Project

General

Profile

Bug #7676

sharesmb guest access workgroup mode broken on latest kernel

Added by Gabriele Bulfon over 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
High
Category:
cifs - CIFS server and client
Start date:
2016-12-18
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:

Description

Looks like any sharesmb with "guestok=true" (workgroup mode) is not giving access to the shares.
While with "guestok=false" and correct authentication against a configured pam/smb user, you get access to shares but only can enter the authenticated one.

Here is a description to reproduce the problem. I also attach a snoop of packets while trying to access the guest shares.

=================

I updated my kernel to latest via fecth/merge on my xstreamos-illumos-gate, then finally built everything and updated my dev machine.
Everything seemed fine. I could also finally create new isos and test fresh new updated installs.
I thought I was ready for a public update.

Then I noticed I could no more access my cifs shares on the updated dev machine.
I had 3 zfs dataset, all with sharesmb "guestok=true", workgroup mode.
All 3 datasets are chmod 777, chown root:root, and I could access them always in my lan before the update.

Now I don't even see the shares, windows clients requests for credentials to access \\mydevserver.
I tried then to enable pam support for smb and created a user, then created a dataset without guestok.
Now I can access \\mydevserver with that user/pass and see the shares but I can only access the new reserved dataset.
Looks like there is a problem only accessing the guestok=true shares.

===================


Files

smb_guest_access_snoop.out (19 KB) smb_guest_access_snoop.out Gabriele Bulfon, 2016-12-18 06:36 PM
smb_typed_guest_access_snoop.out (17.3 KB) smb_typed_guest_access_snoop.out Gabriele Bulfon, 2016-12-19 10:04 PM

History

#1

Updated by Yuri Pankov over 3 years ago

  • Status changed from New to Feedback
  • Assignee set to Gabriele Bulfon
#2

Updated by Gabriele Bulfon over 3 years ago

Yuri Pankov wrote:

Did you check http://wiki.illumos.org/display/illumos/SMB+Guest+access?

Wow, I really thought that was the solution, and I did what is stated, but it still doesn't work :(

sonicle@xstreamdev:~# grep guest /etc/passwd /etc/shadow /var/smb/smbpasswd
/etc/passwd:guest:x:101:1::/home/guest:/bin/sh
/etc/shadow:guest:*LK*:17153::::::
/var/smb/smbpasswd:guest:101::

windows clients still ask for an authentication...also tried svcadm refresh smb/server, no way...

#3

Updated by Gordon Ross over 3 years ago

Your attempt to connect appears to have used your desktop logon credentials.
If you open that trace with wireshark and expand frame 33, you'll see it sent:
PGBULFON\\gabriele.bulfon

After this authentication failure, the client should show you a pop-up dialog
asking if you'd like to try again with different credentials. If you fill that in
with (servername)\guest and click OK, you should get in.

#4

Updated by Gabriele Bulfon over 3 years ago

Gordon Ross wrote:

Your attempt to connect appears to have used your desktop logon credentials.
If you open that trace with wireshark and expand frame 33, you'll see it sent:
PGBULFON\\gabriele.bulfon

After this authentication failure, the client should show you a pop-up dialog
asking if you'd like to try again with different credentials. If you fill that in
with (servername)\guest and click OK, you should get in.

Thanks Gordon, but looks like there is something more...it still doesn't work.
I attach here the snoop output, while I tried typing "guest" and Ok, still requesting auth.
I also find it quite unusual trying to mimic a windows/workgroup environement and requesting a "guest" user logon.
That's not what a windows user expects, and if I want to secure the server, I have plenty of ways, no need to change the workgroup/guest behaviour.
Isn't it?

#5

Updated by Yuri Pankov over 3 years ago

Can we close this one?

#6

Updated by Yuri Pankov about 3 years ago

  • Status changed from Feedback to Closed

Also available in: Atom PDF