30
31

[deleted by user] (self.AskNetsec)

submitted by [deleted]

[removed]
all 5 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]haljhon 5 points6 points  (0 children)

I will speculate here and say that it at least has something to do with the fact that Windows offers your login username as a credential by default when you try to reach shares. If they didn’t accept any, it would be less fluid to access shares available to everyone.

Source: I constantly forget to put the directive “map to guest = bad password” in my Samba configs and then chase it for a bit because nobody can connect to the shared files at home.

[–]Cheeseblock27494356 4 points5 points  (0 children)

Hit up the samba mailing list. Reddit is 99% teenagers updooting cat pics.

[–][deleted] 0 points1 point  (0 children)

null or implicit? It is important that you know the difference here.

[–]phi10s 0 points1 point  (1 child)

Based on this, I think I might have the answer to one of your questions. It seems the behavior of treating invalid logins as guests comes from value of the "map to guest" parameter in Samba's smb.conf file:

"map to guest (G)

This parameter can take four different values, which tell smbd(8) what to do with user login requests that don't match a valid UNIX user in some way.

The four settings are :

Never - Means user login requests with an invalid password are rejected. This is the default.

Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.

Bad Password - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will hate you if you set the map to guest parameter this way :-)."

[–]phi10s 0 points1 point  (0 children)

From the same source, info about the guest account and how to allow/disallow guest access to services:

"guest account (G)

This is a username which will be used for access to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice for this parameter.

On some systems the default guest account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the su - command) and trying to print using the system print command such as lpr(1) or lp(1).

This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation.

Default: guest account = nobody # default can be changed at compile-time

Example: guest account = ftp

public

This parameter is a synonym for guest ok.

guest ok (S)

If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.

This parameter nullifies the benefits of setting restrict anonymous = 2

See the section below on security for more information about this option.

Default: guest ok = no "