[Samba] Samba 3: "restrict anonymous = 2" breaks domain joining

Andrew Bartlett abartlet at samba.org
Thu Dec 22 18:53:46 GMT 2005


On Wed, 2005-12-21 at 17:49 +1100, Andrew Bartlett wrote:
> On Tue, 2005-12-20 at 23:46 +0100, Marek Szuba wrote:
> > On Sun, 18 Dec 2005 19:18:41 -0800
> > Andrew Bartlett <abartlet at samba.org> wrote:
> > 
> > > Samba3 (due to NT4 protocol limitations) doesn't support being a DC and having 'restrict anonymous = 2' set.
> > Right, gotta stick with 1 then. Thanks for clearing it up.
> 
> Some things might break with restrict anonymous = 1.  Test carefully.
> 
> > > It is the other way around.  If you set 'restrict anonymous = 2', then
> > > you cannot get to a share as a guest, even with 'guest ok = yes', as the
> > > anonymous connection has already been denied.
> > Makes sense... Still, the manpage (both in 3.0.14a-Debian and 3.0.20b)
> > states the opposite. Let me dig up appropriate quotes:
> >  - in "guest ok" entry, line 1732: "this setting nullifies the benefits
> > of setting restrict anonymous = 2"
> >  - in "restrict anonymous" entry, line 3963: "the security advantage of
> > using restrict anonymous = 2 is removed by setting guest ok = yes on
> > any share"
> 
> I'll ponder.  I remember writing those words...

I got confused which way around the tests were performed.  The manpage
is correct, it is done at share connect time.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
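
An added example, not part of the original message or of Samba: a Python check that reads an smb.conf and reports the two combinations discussed in this thread, 'restrict anonymous = 2' on a domain controller and 'restrict anonymous = 2' alongside shares with 'guest ok = yes'. Treating 'domain logons = yes' as the sign of a DC is an assumption of this example, the sample configuration is constructed, and backslash line continuations are not handled.

```python
import re

TRUE = {"yes", "true", "1"}          # boolean spellings listed in smb.conf(5)
SYNONYMS = {"public": "guestok"}     # 'public' is a synonym for 'guest ok'

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, whitespace dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()  # 'Guest OK' -> 'guestok'
            conf[section][SYNONYMS.get(key, key)] = value.strip().lower()
    return conf

def audit(text):
    """Return (kind, section) findings for the interactions in the thread."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("restrictanonymous", "0") != "2":
        return findings                          # nothing to check at 0 or 1
    if glob.get("domainlogons") in TRUE:         # assumption: marks a Samba 3 DC
        findings.append(("dc", "global"))
    default_guest = glob.get("guestok", "no")    # [global] value is the share default
    for name, params in conf.items():
        if name != "global" and params.get("guestok", default_guest) in TRUE:
            findings.append(("guest", name))
    return findings

# Constructed sample configuration
SAMPLE = """\
[global]
   restrict anonymous = 2
   domain logons = yes
[pub]
   Guest OK = Yes
[private]
   path = /srv/private
[old]
   public = true
"""

if __name__ == "__main__":
    for kind, where in audit(SAMPLE):
        print(kind, where)
```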