[Samba] Confusing behavior of hosts allow/hosts deny in Samba 3.0.28/3.2.4

Eric Boehm boehm at nortel.com
Tue Nov 4 15:43:35 GMT 2008

I saw some unexpected behavior in the interaction of hosts allow and
hosts deny on Samba 3.0.28. I built Samba 3.2.4 just to be sure it
wasn't something that had been fixed. I saw the same behavior.

I'm not sure if it is a bug or a failure on my part to
understand the documentation or misleading documentation.

If I have a share defined as

        comment         = exported storage
        path            = /export
        # admin users   = boehm
        hosts allow     = boehm-1
        hosts deny      = boehm-3
        oplocks         = no
        level2 oplocks  = no
        guest ok        = no
        create mask     = 0775
        directory mask  = 0775
        map archive     = no
        writeable       = yes

Then host boehm-1 has access and boehm-3 is denied access. The odd
part is that every other host now has access as well (e.g., boehm-2)

Now, if I had only hosts allow and no hosts deny, only host boehm-1
would have access.

         hosts allow    = boehm-1
         # hosts deny   = boehm-3

The confusing part, to me, was that adding hosts deny for a single
host suddenly opened up the share to every host that wasn't in
hosts deny, regardless as to whether they were in hosts allow.

The man page for smb.conf has an example for both hosts allows and
hosts deny

         Example 4: allow only hosts in NIS netgroup "foonet",
         but deny access from one particular host

         hosts allow = @foonet

         hosts deny = pirate

         Note Note that access still requires suitable user-level

         See testparm(1) for a way of testing your host access to
         see if it does what you expect.

This doesn't mention that every host but pirate will have access, not
just those in @foonet.

I see this as a bug but I wonder if I am missing something.

Eric M. Boehm                  /"\  ASCII Ribbon Campaign
boehm at nortel.com               \ /  No HTML or RTF in mail
                                X   No proprietary word-processing
Respect Open Standards         / \  files in mail

More information about the samba mailing list