[Samba] Samba 3: "restrict anonymous = 2" breaks domain joining

Andrew Bartlett abartlet at samba.org
Wed Dec 21 06:49:19 GMT 2005


On Tue, 2005-12-20 at 23:46 +0100, Marek Szuba wrote:
> On Sun, 18 Dec 2005 19:18:41 -0800
> Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > Samba3 (due to NT4 protocol limitations) doesn't support being a DC and having > 'restrict anonymous = 2' set.  
> Right, gotta stick with 1 then. Thanks for clearing it up.

Some things might break with restrict anonymous = 1.  Test carefully.

> > It is the other way around.  If you set 'restrict anonymous = 2', then
> > you cannot get to a share as a guest, even with 'guest ok = yes', as the
> > anonymous connection has already been denied.
> Makes sense... Still, the manpage (both in 3.0.14a-Debian and 3.0.20b)
> states the opposite. Let me dig up appropriate quotes:
>  - in "guest ok" entry, line 1732: "this setting nullifies the benefits
> of setting restrict anonymous = 2"
>  - in "restrict anonymous" entry, line 3963: "the security advantage of
> using restrict anonymous = 2 is removed by setting guest ok = yes on
> any share"

I'll ponder.  I remember writing those words...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20051221/4517f07a/attachment.bin


More information about the samba mailing list