Walter Haidinger
2003-Aug-21 08:01 UTC
[Samba] login on homes share despite available = no
Hi!

Today I found that a user can successfully log in on a homes share even though that share should be disabled. To quote smb.conf(1):

    available (S)
        This parameter lets you "turn off" a service. If available = no,
        then ALL attempts to connect to the service will fail. Such
        failures are logged.

However, see the following:

    % walter@qdevel2:/home/walter> smbclient //qdevel1/armin -U quadprg
    added interface ip=158.226.155.221 bcast=158.226.255.255 nmask=255.255.0.0
    Password: <entered the valid password>
    Domain=[A_18] OS=[Unix] Server=[Samba 2.2.8a]
    smb: \> dir
      .                 D        0  Thu Aug 21 09:10:26 2003
      ..                D        0  Fri Aug  8 09:14:20 2003
      .tcshrc           A      988  Fri Aug  8 09:16:12 2003
      .history               29275  Thu Aug 21 07:25:02 2003
      [--cut--]
            35310 blocks of size 65536. 28703 blocks available
    smb: \>

How is this possible? Login should be denied because of available = no!

I'm running Samba 2.2.8a under Solaris 2.6. There is no distinct share 'armin', just a (supposedly disabled) homes entry:

    > testparm
    Load smb config files from /usr/local/samba/lib/smb.conf
    Processing section "[homes]"
    NOTE: Service homes is flagged unavailable.
    ...
    Loaded services file OK.
    Press enter to see a dump of your service definitions

    [homes]
            comment = User Home Directory
            path = /home/%S
            valid users = %S
            write list = %S
            read only = No
            hosts allow = 158.226.155. 158.226.183.
            hide dot files = No
            browseable = No
            available = No
            ^^^^^^^^^^^^^^

User 'quadprg' is mapped to the real user armin:

    > grep quadprg /usr/local/samba/lib/users.map
    armin = quadprg atw15cv1

which exists in /etc/passwd:

    > egrep '(armin|quadprg)' /etc/passwd
    armin:x:318:100::/home/armin:/usr/local/bin/tcsh

There is _no_ reference to a share or user armin in smb.conf:

    > egrep '(armin|quadprg)' /usr/local/samba/lib/smb.conf
    >

Please note that user authentication is done by a M$ PDC and security = domain.

Here are relevant lines from the samba logs (debug level = 3). The complete logfile is attached.
    [2003/08/21 09:35:37, 3] lib/username.c:map_username(168)
      Mapped user QUADPRG to armin
    [2003/08/21 09:35:46, 3] lib/util_sock.c:open_socket_out(845)
      Connecting to 158.226.185.35 at port 139
    [2003/08/21 09:35:46, 3] param/loadparm.c:lp_add_home(1987)
      adding home directory armin at /home/armin
    [2003/08/21 09:35:46, 3] smbd/uid.c:fetch_sid_from_gid_cache(667)
      fetch sid from gid cache 50031 -> S-1-5-21-...
    [2003/08/21 09:35:46, 3] smbd/password.c:register_vuid(336)
      uid 318 registered to name armin
    [2003/08/21 09:35:46, 3] smbd/password.c:register_vuid(338)
      Clearing default real name
    [2003/08/21 09:35:46, 3] smbd/password.c:register_vuid(340)
      User name: armin Real name:
    [2003/08/21 09:35:46, 3] lib/access.c:check_access(318)
      check_access: no hostnames in host allow/deny list.
    [2003/08/21 09:35:46, 2] lib/access.c:check_access(329)
      Allowed connection from (158.226.155.221)
    [2003/08/21 09:35:46, 3] smbd/password.c:authorise_login(736)
      authorise_login: ACCEPTED: validated uid ok as non-guest (user=armin)
    [2003/08/21 09:35:46, 3] smbd/service.c:make_connection(487)
      Connect path is /home/armin
    [2003/08/21 09:35:46, 3] smbd/uid.c:fetch_sid_from_uid_cache(591)
      fetch sid from uid cache 318 -> S-1-5-21-...
    [2003/08/21 09:35:46, 3] smbd/uid.c:fetch_sid_from_gid_cache(667)
      fetch sid from gid cache 100 -> S-1-5-21-...
    [2003/08/21 09:35:46, 3] lib/util_seaccess.c:se_access_check(269)
      se_access_check: user sid is S-1-5-21-...
    [2003/08/21 09:35:46, 3] smbd/vfs.c:vfs_ChDir(574)
      vfs_ChDir to /home/armin
    [2003/08/21 09:35:46, 1] smbd/service.c:make_connection(636)
      atws17vc (158.226.155.221) connect to service armin as user armin (uid=318, gid=100) (pid 3915)

I am puzzled because I always thought that it is sufficient to add available = no to disable a service (according to the manpage)! Apparently this is not true!

Simple question: why?

Please tell me if you need any additional information! Any comments are welcome!

Regards, Walter
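The log in the post above shows lp_add_home creating a per-user service from [homes] and make_connection then serving it. As an added example (not part of the original post and not Samba code), this Python script correlates those two events in a level-3 smbd log so an administrator can audit whether home shares are still being served. The regular expressions are an assumption derived only from the log lines quoted in the post and may need adjusting for other Samba versions.

```python
import re

# Log excerpt taken from the post above (Samba 2.2.8a, debug level 3).
SAMPLE_LOG = """\
[2003/08/21 09:35:37, 3] lib/username.c:map_username(168)
  Mapped user QUADPRG to armin
[2003/08/21 09:35:46, 3] param/loadparm.c:lp_add_home(1987)
  adding home directory armin at /home/armin
[2003/08/21 09:35:46, 3] smbd/password.c:authorise_login(736)
  authorise_login: ACCEPTED: validated uid ok as non-guest (user=armin)
[2003/08/21 09:35:46, 1] smbd/service.c:make_connection(636)
  atws17vc (158.226.155.221) connect to service armin as user armin (uid=318, gid=100) (pid 3915)
"""

# Assumed patterns, derived from the quoted lines only.
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\] (\S+?):(\w+)\(\d+\)")
ADD_HOME = re.compile(r"adding home directory (\S+) at (\S+)")
CONNECT = re.compile(r"\((\S+?)\) connect to service (\S+) as user (\S+)")


def records(log_text):
    """Yield (timestamp, function, message) for each header/message pair."""
    headers = list(HEADER.finditer(log_text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log_text)
        # Everything up to the next header is this record's message.
        yield h.group(1), h.group(3), " ".join(log_text[h.end():end].split())


def home_share_connections(log_text):
    """Return connections to services that lp_add_home created from [homes]."""
    home_services = {}  # service name -> home directory path
    hits = []
    for ts, func, msg in records(log_text):
        if func == "lp_add_home" and (m := ADD_HOME.search(msg)):
            home_services[m.group(1)] = m.group(2)
        elif func == "make_connection" and (m := CONNECT.search(msg)):
            client, service, user = m.groups()
            if service in home_services:
                hits.append({"time": ts, "client": client, "service": service,
                             "user": user, "path": home_services[service]})
    return hits


if __name__ == "__main__":
    for hit in home_share_connections(SAMPLE_LOG):
        print("{time} {client} -> {service} ({path}) as {user}".format(**hit))
```
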
Walter Haidinger
2003-Aug-21 08:22 UTC
[Samba] login on homes share despite available = no
On Thu, 21 Aug 2003, Walter Haidinger wrote:

> Here are relevant lines from the samba logs (debug level = 3).
> The complete logfile is attached.

The attachment was obviously filtered. I'll repost or forward it to a private email address upon request.

Walter