AFS token issue in samba 3.5.5? [solution]

Chris Garrison ecgarris at
Fri Sep 17 13:14:16 MDT 2010

  So, the code is under source3/smbd/service.c and the 
WITH_FAKE_KASERVER block of code is right below the canonicalization 
check code.

I just moved that small block of fake_kaserver code above the other 
block and it does create a token before making the check, and therefore 
passes the check and succeeds now.

Is there a more elegant way to accomplish this, or should I submit it as 
a bugfix?

Thank you,


On 9/17/10 9:07 AM, Chris Garrison wrote:
>  Hello,
> We were running samba-3.4.5 with fake-kaserver compiled in to overlay 
> it on top of AFS.
> With the new security announcement, I've been trying to upgrade to 
> 3.5.5 and have run into a problem.
> If a user tries to go to the [homes] share, which uses the passwd file 
> to take them to their home directory within the AFS tree (doesn't 
> matter the client, we've tried from Mac and Windows) the connection 
> fails, and the logs indicate "canonicalize_connect_path failed for 
> service username".
> However, if the user first goes to the [afs-home] share, which doesn't 
> require AFS tokens to view, they can drill down to their home 
> directory and it will function normally.  In fact, if at this point 
> the user disconnects Samba and the comes back with a new connection to 
> their own homedir on [homes], it will work.
> It seems to me that something's changed between versions, that 
> directory permissions are now being checked *before* the token is 
> generated.  Since it worked in 3.4.5 with the same smb.conf and same 
> samba.spec options, I think it must have been a recent code change, 
> possibly even something in the security patches.
> Any help would be appreciated!
> Chris
> -- 
> Chris Garrison
> Indiana University
> Research Computing Storage
> ecgarris at

More information about the samba-technical mailing list