Bug 14991 - Can't authenticate as anonymous using empty username/password anymore
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
Version: 4.15.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2022-02-25 21:32 UTC by Sergio Durigan Junior
Modified: 2022-02-26 13:22 UTC

Description Sergio Durigan Junior 2022-02-25 21:32:52 UTC
I am not entirely sure whether this was intentional or not, but I noticed that on Samba 4.15.5 one cannot authenticate anonymously using an empty username/password anymore.

This is easy to reproduce.  Here is an example, using Samba 4.13.14 on Ubuntu:

$ PASSWD="" /usr/bin/smbclient \\\\localhost\\public -U -L
Try "help" to get a list of possible commands.
smb: \> 

Now, with Samba 4.15.5 on Ubuntu:

$ PASSWD="" smbclient \\\\localhost\\test -U -L
Password for [WORKGROUP\-L]:

As you can see, smbclient now will always request the password for the user (which it also cannot guess right).  It works if I just press Enter in the prompt, but this bug came to my attention because backuppc is broken on Samba 4.15.5 since it cannot cope with the password prompt.

Arguably, this could be said to be a bug with backuppc since it should probably be using smbclient's -N option (when the user/password of the samba share are empty) instead of relying on some obscure parsing of an empty user being specified with "-U".  In fact, I will take some time to report a bug with them as well because I think this could be improved on their side.  But as I said, it's not clear to me whether this change of behaviour was intentional or not, and so far it seems like it could be a regression.

I did some research before deciding to file this bug and I found bug 14935, which is about a regression introduced in Samba 4.15.x that broke guest authentication (not anonymous, though).  Not sure if that's related.