URL: https://github.com/freeipa/freeipa/pull/2373
Author: abbra
Title: #2373: Support Samba 4.9
Action: opened

PR body:
"""
Samba 4.9 became a bit more strict about creating a local NT token, and a
failure to resolve or create the BUILTIN\Guests group will cause a rejection
of the connection for a successfully authenticated one.

Add a default mapping of the nobody group to BUILTIN\Guests.

BUILTIN\Guests is a special group SID that is added to the NT token for
authenticated users.

For real guests there is a 'guest account' option in smb.conf which
defaults to the 'nobody' user.

This was implicit behavior before, as 'guest account = nobody' by
default would pick up the 'nobody' group as well.

Fixes: https://pagure.io/freeipa/issue/7705
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2373/head:pr2373
git checkout pr2373
From b42423a031247d8c9728d5f7477b5dbdd39acd10 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Fri, 21 Sep 2018 10:57:23 +0300
Subject: [PATCH] Support Samba 4.9

Samba 4.9 became a bit more strict about creating a local NT token, and a
failure to resolve or create the BUILTIN\Guests group will cause a rejection
of the connection for a successfully authenticated one.

Add a default mapping of the nobody group to BUILTIN\Guests.

BUILTIN\Guests is a special group SID that is added to the NT token for
authenticated users.

For real guests there is a 'guest account' option in smb.conf which
defaults to the 'nobody' user.

This was implicit behavior before, as 'guest account = nobody' by
default would pick up the 'nobody' group as well.

Fixes: https://pagure.io/freeipa/issue/7705
---
 ipaserver/install/adtrustinstance.py | 12 ++++++++++++
 ipaserver/install/plugins/adtrust.py | 19 ++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 178d8839af..80646801e3 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -111,6 +111,14 @@ def make_netbios_name(s):
     return ''.join([c for c in s.split('.')[0].upper() \
                     if c in ALLOWED_NETBIOS_CHARS])[:15]
 
+def map_Guests_to_nobody():
+    env = {'LC_ALL': 'C'}
+    args = [paths.NET, 'groupmap', 'add', 'sid=S-1-5-32-546',
+            'unixgroup=nobody', 'type=builtin']
+
+    logger.debug("Map BUILTIN\\Guests to a group 'nobody'")
+    ipautil.run(args, env=env, raiseonerr=False, capture_error=True)
+
 class ADTRUSTInstance(service.Service):
 
     ATTR_SID = "ipaNTSecurityIdentifier"
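Review bot: the return value of `ipautil.run` in `map_Guests_to_nobody()` is discarded, so with `raiseonerr=False` a failing `net groupmap add` (Samba not yet reachable, `nobody` group missing, mapping already present) passes silently and the only trace is the debug line written before the command runs. Given that the commit message says a missing BUILTIN\Guests mapping makes Samba 4.9 reject already-authenticated connections, suggest keeping the result and logging `result.returncode` together with `result.error_output` at warning level when the command fails, so the condition is visible in the install and upgrade logs. Style: PEP 8 asks for two blank lines around a top-level `def`; there is only one above `map_Guests_to_nobody` and one between it and `class ADTRUSTInstance`.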
@@ -523,6 +531,9 @@ def __write_smb_registry(self):
             tmp_conf.flush()
             ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
 
+    def __map_Guests_to_nobody(self):
+        map_Guests_to_nobody()
+
     def __setup_group_membership(self):
         # Add the CIFS and host principals to the 'adtrust agents' group
         # as 389-ds only operates with GroupOfNames, we have to use
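Review bot: `__map_Guests_to_nobody()` has no docstring or comment explaining why the mapping is needed; nothing else in this file mentions Guests, so a one-line comment referencing the Samba 4.9 NT-token change and https://pagure.io/freeipa/issue/7705 would spare the next reader a trip to the git log.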
@@ -825,6 +836,7 @@ def create_instance(self):
                   self.__create_samba_domain_object)
         self.step("creating samba config registry", self.__write_smb_registry)
         self.step("writing samba config file", self.__write_smb_conf)
+        self.step("map BUILTIN\\Guests to nobody group", self.__map_Guests_to_nobody)
         self.step("adding cifs Kerberos principal",
                   self.request_service_keytab)
         self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
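Review bot: the new step description breaks the gerund convention of the neighbouring steps ("creating samba config registry", "writing samba config file", "adding cifs Kerberos principal"); suggest `"mapping BUILTIN\\Guests to nobody group"`. The placement itself looks right: `net groupmap` reads the Samba configuration produced by the two preceding steps, so it has to come after `__write_smb_conf`.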
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index bec5a09c1c..4603882726 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -23,7 +23,7 @@
 from ipalib import Updater
 from ipapython.dn import DN
 from ipaserver.install import sysupgrade
-from ipaserver.install.adtrustinstance import ADTRUSTInstance
+from ipaserver.install.adtrustinstance import ADTRUSTInstance, map_Guests_to_nobody
 
 logger = logging.getLogger(__name__)
 
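Review bot: the new import line is 83 columns, over the 79-column PEP 8 limit used in this tree; wrap it in parentheses, e.g. `from ipaserver.install.adtrustinstance import (` / `    ADTRUSTInstance, map_Guests_to_nobody)`.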
@@ -382,3 +382,20 @@ def execute(self, **options):
             return False, ()
 
         return False, ()
+
+
+@register()
+class update_mapping_Guests_to_nobody(Updater):
+    """
+    Map BUILTIN\\Guests group to nobody
+
+    Samba 4.9 became more strict on availability of builtin Guests group
+    """
+    def execute(self, **options):
+        # First, see if trusts are enabled on the server
+        if not self.api.Command.adtrust_is_enabled()['result']:
+            logger.debug('AD Trusts are not enabled on this server')
+            return False, []
+
+        map_Guests_to_nobody()
+        return False, []
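Review bot: `update_mapping_Guests_to_nobody.execute()` calls `net groupmap add` on every `ipa-server-upgrade`, and because `map_Guests_to_nobody()` swallows errors, an already existing mapping will make `net` fail on each subsequent run without any indication; either check the current mappings first (`net groupmap list`) or record completion through `sysupgrade`, which this module already imports, so the add happens once. Minor: the method returns `False, []` while the surrounding updaters in this file return `False, ()`.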
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org