Bug 7817 - "force group" broken
"force group" broken
Product: Samba 3.5
Classification: Unclassified
Component: File services
Other Linux
: P3 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2010-11-24 11:02 UTC by Volker Lendecke
Modified: 2010-11-28 12:54 UTC (History)
0 users

See Also:

Patch for 3.5 (2.60 KB, patch)
2010-11-24 11:03 UTC, Volker Lendecke
jra: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Volker Lendecke 2010-11-24 11:02:21 UTC
Set "force group = <somegroup>" together with "guest ok =
yes". Then try "smbclient //server/share -U%". Works. Then try to connect to
the same share from Windows 2003 using an anonymous connection. Breaks with

make_connection: connection to share denied due to security descriptor

although the share_info.tdb is empty. I've seen reports of this on the lists,
but I could never ever nail it until a customer gave me access to such a box.

What happens? With an empty share_info.tdb we create a security descriptor
allow everything to the world. The problem with the above parameter combination
is that S-1-1-0 (World) is lost in the token. When you look at the callers of
create_local_token, they are only called if the preceding check_ntlm_password
did not create server_info->ptok. Not so with the one in auth_ntlmssp.c. So, if
we get a NTLMSSP session setup with user="", domain="", pass="" we call
create_local_token even though check_guest_security() via
make_server_info_guest() has already correctly done so. In this case
create_local_token puts S-1-1-0 into user_sids[1], which is supposed to be the
primary group sid of the user logging in. "force group" then overwrites this ->
the world is gone -> "denied due to security descriptor".

Why don't you see it with smbclient -U% (anonymous connection)? smbclient does
not use ntlmssp for anon session setup.
Comment 1 Volker Lendecke 2010-11-24 11:03:34 UTC
Created attachment 6084 [details]
Patch for 3.5

Jeremy, I know you already acked this on the lists. To follow procedures, can you give your + here as well?


Comment 2 Jeremy Allison 2010-11-24 12:17:42 UTC
Comment on attachment 6084 [details]
Patch for 3.5

Looks good to me.
Comment 3 Jeremy Allison 2010-11-24 12:18:03 UTC
Reassigning to Karolin for inclusion in 3.5.7.
Comment 4 Karolin Seeger 2010-11-28 12:54:08 UTC
Pushed to v3-5-test.
Closing out bug report.