diff options
author | Andrew Bartlett <abartlet@samba.org> | 2002-11-22 02:40:21 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2002-11-22 02:40:21 +0000 |
commit | a75f1ba9d4b314f793bf7877f329dc420546c4b0 (patch) | |
tree | 56878021361ee5b9e3e282d0aacaab64fef05b2e | |
parent | abc32ea8506c4d586ef383c7f562ed12f7932ffd (diff) | |
download | samba-a75f1ba9d4b314f793bf7877f329dc420546c4b0.tar.gz samba-a75f1ba9d4b314f793bf7877f329dc420546c4b0.tar.bz2 samba-a75f1ba9d4b314f793bf7877f329dc420546c4b0.zip |
Add support for 'restrict anonymous=2' and make the doco give a slight hint
as to what it now does in 3.0. Needs more work, but better than documenting
the old functionality :-).
As the security benifits of this are nullified by a setting of 'guest ok' on
any share, we might want to put some documentation there too.
Andrew Bartlett
(This used to be commit ab812ada56b740ac986de8e1f4ca36641ec61c01)
-rw-r--r-- | docs/docbook/manpages/smb.conf.5.sgml | 30 | ||||
-rw-r--r-- | source3/param/loadparm.c | 4 |
2 files changed, 9 insertions, 25 deletions
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index 8452e97329..6ed870ed3e 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -6544,30 +6544,12 @@ <varlistentry> <term><anchor id="RESTRICTANONYMOUS">restrict anonymous (G)</term> - <listitem><para>This is a boolean parameter. If it is <constant>yes</constant>, then - anonymous access to the server will be restricted, namely in the - case where the server is expecting the client to send a username, - but it doesn't. Setting it to <constant>yes</constant> will force these anonymous - connections to be denied, and the client will be required to always - supply a username and password when connecting. Use of this parameter - is only recommended for homogeneous NT client environments.</para> - - <para>This parameter makes the use of macro expansions that rely - on the username (%U, %G, etc) consistent. NT 4.0 - likes to use anonymous connections when refreshing the share list, - and this is a way to work around that.</para> - - <para>When restrict anonymous is <constant>yes</constant>, all anonymous connections - are denied no matter what they are for. This can effect the ability - of a machine to access the Samba Primary Domain Controller to revalidate - its machine account after someone else has logged on the client - interactively. The NT client will display a message saying that - the machine's account in the domain doesn't exist or the password is - bad. The best way to deal with this is to reboot NT client machines - between interactive logons, using "Shutdown and Restart", rather - than "Close all programs and logon as a different user".</para> - - <para>Default: <command>restrict anonymous = no</command></para> + <listitem><para>This is a integer parameter, and + mirrors as much as possible the functinality the + <constant>RestrictAnonymous</constant> + registry key does on NT/Win2k. + + <para>Default: <command>restrict anonymous = 0</command></para> </listitem> </varlistentry> diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index ff2fe48b60..454519aecb 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -3625,7 +3625,9 @@ BOOL lp_load(const char *pszFname, BOOL global_only, BOOL save_defaults, lp_add_auto_services(lp_auto_services()); if (add_ipc) { - lp_add_ipc("IPC$", True); + /* When 'restrict anonymous = 2' guest connections to ipc$ + are denied */ + lp_add_ipc("IPC$", (lp_restrict_anonymous() < 2)); lp_add_ipc("ADMIN$", False); } |