this patch set enables SMB guest access on Samba 4 based on the enabled status 
of the domain guest account, mapping users not found in the SAM to it.

I have checked with a Windows Server 2008 R2 and the behavior is the same:
* If the user is not found in the SAM database and the domain guest account is 
disabled, access is denied.
* If the user is not found in the SAM database, the domain guest account is 
enabled and doesn't have a password set, access is allowed.
* If the user is not found in the SAM database, the domain guest account is 
enabled and has a password set, the password is checked and access is allowed.

In any case, the user is not authenticated and added to the S-1-5-11 
(authenticated users) group, even if the guest account has a password set 
http://technet.microsoft.com/en-us/library/cc780850(v=ws.10).aspx

I have also added a new test unix.guest. This test checks that guest access is 
only allowed when the domain guest account is enabled, the guest password is 
honored and checks the SMB access tokens and LDAP token groups granted by the 
server, in AD DC and domain member environments.

The patch set also includes two related changes:
* The UF_PASSWD_NOTREQD bit was cleared when enabling an account, which differs 
from the Windows Server 2008 R2 behavior and breaks the guest access. 
* Print message on success disabling a user (samba-tool user disable)

Cheers.

-- 
Samuel Cabrero - Developer
scabrero at zentyal.com

Easy IT for small business
www.zentyal.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-auth-Fallback-to-guest-account-if-user-not-found-in-.patch
Type: text/x-patch
Size: 5673 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131107/1b9b2e77/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-python-samba-tool-Do-not-toggle-UF_PASSWD_NOTREQD-en.patch
Type: text/x-patch
Size: 901 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131107/1b9b2e77/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-python-samba-tool-Print-message-on-success-disabling.patch
Type: text/x-patch
Size: 884 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131107/1b9b2e77/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Add-test-for-guest-access-to-SMB-and-LDAP.patch
Type: text/x-patch
Size: 33516 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131107/1b9b2e77/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Test-guest-access-in-domain-member-environment.patch
Type: text/x-patch
Size: 17793 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131107/1b9b2e77/attachment-0004.bin>
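
The three cases listed in the mail and the effect of the enable step on the guest account's flags, as an added example that is not part of the original post or of the Samba patches. The function names, the sample flag value and the rule that a blank guest password is accepted only while UF_PASSWD_NOTREQD is set are assumptions made for this illustration.

```python
# Added illustration, not Samba code. userAccountControl bit values as used by AD.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200


def guest_fallback(user_in_sam, guest_uac, guest_has_password, password_ok=False):
    """Decide the outcome of a logon for the three cases listed in the mail."""
    if user_in_sam:
        return "normal-auth"          # known user: guest mapping is not involved
    if guest_uac & UF_ACCOUNTDISABLE:
        return "deny"                 # case 1: guest account disabled
    if guest_has_password:
        # case 3: the guest password is checked before access is allowed
        return "guest" if password_ok else "deny"
    # case 2: enabled guest without a password.
    # Assumption: a blank password is accepted only while UF_PASSWD_NOTREQD is set.
    return "guest" if guest_uac & UF_PASSWD_NOTREQD else "deny"


def enable_account_clearing_notreqd(uac):
    """Enable step as the mail describes it before patch 0002."""
    return uac & ~(UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD)


def enable_account(uac):
    """Enable step after patch 0002 as described: only the disable bit changes."""
    return uac & ~UF_ACCOUNTDISABLE


def audit(guest_uac, guest_has_password):
    """Report what an unknown username without a valid guest password gets."""
    outcome = guest_fallback(False, guest_uac, guest_has_password, password_ok=False)
    if outcome == "guest":
        return "unknown users get a guest session"
    return "unknown users are denied"


if __name__ == "__main__":
    # Constructed sample value: a disabled, passwordless guest account.
    guest = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD
    for label, uac in [("disabled", guest),
                       ("enabled, old enable step", enable_account_clearing_notreqd(guest)),
                       ("enabled, patched enable step", enable_account(guest))]:
        print(f"{label:30} uac={uac:#06x} -> {audit(uac, guest_has_password=False)}")
```

Run against the guest account's real userAccountControl value, `audit` shows whether any unknown username would be mapped to a guest session on that server.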