smbclient -N --no-pass broken

[Michael Schwendt]

On Thu, 17 Jul 2008 20:08:49 -0700, Skunk Worx wrote:

> Michael Schwendt wrote:
> > On Wed, 16 Jul 2008 19:01:59 -0700, Skunk Worx wrote:
> > 
> >> Example :
> >>
> >> $ smbclient -A /tmp/foo -N //192.168.200.10/a_share -D / -c ls
> >>
> >> Where :
> >> /tmp/foo contains :
> >>
> >> username=uname
> >> password=pass
> >>
> >> Under F7 this worked fine. The -N (or --no-pass) option helps deal with 
> >> broken credentials files (/tmp/foo) so no prompt is requested or shown. 
> >> For example in scripts, which should not hang.
> >>
> >> Under F9 this fails with :
> >> Anonymous login successful
> >> Domain=[FOO] OS=[Windows 5.0] Server=[Windows 2000 Lan Manager]
> >> tree connect failed : NT_STATUS_ACCESS_DENIED
> >>
> >> I don't see anything in bugzilla about this. Should I bz or ask 
> >> elsewhere about this?
> > 
> > Options -A and -N are unrelated. Both skip the password prompt to
> > make smbclient non-interactive. -A because it can read the credentials
> > from a file. -N because it is used when no password is needed (login
> > as guest/nobody). Either one worked for you, but access to the share
> > was denied. What do you think is the bug?
> > 
> 
> I definitely think -A and -N are related, because :
> 
> 1) Sometimes a credentials file has a username and no password.

Why? password=  in the credentials file skips the password prompt, too,
when no valid password is required.

> Without 
> -N it prompts for the password; with -N it does not, and is suitable for 
> a script, and should fail without prompting, whereas from the command 
> line, as a test, it prompts, using the same credentials file either way.
> 
> 2) If the credentials file is mangled, e.g; a sysadmin has misspelled 
> 'password=', -N prevents the broken -A file from hanging the script.

Misspelled or invalid credentials files make a script more difficult to
debug anyway. Admin doesn't know whether the login failed or whether
smbclient submitted the null password because of -N.  When not using
a credentials file but entering the password in the command-line, -N
even overrides the given password with the null password. So, for
debugging a script, this is not helpful.
 
> Today I found removing -N from the above example only improves things.
> 
> On F9 :
> Adding the -N option causes 100% failure. Without the -N option, the 
> example command works about 80% of the time. The other 20% of the calls 
> give the "anonymous,tree connect,NT_STATUS_ACCESS_DENIED" as described 
> above.

Let me sum up: Even without -N you get access denied at 20%. So, your
authentication problems are unrelated to -N.

That's impossible to comment on without verifying the Win2000 share setup.
Can you confirm F9's smbclient behaviour when accessing a local Samba share?

> On F7 :
> Same scripts, same subnet, same server : 100% success.
> 
> Since mount -t cifs appears to be 100% reliable on F7 and F9, and 
> supports credentials files, I plan on abandoning the smb tools and 
> re-writing the scripts unless something changes very soon.