[Samba] Samba 3: "restrict anonymous = 2" breaks domain joining
abartlet at samba.org
Mon Dec 19 03:18:41 GMT 2005
On Sun, 2005-12-18 at 16:12 +0100, Marek Szuba wrote:
> As it turned out, the setting which made me unable to join the domain
> from the Linux box itself by calling "net -U domadm join DOMAIN" was
> "restrict anonymous = 2". When it is set, executing the command fails
> after a few seconds' delay even though the machine account gets added
> to LDAP; when I change the number to 0 or 1, the command succeeds
> immediately despite still showing the "no results from AD" warning I
> mentioned in my previous message.
The warning is because it is trying an AD style join, which Samba3
doesn't support. Samba3 (due to NT4 protocol limitations) doesn't
support being a DC and having 'restrict anonymous = 2' set.
Even if Samba worked around this (there are ways), I believe a windows
client would not work.
> Considering what I'm trying to do here is talk to a Samba PDC (which
> does support this setting) using Samba's native tool (which, logic
> dictates, should support it too), this is kind of weird - especially
> taking into account that one of my shares is set to "guest ok = yes"
> ATM and that is said to nullify the effect of "restrict anonymous = 2".
It is the other way around. If you set 'restrict anonymous = 2', then
you cannot get to a share as a guest, even with 'guest ok = yes', as the
anonymous connection has already been denied.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20051218/dee20429/attachment.bin
More information about the samba