From 8f8a9f01909ba29e2b781310baeeaaddc3f15f0d Mon Sep 17 00:00:00 2001 From: "Gerald W. Carter" Date: Tue, 22 Apr 2008 10:09:40 -0500 Subject: Moving docs tree to docs-xml to make room for generated docs in the release tarball. (This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14) --- docs-xml/smbdotconf/security/maptoguest.xml | 76 +++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 docs-xml/smbdotconf/security/maptoguest.xml (limited to 'docs-xml/smbdotconf/security/maptoguest.xml') diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml new file mode 100644 index 0000000000..0f680ae71c --- /dev/null +++ b/docs-xml/smbdotconf/security/maptoguest.xml @@ -0,0 +1,76 @@ + + + This parameter is only useful in + security modes other than security = share + and security = server + - i.e. user, and domain. + + This parameter can take four different values, which tell + smbd + 8 what to do with user + login requests that don't match a valid UNIX user in some way. + + The four settings are : + + + + Never - Means user login + requests with an invalid password are rejected. This is the + default. + + + + Bad User - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the . + + + + Bad Password - Means user logins + with an invalid password are treated as a guest login and mapped + into the . Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + hate you if you set the map to + guest parameter this way :-). + + + Bad Uid - Is only applicable when Samba is configured + in some type of domain mode security (security = {domain|ads}) and means that + user logins which are successfully authenticated but which have no valid Unix + user account (and smbd is unable to create one) should be mapped to the defined + guest account. This was the default behavior of Samba 2.x releases. Note that + if a member server is running winbindd, this option should never be required + because the nss_winbind library will export the Windows domain users and groups + to the underlying OS via the Name Service Switch interface. + + + + Note that this parameter is needed to set up "Guest" + share services when using security modes other than + share and server. This is because in these modes the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. This parameter is not useful with + security = server as in this security mode + no information is returned about whether a user logon failed due to + a bad username or bad password, the same error is returned from a modern server + in both cases. + + For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the + GUEST_SESSSETUP value in local.h. + + +Never +Bad User + -- cgit