Product: Samba 4.1+
Component: File services
Version: 4.13.13-4.20.1
OS: Debian Linux x86_64

While enumerating shares by opening smb://[server], sometimes additional homes shares, from users differing from the authenticated user, are listed.

The [homes] section is configured with `browseable = no` and `valid users = %S`, and the user homes have permissions 700. Setting `access based share enum = True` was also tested and made no difference.

The Samba version we are running is from the Debian repos; this was tested with 4.13.13, 4.17.12 and 4.20.1 (from Debian oldstable, stable and testing).

# Reproducing the issue:

Trying to open a homes share as user foo (uid 1000) belonging to another user (e.g. bar, 1001) from win10, this results in:

> [2024/06/03 16:32:28.474511, 1, pid=16163, effective(0, 0), real(0, 0)] source3/smbd/smb2_service.c:337(create_connection_session_info)
>   create_connection_session_info: user 'foo' (from session setup) not permitted to access this share (bar)
> [2024/06/03 16:32:28.474572, 1, pid=16163, effective(0, 0), real(0, 0)] source3/smbd/smb2_service.c:519(make_connection_snum)
>   make_connection_snum: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

As expected.

Afterwards, listing all shares on the Samba host from another client (tested with: Debian, win10, macOS) with any user will include the extraneous home dir accessed above (bar).

> foo@client:~$ smbclient -U foo --list //server/
> Password for [WORKGROUP\foo]:
>
>     Sharename       Type      Comment
>     ---------       ----      -------
>     IPC$            IPC       IPC Service (Samba 4.20.1-Debian)
>     bar             Disk      Home Directories
>     foo             Disk      Home Directories

From the logs, the call listing the extra home looks like this:

> [2024/06/03 16:32:33.448028, 8, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1524(add_a_service)
>   add_a_service: Creating snum = 1 for IPC$
> [2024/06/03 16:32:33.448063, 10, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1574(hash_a_service)
>   hash_a_service: hashing index 1 for service name IPC$
> [2024/06/03 16:32:33.448098, 3, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1686(lp_add_ipc)
>   adding IPC service
> [2024/06/03 16:32:33.448289, 1, pid=16175, effective(0, 0), real(0, 0)] source3/printing/printer_list.c:244(printer_list_get_last_refresh)
>   Failed to fetch record!
> [2024/06/03 16:32:33.448327, 1, pid=16175, effective(0, 0), real(0, 0)] source3/smbd/server_reload.c:73(delete_and_reload_printers)
>   pcap cache not loaded
> [2024/06/03 16:32:33.448432, 8, pid=16175, effective(0, 0), real(0, 0)] source3/param/service.c:56(load_registry_shares)
>   load_registry_shares()
> [2024/06/03 16:32:33.448474, 7, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:4359(lp_servicenumber)
>   lp_servicenumber: couldn't find foo
> [2024/06/03 16:32:33.448509, 7, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:4359(lp_servicenumber)
>   lp_servicenumber: couldn't find foo
> [2024/06/03 16:32:33.448542, 5, pid=16175, effective(0, 0), real(0, 0)] source3/lib/username.c:182(Get_Pwnam_alloc)
>   Finding user foo
> [2024/06/03 16:32:33.448574, 5, pid=16175, effective(0, 0), real(0, 0)] source3/lib/username.c:121(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as lowercase is foo
> [2024/06/03 16:32:33.448655, 5, pid=16175, effective(0, 0), real(0, 0)] source3/lib/username.c:159(Get_Pwnam_internals)
>   Get_Pwnam_internals did find user [foo]!
> [2024/06/03 16:32:33.448691, 3, pid=16175, effective(0, 0), real(0, 0)] source3/smbd/password.c:84(register_homes_share)
>   Adding homes service for user 'foo' using home directory: '/home/foo'
> [2024/06/03 16:32:33.448738, 8, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1524(add_a_service)
>   add_a_service: Creating snum = 3 for foo
> [2024/06/03 16:32:33.448773, 10, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1574(hash_a_service)
>   hash_a_service: hashing index 3 for service name foo
> [2024/06/03 16:32:33.448809, 3, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1636(lp_add_home)
>   adding home's share [foo] for user 'foo' at '/home/foo'
> [2024/06/03 16:32:33.448867, 4, pid=16175, effective(1000, 1000), real(1000, 0)] source3/smbd/sec_ctx.c:443(pop_sec_ctx)
>   pop_sec_ctx (1000, 1000) - sec_ctx_stack_ndx = 1
> [2024/06/03 16:32:33.448908, 10, pid=16175, effective(1000, 1000), real(1000, 0), class=rpc_srv] source3/rpc_server/srvsvc/srv_srvsvc_nt.c:683(init_srv_share_info_ctr)
>   NOT counting service homes
> [2024/06/03 16:32:33.450657, 10, pid=16175, effective(1000, 1000), real(1000, 0), class=rpc_srv] source3/rpc_server/srvsvc/srv_srvsvc_nt.c:678(init_srv_share_info_ctr)
>   counting service IPC$
> [2024/06/03 16:32:33.450696, 10, pid=16175, effective(1000, 1000), real(1000, 0), class=rpc_srv] source3/rpc_server/srvsvc/srv_srvsvc_nt.c:678(init_srv_share_info_ctr)
>   counting service bar
> [2024/06/03 16:32:33.450730, 10, pid=16175, effective(1000, 1000), real(1000, 0), class=rpc_srv] source3/rpc_server/srvsvc/srv_srvsvc_nt.c:678(init_srv_share_info_ctr)
>   counting service foo
> [2024/06/03 16:32:33.450775, 5, pid=16175, effective(1000, 1000), real(1000, 0)] source3/param/loadparm.c:1433(free_service)
>   free_service: Freeing service foo
> [2024/06/03 16:32:33.450815, 5, pid=16175, effective(1000, 1000), real(1000, 0), class=rpc_srv] source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1746(_srvsvc_NetShareEnumAll)
>   _srvsvc_NetShareEnumAll: 1746
> [2024/06/03 16:32:33.450893, 4, pid=16175, effective(0, 0), real(0, 0)] source3/smbd/sec_ctx.c:443(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2024/06/03 16:32:33.450933, 1, pid=16175, effective(0, 0), real(0, 0), class=rpc_parse] librpc/ndr/ndr.c:493(ndr_print_function_debug)
>   srvsvc_NetShareEnumAll: struct srvsvc_NetShareEnumAll
>     out: struct srvsvc_NetShareEnumAll
>       info_ctr : *
>         info_ctr: struct srvsvc_NetShareInfoCtr
>           level : 0x00000001 (1)
>           ctr : union srvsvc_NetShareCtr(case 1)
>           ctr1 : *
>             ctr1: struct srvsvc_NetShareCtr1
>               count : 0x00000003 (3)
>               array : *
>                 array: ARRAY(3)
>                   array: struct srvsvc_NetShareInfo1
>                     name : *
>                       name : 'IPC$'
>                     type : STYPE_IPC_HIDDEN (0x80000003)
>                     comment : *
>                       comment : 'IPC Service (Samba 4.20.1-Debian)'
>                   array: struct srvsvc_NetShareInfo1
>                     name : *
>                       name : 'bar'
>                     type : STYPE_DISKTREE (0x0)
>                     comment : *
>                       comment : 'Home Directories'
>                   array: struct srvsvc_NetShareInfo1
>                     name : *
>                       name : 'foo'
>                     type : STYPE_DISKTREE (0x0)
>                     comment : *
>                       comment : 'Home Directories'
>       totalentries : *
>         totalentries : 0x00000003 (3)
>       resume_handle : *
>         resume_handle : 0x00000000 (0)
>       result : WERR_OK

From that, it seems like the listing is built as expected: "homes" is not listed, and the checks are run as user 1000 (foo). But bar (uid 1001) is still added to the list and reported.

We originally noticed this issue because a Mac user tried to connect to one of our data servers and found some user shares that were not hers, and we would be more than happy if we could avoid this kind of information disclosure in the future...

The above description is a way to reliably reproduce the issue. We'll happily provide more debugging information. Just tell us what we should look for!
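
A check for the behaviour reported above, as an added example that is not part of the original report or of Samba: it parses `smbclient --list` output and returns any home share that does not belong to the authenticated user. The function names, the constructed sample listing, and the assumption that [homes] shares carry the comment `Home Directories` (as in the listing in the report) are illustrative.

```python
import re

# Assumption: the [homes] section is exported with this comment, as in the report.
HOMES_COMMENT = "Home Directories"

# Constructed sample, modelled on the smbclient listing quoted in the report.
SAMPLE_LISTING = """\
\tSharename       Type      Comment
\t---------       ----      -------
\tIPC$            IPC       IPC Service (Samba 4.20.1-Debian)
\tbar             Disk      Home Directories
\tfoo             Disk      Home Directories
"""

# One table row: share name, share type, free-text comment.
# Limitation: share names containing whitespace are not handled.
ROW = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>Disk|IPC|Printer)\b\s*(?P<comment>.*)$")


def parse_shares(listing):
    """Return (name, type, comment) tuples from `smbclient --list` output."""
    shares = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and prompt lines do not match
            shares.append((m["name"], m["type"], m["comment"].strip()))
    return shares


def foreign_home_shares(listing, auth_user):
    """Home shares visible in the listing that are not auth_user's own."""
    user = auth_user.rsplit("\\", 1)[-1].lower()  # drop a WORKGROUP\ prefix
    return [
        name
        for name, share_type, comment in parse_shares(listing)
        if share_type == "Disk"
        and comment == HOMES_COMMENT
        and name.lower() != user
    ]


if __name__ == "__main__":
    leaked = foreign_home_shares(SAMPLE_LISTING, "WORKGROUP\\foo")
    print("foreign home shares:", leaked or "none")
```

Feeding it the captured output of `smbclient -U foo --list //server/` after the denied connection attempt turns the reproduction steps into a repeatable pass/fail check across Samba versions.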