Re: [Samba] "map to guest = bad user" ignored in Samba 4?
Hi Andrew,

I have written a small patch for this issue. I would appreciate it if someone could take a look at it and comment. I have tested it on XP machines and it seems to work properly.

Cheers.

--
Samuel Cabrero - Developer
scabr...@zentyal.com
Easy IT for small business
www.zentyal.com

diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index f234f72..582eb0d 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c
@@ -69,6 +69,58 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context * } / + Look for the guest account in the sam, return ldb result structures +/ + +static NTSTATUS authsam_search_guest_account(TALLOC_CTX *mem_ctx, + struct ldb_context *sam_ctx, + struct ldb_dn *domain_dn, + struct ldb_message **ret_msg) +{ + int ret; + const struct dom_sid *domain_sid; + struct dom_sid *guest_sid; + + domain_sid = samdb_domain_sid(sam_ctx); + if (domain_sid == NULL) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + guest_sid = dom_sid_add_rid(mem_ctx, domain_sid, DOMAIN_RID_GUEST); + if (guest_sid == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* pull the user attributes */ + ret = dsdb_search_one(sam_ctx, mem_ctx, ret_msg, domain_dn, + LDB_SCOPE_SUBTREE, + user_attrs, + DSDB_SEARCH_SHOW_EXTENDED_DN, + ((objectSID=%s)(objectclass=user)), + ldap_encode_ndr_dom_sid(mem_ctx, guest_sid)); + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + DEBUG(3,(%s: Couldn't find guest user in samdb, under %s\n, + __func__, + ldb_dn_get_linearized(domain_dn))); + return NT_STATUS_NO_SUCH_USER; + } + if (ret != LDB_SUCCESS) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + /* Return no such user if the account is disabled */ + uint16_t acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, + *ret_msg, domain_dn); + if (acct_flags ACB_DISABLED) { + DEBUG(3,(%s: Account for guest user is disabled.\n, + __func__)); + return NT_STATUS_NO_SUCH_USER; + } + + return NT_STATUS_OK; +} + +/ Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. / 
@@ -269,15 +321,28 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx return NT_STATUS_NO_SUCH_DOMAIN; } - nt_status = authsam_search_account(tmp_ctx, ctx-auth_ctx-sam_ctx, account_name, domain_dn, msg); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; - } - - nt_status = authsam_authenticate(ctx-auth_ctx, tmp_ctx, ctx-auth_ctx-sam_ctx, domain_dn, msg, user_info, - user_sess_key, lm_sess_key); - if (!NT_STATUS_IS_OK(nt_status)) { + nt_status = authsam_search_account(tmp_ctx, ctx-auth_ctx-sam_ctx, + account_name, domain_dn, msg); + if (NT_STATUS_IS_OK(nt_status)) { + nt_status = authsam_authenticate(ctx-auth_ctx, +tmp_ctx, ctx-auth_ctx-sam_ctx, domain_dn, +msg, user_info, user_sess_key, lm_sess_key); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return nt_status; + } + } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { + DEBUG(3, (%s: User %s not found, mapping to guest account\n, + __func__, account_name)); + nt_status = authsam_search_guest_account(tmp_ctx, +ctx-auth_ctx-sam_ctx, domain_dn, msg); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return nt_status; + } + user_sess_key = data_blob(NULL, 0); + lm_sess_key = data_blob(NULL, 0); + } else { talloc_free(tmp_ctx); return nt_status; } -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
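Review bot: in the first hunk, the only account restriction applied to the guest object in authsam_search_guest_account is the ACB_DISABLED bit from samdb_result_acct_flags; because the caller skips authsam_authenticate on the guest path, account expiry, lockout and logon-hour restrictions set on the guest account are never evaluated, so the returned msg should go through the same account checks the normal password path applies before it is accepted. Two smaller points: `uint16_t acct_flags` is declared mid-block after executable statements, where Samba style keeps declarations at the top of the block, and both the "not found" and "disabled" cases collapse into NT_STATUS_NO_SUCH_USER, which makes the caller's "User %s not found, mapping to guest account" log line misleading when the guest account merely exists but is disabled.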
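Review bot: in the second hunk, the `else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER))` branch maps every unknown account name to the guest account unconditionally; nothing consults the "map to guest" setting this thread is about, so an AD DC carrying this patch would hand out guest sessions even where the administrator has not opted in. Gate the branch on the configured map-to-guest mode. Also, after `user_sess_key = data_blob(NULL, 0);` and `lm_sess_key = data_blob(NULL, 0);` the guest case falls through to the same result handling as a successful password check with no indication that this is a guest logon, so the caller cannot tell the two apart; that is where the "Authenticated Users" membership Andrew warns about would come from. Carry a guest marker through to wherever the returned user info is built, and have the test inspect tokenGroups for it.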
Re: [Samba] "map to guest = bad user" ignored in Samba 4?
On Sat, 2013-05-11 at 01:25 +0200, Samuel Cabrero wrote:
> Hi Andrew, I have written a small patch for this issue. I would appreciate it if someone could take a look at it and comment. I have tested it on XP machines and it seems to work properly.

This certainly appears to match what I understand to be the Windows behaviour. However, we need tests. In particular I need to know if this behaviour happens over LDAP, and if so, the test specifically needs to inspect the tokenGroups attribute in the rootDSE, to ensure we match Windows, specifically with regards to the 'authenticated user' entry in the token.

I know this is a pain, but we do need to get this right, as marking a guest user as 'authenticated' would be a very bad idea.

Finally, if you can prepare the patches with git format-patch, it will make it easier for me to apply them, once we verify these things.

The test to extend is torture/unix/whoami.c invoked from source3/selftest/tests.py

Thanks!

Andrew Bartlett

--
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
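The tokenGroups check Andrew asks for, as an added example that is not part of the original thread or of Samba's own test code: it decodes the binary SIDs an LDAP client gets back in tokenGroups and flags a supposed guest session whose token carries Authenticated Users (S-1-5-11). It assumes the values have already been fetched from the rootDSE; the expectation that a guest token carries BUILTIN\Guests or Domain Guests is an added assumption, and the sample tokens and domain SID are constructed.

```python
"""Sanity-check a tokenGroups result for a guest session (added example)."""
import struct

AUTHENTICATED_USERS = "S-1-5-11"   # well-known SID: Authenticated Users
BUILTIN_GUESTS = "S-1-5-32-546"    # well-known SID: BUILTIN\Guests
DOMAIN_RID_GUESTS = 514            # RID of the Domain Guests group


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-R-A-s1-...' into the binary SID layout AD returns."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID: %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID: 1-byte revision, 1-byte sub-authority count,
    6-byte big-endian identifier authority, then little-endian uint32
    sub-authorities.  Rejects truncated or over-long values."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def check_guest_token(token_groups, domain_sid):
    """Return (ok, problems) for the binary tokenGroups values of a session
    that is supposed to be a guest session.  The hard rule from the thread:
    the token must not contain Authenticated Users.  Requiring a guests
    group as well is an assumption made by this example."""
    sids = {bytes_to_sid(v) for v in token_groups}
    problems = []
    if AUTHENTICATED_USERS in sids:
        problems.append("guest token contains Authenticated Users (S-1-5-11)")
    domain_guests = "%s-%d" % (domain_sid, DOMAIN_RID_GUESTS)
    if BUILTIN_GUESTS not in sids and domain_guests not in sids:
        problems.append("guest token has neither BUILTIN\\Guests nor Domain Guests")
    return (not problems, problems)


# Constructed sample values, shaped like what an LDAP client receives.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"
GOOD_GUEST_TOKEN = [sid_to_bytes(s) for s in
                    ("S-1-1-0", "S-1-5-2", BUILTIN_GUESTS, DOMAIN_SID + "-514")]
# The same token with Authenticated Users wrongly present (raw S-1-5-11).
BAD_GUEST_TOKEN = GOOD_GUEST_TOKEN + [
    b"\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00"]

if __name__ == "__main__":
    for name, tok in (("good", GOOD_GUEST_TOKEN), ("bad", BAD_GUEST_TOKEN)):
        ok, problems = check_guest_token(tok, DOMAIN_SID)
        print(name, "OK" if ok else "; ".join(problems))
```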
Re: [Samba] map to guest = bad user ignored in Samba 4?
On 16/02/13 03:45, Andrew Bartlett wrote:
> On Wed, 2013-02-13 at 10:33, Sebastian Arcus wrote:
>> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of the functionality of the current system is allowing some Windows XP Pro computers, which are not joined to the domain, access to some public shares on the Samba server. I tried using map to guest = bad user with Samba 4 - but it appears to be completely ignored and the Windows XP machine keeps on prompting for username/password when trying to access the server share. Has this option been dropped in Samba 4? Is there another way to accomplish the same?
>
> This sounds correct. This isn't currently supported against the AD DC. Guest access to the domain should be based on the 'guest' account being enabled, but this isn't hooked in either.
>
>> Otherwise my Samba 4 domain seems to be working fine - and the Windows XP Pro machines which are joined to it can access the share fine. As a side note, I find it hard to figure out which smb.conf options are still available for Samba 4 and which are not. I've googled around and can't seem to find a wiki page or authoritative page.
>
> You have hit one of the areas where this isn't well documented. Sorry,

Thanks Andrew. It is at least useful I can come here and find out what can and can't work at the moment. I'll just have to postpone installing Samba 4 at sites where I can't do the whole conversion to domain in one step.

Many thanks,
Sebastian

--
Linux vehicle CCTV - www.open-t.co.uk/iroko
Re: [Samba] map to guest = bad user ignored in Samba 4?
Thanks Ricky. I've enabled the file system requirements in fstab and checked the kernel supports them (not sure how I managed to skip that step during installation). Now the permissions changes do stick.

However, as per Andrew's email (part of this thread) - the server still prompts for credentials on the workgroup machine when trying to access the public/full permissions share, although I allowed full access to Guests and Everyone. It seems there is no way to provide unauthenticated access to shares at this moment in Samba 4. It would have been rather useful with migrating workgroups to domains gradually, instead of in one step - but one must be happy with one's blessings :-) - so I'll make do the way things are.

Cheers,
Sebastian

On 15/02/13 18:00, Ricky Nance wrote:
> Have you taken a look at https://wiki.samba.org/index.php/Samba_4/OS_Requirements#File_System_Support to ensure your file system will handle ACL's?
>
> Ricky
>
> On Fri, Feb 15, 2013 at 10:35 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:
>> Hi Ricky,
>>
>> Thanks for the reply. I have tried changing the permissions on the netlogon share and the strange thing is that none of the changes I do in the Security/ACL tab from the Windows XP machine which is joined to the domain (but on the netlogon share which is on the server) actually stick. I can access the shares fine with that machine, but if I change the permissions, it seems to just ignore the changes - no error message. I am logged in as the domain Administrator - so it seems like a bit of a mystery. Then again - maybe I've done something silly when I've set up this Samba AD DC - although I've followed all the instructions on the Samba wiki and everything else seems to be working fine.
>>
>> Sebastian
>>
>> On 14/02/13 05:31, Ricky Nance wrote:
>>> Hi Sebastian,
>>>
>>> Many of the per share options can now be done using ACL's. In this case you would open the netlogon share (via windows) start - run - \\MY-SERVER\netlogon (then press enter), then right click on a blank spot in that folder (not on any other file or folder) and select properties. Find the security tab and you can make the modifications you want (specifically adding Everyone with full permissions should give you what you are looking for, though I have not been able to test this yet). If I get a chance soon I will do some testing to make sure that the acl change is all that is needed.
>>>
>>> To find out what options are available, samba-tool testparm -v will give you a nice list (at least for global).
>>>
>>> Ricky
>>>
>>> On Wed, Feb 13, 2013 at 4:33 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:
>>>> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of the functionality of the current system is allowing some Windows XP Pro computers, which are not joined to the domain, access to some public shares on the Samba server. I tried using map to guest = bad user with Samba 4 - but it appears to be completely ignored and the Windows XP machine keeps on prompting for username/password when trying to access the server share. Has this option been dropped in Samba 4? Is there another way to accomplish the same?
>>>>
>>>> Otherwise my Samba 4 domain seems to be working fine - and the Windows XP Pro machines which are joined to it can access the share fine. As a side note, I find it hard to figure out which smb.conf options are still available for Samba 4 and which are not. I've googled around and can't seem to find a wiki page or authoritative page.
>>>>
>>>> I use Samba 4.1.0pre1. Here is my smb.conf:
>>>>
>>>> [global]
>>>> workgroup = MYDOMAIN
>>>> realm = mydomain.local
>>>> netbios name = MY-SERVER
>>>> server role = active directory domain controller
>>>> idmap_ldb:use rfc2307 = yes
>>>> map to guest = bad user
>>>>
>>>> [netlogon]
>>>> path = /var/lib/samba/sysvol/mydomain.local/scripts
>>>> read only = No
>>>> public = Yes

--
Linux vehicle CCTV - www.open-t.co.uk/iroko
Re: [Samba] map to guest = bad user ignored in Samba 4?
Hi Ricky,

Thanks for the reply. I have tried changing the permissions on the netlogon share and the strange thing is that none of the changes I do in the Security/ACL tab from the Windows XP machine which is joined to the domain (but on the netlogon share which is on the server) actually stick. I can access the shares fine with that machine, but if I change the permissions, it seems to just ignore the changes - no error message. I am logged in as the domain Administrator - so it seems like a bit of a mystery. Then again - maybe I've done something silly when I've set up this Samba AD DC - although I've followed all the instructions on the Samba wiki and everything else seems to be working fine.

Sebastian

On 14/02/13 05:31, Ricky Nance wrote:
> Hi Sebastian,
>
> Many of the per share options can now be done using ACL's. In this case you would open the netlogon share (via windows) start - run - \\MY-SERVER\netlogon (then press enter), then right click on a blank spot in that folder (not on any other file or folder) and select properties. Find the security tab and you can make the modifications you want (specifically adding Everyone with full permissions should give you what you are looking for, though I have not been able to test this yet). If I get a chance soon I will do some testing to make sure that the acl change is all that is needed.
>
> To find out what options are available, samba-tool testparm -v will give you a nice list (at least for global).
>
> Ricky
>
> On Wed, Feb 13, 2013 at 4:33 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:
>> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of the functionality of the current system is allowing some Windows XP Pro computers, which are not joined to the domain, access to some public shares on the Samba server. I tried using map to guest = bad user with Samba 4 - but it appears to be completely ignored and the Windows XP machine keeps on prompting for username/password when trying to access the server share. Has this option been dropped in Samba 4? Is there another way to accomplish the same?
>>
>> Otherwise my Samba 4 domain seems to be working fine - and the Windows XP Pro machines which are joined to it can access the share fine. As a side note, I find it hard to figure out which smb.conf options are still available for Samba 4 and which are not. I've googled around and can't seem to find a wiki page or authoritative page.
>>
>> I use Samba 4.1.0pre1. Here is my smb.conf:
>>
>> [global]
>> workgroup = MYDOMAIN
>> realm = mydomain.local
>> netbios name = MY-SERVER
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> map to guest = bad user
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/mydomain.local/scripts
>> read only = No
>> public = Yes

--
Linux vehicle CCTV - www.open-t.co.uk/iroko
Re: [Samba] map to guest = bad user ignored in Samba 4?
Have you taken a look at https://wiki.samba.org/index.php/Samba_4/OS_Requirements#File_System_Support to ensure your file system will handle ACL's?

Ricky

On Fri, Feb 15, 2013 at 10:35 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:
> Hi Ricky,
>
> Thanks for the reply. I have tried changing the permissions on the netlogon share and the strange thing is that none of the changes I do in the Security/ACL tab from the Windows XP machine which is joined to the domain (but on the netlogon share which is on the server) actually stick. I can access the shares fine with that machine, but if I change the permissions, it seems to just ignore the changes - no error message. I am logged in as the domain Administrator - so it seems like a bit of a mystery. Then again - maybe I've done something silly when I've set up this Samba AD DC - although I've followed all the instructions on the Samba wiki and everything else seems to be working fine.
>
> Sebastian
>
> On 14/02/13 05:31, Ricky Nance wrote:
>> Hi Sebastian,
>>
>> Many of the per share options can now be done using ACL's. In this case you would open the netlogon share (via windows) start - run - \\MY-SERVER\netlogon (then press enter), then right click on a blank spot in that folder (not on any other file or folder) and select properties. Find the security tab and you can make the modifications you want (specifically adding Everyone with full permissions should give you what you are looking for, though I have not been able to test this yet). If I get a chance soon I will do some testing to make sure that the acl change is all that is needed.
>>
>> To find out what options are available, samba-tool testparm -v will give you a nice list (at least for global).
>>
>> Ricky
>>
>> On Wed, Feb 13, 2013 at 4:33 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:
>>> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of the functionality of the current system is allowing some Windows XP Pro computers, which are not joined to the domain, access to some public shares on the Samba server. I tried using map to guest = bad user with Samba 4 - but it appears to be completely ignored and the Windows XP machine keeps on prompting for username/password when trying to access the server share. Has this option been dropped in Samba 4? Is there another way to accomplish the same?
>>>
>>> Otherwise my Samba 4 domain seems to be working fine - and the Windows XP Pro machines which are joined to it can access the share fine. As a side note, I find it hard to figure out which smb.conf options are still available for Samba 4 and which are not. I've googled around and can't seem to find a wiki page or authoritative page.
>>>
>>> I use Samba 4.1.0pre1. Here is my smb.conf:
>>>
>>> [global]
>>> workgroup = MYDOMAIN
>>> realm = mydomain.local
>>> netbios name = MY-SERVER
>>> server role = active directory domain controller
>>> idmap_ldb:use rfc2307 = yes
>>> map to guest = bad user
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/mydomain.local/scripts
>>> read only = No
>>> public = Yes
>>>
>>> --
>>> Linux vehicle CCTV - www.open-t.co.uk/iroko
Re: [Samba] map to guest = bad user ignored in Samba 4?
On Wed, 2013-02-13 at 10:33, Sebastian Arcus wrote:
> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of the functionality of the current system is allowing some Windows XP Pro computers, which are not joined to the domain, access to some public shares on the Samba server. I tried using map to guest = bad user with Samba 4 - but it appears to be completely ignored and the Windows XP machine keeps on prompting for username/password when trying to access the server share. Has this option been dropped in Samba 4? Is there another way to accomplish the same?

This sounds correct. This isn't currently supported against the AD DC. Guest access to the domain should be based on the 'guest' account being enabled, but this isn't hooked in either.

> Otherwise my Samba 4 domain seems to be working fine - and the Windows XP Pro machines which are joined to it can access the share fine. As a side note, I find it hard to figure out which smb.conf options are still available for Samba 4 and which are not. I've googled around and can't seem to find a wiki page or authoritative page.

You have hit one of the areas where this isn't well documented. Sorry,

Andrew Bartlett

--
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] map to guest = bad user ignored in Samba 4?
On Wed, 2013-02-13 at 10:33, Sebastian Arcus wrote:
> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of the functionality of the current system is allowing some Windows XP Pro computers, which are not joined to the domain, access to some public shares on the Samba server. I tried using map to guest = bad user with Samba 4 - but it appears to be completely ignored and the Windows XP machine keeps on prompting for username/password when trying to access the server share. Has this option been dropped in Samba 4? Is there another way to accomplish the same?

The 'right' way is meant to be that you enable the guest account, but I'm pretty sure this is all just unimplemented in the AD DC mode right now. Please file a bug, or better still write up a patch :-)

Andrew Bartlett

--
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
[Samba] map to guest = bad user ignored in Samba 4?
I would like to migrate some of my Samba 3.x domains to Samba 4. Part of the functionality of the current system is allowing some Windows XP Pro computers, which are not joined to the domain, access to some public shares on the Samba server. I tried using map to guest = bad user with Samba 4 - but it appears to be completely ignored and the Windows XP machine keeps on prompting for username/password when trying to access the server share. Has this option been dropped in Samba 4? Is there another way to accomplish the same?

Otherwise my Samba 4 domain seems to be working fine - and the Windows XP Pro machines which are joined to it can access the share fine. As a side note, I find it hard to figure out which smb.conf options are still available for Samba 4 and which are not. I've googled around and can't seem to find a wiki page or authoritative page.

I use Samba 4.1.0pre1. Here is my smb.conf:

[global]
workgroup = MYDOMAIN
realm = mydomain.local
netbios name = MY-SERVER
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
map to guest = bad user

[netlogon]
path = /var/lib/samba/sysvol/mydomain.local/scripts
read only = No
public = Yes
Re: [Samba] map to guest = bad user ignored in Samba 4?
Hi Sebastian,

Many of the per share options can now be done using ACL's. In this case you would open the netlogon share (via windows) start - run - \\MY-SERVER\netlogon (then press enter), then right click on a blank spot in that folder (not on any other file or folder) and select properties. Find the security tab and you can make the modifications you want (specifically adding Everyone with full permissions should give you what you are looking for, though I have not been able to test this yet). If I get a chance soon I will do some testing to make sure that the acl change is all that is needed.

To find out what options are available, samba-tool testparm -v will give you a nice list (at least for global).

Ricky

On Wed, Feb 13, 2013 at 4:33 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:
> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of the functionality of the current system is allowing some Windows XP Pro computers, which are not joined to the domain, access to some public shares on the Samba server. I tried using map to guest = bad user with Samba 4 - but it appears to be completely ignored and the Windows XP machine keeps on prompting for username/password when trying to access the server share. Has this option been dropped in Samba 4? Is there another way to accomplish the same?
>
> Otherwise my Samba 4 domain seems to be working fine - and the Windows XP Pro machines which are joined to it can access the share fine. As a side note, I find it hard to figure out which smb.conf options are still available for Samba 4 and which are not. I've googled around and can't seem to find a wiki page or authoritative page.
>
> I use Samba 4.1.0pre1. Here is my smb.conf:
>
> [global]
> workgroup = MYDOMAIN
> realm = mydomain.local
> netbios name = MY-SERVER
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> map to guest = bad user
>
> [netlogon]
> path = /var/lib/samba/sysvol/mydomain.local/scripts
> read only = No
> public = Yes