samba - Feb 2018 - Again guest access and machine account...

I'm still fighting a bit with guest access to shares via machine
account.

Little fast rewind: i'm using samba 4.5.8+dfsg-2+deb9u1~bpo8+1 (louis
packages), and i use an SCM system called WPKG to deploy ad manage
windows machine; that system do their works as SYSTEM account on local
windows workstation.


If the machine account (say, MALCOBB$) have a valid UID/GID, machine
account are used to logon to the shares; but i've found now that, if
there's no UID/GID, there's no fallback on guest account, log say:

 [2018/02/08 12:21:49.457857,  3, pid=2619, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
   Kerberos ticket principal name is [MALCOBB$@AD.FVG.LNF.IT]
 [2018/02/08 12:21:49.457896, 10, pid=2619, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
   Domain is [LNFFVG] (using PAC)
 [2018/02/08 12:21:49.457938,  4, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:362(map_username)
   Scanning username map /etc/samba/user.map
 [2018/02/08 12:21:49.457980, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:196(user_in_list)
   user_in_list: checking user LNFFVG\MALCOBB$ in list
 [2018/02/08 12:21:49.458018, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:201(user_in_list)
   user_in_list: checking user |LNFFVG\MALCOBB$| against |LNFFVG\Administrator|
 [2018/02/08 12:21:49.458051, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:201(user_in_list)
   user_in_list: checking user |LNFFVG\MALCOBB$| against |LNFFVG\administrator|
 [2018/02/08 12:21:49.458073, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:201(user_in_list)
   user_in_list: checking user |LNFFVG\MALCOBB$| against |Administrator|
 [2018/02/08 12:21:49.458095, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:201(user_in_list)
   user_in_list: checking user |LNFFVG\MALCOBB$| against |administrator|
 [2018/02/08 12:21:49.458124,  8, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:435(map_username)
   The user 'LNFFVG\MALCOBB$' has no mapping. Skip it next time.
 [2018/02/08 12:21:49.458150,  5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:181(Get_Pwnam_alloc)
   Finding user LNFFVG\MALCOBB$
 [2018/02/08 12:21:49.458173,  5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:120(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as lowercase is lnffvg\malcobb$
 [2018/02/08 12:21:49.458521,  5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:128(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as given is LNFFVG\MALCOBB$
 [2018/02/08 12:21:49.458752,  5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:153(Get_Pwnam_internals)
   Checking combinations of 0 uppercase letters in lnffvg\malcobb$
 [2018/02/08 12:21:49.458796,  5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:159(Get_Pwnam_internals)
   Get_Pwnam_internals didn't find user [LNFFVG\MALCOBB$]!
 [2018/02/08 12:21:49.458827,  5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:181(Get_Pwnam_alloc)
   Finding user MALCOBB$
 [2018/02/08 12:21:49.458850,  5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:120(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as lowercase is malcobb$
 [2018/02/08 12:21:49.459067,  5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:128(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as given is MALCOBB$
 [2018/02/08 12:21:49.459300,  5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:153(Get_Pwnam_internals)
   Checking combinations of 0 uppercase letters in malcobb$
 [2018/02/08 12:21:49.459350,  5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:159(Get_Pwnam_internals)
   Get_Pwnam_internals didn't find user [MALCOBB$]!
 [2018/02/08 12:21:49.459489,  3, pid=2619, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
   get_user_from_kerberos_info: Username LNFFVG\MALCOBB$ is invalid on this
system
 [2018/02/08 12:21:49.459520,  3, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
   auth3_generate_session_info_pac: Failed to map kerberos principal to system
user (NT_STATUS_LOGON_FAILURE)
 [2018/02/08 12:21:49.459588,  3, pid=2619, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
 [2018/02/08 12:21:49.459627, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:2988(smbd_smb2_request_done_ex)
   smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8]
dyn[yes:1] at ../source3/smbd/smb2_server.c:3145
 [2018/02/08 12:21:49.459663, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:912(smb2_set_operation_credit)
   smb2_set_operation_credit: requested 31, charge 1, granted 1, current
possible/max 512/512, total granted/max/low/range 1/8192/2/1

Share is simply defined as:

 [wpkg]
        comment = WPKG Automated Software Deploying System
        path = /srv/samba/wpkg
        guest ok = yes
        browseable = no
        writable = no  
        force create mode = 0664
        force directory mode = 2775
        wide links = yes

and the only way i've found to ''solve'' this is to define:

	map to guest = Bad Uid

(normally i use 'Bad User'), that confirm me that samba try to map
machine account to an UID/GID and fail.


But... why samba does not fallback to Guest access? Someone can explain
me? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On Thu, 2018-02-08 at 13:02 +0100, Marco Gaiarin via samba
wrote:
> But... why samba does not fallback to Guest access? Someone can explain
> me? Thanks.
All accounts, both user and computer should have a valid UID.  Computer
accounts routinely access the network as you have noticed.  In general
use winbindd to ensure all the accounts exist automatically.  

Computers are people too! ;-)

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

Mandi! Andrew Bartlett via samba
  In chel di` si favelave...
> Computers are people too! ;-)
...for me, servers have the names of the characters from 'Neuromancer'
novel, clients characters from 'Harry Potter'. ;-)


Anyway, there's still one or two thing that i don't understand.

If i set 'guest ok = yes' for a share, clients does not try a guest
access after a (failed) access?
Be forced to set 'map to guest = Bad Uid' lead to think me that
effectivaly NO, because user exist but does not have a UID map (so the
error is different (Bad UID, indeed).


So, the question:

a) having machine account doing guest access (setting 'map to guest = Bad
 Uid') instead of normal auth, could lead to troubles?
Considering that client have access to domain controller (here we are
speaking about domain members, indeed), make me think NO.

b) there's some way to set 'map to guest' both to 'Bad Uid'
OR 'Bad
 User' (eg, so guest access happen both if user does not exist or have
not a UID mapping)?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)