
SMB Guest access

This was a message on OmniOS-discuss in April 2016,
subject: cifs anonymous troubles
https://lists.omniti.com/pipermail/omnios-discuss/2016-April/006733.html

There were several bugs fixed as part of the "extended security" work:
1122 smbsrv should use SPNEGO (inbound authentication)

One of those was that we used to give a client a "guest" logon
if they tried to logon to SMB with _any_ unrecognized account.
No, that was never a good idea. Not only was it questionable
for security, but it confused issues about failed logon.  Example:
Windows user does NOT get the expected pop-up dialog asking
for new credentials when they try to connect to a share using
an invalid user name.  Instead, they would get connected,
but would fail to have access to anything in the share.

So with that bug fixed, one can logon as "guest" only if:
(1) you actually ask for guest in your logon request,
(2) a local Unix account named "guest" exists, and
(3) the guest account is enabled for SMB

Therefore, if you were using guest access before 1122 was fixed,
(and were depending on accidental guest access working),
you'll need to do the following to re-enable guest access:

    useradd [options] guest
    smbadm enable-user guest

The guest account password is ignored by SMB, so
all that matters to SMB is whether that account is
marked as enabled in /var/smb/smbpasswd

To keep Unix users from using guest for login, you can
set the Unix password hash to something invalid, etc.

Here's what the guest account looks like (by default) on NexentaStor:

    root@ns5:/export/home/admin# grep guest /etc/passwd /etc/shadow /var/smb/smbpasswd
    /etc/passwd:guest:x:101:1::/export/home/guest:/usr/bin/false
    /etc/shadow:guest:*LK*:::::::
    /var/smb/smbpasswd:guest:101:*DIS*:*DIS*
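
An added example, not part of the original message: a read-only check of the three files shown above that reports whether conditions (2) and (3) hold and whether the Unix password is locked. The function names and state strings are made up here, and reading `*DIS*` in `/var/smb/smbpasswd` as "disabled" is an assumption based on the sample output.

```shell
#!/bin/sh
# Added example: audit the "guest" account used for SMB guest logon.
# File paths are parameters so the check can also be run against copies.

# Print field N of the "guest" entry in a colon-separated FILE (empty if none).
guest_field() {   # args: file field-number
    if [ -r "$1" ]; then
        grep '^guest:' "$1" | head -n 1 | cut -d: -f"$2"
    fi
}

# Conditions (2) and (3): a local Unix account named "guest" exists and
# the account is enabled for SMB.
# Assumption: "*DIS*" in a hash field of smbpasswd marks a disabled entry.
guest_smb_state() {   # args: passwd-file smbpasswd-file
    if [ -z "$(guest_field "$1" 1)" ]; then
        echo no-unix-account
    elif [ -z "$(guest_field "$2" 1)" ]; then
        echo no-smb-entry
    else
        case "$(guest_field "$2" 3):$(guest_field "$2" 4)" in
            *'*DIS*'*) echo smb-disabled ;;
            *)         echo smb-enabled ;;
        esac
    fi
}

# Unix password login: "locked" when the shadow hash starts with "*LK*".
guest_unix_login() {  # args: shadow-file
    if [ -z "$(guest_field "$1" 1)" ]; then
        echo unknown              # no entry, or file not readable
    else
        case "$(guest_field "$1" 2)" in
            '*LK*'*) echo locked ;;
            *)       echo unlocked ;;
        esac
    fi
}

# Defaults are the live files; pass three paths to audit copies instead.
echo "SMB guest:  $(guest_smb_state "${1:-/etc/passwd}" "${3:-/var/smb/smbpasswd}")"
echo "Unix login: $(guest_unix_login "${2:-/etc/shadow}")"
```

A result of `smb-enabled` together with `unlocked` means the account accepts SMB guest logons and may also be usable for Unix login, which is the combination the message suggests avoiding.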

 

  1. Jan 04, 2017

    May also need to set up an idmap rule, i.e.:

    idmap add winname:Guest unixuser:guest