[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.

Rowland Penny rpenny at samba.org
Tue Oct 2 17:44:59 UTC 2018


On Tue, 2 Oct 2018 18:39:54 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> 
> > OK, Windows 'Guest' != Unix 'nobody'
> > It might seem if it does, but it doesn't
> 
> Rowland, clearly I know that. But you said:
> 
> > > > Also 'Guest' doesn't
> > > > exist on a Unix domain member, you would have to map it to the
> > > > Unix domain user 'nobody'
> 
> and I'm simply saying that this (seems) not completely true, because
> the Windows 'Guest' user is mapped 'by default' to the UNIX 'nobody' user.

No it isn't, by default 'map to guest' is set to 'never' and this
means the 'guest' user isn't used. You can override this by using
'Bad User' etc instead of the default 'never'. By default Samba
uses the OS 'guest' user, which is usually 'nobody', but this can be
changed by setting 'guest user =' to whatever local Unix user you want.
 
> 
> If I create the user 'idontexistonthedomain' on a local workstation
> and I try to access a share (and supposing DOMINIQUE is the
> workstation...) DOMINIQUE\idontexistonthedomain gets mapped to guest
> and I can access the share. So guest access works.

Then you must have 'map to guest = Bad User' set in [global] and 'guest
ok = yes' set in the share.
What you must remember is that the windows 'Guest' user (or any other
unknown user) is 'mapped' to the Unix 'guest' user, it does not become
the user. The concept of one OS's guest user being able to write
directly to another OS's system is alien, a guest user is only a guest
of one OS. It would be better to not use a guest user at all, you would
be better using a user that has to authenticate.

> 
> 
> > The line removes the domain name and just leaves the username. You
> > can use 'winbind use default domain = yes' in smb.conf if you only
> > have one DOMAIN set, if you set another trusted DOMAIN, you must
> > not use it.
> 
> Perfectly clear. But it still seems a bit strange to me that Samba strips the
> domain also from users like DOMINIQUE\Administrator, where DOMINIQUE
> is a workstation.

You shouldn't be able to connect to a domain member from a workgroup
machine (i.e. a machine that isn't a domain member), unless you are
allowing guest access and this allows ANYBODY access. The only other
way a user on a workgroup member can connect is to create all your
users on the workgroup member with the same passwords and this doesn't
make sense in a domain, you might as well join the workgroup machine
to the domain and save yourself all the hassle of keeping all the users
in sync.

Rowland
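The guest-mapping behaviour discussed in this message (the default 'map to guest = Never', the 'Bad User' override that maps any unknown username to the Unix guest user, and per-share 'guest ok = yes') can be checked mechanically from smb.conf. The script below is an added example, not code from the thread or from the Samba project: it parses an smb.conf, reports the effective guest settings and flags shares that become reachable without a domain credential, which is the "allows ANYBODY access" situation described above. It uses the parameter spellings from smb.conf(5) (`map to guest`, `guest ok`, and `guest account` for the guest Unix user), and both configuration fragments are constructed for the example.

```python
"""Audit an smb.conf for guest (unauthenticated) access exposure.

Added example for the thread above; not Samba project code.  Parameter
names follow smb.conf(5): 'map to guest', 'guest ok', 'guest account'.
"""
import configparser

# Constructed smb.conf fragments (not taken from the thread).
WEAK_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = ADS
    realm = EXAMPLE.COM
    # Unknown usernames (e.g. a workgroup machine's local user) are
    # mapped to the guest account instead of being rejected.
    map to guest = Bad User
    guest account = nobody
    winbind use default domain = yes

[public]
    path = /srv/samba/public
    guest ok = yes
    read only = no

[finance]
    path = /srv/samba/finance
    valid users = @finance
"""

HARDENED_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = ADS
    realm = EXAMPLE.COM
    # Samba's default: failed or unknown logins are rejected, not mapped.
    map to guest = Never
    winbind use default domain = yes

[public]
    path = /srv/samba/public
    valid users = @"domain users"
    read only = no
"""

TRUE_VALUES = {"yes", "true", "1", "on"}   # Samba boolean spellings


def _is_true(value):
    return value.strip().lower() in TRUE_VALUES


def _normalise(value):
    # Samba compares parameter values case-insensitively; collapse spacing too
    return " ".join(value.lower().split())


def parse_smb_conf(text):
    """Parse smb.conf text; repeated keys and %-macros must not break it."""
    parser = configparser.ConfigParser(
        strict=False,          # tolerate a key repeated within a section
        interpolation=None,    # smb.conf uses %U, %H etc. literally
        delimiters=("=",),
    )
    parser.read_string(text)
    return parser


def audit_guest_access(text):
    """Return the effective guest settings plus any exposure findings."""
    conf = parse_smb_conf(text)
    glob = conf["global"] if conf.has_section("global") else {}
    # Defaults as documented by Samba: 'Never' and the OS guest user.
    map_to_guest = _normalise(glob.get("map to guest", "Never"))
    guest_account = glob.get("guest account", "nobody").strip()

    guest_shares = [
        name for name in conf.sections()
        if name != "global" and _is_true(conf[name].get("guest ok", "no"))
    ]

    findings = []
    if map_to_guest != "never":
        findings.append(
            f"map to guest = {map_to_guest}: unknown or failed logins are "
            f"mapped to Unix user '{guest_account}' instead of rejected"
        )
    for name in guest_shares:
        findings.append(
            f"share [{name}] has guest ok = yes: reachable as '{guest_account}' "
            "without a domain credential"
            + (" (and map to guest admits any unknown username)"
               if map_to_guest != "never" else "")
        )

    return {
        "map_to_guest": map_to_guest,
        "guest_account": guest_account,
        "guest_shares": guest_shares,
        # Any unknown user from any machine can reach a share.
        "unauthenticated_exposure": map_to_guest != "never" and bool(guest_shares),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        report = audit_guest_access(text)
        print(f"{label}: exposure={report['unauthenticated_exposure']}")
        for line in report["findings"]:
            print("  -", line)
```

Run it against a real smb.conf by reading the file into `audit_guest_access`; the weak fragment reports the share [public] as reachable by any unknown username, while the hardened fragment, with Samba's default 'map to guest = Never' and an authenticated user list instead of 'guest ok', reports no exposure.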