blob: 0f680ae71c4561b800975fe2f0da1dc98865c0c0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
<samba:parameter name="map to guest"
type="enum"
context="G"
advanced="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This parameter is only useful in <smbconfoption name="SECURITY">
security</smbconfoption> modes other than <parameter moreinfo="none">security = share</parameter>
and <parameter moreinfo="none">security = server</parameter>
- i.e. <constant>user</constant>, and <constant>domain</constant>.</para>
<para>This parameter can take four different values, which tell
<citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> what to do with user
login requests that don't match a valid UNIX user in some way.</para>
<para>The four settings are :</para>
<itemizedlist>
<listitem>
<para><constant>Never</constant> - Means user login
requests with an invalid password are rejected. This is the
default.</para>
</listitem>
<listitem>
<para><constant>Bad User</constant> - Means user
logins with an invalid password are rejected, unless the username
does not exist, in which case it is treated as a guest login and
mapped into the <smbconfoption name="guest account"/>.</para>
</listitem>
<listitem>
<para><constant>Bad Password</constant> - Means user logins
with an invalid password are treated as a guest login and mapped
into the <smbconfoption name="guest account"/>. Note that
this can cause problems as it means that any user incorrectly typing
their password will be silently logged on as "guest" - and
will not know the reason they cannot access files they think
they should - there will have been no message given to them
that they got their password wrong. Helpdesk services will
<emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to
guest</parameter> parameter this way :-).</para>
</listitem>
<listitem>
<para><constant>Bad Uid</constant> - Is only applicable when Samba is configured
in some type of domain mode security (security = {domain|ads}) and means that
user logins which are successfully authenticated but which have no valid Unix
user account (and smbd is unable to create one) should be mapped to the defined
guest account. This was the default behavior of Samba 2.x releases. Note that
if a member server is running winbindd, this option should never be required
because the nss_winbind library will export the Windows domain users and groups
to the underlying OS via the Name Service Switch interface.</para>
</listitem>
</itemizedlist>
<para>Note that this parameter is needed to set up "Guest"
share services when using <parameter moreinfo="none">security</parameter> modes other than
share and server. This is because in these modes the name of the resource being
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client so the server
cannot make authentication decisions at the correct time (connection
to the share) for "Guest" shares. This parameter is not useful with
<parameter moreinfo="none">security = server</parameter> as in this security mode
no information is returned about whether a user logon failed due to
a bad username or bad password, the same error is returned from a modern server
in both cases.</para>
<para>For people familiar with the older Samba releases, this
parameter maps to the old compile-time setting of the <constant>
GUEST_SESSSETUP</constant> value in local.h.</para>
</description>
<value type="default">Never</value>
<value type="example">Bad User</value>
</samba:parameter>
|
