summaryrefslogtreecommitdiff
path: root/docs/docbook/smbdotconf/security/maptoguest.xml
blob: 4f66319928fa04131128526a69d97207cfd6bd50 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
<samba:parameter name="map to guest"
                 context="G"
                 advanced="1" developer="1"
		 xmlns:samba="http://samba.org/common">
<listitem>
    <para>This parameter is only useful in <link linkend="SECURITY">
    security</link> modes other than <parameter moreinfo="none">security = share</parameter> 
    - i.e. <constant>user</constant>, <constant>server</constant>, 
    and <constant>domain</constant>.</para>

    <para>This parameter can take three different values, which tell
    <citerefentry><refentrytitle>smbd</refentrytitle>
    <manvolnum>8</manvolnum></citerefentry> what to do with user 
    login requests that don't match a valid UNIX user in some way.</para>

    <para>The three settings are :</para>

    <itemizedlist>
	<listitem>
	    <para><constant>Never</constant> - Means user login 
	    requests with an invalid password are rejected. This is the 
	    default.</para>
	</listitem>
			
	<listitem>
	    <para><constant>Bad User</constant> - Means user
	    logins with an invalid password are rejected, unless the username 
	    does not exist, in which case it is treated as a guest login and 
	    mapped into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
	    guest account</parameter></link>.</para>
	</listitem>

	<listitem>
	    <para><constant>Bad Password</constant> - Means user logins 
	    with an invalid password are treated as a guest login and mapped 
	    into the <link linkend="GUESTACCOUNT">guest account</link>. Note that 
	    this can cause problems as it means that any user incorrectly typing 
	    their password will be silently logged on as &quot;guest&quot; - and 
	    will not know the reason they cannot access files they think
	    they should - there will have been no message given to them
	    that they got their password wrong. Helpdesk services will
	    <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to 
	    guest</parameter> parameter this way :-).</para>
	</listitem>
    </itemizedlist>

    <para>Note that this parameter is needed to set up &quot;Guest&quot; 
    share services when using <parameter moreinfo="none">security</parameter> modes other than 
    share. This is because in these modes the name of the resource being
    requested is <emphasis>not</emphasis> sent to the server until after 
    the server has successfully authenticated the client so the server 
    cannot make authentication decisions at the correct time (connection 
    to the share) for &quot;Guest&quot; shares.</para>

    <para>For people familiar with the older Samba releases, this 
    parameter maps to the old compile-time setting of the <constant>
    GUEST_SESSSETUP</constant> value in local.h.</para>

    <para>Default: <command moreinfo="none">map to guest = Never</command></para>
    <para>Example: <command moreinfo="none">map to guest = Bad User</command></para>
</listitem>
</samba:parameter>