FIX: NT sending null username effects %U expansion

[thwartedefforts at wonky.org]

On Wed, 28 October 1998, Jeremy Allison wrote:
<snip>
> I think your patch is nearly correct - the actual intent
> of the original code is :
> 
>    if((lp_security() != SEC_SHARE) || (*user && !guest))
>       pstrcpy(sesssetup_user,user);
<snip> 
> The intent was only to change sesssetup_user in share level
> security when a valid username was given.

Well, you see I'm trying to work around (what Luke described as) a
 bug in NT4.  It insists on sending a null username/password when it
 requests subsiquent share lists (it seems to send the logon
 username/password for the initial request).  This screws up the list
 of configuration files read and shares disappear and reappear
 depending on the mood of NT4.

Unfortunately, if the conditions are changed as you describe, the
 same effect still results (but, thankfully, it gets rid of that
 "always true" condition :) ). Note that I'm not using share
 level security.

Your change doesn't seem to honor your requirements:

> In user level security sesssetup_user should *always* be
> changed to match the incoming user (even if it's a null
> session).

What does "incoming user" mean?  Incoming from the client (in
 which case sesssetup_user should be "") or incoming after
 samba gets a chance to massage it (so it would be the value
 of lp_guestaccount() for null usernames).  I'm confused here.
 %U is susposed to expand to the username the client sent,
 not the username that samba eventually assigned.  Is
 assignment to the guest account not the same as assigning
 to a local UNIX user (via perhaps a map user or map file
 setting)?

In my domain, I have no need for guest access in terms of file
 services so if a client is sending a null username over an
 already validated connection, I want it to use the validated
 username in the %U expansion.  Keep in mind that sending a
 valid username (non-null) should override previous validations
 on the same connection.  This should be acceptable for the
 cases where NT4 is going "Oh, I need to request the share list
 again, but I'm not going to tell the server who I am", and
 types of clients that are sending a username.

Would an acceptable solution to this be to have a parameter like
  guest overrides valid user = yes/no (default yes)
  null overrides valid user = yes/no (default yes)
or
  force guest username expansion = yes/no (default yes)
or
  allow null username expansion = yes/no (default yes)

And wrap a check for this around the assignmnt to sesssetup_user
 in the above if?

I prefer the first set, they best describes what I'm trying to
 achieve (I can't think of any shorter parameter names), and
 offer the greatest configuration options.  The defaults of yes
 keep the current behaviour.

If we can agree on something, I'll write the patch.

Andy.