[Samba] Samba 3: "restrict anonymous = 2" breaks domain joining

Marek Szuba scriptkiddie at wp.pl
Tue Dec 20 22:46:10 GMT 2005

On Sun, 18 Dec 2005 19:18:41 -0800
Andrew Bartlett <abartlet at samba.org> wrote:

> Samba3 (due to NT4 protocol limitations) doesn't support being a DC and having > 'restrict anonymous = 2' set.  
Right, gotta stick with 1 then. Thanks for clearing it up.

> It is the other way around.  If you set 'restrict anonymous = 2', then
> you cannot get to a share as a guest, even with 'guest ok = yes', as the
> anonymous connection has already been denied.
Makes sense... Still, the manpage (both in 3.0.14a-Debian and 3.0.20b)
states the opposite. Let me dig up appropriate quotes:
 - in "guest ok" entry, line 1732: "this setting nullifies the benefits
of setting restrict anonymous = 2"
 - in "restrict anonymous" entry, line 3963: "the security advantage of
using restrict anonymous = 2 is removed by setting guest ok = yes on
any share"


More information about the samba mailing list