ldap_nua requires guest exist and have rid 501?

Andrew Bartlett abartlet at samba.org
Tue Nov 12 04:34:00 GMT 2002 

On Tue, 2002-11-12 at 14:48, John E. Malmberg wrote:
> Andrew Bartlett wrote:
> 
> > On Tue, 2002-11-12 at 13:16, John E. Malmberg wrote:
> >  
> >> On a related note, does SAMBA still use the guest account in place 
> >> of the (unkown) internal user for enumerating shares?
> >> 
> >> An NT client can not browse a SAMBA server with the guest account 
> >> disabled, but having a guest account enabled is not required on an 
> >> NT account to do the same thing.
> > 
> > A Samba server must have a guest account, and (now) it must have RID
> >  501.  I'm not sure the guest account is 'disabled' on NT, it is just
> >  that the groups it is given membership of changes.  IE on NT, the 
> > restrictanonymous setting can remove 'guest' from domain users, and 
> > 'everyone'.
> 
> The GUEST account can definitely be disabled on an NT workstation.  You 
> can not access shares through it when it is disabled, yet browsing works.

My point is that they do this by fiddling group membership.  The by
disabling password access to that account, it is no longer a member of
the authenticated users group, or something similar.  This then fails
certain NT ACL checks.  The account certainly still exists, and is used
even on NT servers.  A *lot* of NT domain operations occur as guest.

> You can enable it and then access shares through the guest account.
> 
> SAMBA should work the same way, but does not.  This puts a minor 
> security hole in SAMBA that is not present in Microsoft Windows NT.

As far as I know, we have the same defaults as NT.  We do not offer
shares to guest by default.  

Taking this further, MS implemented 'restrict anonymous' which removed
further groups form the 'guest' account, making even connecting to IPC$
impossible at RestrictAnonymous=2 (I believe).   We implement 'restrict
anonymous =1' as a smb.conf setting in Samba 3.0.

> Microsoft advises that the guest account be disabled if you are 
> concerned about security, and on NT Servers it is disabled by default.

In Samba, access by the guest user is determined per-share, so I'm not
sure exactly what you mean here.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20021112/db9f30c3/attachment.bin

More information about the samba-technical mailing list