AFS token issue in samba 3.3.5?

Chris Garrison ecgarris at
Fri Sep 17 07:07:18 MDT 2010


We were running samba-3.4.5 with fake-kaserver compiled in to overlay it 
on top of AFS.

With the new security announcement, I've been trying to upgrade to 3.5.5 
and have run into a problem.

If a user tries to go to the [homes] share, which uses the passwd file 
to take them to their home directory within the AFS tree (doesn't matter 
the client, we've tried from Mac and Windows) the connection fails, and 
the logs indicate "canonicalize_connect_path failed for service username".

However, if the user first goes to the [afs-home] share, which doesn't 
require AFS tokens to view, they can drill down to their home directory 
and it will function normally.  In fact, if at this point the user 
disconnects Samba and then comes back with a new connection to their own 
homedir on [homes], it will work.

It seems to me that something's changed between versions, that directory 
permissions are now being checked *before* the token is generated.  
Since it worked in 3.4.5 with the same smb.conf and same samba.spec 
options, I think it must have been a recent code change, possibly even 
something in the security patches.

Any help would be appreciated!

Chris Garrison
Indiana University
Research Computing Storage
ecgarris at

More information about the samba-technical mailing list