AFS token issue in samba 3.5.5? [solution]
Chris Garrison
ecgarris at iupui.edu
Fri Sep 17 13:14:16 MDT 2010
So, the code is under source3/smbd/service.c and the
WITH_FAKE_KASERVER block of code is right below the canonicalization
check code.

I just moved that small block of fake_kaserver code above the other
block and it does create a token before making the check, and therefore
passes the check and succeeds now.

Is there a more elegant way to accomplish this, or should I submit it as
a bugfix?

Thank you,

Chris

On 9/17/10 9:07 AM, Chris Garrison wrote:
> Hello,
>
> We were running samba-3.4.5 with fake-kaserver compiled in to overlay
> it on top of AFS.
>
> With the new security announcement, I've been trying to upgrade to
> 3.5.5 and have run into a problem.
>
> If a user tries to go to the [homes] share, which uses the passwd file
> to take them to their home directory within the AFS tree (doesn't
> matter the client, we've tried from Mac and Windows) the connection
> fails, and the logs indicate "canonicalize_connect_path failed for
> service username".
>
> However, if the user first goes to the [afs-home] share, which doesn't
> require AFS tokens to view, they can drill down to their home
> directory and it will function normally. In fact, if at this point
> the user disconnects Samba and then comes back with a new connection to
> their own homedir on [homes], it will work.
>
> It seems to me that something's changed between versions, that
> directory permissions are now being checked *before* the token is
> generated. Since it worked in 3.4.5 with the same smb.conf and same
> samba.spec options, I think it must have been a recent code change,
> possibly even something in the security patches.
>
> Any help would be appreciated!
>
> Chris
> --
> Chris Garrison
> Indiana University
> Research Computing Storage
> ecgarris at iupui.edu