[Samba] Confusing behavior of hosts allow/hosts deny in Samba 3.0.28/3.2.4
Eric Boehm
boehm at nortel.com
Tue Nov 4 15:43:35 GMT 2008
I saw some unexpected behavior in the interaction of hosts allow and
hosts deny on Samba 3.0.28. I built Samba 3.2.4 just to be sure it
wasn't something that had been fixed. I saw the same behavior.
I'm not sure if it is a bug or a failure on my part to
understand the documentation or misleading documentation.
If I have a share defined as

    [export]
        comment = exported storage
        path = /export
    #   admin users = boehm
        hosts allow = boehm-1
        hosts deny = boehm-3
        oplocks = no
        level2 oplocks = no
        guest ok = no
        create mask = 0775
        directory mask = 0775
        map archive = no
        writeable = yes

Then host boehm-1 has access and boehm-3 is denied access. The odd
part is that every other host now has access as well (e.g., boehm-2).

Now, if I had only hosts allow and no hosts deny, only host boehm-1
would have access.

        hosts allow = boehm-1
    #   hosts deny = boehm-3

The confusing part, to me, was that adding hosts deny for a single
host suddenly opened up the share to every host that wasn't in
hosts deny, regardless of whether they were in hosts allow.

The man page for smb.conf has an example for both hosts allow and
hosts deny:

    Example 4: allow only hosts in NIS netgroup "foonet",
    but deny access from one particular host

        hosts allow = @foonet
        hosts deny = pirate

    Note that access still requires suitable user-level
    passwords.

    See testparm(1) for a way of testing your host access to
    see if it does what you expect.

This doesn't mention that every host but pirate will have access, not
just those in @foonet.
I see this as a bug but I wonder if I am missing something.
--
Eric M. Boehm /"\ ASCII Ribbon Campaign
boehm at nortel.com \ / No HTML or RTF in mail
X No proprietary word-processing
Respect Open Standards / \ files in mail
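
The behaviour reported in the message above, as an added example that is not part of the original post and is not Samba's own code: a small model of how the two lists combine, run against the three host names from the post. Assumptions: names are matched exactly (no netgroups, subnets or EXCEPT), the ALL keyword matches every host, and the function names are hypothetical.

```python
# Added illustration: a simplified model of hosts allow / hosts deny
# evaluation that reproduces the behaviour reported in the post.
# Assumption: matching is reduced to exact host names plus the ALL keyword.

def _matches(host_list, client):
    """True if client is named in the list or the list contains ALL."""
    return any(tok == "ALL" or tok.lower() == client.lower()
               for tok in host_list)

def allow_access(hosts_allow, hosts_deny, client):
    """Decide access for client; an empty list means the option is unset."""
    if not hosts_allow and not hosts_deny:
        return True                              # nothing configured: open
    if not hosts_deny:
        return _matches(hosts_allow, client)     # allow only: listed hosts only
    if not hosts_allow:
        return not _matches(hosts_deny, client)  # deny only: all but listed
    if _matches(hosts_allow, client):
        return True                              # both set: allow list wins
    if _matches(hosts_deny, client):
        return False                             # both set: denied by name
    return True                                  # both set, in neither list

def audit(hosts_allow, hosts_deny, probes):
    """Map each probe host name to the access decision it would get."""
    return {h: allow_access(hosts_allow, hosts_deny, h) for h in probes}

PROBES = ["boehm-1", "boehm-2", "boehm-3"]       # host names from the post

if __name__ == "__main__":
    cases = {
        "allow only":            (["boehm-1"], []),
        "allow + deny one host": (["boehm-1"], ["boehm-3"]),
        "allow + deny ALL":      (["boehm-1"], ["ALL"]),
    }
    for label, (allow, deny) in cases.items():
        print(f"{label:24} {audit(allow, deny, PROBES)}")
```

In this model the last case, hosts deny = ALL alongside the allow list, restores the allow-only result while keeping an explicit deny line in the share definition.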