[Samba] AD DC and the Guest account

[Andrew Bartlett]

On Thu, 2013-07-25 at 17:07 +0200, info at bugblatterbeast.de wrote:
> I'm using samba4.0.1 and it works very well in general. Unfortunately  
> I'm missing something like "map to guest = bad user" and I can't get  
> the Guest account to work. Is there any way to set up some public  
> shares on an AD DC ?
> 
> [global]
>          workgroup = DOMAIN
>          realm = DOMAIN.LOCAL
>          netbios name = HOST
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,  
> drepl, winbind, ntp_signd, kcc, dnsupdate
> 
>          logon path = \\%L\profiles\%U
>          logon home = \\%L\%U\.9xprofile
>          logon drive = U:
> 
>          printcap name = /dev/null
>          load printers = no
>          printing = bsd
> 
>          interfaces = eth0
>          guest ok = yes
>          security = user
>          map to guest = bad user

In general they are a bad idea on the DC, and I can't recall right now
if we just talked about the patch to have it based on enabling the Guest
account in the sam, or did the work.  Certainly when matching windows
(which I would like to do for this, but understand the desire to also
have the smb.conf option work) the correct way is to see if Guest is
enabled.

Otherwise, it is a known issue, so at least don't feel bad about hitting
it.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz