Re: [Samba] "map to guest = bad user" ignored in Samba 4?

2013-05-10 Thread Samuel Cabrero
Hi Andrew,

I have written a small patch for this issue. I would appreciate it if someone
could take a look at it and comment. I have tested it on XP machines and it
seems to work properly.

Cheers.

-- 
Samuel Cabrero - Developer
scabr...@zentyal.com

Easy IT for small business
www.zentyal.com

diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index f234f72..582eb0d 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -69,6 +69,58 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
 }
 
 /
+ Look for the guest account in the sam, return ldb result structures
+/
+
+static NTSTATUS authsam_search_guest_account(TALLOC_CTX *mem_ctx,
+		struct ldb_context *sam_ctx,
+		struct ldb_dn *domain_dn,
+		struct ldb_message **ret_msg)
+{
+	int ret;
+	const struct dom_sid *domain_sid;
+	struct dom_sid *guest_sid;
+
+	domain_sid = samdb_domain_sid(sam_ctx);
+	if (domain_sid == NULL) {
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	guest_sid = dom_sid_add_rid(mem_ctx, domain_sid, DOMAIN_RID_GUEST);
+	if (guest_sid == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* pull the user attributes */
+	ret = dsdb_search_one(sam_ctx, mem_ctx, ret_msg, domain_dn,
+			LDB_SCOPE_SUBTREE,
+			user_attrs,
+			DSDB_SEARCH_SHOW_EXTENDED_DN,
+			((objectSID=%s)(objectclass=user)),
+			ldap_encode_ndr_dom_sid(mem_ctx, guest_sid));
+	if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+		DEBUG(3,(%s: Couldn't find guest user in samdb, under %s\n,
+	__func__,
+	ldb_dn_get_linearized(domain_dn)));
+		return NT_STATUS_NO_SUCH_USER;
+	}
+	if (ret != LDB_SUCCESS) {
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	/* Return no such user if the account is disabled */
+	uint16_t acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
+			*ret_msg, domain_dn);
+	if (acct_flags  ACB_DISABLED) {
+		DEBUG(3,(%s: Account for guest user is disabled.\n,
+	__func__));
+		return NT_STATUS_NO_SUCH_USER;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/
  Do a specific test for an smb password being correct, given a smb_password and
  the lanman and NT responses.
 /
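Review bot: In authsam_search_guest_account() the only account-state test applied to the guest object is the ACB_DISABLED bit, and the second hunk takes this path instead of calling authsam_authenticate(), so any other account checks that function applies to a normal logon are not applied to the guest. Either run the guest object through the same account checks or say in the comment above the function why the disabled bit alone is sufficient. Two smaller points: the result of ldap_encode_ndr_dom_sid(mem_ctx, guest_sid) goes straight into the %s of the search filter without a NULL check, and uint16_t acct_flags is declared after executable statements while ret, domain_sid and guest_sid are declared at the top of the function; move it up with them.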
@@ -269,15 +321,28 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
 		return NT_STATUS_NO_SUCH_DOMAIN;
 	}
 
-	nt_status = authsam_search_account(tmp_ctx, ctx-auth_ctx-sam_ctx, account_name, domain_dn, msg);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(tmp_ctx);
-		return nt_status;
-	}
-
-	nt_status = authsam_authenticate(ctx-auth_ctx, tmp_ctx, ctx-auth_ctx-sam_ctx, domain_dn, msg, user_info,
-	 user_sess_key, lm_sess_key);
-	if (!NT_STATUS_IS_OK(nt_status)) {
+	nt_status = authsam_search_account(tmp_ctx, ctx-auth_ctx-sam_ctx,
+			account_name, domain_dn, msg);
+	if (NT_STATUS_IS_OK(nt_status)) {
+		nt_status = authsam_authenticate(ctx-auth_ctx,
+tmp_ctx, ctx-auth_ctx-sam_ctx, domain_dn,
+msg, user_info, user_sess_key, lm_sess_key);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			talloc_free(tmp_ctx);
+			return nt_status;
+		}
+	} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
+		DEBUG(3, (%s: User %s not found, mapping to guest account\n,
+	__func__, account_name));
+		nt_status = authsam_search_guest_account(tmp_ctx,
+ctx-auth_ctx-sam_ctx, domain_dn, msg);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			talloc_free(tmp_ctx);
+			return nt_status;
+		}
+		user_sess_key = data_blob(NULL, 0);
+		lm_sess_key = data_blob(NULL, 0);
+	} else {
 		talloc_free(tmp_ctx);
 		return nt_status;
 	}
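Review bot: The new else-if branch maps every NT_STATUS_NO_SUCH_USER result to the guest account unconditionally; nothing in these lines reads the 'map to guest' setting, so a server configured with 'map to guest = never' would also start accepting unknown user names as guest. Gate the branch on the configured value so that only 'bad user' reaches authsam_search_guest_account(). The branch also skips authsam_authenticate() and then falls through to the same code as a verified logon with only user_sess_key and lm_sess_key emptied, so nothing visible here marks the result as a guest logon; whatever builds the token after this point needs a way to tell the two cases apart so that the guest does not pick up the 'authenticated user' entry.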
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] "map to guest = bad user" ignored in Samba 4?

2013-05-10 Thread Andrew Bartlett
On Sat, 2013-05-11 at 01:25 +0200, Samuel Cabrero wrote:
> Hi Andrew,
>
> I have written a small patch for this issue. I would appreciate it if someone
> could take a look at it and comment. I have tested it on XP machines and it
> seems to work properly.

This certainly appears to match what I understand to be the Windows
behaviour.  However, we need tests, in particular I need to know if this
behaviour happens over LDAP, and if so, the test specifically needs to
inspect the tokenGroups attribute in the rootDSE, to ensure we match
Windows, specifically with regards to the 'authenticated user' entry in
the token.

I know this is a pain, but we do need to get this right, as marking a
guest user as 'authenticated' would be a very bad idea.

Finally, if you can prepare the patches with git format-patch, it will
make it easier for me to apply them, once we verify these things.

The test to extend is torture/unix/whoami.c invoked from
source3/selftest/tests.py

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
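
The requirement in the reply above, that a guest logon must not carry the 'authenticated user' entry in its token, can be checked mechanically once the tokenGroups values have been read. The following C program is an added example, not Samba code and not part of the thread; it assumes each tokenGroups value arrives as a binary SID, its function and type names are hypothetical, and the domain S-1-5-21-1-2-3 in the sample data is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names, not Samba APIs. One blob is one tokenGroups value. */
struct blob { const uint8_t *data; size_t len; };
enum verdict { TOKEN_OK, GUEST_MARKED_AUTHENTICATED, TOKEN_MALFORMED };

/* Decode a binary SID: revision, sub-authority count, 48-bit big-endian
 * identifier authority, then little-endian 32-bit sub-authorities. */
bool sid_to_string(struct blob v, char *out, size_t outlen)
{
	if (v.len < 8 || v.data[0] != 1 || v.data[1] > 15 ||
	    v.len != 8 + 4u * v.data[1])
		return false;	/* truncated, padded or unknown revision */
	uint64_t auth = 0;
	for (int i = 2; i < 8; i++)
		auth = (auth << 8) | v.data[i];
	int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
	for (unsigned i = 0; i < v.data[1]; i++) {
		const uint8_t *s = v.data + 8 + 4 * i;
		uint32_t sub = s[0] | (s[1] << 8) | (s[2] << 16) | ((uint32_t)s[3] << 24);
		if (n < 0 || (size_t)n >= outlen)
			return false;	/* output buffer too small */
		n += snprintf(out + n, outlen - (size_t)n, "-%u", (unsigned)sub);
	}
	return n > 0 && (size_t)n < outlen;
}

static bool ends_with(const char *s, const char *suffix)
{
	size_t ls = strlen(s), lx = strlen(suffix);
	return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* A token that carries a guest SID must not also carry Authenticated Users. */
enum verdict check_token(const struct blob *vals, size_t count)
{
	bool guest = false, authenticated = false;
	char sid[192];

	for (size_t i = 0; i < count; i++) {
		if (!sid_to_string(vals[i], sid, sizeof(sid)))
			return TOKEN_MALFORMED;
		/* account SIDs have the form S-1-5-21-<three domain parts>-<RID> */
		bool account = vals[i].data[1] == 5 && strncmp(sid, "S-1-5-21-", 9) == 0;
		if (strcmp(sid, "S-1-5-11") == 0) {	/* Authenticated Users */
			authenticated = true;
		} else if (strcmp(sid, "S-1-5-32-546") == 0 ||	/* builtin Guests alias */
			   (account && ends_with(sid, "-501")) ||	/* Guest, DOMAIN_RID_GUEST */
			   (account && ends_with(sid, "-514"))) {	/* Domain Guests */
			guest = true;
		}
	}
	return (guest && authenticated) ? GUEST_MARKED_AUTHENTICATED : TOKEN_OK;
}

/* Constructed sample values; the domain S-1-5-21-1-2-3 is made up. */
static const uint8_t GUEST[] = {1,5,0,0,0,0,0,5, 21,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0, 0xF5,1,0,0};
static const uint8_t EVERYONE[] = {1,1,0,0,0,0,0,1, 0,0,0,0};
static const uint8_t AUTH_USERS[] = {1,1,0,0,0,0,0,5, 11,0,0,0};
static const uint8_t BUILTIN_GUESTS[] = {1,2,0,0,0,0,0,5, 32,0,0,0, 0x22,2,0,0};
#define B(a) { (a), sizeof(a) }
const struct blob GOOD_GUEST_TOKEN[] = { B(GUEST), B(EVERYONE), B(BUILTIN_GUESTS) };
const struct blob BAD_GUEST_TOKEN[] = { B(GUEST), B(EVERYONE), B(AUTH_USERS) };

int main(void)
{
	printf("good=%d bad=%d\n", check_token(GOOD_GUEST_TOKEN, 3),
	       check_token(BAD_GUEST_TOKEN, 3));
	return 0;
}
```

A test for the patch would feed the tokenGroups values returned for a mapped-guest session into a check of this kind and fail on GUEST_MARKED_AUTHENTICATED.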




Re: [Samba] map to guest = bad user ignored in Samba 4?

2013-02-19 Thread Sebastian Arcus

On 16/02/13 03:45, Andrew Bartlett wrote:
> On Wed, 2013-02-13 at 10:33 +, Sebastian Arcus wrote:
>> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of
>> the functionality of the current system is allowing some Windows XP Pro
>> computers, which are not joined to the domain, access to some public
>> shares on the Samba server. I tried using map to guest = bad user with
>> Samba 4 - but it appears to be completely ignored and the Windows XP
>> machine keeps on prompting for username/password when trying to access
>> the server share. Has this option been dropped in Samba 4? Is there
>> another way to accomplish the same?
>
> This sounds correct.  This isn't currently supported against the AD DC.
> Guest access to the domain should be based on the 'guest' account being
> enabled, but this isn't hooked in either.
>
>> Otherwise my Samba 4 domain seems to be working fine - and the Windows
>> XP Pro machines which are joined to it can access the share fine.
>>
>> As a side note, I find it hard to figure out which smb.conf options are
>> still available for Samba 4 and which are not. I've googled around and
>> can't seem to find a wiki page or authoritative page.
>
> You have hit one of the areas where this isn't well documented.
>
> Sorry,


Thanks Andrew. It is at least useful I can come here and find out what 
can and can't work at the moment. I'll just have to postpone installing 
Samba 4 at sites where I can't do the whole conversion to domain in one 
step.


Many thanks,

Sebastian

--
Linux vehicle CCTV - www.open-t.co.uk/iroko


Re: [Samba] map to guest = bad user ignored in Samba 4?

2013-02-18 Thread Sebastian Arcus
Thanks Ricky. I've enabled the file system requirements in fstab and 
checked the kernel supports them (not sure how I managed to skip that 
step during installation). Now the permissions changes do stick. 
However, as per Andrew's email (part of this thread) - the server still 
prompts for credentials on the workgroup machine when trying to access 
the public/full permissions share, although I allowed full access to 
Guests and Everyone. It seems there is no way to provide unauthenticated 
access to shares at this moment in Samba 4.


It would have been rather useful with migrating workgroups to domains 
gradually, instead of in one step - but one must be happy with one's 
blessings :-) - so I'll make do the way things are.


Cheers,

Sebastian


On 15/02/13 18:00, Ricky Nance wrote:
> Have you taken a look at
> https://wiki.samba.org/index.php/Samba_4/OS_Requirements#File_System_Support to
> ensure your file system will handle ACL's?
>
> Ricky
>
> On Fri, Feb 15, 2013 at 10:35 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:
>
>> Hi Ricky,
>>
>> Thanks for the reply. I have tried changing the permissions on the
>> netlogon share and the strange thing is that none of the changes I
>> do in the Security/ACL tab from the Windows XP machine which is
>> joined to the domain (but on the netlogon share which is on the
>> server) actually stick. I can access the shares fine with that
>> machine, but if I change the permissions, it seems to just ignore
>> the changes - no error message. I am logged in as the domain
>> Administrator - so it seems like a bit of a mystery. Then again -
>> maybe I've done something silly when I've setup this Samba AD DC -
>> although I've followed all the instructions on the Samba wiki and
>> everything else seems to be working fine.
>>
>> Sebastian
>>
>> On 14/02/13 05:31, Ricky Nance wrote:
>>
>>> Hi Sebastian,
>>> Many of the per share options can now be done using ACL's. In this case
>>> you would open the netlogon share (via windows) start - run -
>>> \\MY-SERVER\netlogon (then press enter), then right click on a blank
>>> spot in that folder (not on any other file or folder) and select
>>> properties. Find the security tab and you can make the modifications you
>>> want (specifically adding Everyone with full permissions should give you
>>> what you are looking for, though I have not been able to test this yet).
>>> If I get a chance soon I will do some testing to make sure that the acl
>>> change is all that is needed.
>>>
>>> To find out what options are available, samba-tool testparm -v will give
>>> you a nice list (at least for global).
>>>
>>> Ricky
>>>
>>> On Wed, Feb 13, 2013 at 4:33 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:
>>>
>>>> I would like to migrate some of my Samba 3.x domains to Samba 4.
>>>> Part of the functionality of the current system is allowing some
>>>> Windows XP Pro computers, which are not joined to the domain, access
>>>> to some public shares on the Samba server. I tried using map to
>>>> guest = bad user with Samba 4 - but it appears to be completely
>>>> ignored and the Windows XP machine keeps on prompting for
>>>> username/password when trying to access the server share. Has this
>>>> option been dropped in Samba 4? Is there another way to accomplish
>>>> the same?
>>>>
>>>> Otherwise my Samba 4 domain seems to be working fine - and the
>>>> Windows XP Pro machines which are joined to it can access the share
>>>> fine.
>>>>
>>>> As a side note, I find it hard to figure out which smb.conf options
>>>> are still available for Samba 4 and which are not. I've googled
>>>> around and can't seem to find a wiki page or authoritative page.
>>>>
>>>> I use Samba 4.1.0pre1
>>>>
>>>> Here is my smb.conf
>>>>
>>>> [global]
>>>> workgroup = MYDOMAIN
>>>> realm = mydomain.local
>>>> netbios name = MY-SERVER
>>>> server role = active directory domain controller
>>>> idmap_ldb:use rfc2307 = yes
>>>> map to guest = bad user
>>>>
>>>> [netlogon]
>>>> path = /var/lib/samba/sysvol/mydomain.local/scripts
>>>> read only = No
>>>> public = Yes




--



--
Linux vehicle CCTV - www.open-t.co.uk/iroko

Re: [Samba] map to guest = bad user ignored in Samba 4?

2013-02-15 Thread Sebastian Arcus

Hi Ricky,

Thanks for the reply. I have tried changing the permissions on the 
netlogon share and the strange thing is that none of the changes I do in 
the Security/ACL tab from the Windows XP machine which is joined to the 
domain (but on the netlogon share which is on the server) actually 
stick. I can access the shares fine with that machine, but if I change 
the permissions, it seems to just ignore the changes - no error message. 
I am logged in as the domain Administrator - so it seems like a bit of a 
mystery. Then again - maybe I've done something silly when I've setup 
this Samba AD DC - although I've followed all the instructions on the 
Samba wiki and everything else seems to be working fine.



Sebastian


On 14/02/13 05:31, Ricky Nance wrote:
> Hi Sebastian,
> Many of the per share options can now be done using ACL's. In this case
> you would open the netlogon share (via windows) start - run -
> \\MY-SERVER\netlogon (then press enter), then right click on a blank
> spot in that folder (not on any other file or folder) and select
> properties. Find the security tab and you can make the modifications you
> want (specifically adding Everyone with full permissions should give you
> what you are looking for, though I have not been able to test this yet).
> If I get a chance soon I will do some testing to make sure that the acl
> change is all that is needed.
>
> To find out what options are available, samba-tool testparm -v will give
> you a nice list (at least for global).
>
> Ricky
>
> On Wed, Feb 13, 2013 at 4:33 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:
>
>> I would like to migrate some of my Samba 3.x domains to Samba 4.
>> Part of the functionality of the current system is allowing some
>> Windows XP Pro computers, which are not joined to the domain, access
>> to some public shares on the Samba server. I tried using map to
>> guest = bad user with Samba 4 - but it appears to be completely
>> ignored and the Windows XP machine keeps on prompting for
>> username/password when trying to access the server share. Has this
>> option been dropped in Samba 4? Is there another way to accomplish
>> the same?
>>
>> Otherwise my Samba 4 domain seems to be working fine - and the
>> Windows XP Pro machines which are joined to it can access the share
>> fine.
>>
>> As a side note, I find it hard to figure out which smb.conf options
>> are still available for Samba 4 and which are not. I've googled
>> around and can't seem to find a wiki page or authoritative page.
>>
>> I use Samba 4.1.0pre1
>>
>> Here is my smb.conf
>>
>> [global]
>> workgroup = MYDOMAIN
>> realm = mydomain.local
>> netbios name = MY-SERVER
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> map to guest = bad user
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/mydomain.local/scripts
>> read only = No
>> public = Yes




--




--
Linux vehicle CCTV - www.open-t.co.uk/iroko


Re: [Samba] map to guest = bad user ignored in Samba 4?

2013-02-15 Thread Ricky Nance
Have you taken a look at
https://wiki.samba.org/index.php/Samba_4/OS_Requirements#File_System_Support to
ensure your file system will handle ACL's?

Ricky


On Fri, Feb 15, 2013 at 10:35 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:

> Hi Ricky,
>
> Thanks for the reply. I have tried changing the permissions on the
> netlogon share and the strange thing is that none of the changes I do in
> the Security/ACL tab from the Windows XP machine which is joined to the
> domain (but on the netlogon share which is on the server) actually stick. I
> can access the shares fine with that machine, but if I change the
> permissions, it seems to just ignore the changes - no error message. I am
> logged in as the domain Administrator - so it seems like a bit of a
> mystery. Then again - maybe I've done something silly when I've setup this
> Samba AD DC - although I've followed all the instructions on the Samba wiki
> and everything else seems to be working fine.
>
> Sebastian
>
> On 14/02/13 05:31, Ricky Nance wrote:
>
>> Hi Sebastian,
>> Many of the per share options can now be done using ACL's. In this case
>> you would open the netlogon share (via windows) start - run -
>> \\MY-SERVER\netlogon (then press enter), then right click on a blank
>> spot in that folder (not on any other file or folder) and select
>> properties. Find the security tab and you can make the modifications you
>> want (specifically adding Everyone with full permissions should give you
>> what you are looking for, though I have not been able to test this yet).
>> If I get a chance soon I will do some testing to make sure that the acl
>> change is all that is needed.
>>
>> To find out what options are available, samba-tool testparm -v will give
>> you a nice list (at least for global).
>>
>> Ricky
>>
>> On Wed, Feb 13, 2013 at 4:33 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:
>>
>>> I would like to migrate some of my Samba 3.x domains to Samba 4.
>>> Part of the functionality of the current system is allowing some
>>> Windows XP Pro computers, which are not joined to the domain, access
>>> to some public shares on the Samba server. I tried using map to
>>> guest = bad user with Samba 4 - but it appears to be completely
>>> ignored and the Windows XP machine keeps on prompting for
>>> username/password when trying to access the server share. Has this
>>> option been dropped in Samba 4? Is there another way to accomplish
>>> the same?
>>>
>>> Otherwise my Samba 4 domain seems to be working fine - and the
>>> Windows XP Pro machines which are joined to it can access the share
>>> fine.
>>>
>>> As a side note, I find it hard to figure out which smb.conf options
>>> are still available for Samba 4 and which are not. I've googled
>>> around and can't seem to find a wiki page or authoritative page.
>>>
>>> I use Samba 4.1.0pre1
>>>
>>> Here is my smb.conf
>>>
>>> [global]
>>> workgroup = MYDOMAIN
>>> realm = mydomain.local
>>> netbios name = MY-SERVER
>>> server role = active directory domain controller
>>> idmap_ldb:use rfc2307 = yes
>>> map to guest = bad user
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/mydomain.local/scripts
>>> read only = No
>>> public = Yes
 




 --



 --
 Linux vehicle CCTV - www.open-t.co.uk/iroko






Re: [Samba] map to guest = bad user ignored in Samba 4?

2013-02-15 Thread Andrew Bartlett
On Wed, 2013-02-13 at 10:33 +, Sebastian Arcus wrote:
> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of
> the functionality of the current system is allowing some Windows XP Pro
> computers, which are not joined to the domain, access to some public
> shares on the Samba server. I tried using map to guest = bad user with
> Samba 4 - but it appears to be completely ignored and the Windows XP
> machine keeps on prompting for username/password when trying to access
> the server share. Has this option been dropped in Samba 4? Is there
> another way to accomplish the same?

This sounds correct.  This isn't currently supported against the AD DC.
Guest access to the domain should be based on the 'guest' account being
enabled, but this isn't hooked in either. 

> Otherwise my Samba 4 domain seems to be working fine - and the Windows
> XP Pro machines which are joined to it can access the share fine.
>
> As a side note, I find it hard to figure out which smb.conf options are
> still available for Samba 4 and which are not. I've googled around and
> can't seem to find a wiki page or authoritative page.

You have hit one of the areas where this isn't well documented. 

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] map to guest = bad user ignored in Samba 4?

2013-02-14 Thread Andrew Bartlett
On Wed, 2013-02-13 at 10:33 +, Sebastian Arcus wrote:
> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of
> the functionality of the current system is allowing some Windows XP Pro
> computers, which are not joined to the domain, access to some public
> shares on the Samba server. I tried using map to guest = bad user with
> Samba 4 - but it appears to be completely ignored and the Windows XP
> machine keeps on prompting for username/password when trying to access
> the server share. Has this option been dropped in Samba 4? Is there
> another way to accomplish the same?

The 'right' way is meant to be that you enable the guest account, but
I'm pretty sure this is all just unimplemented in the AD DC mode right
now.  

Please file a bug, or better still write up a patch :-)

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] map to guest = bad user ignored in Samba 4?

2013-02-13 Thread Sebastian Arcus
I would like to migrate some of my Samba 3.x domains to Samba 4. Part of 
the functionality of the current system is allowing some Windows XP Pro 
computers, which are not joined to the domain, access to some public 
shares on the Samba server. I tried using map to guest = bad user with 
Samba 4 - but it appears to be completely ignored and the Windows XP 
machine keeps on prompting for username/password when trying to access 
the server share. Has this option been dropped in Samba 4? Is there 
another way to accomplish the same?


Otherwise my Samba 4 domain seems to be working fine - and the Windows 
XP Pro machines which are joined to it can access the share fine.


As a side note, I find it hard to figure out which smb.conf options are 
still available for Samba 4 and which are not. I've googled around and 
can't seem to find a wiki page or authoritative page.


I use Samba 4.1.0pre1

Here is my smb.conf


[global]
workgroup = MYDOMAIN
realm = mydomain.local
netbios name = MY-SERVER
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
map to guest = bad user

[netlogon]
path = /var/lib/samba/sysvol/mydomain.local/scripts
read only = No
public = Yes


Re: [Samba] map to guest = bad user ignored in Samba 4?

2013-02-13 Thread Ricky Nance
Hi Sebastian,
Many of the per share options can now be done using ACL's. In this case you
would open the netlogon share (via windows) start - run -
\\MY-SERVER\netlogon (then press enter), then right click on a blank spot
in that folder (not on any other file or folder) and select properties.
Find the security tab and you can make the modifications you want
(specifically adding Everyone with full permissions should give you what
you are looking for, though I have not been able to test this yet). If I
get a chance soon I will do some testing to make sure that the acl change
is all that is needed.

To find out what options are available, samba-tool testparm -v will give
you a nice list (at least for global).

Ricky


On Wed, Feb 13, 2013 at 4:33 AM, Sebastian Arcus <s...@open-t.co.uk> wrote:

> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of
> the functionality of the current system is allowing some Windows XP Pro
> computers, which are not joined to the domain, access to some public shares
> on the Samba server. I tried using map to guest = bad user with Samba 4 -
> but it appears to be completely ignored and the Windows XP machine keeps on
> prompting for username/password when trying to access the server share. Has
> this option been dropped in Samba 4? Is there another way to accomplish the
> same?
>
> Otherwise my Samba 4 domain seems to be working fine - and the Windows XP
> Pro machines which are joined to it can access the share fine.
>
> As a side note, I find it hard to figure out which smb.conf options are
> still available for Samba 4 and which are not. I've googled around and
> can't seem to find a wiki page or authoritative page.
>
> I use Samba 4.1.0pre1
>
> Here is my smb.conf
>
> [global]
> workgroup = MYDOMAIN
> realm = mydomain.local
> netbios name = MY-SERVER
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> map to guest = bad user
>
> [netlogon]
> path = /var/lib/samba/sysvol/mydomain.local/scripts
> read only = No
> public = Yes



