AFS token issue in samba 3.5.5? [solution]

Gémes Géza geza at kzsdabas.hu
Sat Sep 18 00:21:47 MDT 2010


Hi,

Could you post your patch somewhere, or give your assigned (by Bugzilla)
bug number? I also plan to upgrade to 3.5.5 (and also use fake-kaserver).

Thank you!

Geza

>  So, the code is under source3/smbd/service.c and the
> WITH_FAKE_KASERVER block of code is right below the canonicalization
> check code.
>
> I just moved that small block of fake_kaserver code above the other
> block and it does create a token before making the check, and
> therefore passes the check and succeeds now.
>
> Is there a more elegant way to accomplish this, or should I submit it
> as a bugfix?
>
> Thank you,
>
> Chris
>
> On 9/17/10 9:07 AM, Chris Garrison wrote:
>>  Hello,
>>
>> We were running samba-3.4.5 with fake-kaserver compiled in to overlay
>> it on top of AFS.
>>
>> With the new security announcement, I've been trying to upgrade to
>> 3.5.5 and have run into a problem.
>>
>> If a user tries to go to the [homes] share, which uses the passwd
>> file to take them to their home directory within the AFS tree
>> (doesn't matter the client, we've tried from Mac and Windows) the
>> connection fails, and the logs indicate "canonicalize_connect_path
>> failed for service username".
>>
>> However, if the user first goes to the [afs-home] share, which
>> doesn't require AFS tokens to view, they can drill down to their home
>> directory and it will function normally.  In fact, if at this point
>> the user disconnects Samba and then comes back with a new connection
>> to their own homedir on [homes], it will work.
>>
>> It seems to me that something's changed between versions, that
>> directory permissions are now being checked *before* the token is
>> generated.  Since it worked in 3.4.5 with the same smb.conf and same
>> samba.spec options, I think it must have been a recent code change,
>> possibly even something in the security patches.
>>
>> Any help would be appreciated!
>>
>> Chris
>> -- 
>> Chris Garrison
>> Indiana University
>> Research Computing Storage
>> ecgarris at iupui.edu
>


