restrict anonymous patch against 2beta2

thwartedefforts at wonky.org
Wed Dec 2 23:32:44 GMT 1998


On Wed, 02 December 1998, Luke Kenneth Casson Leighton wrote:
> > It has one side effect (related to how NT behaves after logout):
> >  - If you are using samba as a PDC, the client machine will be unable 
> >    to revalidate its machine account after a user logs out because
> >    WinNT maintains a validated connection after logout, and it tries to 
> 
> can you investigate this further by attempting to detect when an NT
> workstation user is logging out, and terminating the smbd process at the
> server-side?

I have been collecting data on this at various times in the past few weeks, but it's tough going, because sometimes I get the problem described (with restrict anonymous = true and the workstation can't validate its own account), other times the client is only connected to the homes share, and other times it's connected to other irrelevant shares (shares that were opened, but no files were accessed on the shares) in addition to the homes share.
 
> i tried this at one point, by detecting SMBulogoffs and SMBtdis or
> something, but didn't get very far.
>
> how about, say, if the first connection to a smbd process was an IPC$ and
> then subsequent connections were to [homes] or other, then if the
> connection to everything but IPC$ is closed [SMBtdis] then you drop the
> connection (exit(1))?

This is, in fact, my current plan, Luke!  Unfortunately, most of what the client does seems to happen async, and I have noticed that various logoff SMBs are sent before the profile is updated, and my hunch is that that is one of the reasons why the connection is being maintained "after logout".  That and the fact that the NT client doesn't disconnect from the shares after updating the profile is actually the heart of the problem with Microsoft's code.

I am actively investigating this problem though, because it annoys the hell out of me even though it only affects a handful of my users (the more mobile ones).

> or other such evil behaviour...
A work around around a work around, apparently :)

Andy.
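
The heuristic Luke proposes in the quoted text above, written out as an added example; it is not code from this message or from Samba. The struct, the function names and the slot-based tree ids are hypothetical, and share names are assumed to arrive already normalised so that the IPC share is exactly "IPC$".

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TREES 16

/* Hypothetical per-smbd-process record of the client's tree connections. */
struct conn_state {
    bool seen_any;           /* at least one tree connect so far */
    bool first_was_ipc;      /* the first tree connect was to IPC$ */
    bool seen_non_ipc;       /* [homes] or another share was connected later */
    bool in_use[MAX_TREES];  /* slot currently holds a tree connection */
    bool is_ipc[MAX_TREES];  /* that connection is to IPC$ */
};

/* Record a tree connect; returns the slot used as tree id, or -1 if full. */
int on_tree_connect(struct conn_state *s, const char *share)
{
    bool ipc = (strcmp(share, "IPC$") == 0);
    if (!s->seen_any) { s->seen_any = true; s->first_was_ipc = ipc; }
    if (!ipc) s->seen_non_ipc = true;
    for (int i = 0; i < MAX_TREES; i++) {
        if (!s->in_use[i]) { s->in_use[i] = true; s->is_ipc[i] = ipc; return i; }
    }
    return -1;
}

/* Record an SMBtdis; returns true when the heuristic says to drop the
 * connection: IPC$ came first, other shares followed, and every share
 * except IPC$ has now been closed. */
bool on_tree_disconnect(struct conn_state *s, int tid)
{
    if (tid < 0 || tid >= MAX_TREES || !s->in_use[tid]) return false;
    s->in_use[tid] = false;
    if (!s->first_was_ipc || !s->seen_non_ipc) return false;
    for (int i = 0; i < MAX_TREES; i++) {
        if (s->in_use[i] && !s->is_ipc[i]) return false; /* a share is still open */
    }
    return true;
}

int main(void)
{
    struct conn_state s = {0};
    on_tree_connect(&s, "IPC$");               /* constructed sample sequence */
    int homes = on_tree_connect(&s, "homes");
    printf("drop after homes tdis: %d\n", on_tree_disconnect(&s, homes));
    return 0;
}
```

The check only fires on an SMBtdis, so it does nothing in the case described in the reply where the NT client leaves its shares connected after updating the profile.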