s3:smb2_server: fix hostname restrict access in 'hosts allow/hosts deny'

When a client accesses a specific share through the tree connect command, smbd gets the 'hosts allow/hosts deny' lists configured for that share, compares the client's hostname with the lists, and decides whether to allow or deny the client's connection. For example, for a share with 'hosts allow = Jones-ws22-66', the API share_sanity_checks() should restrict access so that only the client with hostname 'Jones-ws22-66' can enter the share, if the client's hostname matches the list. But so far remote_hostname (rhost) is in IP address format, not hostname format, so there is no match. Even clients with the expected hostname 'Jones-ws22-66' actually fail to enter the share. 'hosts deny' has a similar issue in the opposite direction.

This patch checks the remote_hostname content in share_sanity_checks(); if remote_hostname (rhost) is still in IP address format, it uses get_remote_machine_name() instead.

Consider a case: allow only a client with hostname 'Jones-ws22-66' to enter the share 'samba', so add 'hosts allow = Jones-ws22-66' under the section '[samba]'. Use 'smbclient' with the option '-nJones-ws22-66' to test whether the client with the expected hostname is able to enter the share. My env is Ubuntu 22.04.4, samba-4.20.4, and my smb.conf is:

[global]
workgroup = U2204

[samba]
path = /home/jones/samba
browsable = yes
guest ok = yes
read only = no
create mask = 0755
hosts allow = Jones-ws22-66

Before patch:

  1. Any hostname is always denied.
$# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-ws22-66
tree connect failed: NT_STATUS_ACCESS_DENIED
$# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-Deny-Me
tree connect failed: NT_STATUS_ACCESS_DENIED
  2. The server log shows two denied entries; 'rhost' is in IP address format.
$# cat /usr/local/samba/var/log.smbd
[2024/09/05 16:06:34.970407,  0] ../../lib/util/access.c:372(allow_access)
  Denied connection from 192.168.251.232 (192.168.251.232)
[2024/09/05 16:06:42.891776,  0] ../../lib/util/access.c:372(allow_access)
  Denied connection from 192.168.251.232 (192.168.251.232)

After patch:

  1. Only 'Jones-ws22-66' is able to enter the share.
$# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-ws22-66
Try "help" to get a list of possible commands.
smb: \> exit
$# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-Deny-Me
tree connect failed: NT_STATUS_ACCESS_DENIED
  2. The server log shows one denied entry with the hostname specified; this is more understandable than the IP address format.
$# cat /usr/local/samba/var/log.smbd
[2024/09/05 16:24:18.345736,  0] ../../lib/util/access.c:372(allow_access)
  Denied connection from jones-deny-me (10.19.251.232)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15709

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
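
The matching behaviour described in this merge request, as an added C example (not code from the Samba tree or from this merge request). The function names, the exact-match list handling and the allow-before-deny precedence are assumptions of the example, and the deny list is constructed sample data; passing NULL as the machine name models the pre-patch comparison, where only the address is available.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Sample data: allow list and address from the page, deny list constructed. */
static const char *const ALLOW[] = { "Jones-ws22-66", NULL };
static const char *const DENY[] = { "Jones-Deny-Me", NULL };
static const char *const CLIENT_IP = "192.168.251.232";

/* True when s parses as an IPv4 or IPv6 literal, i.e. it is not a hostname. */
static bool is_ip_literal(const char *s)
{
    unsigned char buf[16]; /* large enough for an IPv6 address */
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Name compared with the lists: the machine name when rhost is still an address. */
static const char *effective_name(const char *rhost, const char *machine)
{
    return (is_ip_literal(rhost) && machine && *machine) ? machine : rhost;
}

/* Exact-match entries only: hostname (case-insensitive) or address string. */
static bool in_list(const char *const *list, const char *name, const char *addr)
{
    for (; list && *list; list++)
        if (strcasecmp(*list, name) == 0 || strcmp(*list, addr) == 0)
            return true;
    return false;
}

/* Simplified precedence for this example: a non-empty allow list decides alone. */
static bool share_access_ok(const char *const *allow, const char *const *deny,
                            const char *rhost, const char *machine, const char *addr)
{
    const char *name = effective_name(rhost, machine);
    if (allow && *allow) return in_list(allow, name, addr);
    if (deny && *deny) return !in_list(deny, name, addr);
    return true;
}

int main(void)
{
    printf("allow, pre-patch:  %d\n", share_access_ok(ALLOW, NULL, CLIENT_IP, NULL, CLIENT_IP));
    printf("allow, post-patch: %d\n", share_access_ok(ALLOW, NULL, CLIENT_IP, "Jones-ws22-66", CLIENT_IP));
}
```

In the test above the name being matched is whatever the client passes with -n, so a name entry in 'hosts allow' identifies what the client announces, while an address entry is matched against the connection's source address.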
