Several people reported inability to disable null sessions in SAMBA. This bug exhibits itself at least in the case of security = DOMAIN. What happens is (reply_sesssetup_and_X, line numbers from 2.2.3a):
- smbd gets null user name and password(s)
- it immediately sets user name to guest account (886):

      /* If no username is sent use the guest account */
      if (!*user) {
          pstrcpy(user,lp_guestaccount(-1));
          guest = True;
      }

- then we ask server but ONLY if user is not null - which it is not and CANNOT be (942):

      /*
       * Check with orig_user for security=server and
       * security=domain.
       */
      if (*user &&
          !check_server_security(orig_user, domain, user, smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen) &&
          !check_domain_security(orig_user, domain, user, smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen, &ptok) &&
          !check_hosts_equiv(user))

- end of story. Now user is logged in as guest.

Any other parameter (like guest ok - and I have guest ok = no) is happily ignored at this point. The only way to disable it currently is to set guest account to non-existent Unix account that makes it impossible for _authenticated_ users (from password server) to log in without NT <-> Unix mapping.

-andrej
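The ordering problem described in this post, as an added example that is neither Samba source nor the poster's code: a small model in which the empty user name is replaced by the guest account before any policy is consulted, next to an ordering that decides on the name the client actually sent. The `struct policy`, its `allow_null_sessions` switch, the `remote_auth` stub and both function names are assumptions made for illustration and are not Samba parameters or functions.

```c
#include <stdbool.h>
#include <string.h>

enum outcome { DENIED, AS_USER, AS_GUEST };

/* Constructed stand-ins, not Samba code or Samba parameters. */
struct policy {
    const char *guest_account;  /* plays the role of lp_guestaccount(-1) */
    bool allow_null_sessions;   /* hypothetical administrator switch */
};

/* Stub for the password-server check; accepts one constructed credential. */
static bool remote_auth(const char *user, const char *pass) {
    return strcmp(user, "alice") == 0 && strcmp(pass, "s3cret") == 0;
}

/* Ordering described in the post: substitute first, test afterwards. */
enum outcome setup_substitute_first(const struct policy *p,
                                    const char *orig_user, const char *pass) {
    const char *user = orig_user;
    bool guest = false;
    if (!*user) {               /* null session: no user name was sent */
        user = p->guest_account;
        guest = true;
    }
    /* With a guest account configured, *user is never empty here, so this
       guard cannot spot a null session, and p->allow_null_sessions is
       never consulted on this path. */
    if (*user && remote_auth(orig_user, pass))
        return AS_USER;
    return guest ? AS_GUEST : DENIED;
}

/* Alternative ordering: decide on the name the client actually sent. */
enum outcome setup_policy_first(const struct policy *p,
                                const char *orig_user, const char *pass) {
    if (!*orig_user)
        return p->allow_null_sessions ? AS_GUEST : DENIED;
    return remote_auth(orig_user, pass) ? AS_USER : DENIED;
}
```

In the first function the administrator's switch has no effect on a null session; in the second it is the only thing that decides it, and authenticated users are unaffected either way.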