1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/docs-xml/smbdotconf/security/maptoguest.xml
Michael Adam 63e3c75374 docs:smbdotconf: add enumlist property to parameters where missing
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:29 +02:00

63 lines
2.9 KiB
XML

<samba:parameter name="map to guest"
type="enum"
context="G"
enumlist="enum_map_to_guest"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This parameter can take four different values, which tell
<citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> what to do with user
login requests that don't match a valid UNIX user in some way.</para>
<para>The four settings are :</para>
<itemizedlist>
<listitem>
<para><constant>Never</constant> - Means user login
requests with an invalid password are rejected. This is the
default.</para>
</listitem>
<listitem>
<para><constant>Bad User</constant> - Means user
logins with an invalid password are rejected, unless the username
does not exist, in which case it is treated as a guest login and
mapped into the <smbconfoption name="guest account"/>.</para>
</listitem>
<listitem>
<para><constant>Bad Password</constant> - Means user logins
with an invalid password are treated as a guest login and mapped
into the <smbconfoption name="guest account"/>. Note that
this can cause problems as it means that any user incorrectly typing
their password will be silently logged on as &quot;guest&quot; - and
will not know the reason they cannot access files they think
they should - there will have been no message given to them
that they got their password wrong. Helpdesk services will
<emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to
guest</parameter> parameter this way :-).</para>
</listitem>
<listitem>
<para><constant>Bad Uid</constant> - Is only applicable when Samba is configured
in some type of domain mode security (security = {domain|ads}) and means that
user logins which are successfully authenticated but which have no valid Unix
user account (and smbd is unable to create one) should be mapped to the defined
guest account. This was the default behavior of Samba 2.x releases. Note that
if a member server is running winbindd, this option should never be required
because the nss_winbind library will export the Windows domain users and groups
to the underlying OS via the Name Service Switch interface.</para>
</listitem>
</itemizedlist>
<para>Note that this parameter is needed to set up &quot;Guest&quot;
share services. This is because in these modes the name of the resource being
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client so the server
cannot make authentication decisions at the correct time (connection
to the share) for &quot;Guest&quot; shares. </para>
</description>
<value type="default">Never</value>
<value type="example">Bad User</value>
</samba:parameter>