When a client accesses a specific share through the tree connect command, smbd gets the 'hosts allow/hosts deny' list set up for that share, compares the client's hostname with the list, and decides whether to allow or deny the client's connection. For example, for a share with 'hosts allow = Jones-ws22-66', the API share_sanity_checks() should restrict access so that only the client with hostname 'Jones-ws22-66' can enter the share, if the client's hostname matches the list. But so far remote_hostname (rhost) is in IP address format, not hostname format, so there are no matches. Even clients with the expected hostname 'Jones-ws22-66' actually fail to enter the share. 'hosts deny' has a similar issue in the opposite direction.

This patch checks the remote_hostname content in share_sanity_checks(); if remote_hostname (rhost) is still in IP address format, it uses get_remote_machine_name() instead.

Consider a case: allow only a client with hostname 'Jones-ws22-66' to enter the share 'samba', so add 'hosts allow = Jones-ws22-66' under the section '[samba]'. Use 'smbclient' with option '-nJones-ws22-66' to test whether the client with the expected hostname is able to enter the share.

My env is Ubuntu 22.04.4, samba-4.20.4, and my smb.conf is:

[global]
    workgroup = U2204
[samba]
    path = /home/jones/samba
    browsable = yes
    guest ok = yes
    read only = no
    create mask = 0755
    hosts allow = Jones-ws22-66

Before patch:

1. Any hostname is always denied.

# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-ws22-66
tree connect failed: NT_STATUS_ACCESS_DENIED
# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-Deny-Me
tree connect failed: NT_STATUS_ACCESS_DENIED

2. The server log shows two denied entries; 'rhost' is in IP address format.

# cat /usr/local/samba/var/log.smbd
[2024/09/05 16:06:34.970407, 0] ../../lib/util/access.c:372(allow_access)
  Denied connection from 192.168.251.232 (192.168.251.232)
[2024/09/05 16:06:42.891776, 0] ../../lib/util/access.c:372(allow_access)
  Denied connection from 192.168.251.232 (192.168.251.232)

After patch:

1. Only 'Jones-ws22-66' is able to enter the share.

# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-ws22-66
Try "help" to get a list of possible commands.
smb: \> exit
# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-Deny-Me
tree connect failed: NT_STATUS_ACCESS_DENIED

2. The server log shows one denied entry with the hostname specified; this is more understandable than the IP address format.

# cat /usr/local/samba/var/log.smbd
[2024/09/05 16:24:18.345736, 0] ../../lib/util/access.c:372(allow_access)
  Denied connection from jones-deny-me (192.168.251.232)

Patch will follow.
MR: https://gitlab.com/samba-team/samba/-/merge_requests/3789
CI passed: https://gitlab.com/samba-team/devel/samba/-/pipelines/1441235170
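
An added example, not part of the original report or of Samba's code: a Python audit sketch that lists the 'hosts allow' / 'hosts deny' entries in an smb.conf that are written as hostnames rather than addresses. These are the entries the report says never matched while rhost held an IP address, and whose match in the test above follows the name the client passes with smbclient -n. The [samba] share is taken from the report; the [archive] share and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: [samba] is from the report, [archive] is made up for contrast.
SAMPLE_CONF = """\
[samba]
   hosts allow = Jones-ws22-66
[archive]
   hosts allow = 192.168.251.0/24, 127. EXCEPT 192.168.251.9
   hosts deny = ALL
"""

# smb.conf parameter names ignore case and spaces; each has one synonym.
ACCESS_KEYS = {"hostsallow": "hosts allow", "allowhosts": "hosts allow",
               "hostsdeny": "hosts deny", "denyhosts": "hosts deny"}
KEYWORDS = {"ALL", "EXCEPT", "LOCAL"}
PREFIX = re.compile(r"^\d{1,3}(\.\d{1,3}){0,2}\.$")  # e.g. "127." or "150.203."

def classify(token):
    # Returns 'keyword', 'netgroup', 'address' or 'hostname' for one list entry.
    if token.upper() in KEYWORDS:
        return "keyword"
    if token.startswith("@"):
        return "netgroup"
    try:
        if not PREFIX.match(token):
            ipaddress.ip_network(token, strict=False)  # IP, CIDR or ip/netmask
        return "address"
    except ValueError:
        return "hostname"

def hostname_entries(conf_text):
    """List (section, parameter, entry) for every hostname-form access entry."""
    section, found = None, []
    for raw in conf_text.splitlines():  # continuation lines are not handled
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            param = ACCESS_KEYS.get(re.sub(r"\s+", "", key).lower())
            for token in re.split(r"[,\s]+", value.strip()) if param else []:
                if token and classify(token) == "hostname":
                    found.append((section, param, token))
    return found

if __name__ == "__main__":
    print(hostname_entries(SAMPLE_CONF))
```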