[PATCH] Fix bug #9746 - guest ok + force user + force group doesn't work

Jeremy Allison jra at samba.org
Wed Apr 3 16:57:51 MDT 2013

On Thu, Apr 04, 2013 at 09:06:46AM +1100, Andrew Bartlett wrote:
> If authentication/authorization code isn't obviously correct to me, then
> I stand by it not being obviously correct.  If it is un-obviously
> correct, then we need clarifications and comments so it becomes so.  
> The ordering in make_connection_snum() is subtle, and while we check the
> 'guest ok' smb.conf parameter first-up, the check against the share ACL
> is currently after the force user/group stuff, and this change. 
> >From here, I would like to understand where we use the is_guest flag for
> the (reasonable to assume, and clearly the basis for which you claim
> this is obviously correct) task of substituting in the guest token, and
> therefore not the named user.  I can't see that code in my master tree.
> To be clear, I'm not worried about fixing the uid/gid the account
> becomes, I'm worried about the other implications of dropping the guest
> bit (and so adding the authenticated users SID to an un-authenticated
> user). 
> I hope this explains my fears better, so we can work out a way to fix
> this and alleviate them.

Been working with Andrew on IRC, and he's suggested a better
way to fix this and uploaded to the bug report, so I'm withdrawing
this patch :-).



More information about the samba-technical mailing list