Restrict Anonymous

2003-03-06 Thread Marc Kaplan
Hello list,

Has anybody coded some sort of workaround for joining domains with
RestrictAnonymous set? The typical behavior I see is for NT4 domains we're
able to look up sequence, but never enumerate users and groups. For ADS
domains, it seems that even looking up sequence from the domain fails.

I appreciate any insight.

Thanks,
-Marc



Re: Restrict Anonymous

2003-03-06 Thread Richard Sharpe
On Thu, 6 Mar 2003, Marc Kaplan wrote:

> Hello list,
> 
> Has anybody coded some sort of workaround for joining domains with
> RestrictAnonymous set? The typical behavior I see is for NT4 domains we're
> able to look up sequence, but never enumerate users and groups. For ADS
> domains, it seems that even looking up sequence from the domain fails.

Are you referring to domain joining or having winbindd function? If the 
latter, winbindd in head and Samba 3.0.0 allows you to specify a username 
and password that winbindd can use to perform functions that it used to be 
able to do.

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com



RE: Restrict Anonymous

2003-03-06 Thread Marc Kaplan
I am referring to having winbindd function in 3.0. How do I go about setting
this option? Is it a smb.conf parameter?

Thanks,
-Marc

-Original Message-
From: Richard Sharpe [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2003 9:52 AM
To: Marc Kaplan
Cc: '[EMAIL PROTECTED]'
Subject: Re: Restrict Anonymous


On Thu, 6 Mar 2003, Marc Kaplan wrote:

> Hello list,
> 
> Has anybody coded some sort of workaround for joining domains with
> RestrictAnonymous set? The typical behavior I see is for NT4 domains we're
> able to look up sequence, but never enumerate users and groups. For ADS
> domains, it seems that even looking up sequence from the domain fails.

Are you referring to domain joining or having winbindd function? If the 
latter, winbindd in head and Samba 3.0.0 allows you to specify a username 
and password that winbindd can use to perform functions that it used to be 
able to do.

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com


RE: Restrict Anonymous

2003-03-06 Thread MCCALL,DON (HP-USA,ex1)
Hi Marc,
For winbindd to function, you must use
wbinfo -A username%passwd

to store the username and password of the user you want
winbindd to use for authentication.
Hope this helps,
Don

> -Original Message-
> From: Marc Kaplan [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 06, 2003 11:52
> To: '[EMAIL PROTECTED]'
> Subject: Restrict Anonymous
> 
> 
> Hello list,
> 
> Has anybody coded some sort of workaround for joining domains with
> RestrictAnonymous set? The typical behavior I see is for NT4 domains we're
> able to look up sequence, but never enumerate users and groups. For ADS
> domains, it seems that even looking up sequence from the domain fails.
> 
> I appreciate any insight.
> 
> Thanks,
>   -Marc
> 


[patch] winbindd: try to fix 'restrict anonymous=1'

2003-01-20 Thread Martin Pool
hp CR1501 and friends

This patch tries to make winbindd cope with the security option
'restrict anonymous=1' on NT4 and W2kS.  When this option is set, the
DC disallows SAMR calls on unauthenticated connections, but does allow
LSA translations between names and sids.  

Obviously winbindd can't be fully functional in this case, but it
ought to be able to still do these operations -- in particular, with
this patch wbinfo -n works, while it does not work without it.

I'm not sure this is right yet but I'd appreciate comments.  If this
is correct, I think it ought to be ported to HEAD and 3.0 as well.

It seems to work for me.  As Tim suggested I used both built in
(Administrator) and otherwise (jrhacker) SIDs for testing.

This partially reverts the cached failure case, and possibly causes
winbindd to hammer on dcs that just don't want to talk to it.  You can
imagine a more detailed fix that specifically detects the ra=1 case
and handles it by using only LSA.  From what I know, it doesn't seem
to specifically handle that, though perhaps it would be so in HEAD.

Incidentally, gdb remote mode absolutely rocks for debugging appliances.


Thanks to Tim for patient help.
 

Index: nsswitch/winbindd_cache.c
===
RCS file: /data/cvs/samba/source/nsswitch/winbindd_cache.c,v
retrieving revision 1.5.2.8
diff -u -r1.5.2.8 winbindd_cache.c
--- nsswitch/winbindd_cache.c   31 Oct 2002 23:56:32 -  1.5.2.8
+++ nsswitch/winbindd_cache.c   20 Jan 2003 10:43:58 -
@@ -201,7 +201,8 @@
   refresh the domain sequence number. If force is True
   then always refresh it, no matter how recently we fetched it
 */
-static void refresh_sequence_number(struct winbindd_domain *domain, BOOL force)
+static NTSTATUS refresh_sequence_number(struct winbindd_domain *domain, 
+   BOOL force)
 {
NTSTATUS status;
unsigned time_diff;
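Review bot: the header comment above refresh_sequence_number still only describes the refresh behaviour; now that the function returns an NTSTATUS instead of void, document what is returned on the cached path versus when the backend sequence_number call fails, since the later hunks branch on NT_STATUS_ACCESS_DENIED specifically.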
@@ -210,7 +211,7 @@
 
/* see if we have to refetch the domain sequence number */
if (!force  (time_diff  lp_winbind_cache_time())) {
-   return;
+   return NT_STATUS_OK;
}
 
status = wcache-backend-sequence_number(domain, domain-sequence_number);
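Review bot: the cache-hit early return hands back a hard-coded NT_STATUS_OK regardless of what the last real refresh returned, so if a failed fetch still updates the last-check time (not visible in this hunk), a caller looking for NT_STATUS_ACCESS_DENIED sees it only on the first call inside one winbind cache time interval and a plain OK afterwards; consider returning the status recorded for the domain (the name_to_sid and sid_to_name hunks already read domain->last_status) instead of NT_STATUS_OK here.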
@@ -238,6 +239,8 @@
 
DEBUG(10, (refresh_sequence_number: seq number is now %d\n, 
   domain-sequence_number));
+
+   return status;
 }
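Review bot: `return status;` is reached right after the DEBUG(10, "refresh_sequence_number: seq number is now %d") line, so on a failed fetch the log reports a fresh sequence number immediately before a non-OK status is returned; log the status next to the sequence number, or only emit that message when NT_STATUS_IS_OK(status).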
 
 /*
@@ -276,8 +279,18 @@
TDB_DATA data;
struct cache_entry *centry;
TDB_DATA key;
+   NTSTATUS result;
 
-   refresh_sequence_number(domain, False);
+   result = refresh_sequence_number(domain, False);
+
+   /* Treat an access denied result from refresh_sequence_number as a
+  cache miss.  Access denied is returned when the domain
+  controller disallows anonymous access.  Perhaps we should treat
+  any error as a miss although that might increase the time it
+  takes winbindd to determine if a domain controller is down. */
+
+   if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED))
+   return NULL;
 
va_start(ap, format);
smb_xvasprintf(kstr, format, ap);
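Review bot: returning NULL on NT_STATUS_ACCESS_DENIED turns every cache_fetch against a restrict-anonymous DC into a miss before the key is even built, so each lookup goes to the DC, which is exactly the hammering the cover note worries about; since the tdb entry under `key` may still hold a usable value, consider falling through to the cache lookup and only refusing to treat the entry as fresh. The comment's open question ("Perhaps we should treat any error as a miss") should be decided one way or the other before this is ported to HEAD and 3.0. The early return sits before va_start, so no va_end is skipped.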
@@ -738,9 +751,15 @@
 do_query:
ZERO_STRUCTP(sid);
 
-   /* Return status value returned by seq number check */
+   /* If the seq number check indicated that there is a problem
+* with this DC, then return that status... except for
+* access_denied.  This is special because the dc may be in
+* restrict anonymous = 1 mode, in which case it will deny
+* most unauthenticated operations, but *will* allow the LSA
+* name-to-sid that we try as a fallback. */
 
-   if (!NT_STATUS_IS_OK(domain-last_status))
+   if (!(NT_STATUS_IS_OK(domain-last_status)
+ || NT_STATUS_EQUAL(domain-last_status, NT_STATUS_ACCESS_DENIED)))
return domain-last_status;
 
status = cache-backend-name_to_sid(domain, name, sid, type);
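Review bot: the relaxed condition lets NT_STATUS_ACCESS_DENIED from the sequence number check through to the backend name_to_sid on the assumption that it means `restrict anonymous = 1`, but the status is only a proxy for that mode, and the same six-line comment plus the same compound NT_STATUS_IS_OK / NT_STATUS_EQUAL test are repeated verbatim in the sid_to_name hunk below; factor both into one small static helper (something like "does this DC status still permit an LSA fallback") so the two call sites cannot drift apart.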
@@ -784,9 +803,16 @@
 do_query:
*name = NULL;
 
-   /* Return status value returned by seq number check */
 
-   if (!NT_STATUS_IS_OK(domain-last_status))
+   /* If the seq number check indicated that there is a problem
+* with this DC, then return that status... except for
+* access_denied.  This is special because the dc may be in
+* restrict anonymous = 1 mode, in which case it will deny
+* most unauthenticated operations, but *will* allow the LSA
+* sid-to-name that we try as a fallback. */
+
+   if (!(NT_STATUS_IS_OK(domain-last_status)
+ || NT_STATUS_EQUAL(domain-last_status, NT_STATUS_ACCESS_DENIED)))
return domain-last_status;
 
status = cache-backend-sid_to_name(domain, mem_ctx, sid, name, type);
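Review bot: removing the old one-line comment leaves two consecutive blank lines between `*name = NULL;` and the new comment block; drop one. The comment and the compound NT_STATUS_IS_OK / NT_STATUS_ACCESS_DENIED test are a verbatim copy of the name_to_sid change above and belong in a shared helper rather than being maintained in two places.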


-- 
Martin 



Re: NULL sessions - Listing shares anonymously - restrict anonymous

2002-11-17 Thread Andrew Bartlett
On Fri, 2002-11-15 at 19:40, Tim Potter wrote: 
> On Fri, Nov 15, 2002 at 07:32:06PM +1100, Andrew Bartlett wrote:
> 
> > > In the Samba HEAD and 3.0 branches however the parameter behaves more
> > > like the RestrictAnonymous registry setting.  Only 'restrict anonymous = 1' 
> > > is currently supported though.
> > 
> > I'm going to do some research, and figure out exactly what 'restrict
> > anonymous = 2' does.  If it denies all guest logins, then it is trivial
> > to implement.
> 
> I'm pretty sure that's what it does.  It would be nice to implement it 
> in terms of security descriptors for the various rpc pipes.

Actually, it allows the session setup, but denies the tree connect to IPC$.

I'm about to commit a patch to this effect, but I wasn't sure about what 
behavior we should have:

override all 'guest ok' settings for all shares

allow guest access to these shares, which implies guest IPC access (because
we allow IPC on all shares, not just IPC$ - at least that's my understanding)

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net





Re: NULL sessions - Listing shares anonymously - restrict anonymous

2002-11-16 Thread Christopher R. Hertel
Yannick Mercier wrote:
:
> Unfortunately, I'll have to back out to samba 2.2 because I'm using this
> samba server as a PDC also, and when I logon with my WinXP workstation,
> the PC reboots during "Loading desktop settings".
> I guess it's a bug in the alpha version of samba.

If the XP system reboots then there's a bug in XP.  The fact that the
alpha version of Samba exercises the XP bug is something we will want to
fix, but XP shouldn't be rebooting on error.

Chris -)-

-- 
Samba Team -- http://www.samba.org/ -)-   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)-   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/-)-   [EMAIL PROTECTED]



Re: NULL sessions - Listing shares anonymously - restrict anonymous

2002-11-15 Thread Andrew Bartlett
On Fri, 2002-11-15 at 15:08, Tim Potter wrote:
> On Thu, Nov 14, 2002 at 08:50:47PM -0500, Yannick Mercier wrote:
> 
> > I am running 2.2.5 and I would like to know if the
> > restrict anonymous has been implemented correctly, as it was supposed
> > to behave from the start, in order to deny
> > ALL anonymous connections as stated in the man :
> > When restrict anonymous is yes, all anonymous connections are denied no
> > matter what they are for.
> 
> In the Samba 2.2 branch the 'restrict anonymous' parameter behaves as
> per the manual page.  It's broken and unlikely to be fixed.
> 
> > I've been reading some dev mailing lists and someone said that there would be
> > 0, 1 , 2 as
> > possible values to the restrict anonymous option, has it been done yet ?
> 
> In the Samba HEAD and 3.0 branches however the parameter behaves more
> like the RestrictAnonymous registry setting.  Only 'restrict anonymous = 1' 
> is currently supported though.

I'm going to do some research, and figure out exactly what 'restrict
anonymous = 2' does.  If it denies all guest logins, then it is trivial
to implement.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net





Re: NULL sessions - Listing shares anonymously - restrict anonymous

2002-11-15 Thread Yannick Mercier
I installed the samba-3.0alpha20 (latest I think) and restrict anonymous = 1
works for denying the shares listing from non-authenticated users. As what
I've read, the restrict anonymous = 2 is not implemented yet, but when it will
be, it is supposed to deny all rpc calls, which will be great.

Unfortunately, I'll have to back out to samba 2.2 because I'm using this samba
server as a PDC also, and when I logon with my WinXP workstation, the PC
reboots during "Loading desktop settings". I guess it's a bug in the alpha
version of samba.




-
I'm going to do some research, and figure out exactly what 'restrict
anonymous = 2' does.  If it denies all guest logins, then it is trivial
to implement.

Andrew Bartlett

On Fri, 2002-11-15 at 15:08, Tim Potter wrote:
> On Thu, Nov 14, 2002 at 08:50:47PM -0500, Yannick Mercier wrote:
>
> > I am running 2.2.5 and I would like to know if the
> > restrict anonymous has been implemented correctly, as it was supposed
> > to behave from the start, in order to deny
> > ALL anonymous connections as stated in the man :
> > When restrict anonymous is yes, all anonymous connections are denied no
> > matter what they are for.
>
> In the Samba 2.2 branch the 'restrict anonymous' parameter behaves as
> per the manual page.  It's broken and unlikely to be fixed.
>
> > I've been reading some dev mailing lists and someone said that there
> > would be 0, 1 , 2 as
> > possible values to the restrict anonymous option, has it been done yet ?
>
> In the Samba HEAD and 3.0 branches however the parameter behaves more
> like the RestrictAnonymous registry setting.  Only 'restrict anonymous = 1'
> is currently supported though.





Re: NULL sessions - Listing shares anonymously - restrict anonymous

2002-11-14 Thread Tim Potter
On Thu, Nov 14, 2002 at 08:50:47PM -0500, Yannick Mercier wrote:

> I am running 2.2.5 and I would like to know if the
> restrict anonymous has been implemented correctly, as it was supposed
> to behave from the start, in order to deny
> ALL anonymous connections as stated in the man :
> When restrict anonymous is yes, all anonymous connections are denied no
> matter what they are for.

In the Samba 2.2 branch the 'restrict anonymous' parameter behaves as
per the manual page.  It's broken and unlikely to be fixed.

> I've been reading some dev mailing lists and someone said that there would be
> 0, 1 , 2 as
> possible values to the restrict anonymous option, has it been done yet ?

In the Samba HEAD and 3.0 branches however the parameter behaves more
like the RestrictAnonymous registry setting.  Only 'restrict anonymous = 1' 
is currently supported though.


Tim.



taking back the 'restrict anonymous' parameter

2002-05-30 Thread Tim Potter

I'm thinking about taking back the restrict anonymous parameter and
using it to do Good Things.  Previously in HEAD and currently in 2.2 it
stops people connecting to shares anonymously but I think Mr Bartlett 
removed it because it was either buggy or didn't do anything useful.

I propose that this parameter act like the RestrictAnonymous registry
setting, i.e. it prevents anonymous access to the SAMR pipe and anonymous
access to the NetShareEnum RPC when set to 1.  When set to 2, it
disallows anonymous access to all RPC pipes.

Any objections?  There's still some more testing and coding to be done.
This may be a good opportunity to implement security descriptors on
pipes.


Tim.
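As an added example (not code from this thread or from the Samba sources), a small audit script that reads the [global] section of an smb.conf and reports what its 'restrict anonymous' level means, using the level semantics proposed above and Andrew Bartlett's later finding about level 2; the LEVELS wording, the handling of the 2.2-era yes/no spelling and the two sample configs are my own construction.

```python
# Added example (not from the thread or the Samba sources): audit the 'restrict
# anonymous' value in an smb.conf [global] section using the thread's semantics.
import re
# Tim Potter's proposal for levels 1 and 2, plus Andrew Bartlett's finding
# that level 2 allows the session setup but denies the tree connect to IPC$.
LEVELS = {
    0: "anonymous (null session) SAMR and NetShareEnum calls are allowed",
    1: "anonymous SAMR pipe access and NetShareEnum are denied; "
       "LSA name<->SID lookups still answer without credentials",
    2: "anonymous tree connect to IPC$ is denied, so no anonymous RPC at all",
}

def global_params(conf_text):
    """Return {normalised_name: value} for the [global] section only."""
    params, in_global = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:  # section header; only [global] is of interest
            in_global = m.group(1).strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            # parameter names are case-insensitive and ignore whitespace
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def restrict_anonymous_level(conf_text):
    """0, 1 or 2 for the 3.0-style integer; None for the 2.2-style yes/no."""
    value = global_params(conf_text).get("restrictanonymous", "0").lower()
    if value in ("yes", "true", "no", "false"):
        return None
    level = int(value)
    if level not in LEVELS:
        raise ValueError("restrict anonymous must be 0, 1 or 2, got %r" % value)
    return level

def audit(conf_text):
    level = restrict_anonymous_level(conf_text)
    if level is None:
        return {"level": None, "anonymous_enum_blocked": None,
                "meaning": "2.2-style boolean form, which the thread calls broken"}
    return {"level": level, "anonymous_enum_blocked": level >= 1,
            "meaning": LEVELS[level]}
# Constructed samples: setting commented out (default 0) and a hardened config.
SAMPLE_DEFAULT = "[global]\n  workgroup = EXAMPLE\n  ; restrict anonymous = 2\n[homes]\n  guest ok = no\n"
SAMPLE_HARDENED = "[Global]\n  workgroup = EXAMPLE\n  Restrict Anonymous = 2\n"
```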




Re: taking back the 'restrict anonymous' parameter

2002-05-30 Thread Tim Potter

On Thu, May 30, 2002 at 04:37:59PM -0700, Jeremy Allison wrote:

> > I propose that this parameter act like the RestrictAnonymous registry
> > setting, i.e. it prevents anonymous access to the SAMR pipe and anonymous
> > access to the NetShareEnum RPC when set to 1.  When set to 2, it
> > disallows anonymous access to all RPC pipes.
> > 
> > Any objections?  There's still some more testing and coding to be done.
> > This may be a good opportunity to implement security descriptors on
> > pipes.
> 
> Hurrah for Tim ! Good idea :-).

Great!  

Any feedback on the _res.{retry,retrans} idea for minimising DNS
timeouts?


Tim.