On Tue, 2002-11-12 at 14:48, John E. Malmberg wrote: > Andrew Bartlett wrote: > > > On Tue, 2002-11-12 at 13:16, John E. Malmberg wrote: > > > >> On a related note, does SAMBA still use the guest account in place > >> of the (unkown) internal user for enumerating shares? > >> > >> An NT client can not browse a SAMBA server with the guest account > >> disabled, but having a guest account enabled is not required on an > >> NT account to do the same thing. > > > > A Samba server must have a guest account, and (now) it must have RID > > 501. I'm not sure the guest account is 'disabled' on NT, it is just > > that the groups it is given membership of changes. IE on NT, the > > restrictanonymous setting can remove 'guest' from domain users, and > > 'everyone'. > > The GUEST account can definitely be disabled on an NT workstation. You > can not access shares through it when it is disabled, yet browsing works.
My point is that they do this by fiddling group membership. The by disabling password access to that account, it is no longer a member of the authenticated users group, or something similar. This then fails certain NT ACL checks. The account certainly still exists, and is used even on NT servers. A *lot* of NT domain operations occur as guest. > You can enable it and then access shares through the guest account. > > SAMBA should work the same way, but does not. This puts a minor > security hole in SAMBA that is not present in Microsoft Windows NT. As far as I know, we have the same defaults as NT. We do not offer shares to guest by default. Taking this further, MS implemented 'restrict anonymous' which removed further groups form the 'guest' account, making even connecting to IPC$ impossible at RestrictAnonymous=2 (I believe). We implement 'restrict anonymous =1' as a smb.conf setting in Samba 3.0. > Microsoft advises that the guest account be disabled if you are > concerned about security, and on NT Servers it is disabled by default. In Samba, access by the guest user is determined per-share, so I'm not sure exactly what you mean here. Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net
signature.asc
Description: This is a digitally signed message part