Libsmbclient

Alain BARBET alb at albert.com
Thu Sep 13 09:53:02 GMT 2001


Hi,

Thanks to Richard Sharpe for his work on the libsmbclient library (and
others ;-). I already wrote to this list when I built Filesys::SmbClient
(a Perl interface to this API). Today I work at a computer
company that makes a search engine. This is a C++ project on the GNU platform.

I've already made http, ftp, nntp, file and https retrievers, and today I
want to make an smb retriever. For that there is no problem with the
libsmbclient interface; I have all that I need.

But I need some additional functionality:

To check whether an end user can access an smb file (user permissions are
not stored at index time because we don't want to replicate the auth job in
our database engine),
we check at search time whether the authenticated HTTP user can open the file.
We gain access to the user/password with an nph script, and then we want to
check whether this user is correct.
So:
- First, we ask the HTTP user to authenticate with a user/password.
- Second, we check whether the user/password given by the user is defined on
an IPC$ share.
- Third, we check the list of files for this user.
But the interface is too high-level to only check whether a user/password is good.
All open operations on an IPC$ share didn't work ... How can I do this?
smbc_server is private, and I didn't see another method.

Another thing: with this usage and in a FastCGI environment (so the script
doesn't end with the user's request and SMB connections are kept open by
libsmbclient.so), this is a big security hole:
we provide a user/password, but if a successful connection has been opened
before, the password isn't checked and a user with an unsuccessful login can
access the file as long as he knows the user!

Function smbc_server, extracted from sources/libsmbclient.c:

    for (srv=smbc_srvs;srv;srv=srv->next) {
      if (strcmp(server,srv->server_name)==0 &&
          strcmp(share,srv->share_name)==0 &&
          strcmp(workgroup,srv->workgroup)==0 &&
          strcmp(username, srv->username) == 0)
        return srv;
    }

So if this management of user/password and connection is done, another
method must be provided to check whether a user/password is valid on a domain.

Thanks a lot,
--
Alain BARBET
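
The cache lookup quoted in the message, beside a variant that also requires the password to match before a connection is reused (an added example, not part of the original post and not libsmbclient code). The `struct srv` layout, its `password` field, the function names and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed cache entry: the four fields the quoted loop compares, plus a
   password field, which is an assumption of this example. */
struct srv {
    const char *server_name, *share_name, *workgroup, *username, *password;
    struct srv *next;
};

static int same_key(const struct srv *s, const struct srv *q) {
    return strcmp(q->server_name, s->server_name) == 0 &&
           strcmp(q->share_name, s->share_name) == 0 &&
           strcmp(q->workgroup, s->workgroup) == 0 &&
           strcmp(q->username, s->username) == 0;
}

/* Lookup as in the quoted loop: the supplied password is never consulted. */
struct srv *find_weak(struct srv *list, const struct srv *q) {
    for (; list; list = list->next)
        if (same_key(list, q)) return list;
    return NULL;
}

/* Compare secrets without stopping at the first differing byte. */
static int secret_eq(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (la != lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened lookup: a hit also requires the same password; on a miss the
   caller must open a new session so the server validates the login. */
struct srv *find_strict(struct srv *list, const struct srv *q) {
    for (; list; list = list->next)
        if (same_key(list, q) && secret_eq(list->password, q->password))
            return list;
    return NULL;
}

/* Constructed sample: one cached session for user "alice". */
struct srv cached = { "FS1", "docs", "CORP", "alice", "correct-pw", NULL };
int main(void) {
    struct srv bad = { "FS1", "docs", "CORP", "alice", "wrong-pw", NULL };
    printf("weak reuses: %d, strict reuses: %d\n",
           find_weak(&cached, &bad) != NULL, find_strict(&cached, &bad) != NULL);
    return 0;
}
```

In a long-lived process such as the FastCGI case described above, a stored digest of the password could replace the plaintext field so the secret itself is not kept in memory.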






More information about the samba-technical mailing list