BUG: 2.2.3a (and others) - can't disable null session

Borsenkow Andrej Andrej.Borsenkow at mow.siemens.ru
Thu Apr 18 02:38:01 GMT 2002

Several people reported inability to disable null sessions in SAMBA.
This bug exhibits itself at least in case of security = DOMAIN. What
happens is (reply_sesssetup_and_X, line numbers from 2.2.3a)):

- smbd gets null user name and password(s)
- it immediately sets user name to guest account (886):

  /* If no username is sent use the guest account */
  if (!*user) {
    guest = True;

- then we ask server but ONLY if user is not null - which it is not and
CANNOT be (942):

   * Check with orig_user for security=server and
   * security=domain.
  if (*user && !check_server_security(orig_user, domain, user,
         smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen) &&
      !check_domain_security(orig_user, domain, user, smb_apasswd,
         smb_apasslen, smb_ntpasswd, smb_ntpasslen, &ptok) &&

- end of story. Now user is logged in as guest (. Any other parameter
(like guest ok - and I have guest ok = no) is happily ignored at this

The only way to disable it currently is to set guest account to
non-existent Unix account that makes it impossible for _authenticated_
users (from password server) to log in without NT <-> Unix mapping.


More information about the samba-technical mailing list