I'm running the samba-client-3.0.20-0.1 SUSE RPM. I was using the version that came with 9.3 but upgraded to see if this specific problem would go away.

Guest access does not appear to be working correctly, and it looks like the problem is due to guest not getting mapped into the LDAP query correctly.

Specifically, I can login with local account, join workstation to the domain, browse shares, and everything else that requires authentication, but cannot login to domain nor browse the domain in explorer or anything else that requires guest access.

Looking at the smbd log with loglevel 4 shows:

[2005/09/01 01:00:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[] domain=[] workstation=[RHINO-VM-PC-1] len1=1 len2=0
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/09/01 01:00:02, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/01 01:00:02, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user []\[]@[RHINO-VM-PC-1] with the new password interface
[2005/09/01 01:00:02, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [LABS]\[]@[RHINO-VM-PC-1]
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/09/01 01:00:02, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/09/01 01:00:02, 2] lib/smbldap.c:smbldap_open_connection(630)
  smbldap_open_connection: connection opened
[2005/09/01 01:00:02, 3] lib/smbldap.c:smbldap_connect_system(805)
  ldap_connect_system: succesful connection to the LDAP server
[2005/09/01 01:00:02, 4] lib/smbldap.c:smbldap_open(869)
  The LDAP server is succesfully connected
[2005/09/01 01:00:02, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1335)
  ldapsam_getsampwnam: Unable to locate user [] count=0
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/01 01:00:02, 3] auth/auth_sam.c:check_sam_security(260)
  check_sam_security: Couldn't find user '' in passdb.
[2005/09/01 01:00:02, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER

Looking in the slapd log with loglevel 256 shows:

Sep 1 01:00:02 rhino slapd[8360]: conn=123 fd=28 ACCEPT from IP=207.65.71.3:55418 (IP=0.0.0.0:389)
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=0 BIND dn="***hidden***" method=128
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=0 BIND dn="uid=root,ou=Users,dc=labs,dc=ntrg,dc=com" mech=SIMPLE ssf=0
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=0 RESULT tag=97 err=0 text=
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH attr=supportedControl
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0 filter="(&(?=undefined)(objectClass=sambaSamAccount))"
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 1 01:00:13 rhino slapd[8360]: conn=123 fd=28 closed

It looks like "filter="(&(?=undefined)(objectClass=sambaSamAccount))"" produces zero responses (as would be expected), which is resulting in the "Unable to locate user [] count=0" SMB error.

smb.conf has "guest account = guest"

The output for "pdbedit --user=guest --verbose" is:

Unix username: guest
NT username: guest
Account Flags: [U ]
User SID: S-1-5-21-284210356-3264030311-3336521042-501
Primary Group SID: S-1-5-21-284210356-3264030311-3336521042-514
Full Name: Unknown or guest user
Home Directory: \\rhino\guest\.9xprofile
HomeDir Drive: P:
Logon Script: logon.cmd
Profile Path: \\rhino\profiles\.msprofile
Domain: LABS
Account desc: Unknown or guest user
Workstations:
Munged dial:
Logon time: 0
Logoff time: Mon, 18 Jan 2038 22:14:07 GMT
Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT
Password last set: Wed, 31 Aug 2005 22:44:22 GMT
Password can change: Wed, 31 Aug 2005 22:44:22 GMT
Password must change: Mon, 18 Jan 2038 22:14:07 GMT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

The guest account is defined, is valid, and has a password.

I'm pretty sure the whole problem here is with the malformed LDAP lookup but I could be wrong.

Anybody got any ideas or suggestions here?

Thanks
Judging from these lines in the log.smbd file:

| [2005/09/01 01:00:02, 4] lib/smbldap.c:smbldap_open(869)
| The LDAP server is succesfully connected
| [2005/09/01 01:00:02, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1335)
| ldapsam_getsampwnam: Unable to locate user [] count=0

and the detailed output from ldap log file:

| Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH
| base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0
| filter="(&(?=undefined)(objectClass=sambaSamAccount))"

it would indeed appear that the "(?=undefined)" LDAP search filter is being generated by pdb_ldap.c but a grep through that file doesn't return any obvious hits

Anybody got any suggestions here?

On 9/1/2005 1:18 AM, Eric A. Hall wrote:

> I'm running the samba-3.0.20-0.1 SUSE RPM. I was using the
> version that came with 9.3 but upgraded to see if this specific
> problem would go away.
>
> Guest access does not appear to be working correctly, and it looks
> like the problem is due to guest not getting mapped into the LDAP
> query correctly.
>
> Specifically, I can login with local account, join workstation to the
> domain, browse shares, and everything else that requires
> authentication, but cannot login to domain nor browse the domain in
> explorer or anything else that requires guest access.
>
> Looking at the smbd log with loglevel 4 shows:
>
> [2005/09/01 01:00:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
> Got user=[] domain=[] workstation=[RHINO-VM-PC-1] len1=1 len2=0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:push_sec_ctx(256)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 3] smbd/uid.c:push_conn_ctx(388)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] auth/auth.c:check_ntlm_password(219)
> check_ntlm_password: Checking password for unmapped user
> []\[]@[RHINO-VM-PC-1] with the new password interface
> [2005/09/01 01:00:02, 3] auth/auth.c:check_ntlm_password(222)
> check_ntlm_password: mapped user is: [LABS]\[]@[RHINO-VM-PC-1]
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:push_sec_ctx(256)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 3] smbd/uid.c:push_conn_ctx(388)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 2] lib/smbldap.c:smbldap_open_connection(630)
> smbldap_open_connection: connection opened
> [2005/09/01 01:00:02, 3] lib/smbldap.c:smbldap_connect_system(805)
> ldap_connect_system: succesful connection to the LDAP server
> [2005/09/01 01:00:02, 4] lib/smbldap.c:smbldap_open(869)
> The LDAP server is succesfully connected
> [2005/09/01 01:00:02, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1335)
> ldapsam_getsampwnam: Unable to locate user [] count=0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] auth/auth_sam.c:check_sam_security(260)
> check_sam_security: Couldn't find user '' in passdb.
> [2005/09/01 01:00:02, 2] auth/auth.c:check_ntlm_password(317)
> check_ntlm_password: Authentication for user [] -> [] FAILED with
> error NT_STATUS_NO_SUCH_USER
>
> Looking in the slapd log with loglevel 256 shows:
>
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 fd=28 ACCEPT from
> IP=207.65.71.3:55418 (IP=0.0.0.0:389)
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=0 BIND
> dn="***hidden***" method=128
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=0 BIND
> dn="uid=root,ou=Users,dc=labs,dc=ntrg,dc=com" mech=SIMPLE ssf=0
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=0 RESULT tag=97 err=0
> text=
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH base="" scope=0
> deref=0 filter="(objectClass=*)"
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH
> attr=supportedControl
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH
> base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0
> filter="(&(?=undefined)(objectClass=sambaSamAccount))"
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH attr=uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> Sep 1 01:00:13 rhino slapd[8360]: conn=123 fd=28 closed
>
> It looks like "filter="(&(?=undefined)(objectClass=sambaSamAccount))""
> produces zero responses (as would be expected), which is resulting in
> the "Unable to locate user [] count=0" SMB error.
>
> smb.conf has "guest account = guest"
>
> The output for "pdbedit --user=guest --verbose" is:
>
> Unix username: guest
> NT username: guest
> Account Flags: [U ]
> User SID: S-1-5-21-284210356-3264030311-3336521042-501
> Primary Group SID: S-1-5-21-284210356-3264030311-3336521042-514
> Full Name: Unknown or guest user
> Home Directory: \\rhino\guest\.9xprofile
> HomeDir Drive: P:
> Logon Script: logon.cmd
> Profile Path: \\rhino\profiles\.msprofile
> Domain: LABS
> Account desc: Unknown or guest user
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: Mon, 18 Jan 2038 22:14:07 GMT
> Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT
> Password last set: Wed, 31 Aug 2005 22:44:22 GMT
> Password can change: Wed, 31 Aug 2005 22:44:22 GMT
> Password must change: Mon, 18 Jan 2038 22:14:07 GMT
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> The guest account is defined, is valid, and has a password.
>
> I'm pretty sure the whole problem here is with the malformed LDAP
> lookup but I could be wrong.
>
> Anybody got any ideas or suggestions here?
>
> Thanks
>

--
Eric A. Hall                    http://www.ehsco.com/
Internet Core Protocols         http://www.oreilly.com/catalog/coreprot/
On 9/1/2005 1:18 AM, Eric A. Hall wrote:

> Guest access does not appear to be working correctly, and it looks
> like the problem is due to guest not getting mapped into the LDAP
> query correctly.
>
> Specifically, I can login with local account, join workstation to the
> domain, browse shares, and everything else that requires
> authentication, but cannot login to domain nor browse the domain in
> explorer or anything else that requires guest access.

...

> Judging from these lines in the log.smbd file:
>
> | [2005/09/01 01:00:02, 4] lib/smbldap.c:smbldap_open(869)
> | The LDAP server is succesfully connected
> | [2005/09/01 01:00:02, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1335)
> | ldapsam_getsampwnam: Unable to locate user [] count=0
>
> and the detailed output from ldap log file:
>
> | Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH
> | base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0
> | filter="(&(?=undefined)(objectClass=sambaSamAccount))"
>
> it would indeed appear that the "(?=undefined)" LDAP search filter is
> being generated by pdb_ldap.c but a grep through that file doesn't return
> any obvious hits

Found the problem. Some gremlin (probably one of the Samba config tools I tried using) had added "auth methods = sam" to the smb.conf file. The "guest" method was not listed so it wasn't being processed.

The man page for smb.conf is pretty clear about explaining this. Would be good if the logger could spit up a statement too, like "guest processing is not enabled" or the like.

--
Eric A. Hall                    http://www.ehsco.com/
Internet Core Protocols         http://www.oreilly.com/catalog/coreprot/
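
The condition found at the end of this thread can be checked mechanically. The following is an added example, not part of the original posts and not Samba code: it reads the [global] section of an smb.conf and reports when "auth methods" is set without "guest" while the smbd log shows empty-username logons failing with NT_STATUS_NO_SUCH_USER. The function names and both sample inputs are constructed for illustration, and only the [global] section is examined.

```python
import re

# Constructed samples: smb.conf as the thread describes it, smbd log entries from the first post.
SAMPLE_CONF = """[global]
   workgroup = LABS
   guest account = guest
   ; line added by a config tool
   Auth Methods = sam
"""
SAMPLE_LOG = """[2005/09/01 01:00:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[] domain=[] workstation=[RHINO-VM-PC-1] len1=1 len2=0
[2005/09/01 01:00:02, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password: Authentication for user [] -> [] FAILED with
  error NT_STATUS_NO_SUCH_USER
"""

def global_params(conf_text):
    """Return {normalized name: value} for the [global] section."""
    params, section = {}, None
    # A trailing backslash continues the parameter on the next line.
    for raw in re.sub(r"\\\r?\n", "", conf_text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def guest_auth_enabled(conf_text):
    """None if 'auth methods' is unset, else whether it lists 'guest'."""
    value = global_params(conf_text).get("authmethods")
    if value is None:
        return None
    return "guest" in [m.lower() for m in re.split(r"[,\s]+", value) if m]

def anonymous_failures(log_text):
    """Count empty-username logons rejected with NT_STATUS_NO_SUCH_USER."""
    pattern = r"user \[\] -> \[\] FAILED with\s+error NT_STATUS_NO_SUCH_USER"
    return len(re.findall(pattern, log_text))

def diagnose(conf_text, log_text):
    """Return the hint the thread asks for, or None if it does not apply."""
    hit = guest_auth_enabled(conf_text) is False and anonymous_failures(log_text)
    return "guest processing is not enabled: 'auth methods' lacks 'guest'" if hit else None
```

A None result from guest_auth_enabled() means the parameter is not set in [global], so the explicit list described in the thread is not the cause.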