Bug 15058 - Bug in the handling of "hosts allow" parameter wrt LOCAL/unixdom socket
Summary: Bug in the handling of "hosts allow" parameter wrt LOCAL/unixdom socket
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: 4.16.1
Hardware: All, OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-02 15:30 UTC by Denis Cardon
Modified: 2022-06-09 21:57 UTC (History)

See Also:


Attachments

Description Denis Cardon 2022-05-02 15:30:15 UTC
On an AD server, the "hosts allow" parameter has an unexpected behavior. It seems that it also applies to the local unix socket, and if one does not add LOCAL/unixdom to the allow list, MS-RPC (RSAT ADUC, etc.) does not work.

For example, the following line makes ADUC NOT behave properly:
hosts allow = 192.168.201. 192.168.202. 127. localhost 

Adding LOCAL/unixdom makes it work:
hosts allow =  192.168.201. 192.168.202. 127. localhost LOCAL/unixdom 

Using the hosts allow line without the LOCAL/unixdom entry, one gets this kind of error in the samba log:

[2022/05/02 17:08:37.619702,  0] ../../lib/util/access.c:316(allow_access)
  Denied connection from LOCAL/unixdom (LOCAL/unixdom)

There are a few posts about this issue in the past:
https://lists.samba.org/archive/samba/2017-July/209752.html
https://lists.samba.org/archive/samba/2013-April/172870.html
https://groups.google.com/g/mailing.unix.samba/c/RMpZvipfZPE

We seldom use the "hosts allow" parameter, and we bumped into that issue when re-using an existing configuration from a client.
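To make the behavior described above concrete, here is a small Python model of how a "hosts allow" / "hosts deny" decision is taken. It is an added example written for this page, not code from the bug report and not Samba's lib/util/access.c. It assumes (as the quoted log line suggests) that a unix-domain client is presented to the check with both its name and its address set to the string "LOCAL/unixdom", it handles the ALL keyword, dotted prefixes such as "192.168.201.", CIDR networks, literal IP addresses, plain hostnames and the LOCAL/unixdom marker, and it leaves out EXCEPT and Samba's other keywords. BROKEN and FIXED are the two hosts allow lines from the report.

```python
import ipaddress

# Marker used (in this model) as both the name and the address of a client
# that arrived over a unix-domain socket; it is the string in the bug's log line.
UNIXDOM = "LOCAL/unixdom"

# The two "hosts allow" values from the report (constructed test data).
BROKEN = "192.168.201. 192.168.202. 127. localhost"
FIXED = BROKEN + " LOCAL/unixdom"


def parse_host_list(value):
    """Split an smb.conf host list ("hosts allow = a b, c") into tokens."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def token_matches(token, client_name, client_addr):
    """Does one hosts allow/deny token match this client? (simplified model)"""
    if token.upper() == "ALL":
        return True
    if token == UNIXDOM:
        # Only the literal marker can match a unix-domain client.
        return client_addr == UNIXDOM
    if client_addr == UNIXDOM:
        # A unix-domain client has no IP address, so prefixes, CIDR ranges,
        # literal IPs and names such as "localhost" cannot match it.
        return False
    if token.endswith("."):
        # Dotted prefix such as "192.168.201." or "127."
        return client_addr.startswith(token)
    if "/" in token:
        # Network in CIDR form, e.g. "192.168.201.0/24"
        try:
            net = ipaddress.ip_network(token, strict=False)
            return ipaddress.ip_address(client_addr) in net
        except ValueError:
            return False
    try:
        # Literal IP address
        return ipaddress.ip_address(token) == ipaddress.ip_address(client_addr)
    except ValueError:
        # Otherwise a hostname: compare against the client name, ignoring case
        return token.lower() == client_name.lower()


def allow_access(hosts_allow, hosts_deny, client_name, client_addr):
    """Decision order used here: a hosts allow hit wins, then a hosts deny hit
    denies, a non-empty hosts allow with no hit denies, otherwise allow."""
    allow = parse_host_list(hosts_allow)
    deny = parse_host_list(hosts_deny)
    if any(token_matches(t, client_name, client_addr) for t in allow):
        return True
    if any(token_matches(t, client_name, client_addr) for t in deny):
        return False
    return not allow


def explain(hosts_allow, client_name, client_addr):
    """Return 'allowed' or a denial line in the same shape as Samba's log message."""
    if allow_access(hosts_allow, "", client_name, client_addr):
        return "allowed"
    return f"Denied connection from {client_name} ({client_addr})"


if __name__ == "__main__":
    # Constructed clients: the unix socket, loopback, a LAN host, an outsider.
    clients = ((UNIXDOM, UNIXDOM), ("localhost", "127.0.0.1"),
               ("pc1", "192.168.201.55"), ("pc2", "10.0.0.5"))
    for label, hosts_allow in (("without LOCAL/unixdom", BROKEN),
                               ("with LOCAL/unixdom", FIXED)):
        print(f"hosts allow = {hosts_allow}   [{label}]")
        for name, addr in clients:
            print(f"  {name:14} {addr:16} -> {explain(hosts_allow, name, addr)}")
```

Running it shows why the "127." and "localhost" entries do not help: the unix-domain client carries no IP address, so nothing in an address- or name-based list can match it, and a non-empty hosts allow then falls through to denial. The same model shows that with hosts allow left unset the unix-domain client is accepted, which is the behaviour the report says most installations rely on without noticing.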
Comment 1 Denis Cardon 2022-05-04 14:24:58 UTC
This might warrant another bug entry, but FWIW the "hosts allow" parameter seems not to apply to internal DNS queries, i.e. a client computer can make DNS queries to the internal DNS server even if it is not in the "hosts allow" list.
Comment 2 Jeremy Allison 2022-06-09 21:57:51 UTC
Question - do you think "LOCAL/unixdom" should be implicitly added here to hosts allow processing ? I'd like your opinion on what you think the correct fix here should be ?

Thanks !