security and guest account

Martyn Ranyard ranyardm at lineone.net
Mon Jan 28 02:31:06 GMT 2002


I have always seen this, when connecting to SAMBA and NT SBS4.5 (Not sure
about other NT servers).  When a machine joins the domain, it has its own
account, but for some reason in both NT and Samba, this shows up as a blank
username.  This is why NT is unable to connect, IMHO. You probably could do
it if the Samba box was not PDC, but that would cause you more effort.

At 12:02 PM 1/27/02 +0100, Ionel GARDAIS wrote:
>Hi there,
>
>I have a question about samba security and the guest
>account validation.
>
>Here is my configuration : Samba 2.2.2 (from binary),
>RH 7.1 kernel 2.4.2. Clients are NTWS 4 sp 6.
>
>smb.conf shows these lines for guest :
><snip>
>    guest account = nobody
>    map to guest = Bad User
></snip>
>
>
>When running Samba, "smbstatus" shows threads owned by
>nobody and connected to resource IPC$.
>Users from NT can connect to the server with their
>user/pass, creating threads owned by them.
>
>I have a local guest account on NT workstations.
>Logging in using this account on NT allows users to
>connect to a fully shared folder but under the nobody
>account.
>
>In order to disable the connection to the samba server
>using the nobody account, I've set "Guest account" to
>"Bad User" too.
>
>But a problem appears : as soon as I've modified this
>line, NT clients couldn't connect to their account
>even using a valid username/password combination.
>On the other hand, no threads owned by nobody and
>connected to IPC$ showed in "smbstatus".
>
>
>
>Changing back "guest account" to nobody makes the
>server available for client connections.
>Unfortunately, nobody-owned threads are back in the
>smbstatus resource listing.
>
>How to forbid "nobody" access in order not to see
>"nobody connects from computer XXXX [time]" in the
>logs (so users MUST use their username/pass to
>connect) ?
>
>Do I have to add "guest ok = no" to each share ?
>
>
>For my personal information, can someone tell me why
>a nobody-owned thread connected to IPC$ must be
>running for clients to connect to the server ?
>
>
>Thanks for your help,
>ionel
>

Martyn

Life's a bitch, but so am I.
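
The following Python audit is an added example, not part of the original thread or of Samba itself. It parses an smb.conf like the one quoted above and reports the global "map to guest" and "guest account" values together with the shares where "guest ok" (or its synonym "public") is enabled; the share names and paths in the sample are constructed.

```python
import re

TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, inner spaces removed."""
    sections, current = {}, None
    text = re.sub(r"\\\n", "", text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            if key == "public":  # "public" is a synonym for "guest ok"
                key = "guestok"
            sections[current][key] = value.strip()
    return sections

def guest_report(text):
    """Return (map_to_guest, guest_account, [shares with guest ok enabled])."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    def guest_ok(share):
        # A share-level value wins; otherwise [global] supplies the default,
        # and with neither present the built-in default is "no".
        value = share.get("guestok", glob.get("guestok", "no"))
        return value.lower() in TRUE
    shares = sorted(n for n, s in conf.items() if n != "global" and guest_ok(s))
    return (glob.get("maptoguest", "Never"), glob.get("guestaccount", "nobody"), shares)

# Constructed sample configuration (share names and paths are hypothetical)
SAMPLE = """\
[global]
    guest account = nobody
    map to guest = Bad User
[public]
    path = /srv/public
    guest ok = yes
[projects]
    path = /srv/projects
    public = no
"""

if __name__ == "__main__":
    print(guest_report(SAMPLE))
```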