[PATCH] Allow guest access depending on the domain guest account in Samba 4

Andrew Bartlett abartlet at samba.org
Sun Mar 23 01:15:50 MDT 2014

On Thu, 2013-11-07 at 09:57 +0100, Samuel Cabrero wrote:
> Hello all,
> this patch set enables SMB guest access on samba 4 based on the enabled status 
> of the domain guest account, mapping users not found in the SAM to it.

Thanks.  I do apologise for the incredible delay in dealing with this. 

> I have checked with a Windows Server 2008 R2 and the behavior is the same:
> * If the user is not found in the SAM database and the domain guest account is 
> disabled, access is denied.
> * If the user is not found in the SAM database, the domain guest account is 
> enabled and doesn't have a password set, access is allowed.
> * If the user is not found in the SAM database, the domain guest account is 
> enabled and has a password set, the password is checked and access allowed.
> In any case, the user is not authenticated and added to the S-1-5-11 
> (authenticated users) group, even if the guest account has a password set 
> http://technet.microsoft.com/en-us/library/cc780850(v=ws.10).aspx
> I have also added a new test unix.guest. This test checks that guest access is 
> only allowed when the domain guest account is enabled, the guest password is 
> honored and checks the SMB access tokens and LDAP token groups granted by the 
> server, in AD DC and domain member environments.
> The patch set also includes two related changes:
> * The UF_PASSWD_NOTREQD bit was cleared when enabling an account, which differs 
> from the Windows Server 2008 R2 behavior and breaks the guest access. 
> * Print message on success disabling a user (samba-tool user disable)

I'm sorry for the delay dealing with this, as I do have a few issues
with your patch.  

It is critically important that the guest account, when used, does not
become a member of 'authenticated users', so just swapping the 'account'
being authenticated is not the correct approach, but I do understand how
it seems to match what you see in Windows. 

To verify that, please check the 'guest' bit in the SMB setup reply, as
otherwise we can break the security of 'security=server' style

We also need to be very, very careful how this is handled - what is
valid over SMB may not be right over NETLOGON or LDAP, for example. 

We should also not change the meaning of ACB_PWNOREQ back to its
incorrect meaning from passdb.  While in the classic DC and smbd use
case this means 'no password on this account', we understand that in AD
it means 'no password policy is required to apply'.  That is, a ""
password is valid to be stored, but that not returning a password at all
(never stored) isn't the same thing.  This is particularly critical on
the RODC, as we often do not have password attributes for many users. 

I would prefer that we had a method for creating a 'guest' token
(distinct from the anonymous token used for anonymous connections) and
that a layer further up the stack handled that, with switching the user
at the core of the auth stack. That is, something much more like how
'map to guest = bad user' is handled in the source3 code, but perhaps
re-sending the authentication with the new (guest) user set.  We
probably should also have a method where that parameter also
enables/overrides/complements this, for more consistent behaviour while
trying to be a correct AD DC. 

Finally, as this is corporate copyright, please ensure new files are
LGPL licenced and you have sent in the Samba 'DCO' paperwork per


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
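
The reply above asks that a guest logon be recognised from the 'guest' bit in the SMB session setup reply rather than by swapping the account, so that a guest session is never treated as a member of Authenticated Users (S-1-5-11). The following is an added example, not code from this thread or from Samba: it builds a constructed SMB2 SESSION_SETUP response (the wire layout is from MS-SMB2: a 64-byte header followed by a 9-byte response body whose SessionFlags carry SMB2_SESSION_FLAG_IS_GUEST = 0x0001 and SMB2_SESSION_FLAG_IS_NULL = 0x0002), parses it back, and derives from the flags whether the session may count as authenticated. The classification names ("guest", "anonymous", "authenticated") and the helper names are my own.

```python
import struct

# SMB2 header constants (MS-SMB2 2.2.1.2)
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"   # 64 bytes
SMB2_HEADER_LEN = struct.calcsize(SMB2_HEADER_FMT)
SMB2_SESSION_SETUP = 0x0001
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
STATUS_SUCCESS = 0x00000000
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016

# SESSION_SETUP response body (MS-SMB2 2.2.6): StructureSize=9, SessionFlags,
# SecurityBufferOffset, SecurityBufferLength, then the security blob.
SMB2_SESSION_SETUP_RESP_FMT = "<HHHH"
SMB2_SESSION_FLAG_IS_GUEST = 0x0001
SMB2_SESSION_FLAG_IS_NULL = 0x0002
SMB2_SESSION_FLAG_ENCRYPT_DATA = 0x0004


def build_session_setup_response(session_flags, status=STATUS_SUCCESS,
                                 session_id=0x1234, sec_blob=b""):
    """Build a constructed SESSION_SETUP response (sample data, not captured traffic)."""
    header = struct.pack(
        SMB2_HEADER_FMT,
        SMB2_MAGIC, SMB2_HEADER_LEN,
        0,                       # CreditCharge
        status,
        SMB2_SESSION_SETUP,
        1,                       # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,
        0,                       # NextCommand
        1,                       # MessageId
        0,                       # Reserved
        0,                       # TreeId
        session_id,
        b"\x00" * 16,            # Signature (unsigned sample)
    )
    body_len = struct.calcsize(SMB2_SESSION_SETUP_RESP_FMT)
    body = struct.pack(SMB2_SESSION_SETUP_RESP_FMT, 9, session_flags,
                       SMB2_HEADER_LEN + body_len, len(sec_blob))
    return header + body + sec_blob


def parse_session_setup_response(msg):
    """Parse an SMB2 SESSION_SETUP response and return its status, id and session flags."""
    if len(msg) < SMB2_HEADER_LEN + struct.calcsize(SMB2_SESSION_SETUP_RESP_FMT):
        raise ValueError("message too short for a SESSION_SETUP response")
    (magic, hdr_size, _cc, status, command, _cr, flags, _nc, _mid, _res,
     _tid, session_id, _sig) = struct.unpack_from(SMB2_HEADER_FMT, msg, 0)
    if magic != SMB2_MAGIC or hdr_size != SMB2_HEADER_LEN:
        raise ValueError("not an SMB2 header")
    if command != SMB2_SESSION_SETUP:
        raise ValueError("not a SESSION_SETUP message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a server response")
    struct_size, session_flags, sec_off, sec_len = struct.unpack_from(
        SMB2_SESSION_SETUP_RESP_FMT, msg, SMB2_HEADER_LEN)
    if struct_size != 9:
        raise ValueError("unexpected SESSION_SETUP response StructureSize")
    return {
        "status": status,
        "session_id": session_id,
        "guest": bool(session_flags & SMB2_SESSION_FLAG_IS_GUEST),
        "null": bool(session_flags & SMB2_SESSION_FLAG_IS_NULL),
        "encrypt": bool(session_flags & SMB2_SESSION_FLAG_ENCRYPT_DATA),
        "security_blob": msg[sec_off:sec_off + sec_len],
    }


def classify_session(info):
    """Classify a completed session from its flags (hypothetical labels).

    Flags are only meaningful on the final STATUS_SUCCESS response; an
    intermediate STATUS_MORE_PROCESSING_REQUIRED leg is not a logon result.
    """
    if info["status"] == STATUS_MORE_PROCESSING_REQUIRED:
        raise ValueError("session setup not finished; flags are not final yet")
    if info["status"] != STATUS_SUCCESS:
        raise ValueError("session setup failed with status 0x%08x" % info["status"])
    if info["null"]:
        return "anonymous"
    if info["guest"]:
        return "guest"
    return "authenticated"


def counts_as_authenticated_users(info):
    """Only a non-guest, non-anonymous session may be treated as S-1-5-11."""
    return classify_session(info) == "authenticated"
```

Used against a live server, the same parser applied to the final SESSION_SETUP response is a direct check of the point made above: if a logon for an unknown user is mapped to the domain guest account, the response must carry the IS_GUEST flag, and a token built for that session must not include S-1-5-11.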
