small bug with samba on auth/auth_sam.c [and fix]

Jesús Roncero jesus at mxtelecom.com
Tue Feb 20 18:36:51 GMT 2007


Hi list,

On trying to upgrade an installation of samba running version 3.0.20a to 
3.0.24 a bug has come up.
I am using the mysql backend which, as you may know, lives now on 
http://pdbsql.sourceforge.net/. After getting everything compiled, we 
weren't able to access the samba shares because we were getting this error:
logon_hours_ok: "Account for user jesus not allowed to logon at this 
time" despite having set "mysql:logon hours column = NULL" on my 
smb.conf file.

Having a look at the source code, I saw that the allowed hours are set by 
the mysql module by calling pdb_set_hours that lives on 
passdb/pdb_get_set.c:

BOOL pdb_set_hours(struct samu *sampass, const uint8 *hours, enum pdb_value_state flag)
{
         if (!hours) {
                 memset ((char *)sampass->hours, 0, MAX_HOURS_LEN);
         } else {
                 memcpy (sampass->hours, hours, MAX_HOURS_LEN);
         }
         return pdb_set_init_flags(sampass, PDB_HOURS, flag);
}

And thus setting the whole array to 0 if the hours are not required.
When this is requested by logon_hours_ok in auth/auth_sam.c, this is 
executed at the very beginning:

         hours = pdb_get_hours(sampass);
         if (!hours) {
                 DEBUG(5,("logon_hours_ok: No hours restrictions for user %s\n",
                          pdb_get_username(sampass)));
                 return True;
         }

where pdb_get_hours sets hours to be a pointer to the array of integers 
previously set by pdb_set_hours so it never returns True at that point. 
A bit after in the execution, a byte in the array is tested using a 
bitmask, and, as it was all set to 0 previously, access is denied by the 
aforementioned message. Having a look at the old revisions of the source 
code, it seems that pdb_get_hours did return NULL in some cases, and 
thus activating the if(!hours) check at the beginning.

Attached is a small patch that basically sets the whole array to 0xFF 
(and thus allowing all hours in the bitmask check) so you are always 
granted access when the logon hours column is set to NULL. I guess that 
logon_hours_ok would need some changes as well, but I wonder if anyone 
here with more experience and insight into samba could have a look at it 
and verify that it doesn't break anything important :-) or that I am not 
wrong.

Many thanks.

-- 
Jesús Roncero <jesus at mxtelecom.com>
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pdb_get_set-allowed-hours.diff
Type: text/x-patch
Size: 431 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20070220/dc3afb59/pdb_get_set-allowed-hours.bin
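
A simplified model of the behaviour described in the message above, added here as an illustration; it is not Samba's code and not the attached patch. The names struct account, set_hours, hours_ok and allowed_slots, the 32-byte buffer size and the weekday*24+hour bit layout are assumptions. It shows that a zero-filled default denies every hour of the week, while a 0xFF fill or a NULL pointer allows all of them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOURS_LEN 32          /* assumed size of the per-account hours buffer */
#define HOURS_PER_WEEK 168    /* 7 days * 24 hours, one bit per hour (assumed layout) */

/* Hypothetical stand-in for the account record. */
struct account { uint8_t hours[HOURS_LEN]; };

/* Models the setter quoted in the message; fill is 0x00 as posted, 0xFF as proposed. */
static void set_hours(struct account *a, const uint8_t *hours, uint8_t fill)
{
    if (!hours)
        memset(a->hours, fill, HOURS_LEN);
    else
        memcpy(a->hours, hours, HOURS_LEN);
}

/* Returns 1 if logon is allowed at (wday, hour), 0 otherwise.
 * A NULL pointer means "no restriction", like the early return in the message. */
static int hours_ok(const uint8_t *hours, int wday, int hour)
{
    if (!hours)
        return 1;
    int bit = (wday * 24 + hour) % HOURS_PER_WEEK;
    return (hours[bit / 8] >> (bit % 8)) & 1;
}

/* Counts how many of the 168 weekly slots allow logon. */
static int allowed_slots(const uint8_t *hours)
{
    int n = 0;
    for (int d = 0; d < 7; d++)
        for (int h = 0; h < 24; h++)
            n += hours_ok(hours, d, h);
    return n;
}

int main(void)
{
    struct account a;
    set_hours(&a, NULL, 0x00);
    printf("zero fill:    %d/168 slots allowed\n", allowed_slots(a.hours));
    set_hours(&a, NULL, 0xFF);
    printf("0xFF fill:    %d/168 slots allowed\n", allowed_slots(a.hours));
    printf("NULL pointer: %d/168 slots allowed\n", allowed_slots(NULL));
    return 0;
}
```

The zero fill fails closed and the 0xFF fill fails open, so any caller that reaches the setter with a NULL pointer for a reason other than "no restriction configured" gets the opposite outcome under each default.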

