How to hide shares for users that have no rights

Bruce bruce at
Thu Oct 26 06:39:36 GMT 2000

Hi there,
I think we came across the same thing but I didn't know about the
restrict anonymous option.
For us, we configured %u (lowercase) for our Win98/ME users and for
the very few Windows NT users (all servers) fixed IP adresses (%I)
include /.../%u for the user names and
include /.../%I/sharename/fred or whatever username

This restricts access to a specific user on a specific WinNT IP address
while allowing them to access everything normally
from other Win98 systems under their same users code %u or fred!!

That way we catered for BOTH winNT/Win2000Server and Win98/ME users
in a strictly controlled way. No borrowing of usernames possible on the NT

Must try restrict anonymous...


>> > Consider using something like
>> >
>> > include = /path/smb.conf.%U
>> > include = /path/smb.conf.%G
>> >
>> > and in /path/smb.conf.UserA put shares for UserA only
>> > ...
>> > and in /path/smb.conf.GroupA put shares for GroupA only
>> > ...
>> I am not sure that will work.  At the time the config file is read those
>two meta
>> vars are not set.  I may be wrong but that is what I understood.
>Actually %U works and we use it here all the time. (note that this is the
>uppercase %U, not the lowercase one).
>There is however a problem with NT based clients because they tend to
>request the list of shares without authenticating themselves. The fix if you
>have NT machines it to use the "restrict anonymous" option in your smb.conf
>file. However you will break the Win9x clients because of the way they send
>the authentication info... Basically if you have a mixed environment (9x/NT)
>you are out of luck.
>I have writen a patch to samba that partly solves that issue by adding more
>options for the "restrict anonymous" option. With this patch, you can set it
>- no (the default)
>- all / yes (same as today)
>- NT (only NT workstations are required to authenticate themselves)
>The patch is against samba 2.0.7
>Good luck.
>Content-Type: application/octet-stream;
>	name="restrict.patch"
>Content-Disposition: attachment;
>	filename="restrict.patch"
>Attachment converted: Tuscan Adventure:restrict.patch (????/----) (000D4C1E)

More information about the samba mailing list