[jcifs] Problem with guest user access

Tue Jan 11 02:18:30 GMT 2005

Eric Rotick said:
> From my experience the current implementation is already a source of
> considerable confusion and here's why.
>
> The application was developed and everything was tested and shown to
> be working to spec. This was then deployed and ran for several months
> without any problem. The Samba server of one of the clients then
> decided to create a new user for some new service. Still all OK. The
> sysadmin then decided that this new service was not regarded as secure
> by any means and so set the quest account directive to that user. The
> application then broke.

Ahh, so you really can set what user Samba considers 'guest'. Odd.

> We tested everything again and also setup a guest account but we used
> the default username guest for this and so everything worked for us.
> The next thing was to look at the source and, bingo, there's the
> problem. A quick change to the source to prove the theory and we're
> back in business.
>
> I would humbly suggest that the current implementation is inconsistent
> in that when the server side changes the guest user to be anything
> other than "guest" the client side will fail unless the username is
> also "guest". The Samba docs say that guest is used to mark a service
> as not requiring a password. It doesn't say that guest must also be
> used as the username.

Well, you have to realize that the jCIFS and Samba projects are really
separate entities. JCIFS tries to be compliant with generally accepted
CIFS protocol practices. Being able to change which username is considered
to be 'guest' is not a standard feature. At least I've never heard of it
until now.

It doesn't matter though because the whole concept of logging someone in
as "guest" if their authentication fails is explicitly NOT supported in
JCIFS. If the username is "guest" then we permit it but otherwise our
internal structures are immutible so it's very difficult to support such a
feature.

> When the Jsifs application is configured a username and password is
> used to access any number of services. That application would then
> need to know that the server side has changed a service to be guest.
> Surely that's a server side decision only and not something which
> should be reflected in the client.

CIFS as a protocol does not support changing the username that the server
considers to be 'guest'. That is apparently a Samba-ism.

> Having removed the code in SmbSession everything now works as we would
> expect. Is there some behaviour which is broken as a result of this?

I don't understand the question but if you simply remove the three lines
in SmbSession that check for guest then the client will behave as you
expect. Note however that if you then do 'file.getPrincipal().getName()'
the name will not be "guest" or whatever the username is that is
considered on the server to be guest. It will be the username specified in
the NtlmPasswordAuthentication object originally used to construct the
file. And that is ultimately why we do not support the concept of
defaulting to different credentials (e.g. guest) than the ones supplied.

Mike