samba - Oct 2015 - map to guest = Bad Uid not working consistently

Hi everyone;

Running Samba 3.6.23 (RHEL5 stock latest version) with the following
config:

[global]
        workgroup = DOMAIN
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        log file = /var/log/samba/samba.log
        #log level = 0 auth:10 winbind:10 passdb:10
        log level = 10
        password server = *
        realm = DOMAIN.COM
        security = ads

        map to guest = Bad Uid
        winbind use default domain = yes

Joined to Active Directory and winbind running.

Goals are:

- Users who authenticate against the domain and have a local named
  account are mapped to that named account's UID.
- Users who authenticate against the domain but do *not* have a local
  named account are mapped to the guest user ('nobody').

This works perfectly with Kerberos logins.

However, with non-Kerberos logins (presumably NTLM or NTLMv2?), this
does *not* work.  It appears to me as though the login succeeds (test
account's
name is 'boxadmin'):

  log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned
NT_STATUS_OK (PAM: 0)
  samba.log:  [13652]: pam auth crap domain: [DOMAIN] user: boxadmin

However, because getpwnam() calls fail, authentication is denied:

  samba.log:  Finding user boxadmin
  samba.log:  Trying _Get_Pwnam(), username as lowercase is boxadmin
  samba.log:  Trying _Get_Pwnam(), username as uppercase is BOXADMIN
  samba.log:  Checking combinations of 0 uppercase letters in boxadmin
  samba.log:  Get_Pwnam_internals didn't find user [boxadmin]!
  samba.log:  Failed to find authenticated user DOMAIN\boxadmin via getpwnam(),
denying access.
  samba.log:  check_ntlm_password: winbind authentication for user [boxadmin]
FAILED with error NT_STATUS_NO_SUCH_USER
  samba.log:  check_ntlm_password:  Authentication for user [boxadmin] ->
[boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER

So for some reason, the map to guest = Bad Uid directive isn't getting
used in this scenario.

Feels like a bug?  Will see if I can reproduce w/ a newer Samba package
from Sernet.

(Oddly enough, in searching around for this found my own reference to
the issue from back in 2014[1]).

Ray

[1] https://bugzilla.samba.org/show_bug.cgi?id=9862#c2

On 07/10/15 07:28, Ray Van Dolson wrote:
> Hi everyone;
>
> Running Samba 3.6.23 (RHEL5 stock latest version) with the following
> config:
>
> [global]
>          workgroup = DOMAIN
>          client signing = yes
>          client use spnego = yes
>          kerberos method = secrets and keytab
>          log file = /var/log/samba/samba.log
>          #log level = 0 auth:10 winbind:10 passdb:10
>          log level = 10
>          password server = *
>          realm = DOMAIN.COM
>          security = ads
>
>          map to guest = Bad Uid
>          winbind use default domain = yes
>
> Joined to Active Directory and winbind running.
>
> Goals are:
>
> - Users who authenticate against the domain and have a local named
>    account are mapped to that named account's UID.
Do you have users in /etc/passwd and AD with the same name

Rowland
> - Users who authenticate against the domain but do *not* have a local
>    named account are mapped to the guest user ('nobody').
>
> This works perfectly with Kerberos logins.
>
> However, with non-Kerberos logins (presumably NTLM or NTLMv2?), this
> does *not* work.  It appears to me as though the login succeeds (test
account's
> name is 'boxadmin'):
>
>    log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[boxadmin]
returned NT_STATUS_OK (PAM: 0)
>    samba.log:  [13652]: pam auth crap domain: [DOMAIN] user: boxadmin
>
> However, because getpwnam() calls fail, authentication is denied:
>
>    samba.log:  Finding user boxadmin
>    samba.log:  Trying _Get_Pwnam(), username as lowercase is boxadmin
>    samba.log:  Trying _Get_Pwnam(), username as uppercase is BOXADMIN
>    samba.log:  Checking combinations of 0 uppercase letters in boxadmin
>    samba.log:  Get_Pwnam_internals didn't find user [boxadmin]!
>    samba.log:  Failed to find authenticated user DOMAIN\boxadmin via
getpwnam(), denying access.
>    samba.log:  check_ntlm_password: winbind authentication for user
[boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
>    samba.log:  check_ntlm_password:  Authentication for user [boxadmin]
-> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
>
> So for some reason, the map to guest = Bad Uid directive isn't getting
> used in this scenario.
>
> Feels like a bug?  Will see if I can reproduce w/ a newer Samba package
> from Sernet.
>
> (Oddly enough, in searching around for this found my own reference to
> the issue from back in 2014[1]).
>
> Ray
>
> [1] https://bugzilla.samba.org/show_bug.cgi?id=9862#c2
>

On Wed, Oct 07, 2015 at 08:44:55AM +0100, Rowland Penny
wrote:
> On 07/10/15 07:28, Ray Van Dolson wrote:
> >Hi everyone;
> >
> >Running Samba 3.6.23 (RHEL5 stock latest version) with the following
> >config:
> >
> >[global]
> >         workgroup = DOMAIN
> >         client signing = yes
> >         client use spnego = yes
> >         kerberos method = secrets and keytab
> >         log file = /var/log/samba/samba.log
> >         #log level = 0 auth:10 winbind:10 passdb:10
> >         log level = 10
> >         password server = *
> >         realm = DOMAIN.COM
> >         security = ads
> >
> >         map to guest = Bad Uid
> >         winbind use default domain = yes
> >
> >Joined to Active Directory and winbind running.
> >
> >Goals are:
> >
> >- Users who authenticate against the domain and have a local named
> >   account are mapped to that named account's UID.
> 
> Do you have users in /etc/passwd and AD with the same name
> 
Yes -- well, sort of.  In NIS.

Ray
> Rowland
> 
> >- Users who authenticate against the domain but do *not* have a local
> >   named account are mapped to the guest user ('nobody').
> >
> >This works perfectly with Kerberos logins.
> >
> >However, with non-Kerberos logins (presumably NTLM or NTLMv2?), this
> >does *not* work.  It appears to me as though the login succeeds (test
account's
> >name is 'boxadmin'):
> >
> >   log.wb-DOMAIN:  NTLM CRAP authentication for user
[DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)
> >   samba.log:  [13652]: pam auth crap domain: [DOMAIN] user: boxadmin
> >
> >However, because getpwnam() calls fail, authentication is denied:
> >
> >   samba.log:  Finding user boxadmin
> >   samba.log:  Trying _Get_Pwnam(), username as lowercase is boxadmin
> >   samba.log:  Trying _Get_Pwnam(), username as uppercase is BOXADMIN
> >   samba.log:  Checking combinations of 0 uppercase letters in boxadmin
> >   samba.log:  Get_Pwnam_internals didn't find user [boxadmin]!
> >   samba.log:  Failed to find authenticated user DOMAIN\boxadmin via
getpwnam(), denying access.
> >   samba.log:  check_ntlm_password: winbind authentication for user
[boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
> >   samba.log:  check_ntlm_password:  Authentication for user [boxadmin]
-> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
> >
> >So for some reason, the map to guest = Bad Uid directive isn't
getting
> >used in this scenario.
> >
> >Feels like a bug?  Will see if I can reproduce w/ a newer Samba package
> >from Sernet.
> >
> >(Oddly enough, in searching around for this found my own reference to
> >the issue from back in 2014[1]).
> >
> >Ray
> >
> >[1] https://bugzilla.samba.org/show_bug.cgi?id=9862#c2