mirror of
https://github.com/samba-team/samba.git
synced 2025-02-10 13:57:47 +03:00
Add support for 'restrict anonymous=2' and make the doco give a slight hint
as to what it now does in 3.0. Needs more work, but better than documenting the old functionality :-). As the security benefits of this are nullified by a setting of 'guest ok' on any share, we might want to put some documentation there too. Andrew Bartlett (This used to be commit ab812ada56b740ac986de8e1f4ca36641ec61c01)
parent abc32ea850
commit a75f1ba9d4
@ -6544,30 +6544,12 @@
<varlistentry>
<term><anchor id="RESTRICTANONYMOUS">restrict anonymous (G)</term>
<listitem><para>This is a boolean parameter. If it is <constant>yes</constant>, then
anonymous access to the server will be restricted, namely in the
case where the server is expecting the client to send a username,
but it doesn't. Setting it to <constant>yes</constant> will force these anonymous
connections to be denied, and the client will be required to always
supply a username and password when connecting. Use of this parameter
is only recommended for homogeneous NT client environments.</para>
<listitem><para>This is a integer parameter, and
mirrors as much as possible the functinality the
<constant>RestrictAnonymous</constant>
registry key does on NT/Win2k.
<para>This parameter makes the use of macro expansions that rely
on the username (%U, %G, etc) consistent. NT 4.0
likes to use anonymous connections when refreshing the share list,
and this is a way to work around that.</para>
<para>When restrict anonymous is <constant>yes</constant>, all anonymous connections
are denied no matter what they are for. This can effect the ability
of a machine to access the Samba Primary Domain Controller to revalidate
its machine account after someone else has logged on the client
interactively. The NT client will display a message saying that
the machine's account in the domain doesn't exist or the password is
bad. The best way to deal with this is to reboot NT client machines
between interactive logons, using "Shutdown and Restart", rather
than "Close all programs and logon as a different user".</para>
<para>Default: <command>restrict anonymous = no</command></para>
<para>Default: <command>restrict anonymous = 0</command></para>
</listitem>
</varlistentry>
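Review bot: the replacement text "This is a integer parameter, and mirrors as much as possible the functinality the RestrictAnonymous registry key does on NT/Win2k" states the new type but never says which values are accepted or what each one does, so a reader cannot tell 1 from 2 or from the default of 0; the loadparm change in this same commit ties value 2 to denying guest connections to IPC$, and the commit message itself notes that 'guest ok' on any share nullifies the benefit, and both facts belong in this entry, e.g. `<para>When set to 2, guest (anonymous) connections to IPC$ are refused.</para>`. That `<para>` also has no closing tag before the next `<para>` opens, and the wording needs "an integer" and "functionality". If the paragraph beginning "When restrict anonymous is <constant>yes</constant>" is kept, it should be reworded for the integer values, since <constant>yes</constant> no longer matches a default of 0.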
@ -3625,7 +3625,9 @@ BOOL lp_load(const char *pszFname, BOOL global_only, BOOL save_defaults,
lp_add_auto_services(lp_auto_services());
if (add_ipc) {
lp_add_ipc("IPC$", True);
/* When 'restrict anonymous = 2' guest connections to ipc$
are denied */
lp_add_ipc("IPC$", (lp_restrict_anonymous() < 2));
lp_add_ipc("ADMIN$", False);
}
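Review bot: the new call `lp_add_ipc("IPC$", (lp_restrict_anonymous() < 2));` denies guest access for every value of 2 or more, while the comment above it and the smb.conf text speak only of 2; either reword the comment to "2 or higher" or have the parameter loader reject values outside 0..2 so the documented mapping onto the NT RestrictAnonymous key holds. The comment "When 'restrict anonymous = 2' guest connections to ipc$ are denied" would also be clearer if it named what the second argument controls, since before this change the call site only shows True for IPC$ and False for ADMIN$. Note as well that the condition is evaluated once, when lp_load() adds the IPC$ share, so a changed 'restrict anonymous' value only takes effect when the configuration is re-read.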