We've been attempting to upgrade from Samba 2.0.7 to 2.2.0 in the light of
the recent security issue. However, we found that smb.conf lines of the form

    allow hosts = .dept1.xxx.ac.uk .dept2.xxx.ac.uk

would no longer grant access to systems within these DNS domains (this worked
in 2.0.7 and appears to still be documented for 2.2.0).

After some investigation, I believe that the problem lies with line 269 of
source/lib/access.c. In the absence of a '/' character in the input string,
this simply returns a pointer to the entire string. This is then incorrectly
assumed to be an IP address and hostname-based authentication breaks.

Replacing the strtok() function call with a simple strchr() call, along with
a change to the corresponding DEBUG line (see diff below) seems to have
resolved the problem for us, although I can't guarantee this hasn't caused
something else to break!

*** source/lib/access.c.orig Sat Apr 14 22:22:02 2001
--- source/lib/access.c Thu Apr 19 22:46:07 2001
***************
*** 264,277 ****
/*
* if we failed, make surethat it was not because the token
* was a network/netmask pair. Only network/netmask pairs
* have a '/' in them
*/
! if ((p=strtok(tok, "/")) == NULL)
{
only_ip = False;
! DEBUG(3,("only_ipaddrs_in_list: list [%s] has non-ip address
%s\n", list, p));
break;
}
}
}
--- 264,277 ----
/*
* if we failed, make surethat it was not because the token
* was a network/netmask pair. Only network/netmask pairs
* have a '/' in them
*/
! if ((p=strchr(tok, '/')) == NULL)
{
only_ip = False;
! DEBUG(3,("only_ipaddrs_in_list: list [%s] has non-ip address
%s\n", list, tok));
break;
}
}
}
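
Review bot: In the new test if ((p=strchr(tok, '/')) == NULL), p is assigned but no longer read inside the branch now that the DEBUG line prints tok, so unless p is used elsewhere in the function the assignment can be dropped and the test written as if (strchr(tok, '/') == NULL). The check also treats any token that merely contains a '/' as a network/netmask pair, so a malformed entry would leave only_ip set; consider validating both sides of the '/' here, or say in the comment that only the presence of the character is tested. Switching the DEBUG argument from p to tok is right, since the old line passed p to %s in the one branch where p is NULL. The "surethat" typo in the comment could be fixed in the same change.
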
I hope this is of some use to someone!
Regards,
Andrew.
--
+-----------------------------------------------------------------------------+
| Andrew Dawson, Operating Systems Group Manager, Information Systems, |
| Education & Information Support Division, University College London         |
+-----------------------------------------------------------------------------+
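
The strtok()/strchr() difference described in the message, as an added example that is not Samba's code and not part of the original post. The names looks_like_ip and only_ip_entries are hypothetical, and the address test that precedes the slash check (not shown in the post) is assumed to accept digits and dots only.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the address test that precedes the slash check
 * (not shown in the post): accepts digits and dots only. */
static int looks_like_ip(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s) && *s != '.') return 0;
    return 1;
}

/* Returns 1 if every entry of list is taken to be an IP address or a
 * network/netmask pair. use_strtok selects the original slash test
 * (strtok) or the patched one (strchr). */
int only_ip_entries(const char *list, int use_strtok)
{
    char buf[256], *tok, *end;

    snprintf(buf, sizeof(buf), "%s", list);
    for (tok = buf; *tok; tok = end) {
        tok += strspn(tok, " \t,");          /* skip separators */
        if (*tok == '\0') break;
        end = tok + strcspn(tok, " \t,");
        if (*end) *end++ = '\0';
        if (looks_like_ip(tok)) continue;
        /* strtok returns the start of tok even when no '/' is present;
         * strchr returns NULL in that case. */
        const char *p = use_strtok ? strtok(tok, "/") : strchr(tok, '/');
        if (p == NULL) return 0;             /* hostname or domain entry */
    }
    return 1;
}

int main(void)
{
    const char *lists[] = {                  /* constructed sample lists */
        ".dept1.xxx.ac.uk .dept2.xxx.ac.uk",
        "192.168.1.0/255.255.255.0 10.0.0.1",
    };
    for (size_t i = 0; i < sizeof(lists) / sizeof(lists[0]); i++)
        printf("%-36s strtok=%d strchr=%d\n", lists[i],
               only_ip_entries(lists[i], 1), only_ip_entries(lists[i], 0));
    return 0;
}
```

With the strtok test the domain list is reported as IP-only, which matches the symptom in the message; with strchr it is correctly reported as containing names.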