Ray Van Dolson
2015-Oct-07 06:28 UTC
[Samba] map to guest = Bad Uid not working consistently
Hi everyone;

Running Samba 3.6.23 (RHEL5 stock latest version) with the following
config:

[global]
  workgroup = DOMAIN
  client signing = yes
  client use spnego = yes
  kerberos method = secrets and keytab
  log file = /var/log/samba/samba.log
  #log level = 0 auth:10 winbind:10 passdb:10
  log level = 10
  password server = *
  realm = DOMAIN.COM
  security = ads

  map to guest = Bad Uid
  winbind use default domain = yes

Joined to Active Directory and winbind running.

Goals are:

- Users who authenticate against the domain and have a local named
  account are mapped to that named account's UID.
- Users who authenticate against the domain but do *not* have a local
  named account are mapped to the guest user ('nobody').

This works perfectly with Kerberos logins.

However, with non-Kerberos logins (presumably NTLM or NTLMv2?), this
does *not* work. It appears to me as though the login succeeds (test account's
name is 'boxadmin'):

  log.wb-DOMAIN: NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)
  samba.log: [13652]: pam auth crap domain: [DOMAIN] user: boxadmin

However, because getpwnam() calls fail, authentication is denied:

  samba.log: Finding user boxadmin
  samba.log: Trying _Get_Pwnam(), username as lowercase is boxadmin
  samba.log: Trying _Get_Pwnam(), username as uppercase is BOXADMIN
  samba.log: Checking combinations of 0 uppercase letters in boxadmin
  samba.log: Get_Pwnam_internals didn't find user [boxadmin]!
  samba.log: Failed to find authenticated user DOMAIN\boxadmin via getpwnam(), denying access.
  samba.log: check_ntlm_password: winbind authentication for user [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
  samba.log: check_ntlm_password: Authentication for user [boxadmin] -> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER

So for some reason, the map to guest = Bad Uid directive isn't getting
used in this scenario.

Feels like a bug? Will see if I can reproduce w/ a newer Samba package
from Sernet.

(Oddly enough, in searching around for this found my own reference to
the issue from back in 2014[1]).

Ray

[1] https://bugzilla.samba.org/show_bug.cgi?id=9862#c2
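Added example, not part of the original post and not Samba code: a small correlator for merged winbind/smbd debug lines that separates "the domain accepted the credentials but smbd found no local account and denied access" (the case described above) from other outcomes. The regexes follow the log excerpts quoted in the post; the account "localuser" and the verdict strings are assumptions made for illustration.

```python
import re

# Patterns follow the log excerpts quoted in the post above.
WB_OK = re.compile(r"NTLM CRAP authentication for user \[[^\]]*\]\\\[([^\]]*)\] returned NT_STATUS_OK")
NO_PW = re.compile(r"Failed to find authenticated user [^\\\s]+\\(\S+) via getpwnam\(\)")
DENIED = re.compile(r"Authentication for user \[([^\]]*)\] -> \[[^\]]*\] FAILED with error (NT_STATUS_\w+)")

# Constructed sample: the boxadmin lines come from the post; "localuser" is a
# made-up account added for contrast.
SAMPLE = [
    r"log.wb-DOMAIN: NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)",
    r"samba.log: Get_Pwnam_internals didn't find user [boxadmin]!",
    r"samba.log: Failed to find authenticated user DOMAIN\boxadmin via getpwnam(), denying access.",
    r"samba.log: check_ntlm_password: Authentication for user [boxadmin] -> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER",
    r"log.wb-DOMAIN: NTLM CRAP authentication for user [DOMAIN]\[localuser] returned NT_STATUS_OK (PAM: 0)",
]

def classify_logins(lines):
    """Map each user seen in the lines to a verdict string."""
    seen = {}
    for line in lines:
        if m := WB_OK.search(line):
            seen.setdefault(m.group(1).lower(), {})["dc_ok"] = True
        elif m := NO_PW.search(line):
            seen.setdefault(m.group(1).lower(), {})["no_passwd"] = True
        elif m := DENIED.search(line):
            seen.setdefault(m.group(1).lower(), {})["status"] = m.group(2)
    verdicts = {}
    for user, s in seen.items():
        if s.get("dc_ok") and s.get("no_passwd") and s.get("status") == "NT_STATUS_NO_SUCH_USER":
            verdicts[user] = "authenticated-but-unmapped"  # the case in the post
        elif s.get("status"):
            verdicts[user] = "denied:" + s["status"]
        elif s.get("dc_ok"):
            verdicts[user] = "domain-auth-ok"
        else:
            verdicts[user] = "incomplete"
    return verdicts

if __name__ == "__main__":
    for user, verdict in classify_logins(SAMPLE).items():
        print(user, verdict)
```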
Rowland Penny
2015-Oct-07 07:44 UTC
[Samba] map to guest = Bad Uid not working consistently
On 07/10/15 07:28, Ray Van Dolson wrote:
> Hi everyone;
>
> Running Samba 3.6.23 (RHEL5 stock latest version) with the following
> config:
>
> [global]
>   workgroup = DOMAIN
>   client signing = yes
>   client use spnego = yes
>   kerberos method = secrets and keytab
>   log file = /var/log/samba/samba.log
>   #log level = 0 auth:10 winbind:10 passdb:10
>   log level = 10
>   password server = *
>   realm = DOMAIN.COM
>   security = ads
>
>   map to guest = Bad Uid
>   winbind use default domain = yes
>
> Joined to Active Directory and winbind running.
>
> Goals are:
>
> - Users who authenticate against the domain and have a local named
>   account are mapped to that named account's UID.

Do you have users in /etc/passwd and AD with the same name

Rowland

> - Users who authenticate against the domain but do *not* have a local
>   named account are mapped to the guest user ('nobody').
>
> This works perfectly with Kerberos logins.
>
> However, with non-Kerberos logins (presumably NTLM or NTLMv2?), this
> does *not* work. It appears to me as though the login succeeds (test account's
> name is 'boxadmin'):
>
>   log.wb-DOMAIN: NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)
>   samba.log: [13652]: pam auth crap domain: [DOMAIN] user: boxadmin
>
> However, because getpwnam() calls fail, authentication is denied:
>
>   samba.log: Finding user boxadmin
>   samba.log: Trying _Get_Pwnam(), username as lowercase is boxadmin
>   samba.log: Trying _Get_Pwnam(), username as uppercase is BOXADMIN
>   samba.log: Checking combinations of 0 uppercase letters in boxadmin
>   samba.log: Get_Pwnam_internals didn't find user [boxadmin]!
>   samba.log: Failed to find authenticated user DOMAIN\boxadmin via getpwnam(), denying access.
>   samba.log: check_ntlm_password: winbind authentication for user [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
>   samba.log: check_ntlm_password: Authentication for user [boxadmin] -> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
>
> So for some reason, the map to guest = Bad Uid directive isn't getting
> used in this scenario.
>
> Feels like a bug? Will see if I can reproduce w/ a newer Samba package
> from Sernet.
>
> (Oddly enough, in searching around for this found my own reference to
> the issue from back in 2014[1]).
>
> Ray
>
> [1] https://bugzilla.samba.org/show_bug.cgi?id=9862#c2
>
Ray Van Dolson
2015-Oct-07 14:57 UTC
[Samba] map to guest = Bad Uid not working consistently
On Wed, Oct 07, 2015 at 08:44:55AM +0100, Rowland Penny wrote:
> On 07/10/15 07:28, Ray Van Dolson wrote:
> >Hi everyone;
> >
> >Running Samba 3.6.23 (RHEL5 stock latest version) with the following
> >config:
> >
> >[global]
> >  workgroup = DOMAIN
> >  client signing = yes
> >  client use spnego = yes
> >  kerberos method = secrets and keytab
> >  log file = /var/log/samba/samba.log
> >  #log level = 0 auth:10 winbind:10 passdb:10
> >  log level = 10
> >  password server = *
> >  realm = DOMAIN.COM
> >  security = ads
> >
> >  map to guest = Bad Uid
> >  winbind use default domain = yes
> >
> >Joined to Active Directory and winbind running.
> >
> >Goals are:
> >
> >- Users who authenticate against the domain and have a local named
> >  account are mapped to that named account's UID.
>
> Do you have users in /etc/passwd and AD with the same name
>

Yes -- well, sort of. In NIS.

Ray

> Rowland
>
> >- Users who authenticate against the domain but do *not* have a local
> >  named account are mapped to the guest user ('nobody').
> >
> >This works perfectly with Kerberos logins.
> >
> >However, with non-Kerberos logins (presumably NTLM or NTLMv2?), this
> >does *not* work. It appears to me as though the login succeeds (test account's
> >name is 'boxadmin'):
> >
> >  log.wb-DOMAIN: NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)
> >  samba.log: [13652]: pam auth crap domain: [DOMAIN] user: boxadmin
> >
> >However, because getpwnam() calls fail, authentication is denied:
> >
> >  samba.log: Finding user boxadmin
> >  samba.log: Trying _Get_Pwnam(), username as lowercase is boxadmin
> >  samba.log: Trying _Get_Pwnam(), username as uppercase is BOXADMIN
> >  samba.log: Checking combinations of 0 uppercase letters in boxadmin
> >  samba.log: Get_Pwnam_internals didn't find user [boxadmin]!
> >  samba.log: Failed to find authenticated user DOMAIN\boxadmin via getpwnam(), denying access.
> >  samba.log: check_ntlm_password: winbind authentication for user [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
> >  samba.log: check_ntlm_password: Authentication for user [boxadmin] -> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
> >
> >So for some reason, the map to guest = Bad Uid directive isn't getting
> >used in this scenario.
> >
> >Feels like a bug? Will see if I can reproduce w/ a newer Samba package
> >from Sernet.
> >
> >(Oddly enough, in searching around for this found my own reference to
> >the issue from back in 2014[1]).
> >
> >Ray
> >
> >[1] https://bugzilla.samba.org/show_bug.cgi?id=9862#c2