public services and security = server

m.forster at ic.ac.uk
Wed Oct 15 16:09:01 GMT 1997


I have a question regarding the functionality of public shares under
different security modes.

Using 1.9.17p2 (but also under earlier releases) compiled with the
default GUEST_SESSSETUP = 0 (in local.h), I have found the accessibility
of public samba services (public = yes in smb.conf) changes when
switching from share mode security (security = share) to user mode, or
server mode with an NT4.0 password server (which has its guest account
disabled).   Under share mode, public services were accessible to
unauthenticated or unknown users under the guest account identity.  In
server mode, users unknown to the password server and samba server are not
granted access to public services.

We are in the process of moving all our samba installations to server
mode security and the effect on public services may create problems for
some people.  How can the old behaviour for public services be retained?
Presumably building with GUEST_SESSSETUP = 1 or 2, but is that
equivalent or does it introduce additional security concerns?  Is
GUEST_SESSSETUP other than 0 widely used?

I'm assuming that the behaviour seen is intended.  In case it's not and
is due to a configuration or other error I've appended some debug output
(hostnames and ip addresses removed) showing the sequence of events when
an unknown user (uuu) is refused access to a public service that he is
able to access with guest privileges when samba is running in share mode.
The samba guest user is "samba".

Many thanks in advance for any information on this issue.


  Mark Forster.

       ( m.forster at ic.ac.uk )


Centre for Computing Services,  Mech. Eng. Building,  Imperial College,
Exhibition Road,  London SW7 2BX,  United Kingdom.  Phone (+44) 0171-594 6918


########################################################################
got session
password server OK
using password server validation
Selected protocol NT LM 0.12
10/15/97 10:28:19 Transaction 2 of length 135
switch message SMBsesssetupX (pid 6346)
Domain=[]  NativeOS=[Windows NT 1381] NativeLanMan=[]
sesssetupX:name=[]
samba is in 1 groups
75 
uid 75 registered to name samba
Clearing default real name
 Client requested max send size of 61440
Chained message
switch message SMBtconX (pid 6346)
Got device type ?????
Allowed connection from xxx to IPC$
ACCEPTED: guest account and guest ok
found free connection number 68
Connect path is /tmp
chdir to /tmp
chdir to /
10/15/97 10:28:20 xxx (xxx.xxx.xxx.xxx) connect to service IPC$ as user samba (uid=75,gid=75) (pid 6346)
10/15/97 10:28:20 tconX service=ipc$ user=samba cnum=68
10/15/97 10:28:20 Transaction 3 of length 192
switch message SMBsesssetupX (pid 6346)
Domain=[XXX]  NativeOS=[Windows NT 1381] NativeLanMan=[]
sesssetupX:name=[uuu]
password server ppp rejected the password
Checking password for user uuu (l=24)
Couldn't find user uuu
10/15/97 10:28:23 error packet at line 528 cmd=115 (SMBsesssetupX) eclass=2 ecode=2
error string = No such file or directory
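
An added example, not part of the original post and not Samba code: a small Python parser that pairs each session setup in smbd debug output of the kind shown above with its outcome, so a refused logon for an unknown user stands out from the accepted null session. The sample lines are abridged from the log in the post; the function name and result fields are hypothetical.

```python
import re

# Sample lines abridged from the smbd debug output quoted in the post above.
# summarise() and its result fields are hypothetical names for this example.
SAMPLE_LOG = """\
switch message SMBsesssetupX (pid 6346)
sesssetupX:name=[]
uid 75 registered to name samba
switch message SMBtconX (pid 6346)
ACCEPTED: guest account and guest ok
10/15/97 10:28:20 xxx (xxx.xxx.xxx.xxx) connect to service IPC$ as user samba (uid=75,gid=75) (pid 6346)
switch message SMBsesssetupX (pid 6346)
sesssetupX:name=[uuu]
password server ppp rejected the password
Couldn't find user uuu
10/15/97 10:28:23 error packet at line 528 cmd=115 (SMBsesssetupX) eclass=2 ecode=2
"""

NAME = re.compile(r"sesssetupX:name=\[(.*?)\]")
REGISTERED = re.compile(r"uid (\d+) registered to name (\S+)")
ERROR = re.compile(r"error packet .*\(SMBsesssetupX\) eclass=(\d+) ecode=(\d+)")
CONNECT = re.compile(r"connect to service (\S+) as user (\S+)")

def summarise(log):
    """Return (session_setups, tree_connects) parsed from smbd debug text."""
    setups, connects, cur = [], [], None
    for line in log.splitlines():
        if "switch message SMBsesssetupX" in line:
            cur = {"name": None, "result": "unknown", "reasons": []}
            setups.append(cur)
        elif "switch message" in line:
            cur = None  # another SMB command: stop attributing lines to the setup
        elif cur is not None:
            if m := NAME.search(line):
                cur["name"] = m.group(1)  # empty string means a null session
            elif m := REGISTERED.search(line):
                cur["result"] = "accepted as " + m.group(2)
            elif m := ERROR.search(line):
                cur["result"] = f"refused eclass={m.group(1)} ecode={m.group(2)}"
            elif "rejected the password" in line or "Couldn't find user" in line:
                cur["reasons"].append(line.strip())
        if m := CONNECT.search(line):
            connects.append((m.group(1), m.group(2)))  # (service, unix user)
    return setups, connects

if __name__ == "__main__":
    for setup in summarise(SAMPLE_LOG)[0]:
        print(setup)
```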

