| blob | 0f680ae71c4561b800975fe2f0da1dc98865c0c0 |
1 <samba:parameter name="map to guest"
2 type="enum"
3 context="G"
4 advanced="1" developer="1"
5 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
6 <description>
7 <para>This parameter is only useful in <smbconfoption name="SECURITY">
8 security</smbconfoption> modes other than <parameter moreinfo="none">security = share</parameter>
9 and <parameter moreinfo="none">security = server</parameter>
10 - i.e. <constant>user</constant>, and <constant>domain</constant>.</para>
12 <para>This parameter can take four different values, which tell
13 <citerefentry><refentrytitle>smbd</refentrytitle>
14 <manvolnum>8</manvolnum></citerefentry> what to do with user
15 login requests that don't match a valid UNIX user in some way.</para>
17 <para>The four settings are :</para>
19 <itemizedlist>
20 <listitem>
21 <para><constant>Never</constant> - Means user login
22 requests with an invalid password are rejected. This is the
23 default.</para>
24 </listitem>
26 <listitem>
27 <para><constant>Bad User</constant> - Means user
28 logins with an invalid password are rejected, unless the username
29 does not exist, in which case it is treated as a guest login and
30 mapped into the <smbconfoption name="guest account"/>.</para>
31 </listitem>
33 <listitem>
34 <para><constant>Bad Password</constant> - Means user logins
35 with an invalid password are treated as a guest login and mapped
36 into the <smbconfoption name="guest account"/>. Note that
37 this can cause problems as it means that any user incorrectly typing
38 their password will be silently logged on as "guest" - and
39 will not know the reason they cannot access files they think
40 they should - there will have been no message given to them
41 that they got their password wrong. Helpdesk services will
42 <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to
43 guest</parameter> parameter this way :-).</para>
44 </listitem>
45 <listitem>
46 <para><constant>Bad Uid</constant> - Is only applicable when Samba is configured
47 in some type of domain mode security (security = {domain|ads}) and means that
48 user logins which are successfully authenticated but which have no valid Unix
49 user account (and smbd is unable to create one) should be mapped to the defined
50 guest account. This was the default behavior of Samba 2.x releases. Note that
51 if a member server is running winbindd, this option should never be required
52 because the nss_winbind library will export the Windows domain users and groups
53 to the underlying OS via the Name Service Switch interface.</para>
54 </listitem>
55 </itemizedlist>
57 <para>Note that this parameter is needed to set up "Guest"
58 share services when using <parameter moreinfo="none">security</parameter> modes other than
59 share and server. This is because in these modes the name of the resource being
60 requested is <emphasis>not</emphasis> sent to the server until after
61 the server has successfully authenticated the client so the server
62 cannot make authentication decisions at the correct time (connection
63 to the share) for "Guest" shares. This parameter is not useful with
64 <parameter moreinfo="none">security = server</parameter> as in this security mode
65 no information is returned about whether a user logon failed due to
66 a bad username or bad password, the same error is returned from a modern server
67 in both cases.</para>
69 <para>For people familiar with the older Samba releases, this
70 parameter maps to the old compile-time setting of the <constant>
71 GUEST_SESSSETUP</constant> value in local.h.</para>
72 </description>
74 <value type="default">Never</value>
75 <value type="example">Bad User</value>
76 </samba:parameter>