The branch, v3-5-test has been updated via 56b1082 s3: Fix "force group" with ntlmssp guest session setup from 49632d4 s3: Make winbind recover from a signing error
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log ----------------------------------------------------------------- commit 56b1082fe436e1f99a87d3e37d9ea8b017353b39 Author: Volker Lendecke <v...@samba.org> Date: Sat Nov 13 18:03:25 2010 +0100 s3: Fix "force group" with ntlmssp guest session setup This one is subtle: Set "force group = <somegroup>" together with "guest ok = yes". Then try "smbclient //server/share -U%". Works. Then try to connect to the same share from Windows 2003 using an anonymous connection. Breaks with make_connection: connection to share denied due to security descriptor although the share_info.tdb is empty. I've seen reports of this on the lists, but I could never ever nail it until a customer gave me access to such a box. What happens? With an empty share_info.tdb we create a security descriptor allow everything to the world. The problem with the above parameter combination is that S-1-1-0 (World) is lost in the token. When you look at the callers of create_local_token, they are only called if the preceding check_ntlm_password did not create server_info->ptok. Not so with the one in auth_ntlmssp.c. So, if we get a NTLMSSP session setup with user="", domain="", pass="" we call create_local_token even though check_guest_security() via make_server_info_guest() has already correctly done so. In this case create_local_token puts S-1-1-0 into user_sids[1], which is supposed to be the primary group sid of the user logging in. "force group" then overwrites this -> the world is gone -> "denied due to security descriptor". Why don't you see it with smbclient -U% (anonymous connection)? smbclient does not use ntlmssp for anon session setup. This seems not to happen to 3.6. Volker Fix bug #7817 ("force group" broken). ----------------------------------------------------------------------- Summary of changes: source3/auth/auth_ntlmssp.c | 13 +++++++------ 1 files changed, 7 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 034d354..0e2c61a 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -126,12 +126,13 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, auth_ntlmssp_state->server_info->nss_token |= username_was_mapped; - nt_status = create_local_token(auth_ntlmssp_state->server_info); - - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(10, ("create_local_token failed: %s\n", - nt_errstr(nt_status))); - return nt_status; + if (auth_ntlmssp_state->server_info->ptok == NULL) { + nt_status = create_local_token(auth_ntlmssp_state->server_info); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(10, ("create_local_token failed: %s\n", + nt_errstr(nt_status))); + return nt_status; + } } if (auth_ntlmssp_state->server_info->user_session_key.length) { -- Samba Shared Repository