Andrew Bartlett wrote:
In Samba, access by the guest user is determined per-share, so I'm not sure exactly what you mean here.The NT behavior is that if the guest account is enabled, than if any shares have the "everyone" group associated with them, then the shares can be accessed from any LANMAN client on the network. The security log will log that the guest account was used to access the account.
And the "everyone" group includes anyone on the network, not just the workgroup or the domain.
If you set the disable flag for the guest account, then none of the shares will be accessable unless the user belongs to a group that is otherwise allowed access to the share.
The execption is getting the browse list. This still works even if the guest account is disabled. And the security log does not register this as a guest access.
This has bitten several OpenVMS users as they disable or do not create guest account because they do not plan to allow "everyone" on to access their shares. It has turned out to be one of the causes of the most common problems reported.
Having the SAMBA guest account have different visible functionality than what is the visible behavior of Windows NT is going to be a continuing source of confusion.
It would be better to have a different name for the internal uses that are not directly visible, and have the guest account just be used for guest access. More politically correct and accurate.
There are many sites that have security standards that prohibit a guest account from being enabled.
So while it may be technically correct that the NT "GUEST" account is used for some functions based on observations, the practice is not consistent with what Microsoft has been telling NT Administrators.
-John
[EMAIL PROTECTED]
Personal Opinion Only
