[jcifs] samba server lists wrong shares

[Felix Schumacher]

 On Thu, 31 Mar 2011 13:38:42 +0200, Marcus Ilgner wrote:
> On Thu, Mar 31, 2011 at 12:59 PM, Felix Schumacher
> <felix.schumacher at internetallee.de> wrote:
>> On Wed, 30 Mar 2011 13:28:06 -0500, Christopher R. Hertel wrote:
>>>
>>> Michael B Allen wrote:
>>>>
>>>> Hi Felix,
>>>>
>>>> IIRC this is a sort of weird interaction specific to features of 
>>>> Samba
>>>> and JCIFS. JCIFS reuses connections even when credentials are
>>>> different. This is more efficient but when used with the Samba 
>>>> user
>>>> directories feature it will result in listing other users that 
>>>> share
>>>> that transport.
>>>
>>> That is because the protocol itself allows and expects multiple
>>> authentications to occur over the same transport connection.  This 
>>> is due
>>> to
>>> the nature of DOS, OS/2, and Windows systems.  They expect that 
>>> there will
>>> be a single user sitting at the console screen, but that the user 
>>> may have
>>> different identities on different servers.  Therefore, all of the 
>>> multiple
>>> authentications over the same connection are being performed by or 
>>> on the
>>> behalf of that one user.
>>>
>>> Even in an NT Domain or Active Directory environment, the Windows 
>>> client
>>> may
>>> use multiple credential sets (including guest and anonymous) to 
>>> talk to a
>>> server.  Each of these may be active at the same time.
>>
>>
>> So both of you seem to think, that my test case should succeed and 
>> it is
>> probably a samba server bug.
>>
>
> My understanding was that this isn't a bug but, as the saying goes, a
> feature.
> Samba supports multiple authentications and so if you authenticate 
> with both
> userA and userB using the same connection, you should expect to see 
> all
> shares visible by one of them.

 Well I understood, that it would be not suprising, but nonetheless a 
 bug.
>
>>>
>>>> But there could be a work-around. You can stop JCIFS from reusing
>>>> transports by setting the property jcifs.smb.client.ssnLimit = 1
>>>> (although this will cause a whole new socket and transport object 
>>>> to
>>>> be created for each unique set of credentials which uses a
>>>> considerable amount of resources). I think this will stop the
>>>> aforementioned weird interaction.
>>>
>>> What Samba is probably doing is keeping track of which users have 
>>> been
>>> authenticated over the given connection and using that list to 
>>> determine
>>> which home directories to return in the shares list.  If that's the 
>>> case,
>>> and if Windows does *not* do the same, then it may be worth 
>>> reporting as a
>>> Samba issue.
>>>
>>>> Note that JCIFS properties are global and static so beware if you 
>>>> have
>>>> other code using JCIFS for other things, setting this property 
>>>> will
>>>> affect them as well.
>>>
>>> This is, however, a worth-while test.  I would be interested in 
>>> knowing
>>> whether Samba and Windows display the same behavior.
>>
>> I would love to perform such a test, but I haven't found anyone, who 
>> could
>> tell me how I hide shares for specific users under windows.
>>
>> That means I can't set up the userA sees only share userA and userB 
>> sees
>> only share userB with a windows file server.
>>
>> Bye
>>  Felix
>>>
>>> Chris -)-----
>>
>
> I'd also be interested to hear if setting jcifs.smb.client.ssnLimit
> works for you.

 If I use jcifs.smb.client.ssnLimit=1 in my test case it succeeds. But 
 that would be
 a workaround. I would rather like it to have the root cause fixed.

 Bye
  Felix
>
> All the best
> Marcus