diff options
Diffstat (limited to 'docs-xml/smbdotconf/security/maptoguest.xml')
-rw-r--r-- | docs-xml/smbdotconf/security/maptoguest.xml | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml new file mode 100644 index 0000000000..0f680ae71c --- /dev/null +++ b/docs-xml/smbdotconf/security/maptoguest.xml @@ -0,0 +1,76 @@ +<samba:parameter name="map to guest" + type="enum" + context="G" + advanced="1" developer="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter is only useful in <smbconfoption name="SECURITY"> + security</smbconfoption> modes other than <parameter moreinfo="none">security = share</parameter> + and <parameter moreinfo="none">security = server</parameter> + - i.e. <constant>user</constant>, and <constant>domain</constant>.</para> + + <para>This parameter can take four different values, which tell + <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> what to do with user + login requests that don't match a valid UNIX user in some way.</para> + + <para>The four settings are :</para> + + <itemizedlist> + <listitem> + <para><constant>Never</constant> - Means user login + requests with an invalid password are rejected. This is the + default.</para> + </listitem> + + <listitem> + <para><constant>Bad User</constant> - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the <smbconfoption name="guest account"/>.</para> + </listitem> + + <listitem> + <para><constant>Bad Password</constant> - Means user logins + with an invalid password are treated as a guest login and mapped + into the <smbconfoption name="guest account"/>. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to + guest</parameter> parameter this way :-).</para> + </listitem> + <listitem> + <para><constant>Bad Uid</constant> - Is only applicable when Samba is configured + in some type of domain mode security (security = {domain|ads}) and means that + user logins which are successfully authenticated but which have no valid Unix + user account (and smbd is unable to create one) should be mapped to the defined + guest account. This was the default behavior of Samba 2.x releases. Note that + if a member server is running winbindd, this option should never be required + because the nss_winbind library will export the Windows domain users and groups + to the underlying OS via the Name Service Switch interface.</para> + </listitem> + </itemizedlist> + + <para>Note that this parameter is needed to set up "Guest" + share services when using <parameter moreinfo="none">security</parameter> modes other than + share and server. This is because in these modes the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. This parameter is not useful with + <parameter moreinfo="none">security = server</parameter> as in this security mode + no information is returned about whether a user logon failed due to + a bad username or bad password, the same error is returned from a modern server + in both cases.</para> + + <para>For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the <constant> + GUEST_SESSSETUP</constant> value in local.h.</para> +</description> + +<value type="default">Never</value> +<value type="example">Bad User</value> +</samba:parameter> |