[Samba] login on homes share despite available = no
Walter Haidinger
walter.haidinger at gmx.at
Thu Aug 21 08:01:42 GMT 2003
Hi!
Today I found that a user can successfully log in to a homes share even though
that share should be disabled.
To quote smb.conf(1):
available (S)
    This parameter lets you "turn off" a service. If available = no,
    then ALL attempts to connect to the service will fail. Such
    failures are logged.
However, see the following:
% walter at qdevel2:/home/walter> smbclient //qdevel1/armin -U quadprg
added interface ip=158.226.155.221 bcast=158.226.255.255 nmask=255.255.0.0
Password: <entered the valid password>
Domain=[A_18] OS=[Unix] Server=[Samba 2.2.8a]
smb: \> dir
. D 0 Thu Aug 21 09:10:26 2003
.. D 0 Fri Aug 8 09:14:20 2003
.tcshrc A 988 Fri Aug 8 09:16:12 2003
.history 29275 Thu Aug 21 07:25:02 2003
[--cut--]
35310 blocks of size 65536. 28703 blocks available
smb: \>
How is this possible? Login should be denied because of available = no!
I'm running Samba 2.2.8a under Solaris 2.6.
There is no distinct share 'armin', just a (supposedly disabled) homes
entry:
> testparm
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[homes]"
NOTE: Service homes is flagged unavailable.
...
Loaded services file OK.
Press enter to see a dump of your service definitions
[homes]
comment = User Home Directory
path = /home/%S
valid users = %S
write list = %S
read only = No
hosts allow = 158.226.155. 158.226.183.
hide dot files = No
browseable = No
available = No
^^^^^^^^^^^^^^
User 'quadprg' is mapped to the real user armin:
> grep quadprg /usr/local/samba/lib/users.map
armin = quadprg atw15cv1
which exists in /etc/passwd:
> egrep '(armin|quadprg)' /etc/passwd
armin:x:318:100::/home/armin:/usr/local/bin/tcsh
There is _no_ reference to a share or user armin in smb.conf:
> egrep '(armin|quadprg)' /usr/local/samba/lib/smb.conf
>
Please note that user authentication is done by a M$ PDC and
security = domain.
Here are relevant lines from the samba logs (debug level = 3).
The complete logfile is attached.
[2003/08/21 09:35:37, 3] lib/username.c:map_username(168)
Mapped user QUADPRG to armin
[2003/08/21 09:35:46, 3] lib/util_sock.c:open_socket_out(845)
Connecting to 158.226.185.35 at port 139
[2003/08/21 09:35:46, 3] param/loadparm.c:lp_add_home(1987)
adding home directory armin at /home/armin
[2003/08/21 09:35:46, 3] smbd/uid.c:fetch_sid_from_gid_cache(667)
fetch sid from gid cache 50031 -> S-1-5-21-...
[2003/08/21 09:35:46, 3] smbd/password.c:register_vuid(336)
uid 318 registered to name armin
[2003/08/21 09:35:46, 3] smbd/password.c:register_vuid(338)
Clearing default real name
[2003/08/21 09:35:46, 3] smbd/password.c:register_vuid(340)
User name: armin Real name:
[2003/08/21 09:35:46, 3] lib/access.c:check_access(318)
check_access: no hostnames in host allow/deny list.
[2003/08/21 09:35:46, 2] lib/access.c:check_access(329)
Allowed connection from (158.226.155.221)
[2003/08/21 09:35:46, 3] smbd/password.c:authorise_login(736)
authorise_login: ACCEPTED: validated uid ok as non-guest (user=armin)
[2003/08/21 09:35:46, 3] smbd/service.c:make_connection(487)
Connect path is /home/armin
[2003/08/21 09:35:46, 3] smbd/uid.c:fetch_sid_from_uid_cache(591)
fetch sid from uid cache 318 -> S-1-5-21-...
[2003/08/21 09:35:46, 3] smbd/uid.c:fetch_sid_from_gid_cache(667)
fetch sid from gid cache 100 -> S-1-5-21-...
[2003/08/21 09:35:46, 3] lib/util_seaccess.c:se_access_check(269)
se_access_check: user sid is S-1-5-21-...
[2003/08/21 09:35:46, 3] smbd/vfs.c:vfs_ChDir(574)
vfs_ChDir to /home/armin
[2003/08/21 09:35:46, 1] smbd/service.c:make_connection(636)
atws17vc (158.226.155.221) connect to service armin as user armin (uid=318, gid=100) (pid 3915)
I am puzzled because I always thought that it is sufficient to add
available = no to disable a service (according to the manpage)!
Apparently this is not true! Simple question: why?
Please tell me if you need any additional information!
Any comments are welcome!
Regards, Walter
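
One way to spot the behaviour reported above from the same two sources the post uses, the testparm dump and the smbd log. This is an added example, not part of the original message: the function names are hypothetical, and the log layout is assumed to match the excerpt (debug level 3, so that the lp_add_home record is present). The sample input is copied from the post.

```python
import re

# A record is "[timestamp, level] file:function(line)" plus its message lines.
RECORD = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s*(.*?)(?=\n\[\d{4}/|\Z)", re.S)
ADD_HOME = re.compile(r":lp_add_home\(\d+\) adding home directory (\S+) at (\S+)")
CONNECT = re.compile(
    r":make_connection\(\d+\) \S+ \(([\d.]+)\) connect to service (\S+) as user (\S+)")
UNAVAILABLE = re.compile(r"available\s*=\s*(no|false|0)", re.I)

def homes_flagged_unavailable(testparm_dump):
    """True if the [homes] section of a testparm dump says available = No."""
    section = None
    for line in testparm_dump.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "homes" and UNAVAILABLE.fullmatch(line):
            return True
    return False

def home_share_connections(smbd_log):
    """Connections to services that smbd added on the fly via lp_add_home."""
    home_paths, hits = {}, []
    for when, body in RECORD.findall(smbd_log):
        body = " ".join(body.split())  # undo line wrapping inside one record
        if m := ADD_HOME.search(body):
            home_paths[m.group(1)] = m.group(2)
        elif (m := CONNECT.search(body)) and m.group(2) in home_paths:
            hits.append({"time": when, "client": m.group(1), "service": m.group(2),
                         "user": m.group(3), "path": home_paths[m.group(2)]})
    return hits

def audit(testparm_dump, smbd_log):
    """Report home-share connections only when [homes] is flagged unavailable."""
    return home_share_connections(smbd_log) if homes_flagged_unavailable(testparm_dump) else []

# Sample input: lines copied from the testparm dump and log excerpt in the post.
TESTPARM = "[homes]\n\tpath = /home/%S\n\tavailable = No\n"
LOG = """[2003/08/21 09:35:46, 3] param/loadparm.c:lp_add_home(1987)
  adding home directory armin at /home/armin
[2003/08/21 09:35:46, 1] smbd/service.c:make_connection(636)
  atws17vc (158.226.155.221) connect to service armin as user armin
  (uid=318, gid=100) (pid 3915)
"""

if __name__ == "__main__":
    print(audit(TESTPARM, LOG))
```

Any entry returned by audit() is a completed connection to a per-user home service while [homes] itself is marked unavailable, which is the mismatch the post describes.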