The Samba-Bugzilla – Bug 7817
"force group" broken
Last modified: 2010-11-28 12:54:08 UTC
Set "force group = <somegroup>" together with "guest ok =
yes". Then try "smbclient //server/share -U%". Works. Then try to connect to
the same share from Windows 2003 using an anonymous connection. Breaks with
make_connection: connection to share denied due to security descriptor
although the share_info.tdb is empty. I've seen reports of this on the lists,
but I could never ever nail it until a customer gave me access to such a box.
What happens? With an empty share_info.tdb we create a security descriptor
allow everything to the world. The problem with the above parameter combination
is that S-1-1-0 (World) is lost in the token. When you look at the callers of
create_local_token, they are only called if the preceding check_ntlm_password
did not create server_info->ptok. Not so with the one in auth_ntlmssp.c. So, if
we get a NTLMSSP session setup with user="", domain="", pass="" we call
create_local_token even though check_guest_security() via
make_server_info_guest() has already correctly done so. In this case
create_local_token puts S-1-1-0 into user_sids, which is supposed to be the
primary group sid of the user logging in. "force group" then overwrites this ->
the world is gone -> "denied due to security descriptor".
Why don't you see it with smbclient -U% (anonymous connection)? smbclient does
not use ntlmssp for anon session setup.
Created attachment 6084 [details]
Patch for 3.5
Jeremy, I know you already acked this on the lists. To follow procedures, can you give your + here as well?
Comment on attachment 6084 [details]
Patch for 3.5
Looks good to me.
Reassigning to Karolin for inclusion in 3.5.7.
Pushed to v3-5-test.
Closing out bug report.