[Samba] (retry) 3.0.7: 'map to guest' incomplete behavior

Heath Kehoe hakehoe at avalon.net
Fri Oct 8 16:06:43 GMT 2004


(my first attempt got mangled because of the attachments, so I'm 
reposting)

I have a 3.0.7 server that is part of an active directory domain, and I
have a problem where 'map to guest = Bad User' doesn't do what I expect.

On this system, unix users are a subset of AD users.  Those users who
have accounts on both unix and AD can access the Samba server; but users
who have an AD account but not a unix account cannot.  What I want is
for those users without a unix account to still be able to access the
world-readable shares as 'guest'.

In my smb.conf, I have 'map to guest = Bad User' and
'guest account = guest'.  But even with those settings, we still
get an error in the smb log: "Username DOMAIN\blah is invalid on this
system".

However, if a user specifies a bogus username when setting up the drive
map (i.e., a username that does not exist in AD) then Samba will
proceed to connect that user as 'guest'.  In other words, 'map to guest'
only works if the given username is not in AD.

I modified reply_spnego_kerberos() in smbd/sesssetup.c so that it would
use the guest user if the user is not in the unix password db and
'map to guest' is on.  The patch is available here:
	http://www.avalon.net/~hakehoe/diff2.txt

If the developers have a problem with extending the 'map to guest'
functionality in this way, then I suggest you add a new option
('unix map to guest' or something).

I know that there's a hook to have smbd create user accounts on the
fly, but that is not an acceptable solution in my environment.  I
need to have unknown (but valid) AD accounts map to 'guest'.

- heath
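
The following is an added example, not part of the original post and not Samba code: a small Python script that scans an smbd log for the "is invalid on this system" message quoted above and tallies which domain accounts are being refused for lack of a unix account. The log header layout, timestamps, source line numbers, the account names other than DOMAIN\blah and the function name `rejected_accounts` are assumptions made for the illustration.

```python
import re

# Constructed sample (not a real log): a "[timestamp, level] file:function(line)"
# header followed by an indented message line. All values are invented.
SAMPLE_LOG = r"""
[2004/10/08 10:58:01, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DOMAIN\blah is invalid on this system
[2004/10/08 10:58:40, 1] smbd/service.c:make_connection_snum(619)
  pc17 (10.0.0.17) connect to service public initially as user guest (uid=99, gid=99) (pid 4121)
[2004/10/08 11:02:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DOMAIN\Blah is invalid on this system
[2004/10/08 11:07:55, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DOMAIN\jdoe is invalid on this system
"""

# Header line carrying the timestamp of the message that follows it.
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*\d+\]")
# The rejection message quoted in the post; account names may contain spaces.
INVALID = re.compile(r"Username (?P<account>.+?) is invalid on this system")


def rejected_accounts(log_text):
    """Map each refused account to its hit count and first/last timestamps."""
    hits = {}
    ts = None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            ts = header.group("ts")  # remember it for the indented body line
            continue
        found = INVALID.search(line)
        if not found:
            continue
        # Windows account names are case-insensitive: fold DOMAIN\Blah and
        # DOMAIN\blah into one key so repeat attempts are counted together.
        domain, sep, user = found.group("account").rpartition("\\")
        account = (domain.upper() + "\\" if sep else "") + user.lower()
        entry = hits.setdefault(account, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["last"] = ts
    return hits


if __name__ == "__main__":
    for name, info in rejected_accounts(SAMPLE_LOG).items():
        print(f"{name}: {info['count']} rejection(s), "
              f"first {info['first']}, last {info['last']}")
```

Accounts that show up here authenticated against AD but were refused by smbd, which is the case the post wants mapped to 'guest'.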
