[Samba] Samba 3: "restrict anonymous = 2" breaks domain joining

Andrew Bartlett abartlet at samba.org
Mon Dec 19 03:18:41 GMT 2005

On Sun, 2005-12-18 at 16:12 +0100, Marek Szuba wrote:
> Hello,

> As it turned out, the setting which made me unable to join the domain
> from the Linux box itself by calling "net -U domadm join DOMAIN" was
> "restrict anonymous = 2". When it is set, executing the command fails
> after a few seconds' delay even though the machine account gets added
> to LDAP; when I change the number to 0 or 1, the command succeeds
> immediately despite still showing the "no results from AD" warning I
> mentioned in my previous message.

The warning is because it is trying an AD style join, which Samba3
doesn't support.  Samba3 (due to NT4 protocol limitations) doesn't
support being a DC and having 'restrict anonymous = 2' set.  

Even if Samba worked around this (there are ways), I believe a windows
client would not work.

> Considering what I'm trying to do here is talk to a Samba PDC (which
> does support this setting) using Samba's native tool (which, logic
> dictates, should support it too), this is kind of weird - especially
> taking into account that one of my shares is set to "guest ok = yes"
> ATM and that is said to nullify the effect of "restrict anonymous = 2".

It is the other way around.  If you set 'restrict anonymous = 2', then
you cannot get to a share as a guest, even with 'guest ok = yes', as the
anonymous connection has already been denied.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20051218/dee20429/attachment.bin

More information about the samba mailing list