FIX: NT sending null username effects %U expansion
thwartedefforts at wonky.org
thwartedefforts at wonky.org
Wed Oct 28 02:44:33 GMT 1998
On Mon, 26 October 1998, Luke Kenneth Casson Leighton wrote:
> hi, yes it does make a difference. docs are being updated this week. the
> only "proper" fix is to deny all anynomous connections, causing clients to
> send username / password instead.
>
> this will break things, unfortunately. it was the original "NT 3.1" and
> "NT 3.5" model, which microsoft deliberately brok in " NT 4.0".
>
> luke
I understand that. But this doesn't explain the explict copy of user to
sesssetup_user because that second if will _always_ succeed. I propose the
following patch to that second if in smbd/reply.c (against cvs 981026):
*** smbd/reply.c.orig Tue Oct 27 09:28:39 1998
--- smbd/reply.c Tue Oct 27 09:28:55 1998
***************
*** 597,603 ****
* working.
*/
! if((lp_security() != SEC_SHARE) || *user)
pstrcpy(sesssetup_user,user);
reload_services(True);
--- 597,603 ----
* working.
*/
! if(((lp_security() != SEC_SHARE) || *user) && !guest)
pstrcpy(sesssetup_user,user);
reload_services(True);
This change will make sesssetup_user be the same as user _only_ if samba is
not implictly forcing guest access when the client passes a null
username/password. I've tested this and am unable to reproduce the effect I
originally described. This also makes non-null sessions override each other
thereby changing what %U expands to and reading a different configuration file
if a different username is used -- I believe this is wanted effect.
But, I still don't know how that is going to change the intended effect on
share level security (although, I suspect not at all, seeing as how usernames
are useless in share level security, and thus the value of %U is
useless -- correct?).
If this doesn't fall under "proper" fix, or even close to it, can someone
please explain why?
Dave Andruczyk, could you try this out and see if it fixes your problem?
Rereading your description makes me think it might, but I'm unable to
figure out exactly where your problem lies -- it maybe outside the scope of
implict guest access.
References:
Original description of problem:
http://samba.anu.edu.au/listproc/samba-ntdom/2264.html
Note of always true condition in smbd/reply.c
http://samba.anu.edu.au/listproc/samba-ntdom/2289.html
Dave's related(?) problem:
http://samba.anu.edu.au/listproc/samba-ntdom/2272.html
Andy.
thwartedefforts at wonky.org
More information about the samba-ntdom
mailing list