Situational Deadlock in Samba 3.0.1
Esh, Andrew
Andrew_Esh at adaptec.com
Tue Jan 27 20:03:39 GMT 2004
I think I may have found the problem. I had always thought a specific user was being used in the test that was failing, but some operations are done anonymously. I noticed that the user being rejected is being registered as a guest:
[2004/01/27 13:46:24, 10, pid=28927, effective(0, 0), real(0, 0)] smbd/password.c:register_vuid(216)
register_vuid: (99,99) nobody golem R2C2N131 guest=1
... and I have "guest ok" set GLOBALLY in smb.conf. The share being mapped does not have a "guest ok" setting.
And I also noticed that in smbd/uid.c, change_to_user and check_user_ok conspire to deny access to this user. There doesn't seem to be a check to allow a guest user to access a "guest ok" share. I added this to the top of check_user_ok:
if ( vuser->guest && GUEST_OK(conn->service) ) {
DEBUG(10,("check_user_ok: Guest user OK\n"));
return(True);
}
... and now I see my user being allowed access on that basis:
[2004/01/27 13:45:56, 3, pid=28766, effective(0, 0), real(0, 0)] smbd/process.c:switch_message(685)
switch message SMBtrans2 (pid 28766)
[2004/01/27 13:45:56, 10, pid=28766, effective(0, 0), real(0, 0)] smbd/uid.c:check_user_ok(66)
check_user_ok: Guest user OK
My question is: Is this an obvious omission? Have I opened security to the point of humor? It seems like the right thing to do, based on the doc for "guest ok".
---
Andrew C. Esh mail:Andrew_Esh[at]adaptec.com
Adaptec, Inc.
2905 Northwest Blvd., Suite 20 763-557-9005 (main)
Plymouth, MN 55441-2644 USA 763-551-6418 (direct)
More information about the samba-technical
mailing list