vista print sharing is forgiving of the unknown user

There is a Vista box in the basement. I’ve babbled about it before. Well, this time I found something rather odd about how Vista deals with smbclient. I was trying to set up a printer connected to the Vista box. The idea was to simply share it out further via a CUPS server. That of course is where it got interesting.

I was continually getting an error that featured the following:

NT_STATUS_ACCESS_DENIED

I thought this odd since I had followed the suggested guidelines to make the printer shared without password.

The next step was to troubleshoot, so I fired up the trusty old terminal and tried to do some testing with smbclient to see what the Vista box was sharing:

]# smbclient -L green
Enter matthias's password: 
Anonymous login successful
Domain=[BLACKDIAMOND] OS=[Windows Vista (TM) Home Premium 6001 Service Pack 1] Server=[Windows Vista (TM) Home Premium 6.0]

	Sharename       Type      Comment
	---------       -----------
cli_rpc_pipe_open: cli_nt_create failed on pipe \\srvsvc to machine green.  Error was NT_STATUS_ACCESS_DENIED
Error returning browse list: NT_STATUS_ACCESS_DENIED
Anonymous login successful
Domain=[HOME] OS=[Windows Vista (TM) Home Premium 6001 Service Pack 1] Server=[Windows Vista (TM) Home Premium 6.0]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

Note that I just hit enter to the password prompt and that I get Anonymous login successful followed shortly after by something that featured NT_STATUS_ACCESS_DENIED.

Some strace magic got me to try running the same command via sudo, and again just hitting enter for the password prompt:

# sudo smbclient -L green
[sudo] password for matthias: 
Enter root's password: 
Domain=[GREEN] OS=[Windows Vista (TM) Home Premium 6001 Service Pack 1] Server=[Windows Vista (TM) Home Premium 6.0]

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	All             Disk      
	C$              Disk      Default share
	Canon_iP1800    Printer   Canon iP1800 series
	D$              Disk      Default share
	http   littlejohnny 631 HP_Officejet_5610xi_raw Printer   \\\\http://littlejohnny:631\\HP_Officejet_5610xi_raw
	IPC$            IPC       Remote IPC
	print$          Disk      Printer Drivers
Domain=[GREEN] OS=[Windows Vista (TM) Home Premium 6001 Service Pack 1] Server=[Windows Vista (TM) Home Premium 6.0]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

This time I got the list that included the printer.

So what is the problem?

Well it seems that when a user with the same name exists on the Vista side and the password is not entered correctly, you end up with the funky NT_STATUS_ACCESS_DENIED message.

Is there a workaround?

To make everything work, just add an override to the USER variable and set it to something that does not exist on the Vista side. Like this:

# USER=foo smbclient -L green
Enter foo's password: 
Domain=[GREEN] OS=[Windows Vista (TM) Home Premium 6001 Service Pack 1] Server=[Windows Vista (TM) Home Premium 6.0]

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	All             Disk      
	C$              Disk      Default share
	Canon_iP1800    Printer   Canon iP1800 series
	D$              Disk      Default share
	http   littlejohnny 631 HP_Officejet_5610xi_raw Printer   \\\\http://littlejohnny:631\\HP_Officejet_5610xi_raw
	IPC$            IPC       Remote IPC
	print$          Disk      Printer Drivers
Domain=[GREEN] OS=[Windows Vista (TM) Home Premium 6001 Service Pack 1] Server=[Windows Vista (TM) Home Premium 6.0]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

Another interesting thing to note is that for the last two versions, where there is no matching user on the Vista side, it reports the domain as the name of the host, rather than the workgroup as it did in the first and failed version.
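
The runs above differ in two visible ways: whether the browse list comes back or fails with NT_STATUS_ACCESS_DENIED, and which value appears in the first Domain=[...] line. The shell function below is an added example, not part of the original post; it classifies a saved smbclient -L listing on those two points and pulls out the printer shares, which is handy when checking which user names a host will hand its share list to. The sample inputs are abridged from the output quoted above, and the function name and output format are made up for this example.

```shell
#!/bin/sh
# Added example: classify `smbclient -L <host>` output like the runs in this post.
# Assumption: share names contain no spaces (field 1 = name, field 2 = type).

# Sample input, abridged from the failed run quoted in the post.
sample_denied() {
cat <<'EOF'
Anonymous login successful
Domain=[BLACKDIAMOND] OS=[Windows Vista (TM) Home Premium 6001 Service Pack 1] Server=[Windows Vista (TM) Home Premium 6.0]
Error returning browse list: NT_STATUS_ACCESS_DENIED
EOF
}

# Sample input, abridged from the USER=foo run quoted in the post.
sample_listed() {
cat <<'EOF'
Domain=[GREEN] OS=[Windows Vista (TM) Home Premium 6001 Service Pack 1] Server=[Windows Vista (TM) Home Premium 6.0]

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    Canon_iP1800    Printer   Canon iP1800 series
    IPC$            IPC       Remote IPC
EOF
}

# Reads a listing on stdin and prints one summary line:
#   "denied domain=X"              browse list refused
#   "listed domain=X printers=a,b" browse list returned
classify_listing() {
    awk '
        # Keep only the first Domain=[...] value; later ones repeat or differ.
        /^Domain=\[/ && domain == "" {
            domain = $0
            sub(/^Domain=\[/, "", domain)
            sub(/\].*/, "", domain)
        }
        /Error returning browse list: NT_STATUS_ACCESS_DENIED/ { denied = 1 }
        $2 == "Printer" { printers = printers (printers == "" ? "" : ",") $1 }
        END {
            if (denied) print "denied domain=" domain
            else        print "listed domain=" domain " printers=" printers
        }
    '
}

# Live use, following the workaround in the post:
#   USER=foo smbclient -L green 2>&1 | classify_listing
```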
