[PATCH] Fix bug #9746 - guest ok + force user + force group doesn't work
Jeremy Allison
jra at samba.org
Wed Apr 3 16:57:51 MDT 2013
On Thu, Apr 04, 2013 at 09:06:46AM +1100, Andrew Bartlett wrote:
>
> If authentication/authorization code isn't obviously correct to me, then
> I stand by it not being obviously correct. If it is un-obviously
> correct, then we need clarifications and comments so it becomes so.
>
> The ordering in make_connection_snum() is subtle, and while we check the
> 'guest ok' smb.conf parameter first-up, the check against the share ACL
> is currently after the force user/group stuff, and this change.
>
> >From here, I would like to understand where we use the is_guest flag for
> the (reasonable to assume, and clearly the basis for which you claim
> this is obviously correct) task of substituting in the guest token, and
> therefore not the named user. I can't see that code in my master tree.
>
> To be clear, I'm not worried about fixing the uid/gid the account
> becomes, I'm worried about the other implications of dropping the guest
> bit (and so adding the authenticated users SID to an un-authenticated
> user).
>
> I hope this explains my fears better, so we can work out a way to fix
> this and alleviate them.
Been working with Andrew on IRC, and he's suggested a better
way to fix this and uploaded to the bug report, so I'm withdrawing
this patch :-).
Cheers,
Jeremy.
More information about the samba-technical
mailing list