NT sending guest username and parameter parsing problem
thwartedefforts at wonky.org
Sat Oct 24 20:10:24 GMT 1998
>> NT Workstations (SP3) seem to be sending 'guest' as the username at times
>> when requesting a list of shares. This makes the %U parameter mostly
>> useless. Take the following example (please!):
>
> it's not nt wkstas, it's samba. and no, there isn't really a good
> solution. i've seen this happen with win95 too.
Right. I said that wrong. NT wrkst is sending a blank username, which samba
interprets as guest.
Looking at the code in smbd/reply.c, approx line 582, in function
reply_sesssetup_and_X, I see this block of code:

    /* If no username is sent use the guest account */
    if (!*user)
    {
        pstrcpy(user,lp_guestaccount(-1));
        /* If no user and no password then set guest flag. */
        if( *smb_apasswd == 0)
            guest = True;
    }

    strlower(user);

    /*
     * In share level security, only overwrite sesssetup_use if
     * it's a non null-session share. Helps keep %U and %G
     * working.
     */
    if((lp_security() != SEC_SHARE) || *user)
        pstrcpy(sesssetup_user,user);

    reload_services(True);

The first if statement, by checking for no username and always setting it to
guest, makes the second if always succeed because *user is always true.
I'm not sure what the comment before the second if is saying. The assignment
to sesssetup_user is being done so that the username that was sent is being
used by the reload_services call, but should that be done when security is
SEC_SHARE? I have a feeling the second if should be:
    if((lp_security() == SEC_SHARE) && *user)
or
    if((lp_security() != SEC_SHARE) && *user)
(depending on how you interpret the comment)
or the reload_services call could be moved up between the two ifs (but then
in share level security, 'guest' won't be used in the call to
reload_services, if that is what you want), or these two ifs should somehow
change position. I'm still trying to figure out how to move things
around and change the conditions to get the effect I think is needed.
These are the conditions I'm trying to end up with:
- sesssetup_user should be set to something meaningful (non-guest if
  possible) before calling reload_services.
- sesssetup_user should not be an empty string (otherwise %U expands to
  nothing).
- sesssetup_user should keep its value if it's not empty and no username
  was sent by the client.
- sesssetup_user should get the value of user if sesssetup_user is the
  guest account and a non-guest account was sent by the client.
- can't set sam_logon_in_ssb to true because sometimes samlogon_user isn't
  set (like after a reconnection when smbd is killed). Although, my
  impression is that as long as the server is up and connections are
  maintained throughout the life of a client logon, then samlogon_user
  should contain the username of the user who logged on.
Did I miss anything?
During my tests, I've noticed that in reply_sesssetup_and_X conn is always
NULL. When does conn get a value? There are some fields in it that I wanted
to take a look at, but it seems to go unused.
As a side note, where is the option 'security = domain' documented? I can't
figure out exactly what it does. The man page only documents share, user,
and server, and an examination of the files in docs/ doesn't give any useful
information. As an educated guess, does it implement trust relationships for
a samba server being a member of a domain, and if so, how is that different
than security = server (other than requiring a machine account in the domain)?
Andy.
thwartedefforts at wonky.org
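
Added example, not part of the original message and not Samba code: a small C model of the block quoted from smbd/reply.c, beside one reading of the conditions listed in the message. The function names, the fixed guest name, the SEC_USER value and the sample usernames are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAMELEN 64
#define GUEST "guest"             /* stand-in for lp_guestaccount(-1) */
enum { SEC_SHARE, SEC_USER };     /* only the two modes the model needs */

static void set_name(char *dst, const char *src)
{
    strncpy(dst, src, NAMELEN - 1);
    dst[NAMELEN - 1] = '\0';
}

/* Model of the posted block (strlower and the guest flag left out).
 * `sent` is the name from the client, `sess` models sesssetup_user. */
static const char *posted_logic(int security, const char *sent, char *sess)
{
    char user[NAMELEN];
    set_name(user, sent);
    if (!*user)
        set_name(user, GUEST);
    /* user can no longer be empty, so the test below is always true */
    if (security != SEC_SHARE || *user)
        set_name(sess, user);
    return sess;
}

/* One reading of the listed conditions: a sent name wins, a remembered
 * name survives an empty one, guest is used only when nothing is known. */
static const char *keep_known_user(const char *sent, char *sess)
{
    if (*sent)
        set_name(sess, sent);
    else if (!*sess)
        set_name(sess, GUEST);
    return sess;
}

int main(void)
{
    const char *sent[] = { "", "andy" };
    const char *held[] = { "", "guest", "andy" };   /* constructed inputs */
    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 3; j++) {
            char a[NAMELEN], b[NAMELEN];
            set_name(a, held[j]); set_name(b, held[j]);
            printf("sent='%s' held='%s' posted='%s' reordered='%s'\n", sent[i], held[j],
                   posted_logic(SEC_SHARE, sent[i], a), keep_known_user(sent[i], b));
        }
    return 0;
}
```

The rows with an empty sent name and a held name of 'andy' are where the two versions differ: the posted order replaces 'andy' with the guest account even in share-level security, while the reordered version keeps it.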