summaryrefslogtreecommitdiff
path: root/docs/smbdotconf/security/maptoguest.xml
blob: 2dc6605b396709650352b654ee8ad28e31382d85 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
<samba:parameter name="map to guest"
				 type="enum"
                 context="G"
                 advanced="1" developer="1"
		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
    <para>This parameter is only useful in <smbconfoption name="SECURITY">
    security</smbconfoption> modes other than <parameter moreinfo="none">security = share</parameter> 
    - i.e. <constant>user</constant>, <constant>server</constant>, 
    and <constant>domain</constant>.</para>

    <para>This parameter can take four different values, which tell
    <citerefentry><refentrytitle>smbd</refentrytitle>
    <manvolnum>8</manvolnum></citerefentry> what to do with user 
    login requests that don't match a valid UNIX user in some way.</para>

    <para>The four settings are :</para>

    <itemizedlist>
	<listitem>
	    <para><constant>Never</constant> - Means user login 
	    requests with an invalid password are rejected. This is the 
	    default.</para>
	</listitem>
			
	<listitem>
	    <para><constant>Bad User</constant> - Means user
	    logins with an invalid password are rejected, unless the username 
	    does not exist, in which case it is treated as a guest login and 
	    mapped into the <smbconfoption name="guest account"/>.</para>
	</listitem>

	<listitem>
	    <para><constant>Bad Password</constant> - Means user logins 
	    with an invalid password are treated as a guest login and mapped 
	    into the <smbconfoption name="guest account"/>. Note that 
	    this can cause problems as it means that any user incorrectly typing 
	    their password will be silently logged on as &quot;guest&quot; - and 
	    will not know the reason they cannot access files they think
	    they should - there will have been no message given to them
	    that they got their password wrong. Helpdesk services will
	    <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to 
	    guest</parameter> parameter this way :-).</para>
	</listitem>
	<listitem>
	    <para><constant>Bad Uid</constant> - Is only applicable when Samba is configured
	    in some type of domain mode security (security = {domain|ads}) and means that
	    user logins which are successfully authenticated but which have no valid Unix
	    user account (and smbd is unable to create one) should be mapped to the defined
	    guest account. This was the default behavior of Samba 2.x releases.  Note that 
	    if a member server is running winbindd,  this option should never be required
	    because the nss_winbind library will export the Windows domain users and groups
	    to the underlying OS via the Name Service Switch interface.</para>
	</listitem>
    </itemizedlist>

    <para>Note that this parameter is needed to set up &quot;Guest&quot; 
    share services when using <parameter moreinfo="none">security</parameter> modes other than 
    share. This is because in these modes the name of the resource being
    requested is <emphasis>not</emphasis> sent to the server until after 
    the server has successfully authenticated the client so the server 
    cannot make authentication decisions at the correct time (connection 
    to the share) for &quot;Guest&quot; shares.</para>

    <para>For people familiar with the older Samba releases, this 
    parameter maps to the old compile-time setting of the <constant>
		GUEST_SESSSETUP</constant> value in local.h.</para>
</description>

<value type="default">Never</value>
<value type="example">Bad User</value>
</samba:parameter>