Situational Deadlock in Samba 3.0.1

Esh, Andrew Andrew_Esh at
Tue Jan 27 20:03:39 GMT 2004

I think I may have found the problem. I had always thought a specific user was being used in the test that was failing, but some operations are done anonymously. I noticed that the user being rejected is being registered as a guest:

[2004/01/27 13:46:24, 10, pid=28927, effective(0, 0), real(0, 0)] smbd/password.c:register_vuid(216)
  register_vuid: (99,99) nobody golem R2C2N131 guest=1

... and I have "guest ok" set GLOBALLY in smb.conf. The share being mapped does not have a "guest ok" setting.

And I also noticed that in smbd/uid.c, change_to_user and check_user_ok conspire to deny access to this user. There doesn't seem to be a check to allow a guest user to access a "guest ok" share. I added this to the top of check_user_ok:

	if ( vuser->guest && GUEST_OK(conn->service) ) {
		DEBUG(10,("check_user_ok: Guest user OK\n"));

... and now I see my user being allowed access on that basis:

[2004/01/27 13:45:56, 3, pid=28766, effective(0, 0), real(0, 0)] smbd/process.c:switch_message(685)
  switch message SMBtrans2 (pid 28766)
[2004/01/27 13:45:56, 10, pid=28766, effective(0, 0), real(0, 0)] smbd/uid.c:check_user_ok(66)
  check_user_ok: Guest user OK

My question is: Is this an obvious omission? Have I opened security to the point of humor? It seems like the right thing to do, based on the doc for "guest ok".

Andrew C. Esh                mail:Andrew_Esh[at]
Adaptec, Inc.
2905 Northwest Blvd., Suite 20        763-557-9005 (main)
Plymouth, MN 55441-2644 USA      763-551-6418 (direct)

More information about the samba-technical mailing list