On 11/20/08 16:28, Bill Shannon wrote: > Alan M Wright wrote: >> On 11/20/08 14:49, Bill Shannon wrote: >>> Afshin Salek wrote: >>>> Guest authentication is not supported by CIFS server. >>>> We haven't had any plans to support it so the data is still new :) >>> >>> Sigh. >>> >>> I guess that means I'm back to Samba for my home network. >>> Getting authenticated access to work is just too painful. >> >> If it's for your home network, i.e. if workgroup mode is sufficient, >> it should only require two things: >> >> 1. Add pam_smb_passwd.so.1 to /etc/pam.conf >> >> 2. Choose/create a Solaris user account and run the passwd command. > > Sorry, what I meant was getting every other computer and every other > person using every other computer in my house to understand and use > authentication is just too hard.
So you're passing the buck :-) Since you mentioned compatibility with Windows... Both the guest account and null sessions are disabled by default on Windows, so you'd need to do some work to get this operational with a Windows server. > I've accepted the risk of having insecure access within my home. > Just because our kernel mode CIFS support doesn't support it isn't > going to stop me from doing it, so if the goal is to force me to > have a secure network, you've failed. I'm definitely not trying to force/persuade you towards any particular level of security or mode of operation. Just pointing out that the behavior you would like is not supported. > Given that I have so many > other ways to allow unauthenticated access, including NFS, I don't > see any reason to prevent me from having that choice with kernel > mode CIFS support. > And while we're on the subject, is the client mode CIFS support > going to work with guest access to my Windows machine? Or do I > need to uninstall OpenSolaris and replace it with Linux to get that? If the CIFS client doesn't do what you need, you can use smbclient on Solaris, which is what you'd get on Linux. If you are already using Samba on Solaris, what benefit would you get by moving to Linux? >>> Is guest access really hard to implement, or is it just not considered >>> important? It's considered a security risk. If you feel support is justified, there is a mechanism in place to request it. >> As mentioned elsewhere, it's considered a security issue. Anonymous >> connections are disabled on most implementations by default. It was >> discussed during the CIFS PSARC case and we made a commitment not to >> allow anonymous user sessions. It would require an ARC case to >> introduce support for anonymous connections, which would probably >> require additional justification (than provided above) to warrant >> introducing a means of connecting to the system without traceable >> credentials or authentication. > > So, compatibility with Windows is not sufficient justification? > Isn't that why we're doing CIFS to begin with? The features we offer should be compatible with Windows but that doesn't imply that Solaris will do everything you can do with Windows. For example, we don't emulate the security flaws that exist on Windows. Alan _______________________________________________ cifs-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
