Marek Szuba
2005-Dec-18 15:12 UTC
[Samba] Samba 3: "restrict anonymous = 2" breaks domain joining
Hello,

Despite not having received any input on my last problem, I managed to work it out and now I've finally got a working Linux PDC with ldapsam and a non-root domain admin. As it turned out, the problems were caused by a combination of Samba settings, too tight security on the Windows boxes and, in the case of XP x64, a need for some patches against the Samba source code; here I would like to ask a question about the former.

As it turned out, the setting which made me unable to join the domain from the Linux box itself by calling "net -U domadm join DOMAIN" was "restrict anonymous = 2". When it is set, executing the command fails after a few seconds' delay even though the machine account gets added to LDAP; when I change the number to 0 or 1, the command succeeds immediately despite still showing the "no results from AD" warning I mentioned in my previous message.

Considering that what I'm trying to do here is talk to a Samba PDC (which does support this setting) using Samba's native tool (which, logic dictates, should support it too), this is kind of weird - especially taking into account that one of my shares is set to "guest ok = yes" ATM and that is said to nullify the effect of "restrict anonymous = 2". What is the catch here?

Regards,
-- 
MS
Andrew Bartlett
2005-Dec-19 03:18 UTC
[Samba] Samba 3: "restrict anonymous = 2" breaks domain joining
On Sun, 2005-12-18 at 16:12 +0100, Marek Szuba wrote:
> Hello,
> As it turned out, the setting which made me unable to join the domain
> from the Linux box itself by calling "net -U domadm join DOMAIN" was
> "restrict anonymous = 2". When it is set, executing the command fails
> after a few seconds' delay even though the machine account gets added
> to LDAP; when I change the number to 0 or 1, the command succeeds
> immediately despite still showing the "no results from AD" warning I
> mentioned in my previous message.

The warning is because it is trying an AD-style join, which Samba3 doesn't support.

Samba3 (due to NT4 protocol limitations) doesn't support being a DC and having 'restrict anonymous = 2' set. Even if Samba worked around this (there are ways), I believe a Windows client would not work.

> Considering what I'm trying to do here is talk to a Samba PDC (which
> does support this setting) using Samba's native tool (which, logic
> dictates, should support it too), this is kind of weird - especially
> taking into account that one of my shares is set to "guest ok = yes"
> ATM and that is said to nullify the effect of "restrict anonymous = 2".

It is the other way around. If you set 'restrict anonymous = 2', then you cannot get to a share as a guest, even with 'guest ok = yes', as the anonymous connection has already been denied.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
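A way to catch both problems from this thread before rolling out an smb.conf, as an added example that is neither part of the thread nor Samba's own code: it parses a constructed smb.conf (Python's configparser stands in for Samba's parser, which is an approximation) and flags 'restrict anonymous = 2' on a PDC, identified by the real Samba 3 parameter 'domain logons = yes' that the thread does not mention, plus any 'guest ok = yes' share that setting would make unreachable.

```python
"""Lint an smb.conf for the 'restrict anonymous = 2' pitfalls on a Samba 3 PDC."""
import configparser

# Constructed sample resembling the poster's setup (not the real config).
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOMAIN
    domain logons = yes
    passdb backend = ldapsam:ldap://localhost
    restrict anonymous = 2

[profiles]
    path = /srv/samba/profiles
    guest ok = yes

[homes]
    path = /home/%U
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; interpolation is off so '%U' survives."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: {k.lower(): v.strip() for k, v in cp.items(s)} for s in cp.sections()}


def _is_yes(value):
    return value.lower() in ("yes", "true", "1")


def check_restrict_anonymous(conf):
    """Return a list of findings; an empty list means no conflict was found."""
    g = conf.get("global", {})
    level = int(g.get("restrict anonymous", "0"))  # Samba accepts 0, 1 or 2
    findings = []
    if level != 2:
        return findings
    if _is_yes(g.get("domain logons", "no")):
        findings.append("global: 'restrict anonymous = 2' on a Samba 3 PDC breaks "
                        "NT4-style domain joins; use 0 or 1")
    for name, share in conf.items():
        # 'public' is Samba's synonym for 'guest ok'.
        if name != "global" and (_is_yes(share.get("guest ok", "no"))
                                 or _is_yes(share.get("public", "no"))):
            findings.append(f"{name}: 'guest ok = yes' is unreachable because "
                            "'restrict anonymous = 2' denies the anonymous session first")
    return findings


if __name__ == "__main__":
    for line in check_restrict_anonymous(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(line)
```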