[OmniOS-discuss] cifs anonymous troubles

Gordon Ross gordon.w.ross at gmail.com
Sun Apr 17 15:38:54 UTC 2016 

Hi Dan,

I can take a guess what this might be about.

There were several bugs fixed as part of the "extended security" work:
1122 smbsrv should use SPNEGO (inbound authentication)

One of those was that we used to give a client a "guest" logon
if they tried to logon to SMB with _any_ unrecognized account.
No, that was never a good idea. Not only was it questionable
for security, but it confused issues about failed logon.  Example:
Windows user does NOT get the expected pop-up dialog asking
for new credentials when they try to connect to a share using
an invalid user name.  Instead, they would get connected,
but would fail to have access to anything in the share.

So with that bug fixed, one can logon as "guest" only if:
(1) you actually ask for guest in your logon request,
(2) a local Unix account named "guest" exists, and
(3) the guest account is enabled for SMB

Therefore, if you were using guest access before 1122 was fixed,
(and were depending on accidental guest access working),
you'll need to do the following to re-enable guest access:

    useradd (options] guest
    smbadm enable-user guest

The guest account password is ignored by SMB, so
all that matters to SMB is whether that account is
marked as enabled in /var/smb/smbpasswd

To keep Unix users from using guest for login, you can
set the Unix password hash to something invalid, etc.

On Fri, Apr 15, 2016 at 4:05 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
> hi,
>
> trying to set up an anonymous share on workgroup mode  I do not get it
> working.
>
> I have a dataset tank/test with these sharesmb properties:
>
> zfs get sharesmb tank/testshare
> NAME            PROPERTY  VALUE                   SOURCE
> tank/testshare  sharesmb  name=test,guestok=true  local
>
> These are the permissions on that path:
>
> # /usr/bin/ls -Vd /tank/testshare/
> drwxrwxrwx+ 14 root     root          14 Sep 11  2015 /tank/testshare/
>               everyone@:rwxpdDaARWcCos:fd-----:allow
>
> Both using a windows client (win 2012r2) as a linux smbclient (fedora 23),
> both quite modern, I cannot access the share:
>
> Linux smbclient:
> $ smbclient -U " " -L //192.168.0.172 -N
> Anonymous login successful
> Domain=[WORKGROUP] OS=[SunOS 5.11 omnios-r151018-ae314] Server=[Native SMB
> service]
>
>     Sharename       Type      Comment
>     ---------       ----      -------
>     c$              Disk      Default Share
>
>     test            Disk
> Connection to 192.168.0.172 failed (Error NT_STATUS_CONNECTION_REFUSED)
> NetBIOS over TCP disabled -- no workgroup available
>
>
> Windows client:
> C:\Users\Administrator>net view \\192.168.0.172
> System error 5 has occurred.
>
> Access is denied.
>
>
> Using a local user works, with smb2 ;-)
>
> Any one success with guestok=true and cifs?
>
> --
> Groeten,
> natxo
>
> _______________________________________________
> OmniOS-discuss mailing list
> OmniOS-discuss at lists.omniti.com
> http://lists.omniti.com/mailman/listinfo/omnios-discuss
>

More information about the OmniOS-discuss mailing list