Bug 8093 - option 'access based share enum' do not work
Summary: option 'access based share enum' do not work
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: File services (show other bugs)
Version: 3.5.8
Hardware: x86 Linux
: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-04-18 09:37 UTC by Semen Soldatov
Modified: 2016-03-14 08:31 UTC (History)
5 users (show)

See Also:


Attachments
my smb.conf (10.35 KB, text/plain)
2011-04-18 09:37 UTC, Semen Soldatov
no flags Details
git-am fix for 4.3.next and 4.4.0 (1.81 KB, patch)
2016-03-03 05:52 UTC, Uri Simchoni
asn: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Semen Soldatov 2011-04-18 09:37:53 UTC
Created attachment 6411 [details]
my smb.conf

i enable this option but this not works/ unauthorized users see the share.

[simplexe@ld-it-04 ~]$ uname -a
Linux ld-it-04 2.6.38-ARCH #1 SMP PREEMPT Sun Apr 17 14:51:34 UTC 2011 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz GenuineIntel GNU/Linux

[simplexe@ld-it-04 ~]$ yaourt -Qi samba
Название              : samba
Версия                : 3.5.8-2

same thing happens on openSUSE 11.4 x64 with Samba 3.5.7.
Comment 1 Guenter Kukkukk 2011-10-02 03:17:26 UTC
Hi Karolin,

i'm wondering why this one has been assigned to you.

Samba users are refering to "access based share enum"
in smb.conf on IRC - they would like to have that feature.

I tried it myself - was not able to get it working.

To whom should this one been re-assigned?

Cheers, Günter
Comment 2 Christian Ambach 2011-10-02 11:18:17 UTC
Looking at the man page, it states:

This has parallels to access based enumeration, the main difference being that only share permissions are evaluated, and security descriptors on files contained on the share are not used in computing enumeration access rights.

So as long as the share security set with sharesec or via MMC has not been changed, it will default to Everyone having FULL access and so the share is listed.

I do not think that using (in)valid users parameter is good enough, you'll have to use sharesec.
Comment 3 Karolin Seeger 2011-10-03 17:45:15 UTC
(In reply to comment #1)
> Hi Karolin,
> 
> i'm wondering why this one has been assigned to you.
> 
> Samba users are refering to "access based share enum"
> in smb.conf on IRC - they would like to have that feature.
> 
> I tried it myself - was not able to get it working.
> 
> To whom should this one been re-assigned?
> 
> Cheers, Günter

Hi Günter,

I think it was originally assigned to me, because the component was not exactly right. I should have re-assigned, sorry.

Cheer,
Karolin
Comment 4 Harald Reindl (disabled account) 2011-11-23 13:41:41 UTC
yes, but why in the world is there no working option to hide shares where the user has no access?

if i use "valid users" i expect that only this user are seeing a share
instead this the log is flooded with access denied messages where nobody treid to acess anything

[2011/11/23 14:38:32.022277,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:32.027907,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:32.028033,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:32.581596,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:32.582673,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:32.590884,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:32.591000,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:32.597813,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:32.597934,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:32.603950,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:32.604054,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:32.610922,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:32.611062,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:32.616332,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:32.616430,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:38.513305,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:38.513408,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:39.490426,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:39.490581,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:39.498209,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:39.498345,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:39.505552,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:39.505683,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:39.511371,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:39.511508,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:39.517436,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:39.517624,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
[2011/11/23 14:38:39.522996,  1] smbd/service.c:777(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2011/11/23 14:38:39.523125,  1] smbd/process.c:456(receive_smb_talloc)
  read_smb_length_return_keepalive failed for client 127.0.0.1 read error = NT_STATUS_END_OF_FILE.
Comment 5 Jeremy Allison 2011-12-21 00:16:59 UTC
Just to be clear - you want the "valid users" and "invalid users" parameters to be taken into account when enumerating shares - yes ?

Jeremy.
Comment 6 Guenter Kukkukk 2012-02-04 05:17:47 UTC
Hi Jeremy,

yes, from time to time there are users/admins on irc #samba
who want to hide browsing info at all related to shares
which they cannot authenticate to at all.

So "valid users" and "invalid users" would be the right
one to limit that info.

Cheers, Günter
Comment 7 Uri Simchoni 2016-03-03 05:52:58 UTC
Created attachment 11890 [details]
git-am fix for 4.3.next and 4.4.0
Comment 8 Uri Simchoni 2016-03-03 19:01:59 UTC
Assigning to Karolin for inclusion in 4.3.next and 4.4.0.
(note commit message - fix is by Alberto Maria Fiaschi <alberto.fiaschi@estar.toscana.it>)
Comment 9 Karolin Seeger 2016-03-04 10:32:04 UTC
Pushed to autobuild-v4-[3|4]-test.
Comment 10 Karolin Seeger 2016-03-14 08:31:18 UTC
(In reply to Karolin Seeger from comment #9)
Pushed to both branches.
Closing out bug report.

Thanks!