"guest only" documentation incorrect?
Andrew Bartlett
abartlet at pcug.org.au
Sun Aug 12 21:14:58 GMT 2001
Steve Langasek wrote:
>
> Hello,
>
> A bug has been filed with the Debian BTS which I believe represents a
> documentation problem. I'm hoping someone can confirm my understanding.
>
> According to smb.conf(5):
>
> There are a number of ways in which a user can connect to
> a service. The server uses the following steps in determining
> if it will allow a connection to a specified service. If all
> the steps fail, then the connection request
> is rejected. However, if one of the steps succeeds, then
> the following steps are not checked.
>
> If the service is marked "guest only = yes" then steps 1
> to 5 are skipped.
>
> 1. If the client has passed a username/password pair
> and that username/password pair is validated by the
> UNIX system's password programs then the connection
> is made as that username. Note that this includes
> the \\server\service%username method of passing a
> username.
>
> [...]
>
> 6. If the service is a guest service then a connection
> is made as the username given in the "guest account
> =" for the service, irrespective of the supplied
> password.
>
> In practice, it appears that steps one through five are only skipped if the
> client is smbclient (or possibly WFW). Neither Win98 nor NT4 will fall back
> to using a guest connection to the server; they will continue trying to
> connect as an authenticated user, and continue prompting the user for a
> password until they give one that works.
>
> So while it's correct that the *share* will not enforce username&password
> restrictions, and all access to the share will be made as the guest user, it
> appears that the *server* doesn't allow this because at the time of
> session setup it's not possible to distinguish between a connection to a
> guest-only share and a connection to a normal share. Is this accurate?
>
> What is the behavior of a guest-only share when running with share-level
> security? I've only tested with security=user and security=domain. Perhaps
> the current description is accurate for security=share?
Correct, and I'm doing work to make the code (and probably eventually
the related documentation) into some form of sanity.
The new rule for USER level security will be quite simple: you get what
you logged in as, with things like rhosts being moved into the password
check stage for sanity.
Andrew Bartlett
--
Andrew Bartlett
abartlet at pcug.org.au
abartlet at samba.org
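A share configuration illustrating the situation discussed above, added here as an example (it is not from the original message or from the Samba documentation quoted in it). It assumes a Samba release that supports the `map to guest` global parameter, which allows the session setup from a Win98/NT4 client to succeed as the guest account for a username the server does not know, so that a guest-only share becomes reachable instead of the client re-prompting for a password.

```ini
; Constructed example, not taken from the thread.
; Assumes security = user and a Samba release that supports "map to guest".
[global]
   security = user
   ; Without this line, a Win98/NT4 client whose session setup is rejected
   ; keeps prompting for a password and never reaches the guest-only share,
   ; because at session setup time the server cannot tell which share the
   ; client will later connect to.
   ; "Bad User" maps only logins for non-existent usernames to the guest
   ; account; an existing account with a wrong password is still rejected.
   map to guest = Bad User
   guest account = nobody

[public]
   path = /srv/samba/public
   guest ok = yes
   ; All access is made as the guest account, irrespective of the
   ; credentials supplied (step 6 of the smb.conf(5) description).
   guest only = yes
   read only = yes
```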