mirror of https://github.com/samba-team/samba.git synced 2025-02-10 13:57:47 +03:00

Add support for 'restrict anonymous=2' and make the doco give a slight hint

as to what it now does in 3.0.  Needs more work, but better than documenting
the old functionality :-).

As the security benefits of this are nullified by a setting of 'guest ok' on
any share, we might want to put some documentation there too.

Andrew Bartlett
(This used to be commit ab812ada56b740ac986de8e1f4ca36641ec61c01)
Andrew Bartlett 2002-11-22 02:40:21 +00:00
parent abc32ea850
commit a75f1ba9d4
2 changed files with 8 additions and 24 deletions


@ -6544,30 +6544,12 @@
<varlistentry>
<term><anchor id="RESTRICTANONYMOUS">restrict anonymous (G)</term>
<listitem><para>This is a boolean parameter. If it is <constant>yes</constant>, then
anonymous access to the server will be restricted, namely in the
case where the server is expecting the client to send a username,
but it doesn't. Setting it to <constant>yes</constant> will force these anonymous
connections to be denied, and the client will be required to always
supply a username and password when connecting. Use of this parameter
is only recommended for homogeneous NT client environments.</para>
<listitem><para>This is a integer parameter, and
mirrors as much as possible the functinality the
<constant>RestrictAnonymous</constant>
registry key does on NT/Win2k.
<para>This parameter makes the use of macro expansions that rely
on the username (%U, %G, etc) consistent. NT 4.0
likes to use anonymous connections when refreshing the share list,
and this is a way to work around that.</para>
<para>When restrict anonymous is <constant>yes</constant>, all anonymous connections
are denied no matter what they are for. This can effect the ability
of a machine to access the Samba Primary Domain Controller to revalidate
its machine account after someone else has logged on the client
interactively. The NT client will display a message saying that
the machine's account in the domain doesn't exist or the password is
bad. The best way to deal with this is to reboot NT client machines
between interactive logons, using "Shutdown and Restart", rather
than "Close all programs and logon as a different user".</para>
<para>Default: <command>restrict anonymous = no</command></para>
<para>Default: <command>restrict anonymous = 0</command></para>
</listitem>
</varlistentry>
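
Review bot: the new description ("This is a integer parameter, and mirrors as much as possible ... the RestrictAnonymous registry key does on NT/Win2k") never says what each value does, so an administrator cannot tell what 0, 1 or 2 means on Samba without already knowing the NT registry key. Please list the accepted values and their effect, at minimum that 2 denies guest connections to IPC$, and note here that 'guest ok' on any share undoes the restriction, as the commit message points out. The text removed in this hunk also warned about machine account revalidation failing when anonymous connections are denied; if that still applies at the higher settings it should stay in some form. Smaller points: "a integer" should be "an integer", "functinality" is misspelled, and as far as the lines shown go the new `<para>` is not closed before `<para>Default:`.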


@ -3625,7 +3625,9 @@ BOOL lp_load(const char *pszFname, BOOL global_only, BOOL save_defaults,
lp_add_auto_services(lp_auto_services());
if (add_ipc) {
lp_add_ipc("IPC$", True);
/* When 'restrict anonymous = 2' guest connections to ipc$
are denied */
lp_add_ipc("IPC$", (lp_restrict_anonymous() < 2));
lp_add_ipc("ADMIN$", False);
}
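
Review bot: in `lp_add_ipc("IPC$", (lp_restrict_anonymous() < 2));` the threshold is a bare 2 and the comparison accepts any integer, so every value of 2 or above turns guest access to IPC$ off and every negative value leaves it on, with no range check visible here. A named constant for the level, or a validated range for the parameter, would make the intended behaviour explicit and keep it in step with the documentation. The flag is also computed inside lp_load under `if (add_ipc)`, so it is worth confirming that changing 'restrict anonymous' and reloading the configuration passes through this path again; otherwise IPC$ keeps the guest setting it was created with.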