samba - Sep 2018 - DM: samba 4.5 -> 4.8, guest access and machine account access troubles.

On Mon, 24 Sep 2018 17:33:47 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
> 
> > I hope this helps you understanding your problem a bit more. 
> > See also: 
> >
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
> 
> No, wait. I'm probably mixed up too many things, and maked a lot of
> confusion. Restart.
> 
> Say may domain is 'LNFFVG', and my windows 7 box is
'DOMINIQUE'.
> 
> 
> Before upgrading my domain members to samba 4.8 (from 4.5) i can
> access a 'guest' share using DOMINIQUE\Administrator user without
> trouble. Probably (and correctly, for my point of view) domain member
> does not find 'DOMINIQUE\Administrator' user, and so map it to
guest.
> Bingo.
The above would be true except for this line you have in smb.conf:

	winbind use default domain = Yes
> 
> After upgrading to 4.8, i've found that i cannot anymore 'guest
> access' the share, seems because the domain member server maps
> 'DOMINIQUE\Administrator' to 'root' (as i'm expecting
it will do, but
> for 'LNFFVG\Administrator', a very different user ;) and, clearly,
> credentials does not match).
> 
> NOTE that, for other non-guest-access user shares i try an access with
> 'DOMINIQUE\Administrator', windows explorer ask me credentials, as
> expected.
>
So when either 'DOMINIQUE\Administrator' or
'LNFFVG\Administrator'
connects, they both become 'Administrator', who then gets mapped to
'root'
 
> 
> I don't want to alter the default 'Administrator' and
'guest' user on
> my workstation, nor do something strange client side... i simply need
> to restore old behaviour (or, speaking better: understand why mapping
> changed from 4.5 ot 4.8...) to have 'DOMINIQUE\Administrator' be
> mapped to guest.
> 
I don't understand why you are trying to use a local user on a domain
joined machine.

Rowland

Mandi! Rowland Penny via samba
  In chel di` si favelave...
> > Before upgrading my domain members to samba 4.8 (from 4.5) i can
> > access a 'guest' share using DOMINIQUE\Administrator user
without
> > trouble. Probably (and correctly, for my point of view) domain member
> > does not find 'DOMINIQUE\Administrator' user, and so map it to
guest.
> > Bingo.
> The above would be true except for this line you have in smb.conf:
> 	winbind use default domain = Yes
Ok, but manpage seems say to me something different.

       winbind use default domain (G)

           This parameter specifies whether the winbindd(8) daemon should
operate on users without domain component in their username. Users without a
domain component are treated as is part of the
           winbindd server's own domain. While this does not benefit Windows
users, it makes SSH, FTP and e-mail function in a way much closer to the way
they would in a native unix system.

so seems to me that apply only to domainless auth, not domainful
ones...

> So when either 'DOMINIQUE\Administrator' or
'LNFFVG\Administrator'
> connects, they both become 'Administrator', who then gets mapped to
> 'root'
But looking at logs, seems to me that i connect with 'domeinful' user:

[2018/09/25 09:54:26.944813,  3]
../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[dominique]\[Administrator]@[DOMINIQUE] with the new password interface
[2018/09/25 09:54:26.944826,  3]
../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [dominique]\[Administrator]@[DOMINIQUE]
[2018/09/25 09:54:26.944839,  5] ../lib/util/util.c:514(dump_data)
  [0000] D7 98 F6 F1 EC 11 A2 E9                             ........ 
[2018/09/25 09:54:26.944862,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2018/09/25 09:54:26.944877,  4] ../source3/smbd/uid.c:493(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2018/09/25 09:54:26.944890,  4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2018/09/25 09:54:26.944907,  5]
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/09/25 09:54:26.944920,  5]
../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2018/09/25 09:54:26.946828,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/09/25 09:54:26.946859,  5]
../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [Administrator]
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 09:54:26.946889,  2]
../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] ->
[Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 09:54:26.946920,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [dominique]\[Administrator] at [mar, 25 set 2018
09:54:26.946911 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD]
workstation [DOMINIQUE] remote host [ipv4:10.5.2.37:51457] m
apped to [dominique]\[Administrator]. local host [ipv4:10.5.1.26:445] 
[2018/09/25 09:54:26.947266,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp":
"2018-09-25T09:54:26.947167+0200", "type":
"Authentication", "Authentication": {"version":
{"major": 1, "minor": 0}, "status":
"NT_STATUS_WRONG_PASSWORD", "localAddress"
: "ipv4:10.5.1.26:445", "remoteAddress":
"ipv4:10.5.2.37:51457", "serviceDescription":
"SMB2", "authDescription": null, "clientDomain":
"dominique", "clientAccount": "Administrator",
"workstation": "DOMINIQ
UE", "becameAccount": null, "becameDomain": null,
"becameSid": "(NULL SID)", "mappedAccount":
"Administrator", "mappedDomain": "dominique",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonN
egotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
"(NULL SID)", "passwordType": "NTLMv2"}}
[2018/09/25 09:54:26.947315,  5]
../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
  Checking NTLMSSP password for dominique\Administrator failed:
NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 09:54:26.947353,  5]
../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
  ntlmssp_server_auth_send: Checking NTLMSSP password for
dominique\Administrator failed: NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947379,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/09/25 09:54:26.947405,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: ntlmssp[0x5594f554d970]: NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947422,  3]
../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed:
NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947438,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: spnego[0x5594f5518ae0]: NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947454,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1


And, removed from the map 'Administrator' (domainless) there's no
more
map to root.

But still i get NT_STATUS_WRONG_PASSWORD, and not 'user unknown'...

> I don't understand why you are trying to use a local user on a domain
> joined machine.
Bootstrapping. After initial setup the system works with machine
account.

But i need to bootstrap it...

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Marco Gaiarin via samba
> Verzonden: dinsdag 25 september 2018 10:16
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] DM: samba 4.5 -> 4.8, guest access and 
> machine account access troubles.
> 
> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> 
> > > Before upgrading my domain members to samba 4.8 (from 4.5) i can
> > > access a 'guest' share using DOMINIQUE\Administrator user
without
> > > trouble. Probably (and correctly, for my point of view) 
> domain member
> > > does not find 'DOMINIQUE\Administrator' user, and so map 
> it to guest.
> > > Bingo.
> > The above would be true except for this line you have in smb.conf:
> > 	winbind use default domain = Yes
This is true AND false!!! 
Linux <=> linux TRUE
Linux <=> Windows FALSE   
Windows <=> Window TRUE

Windows sends is always user at DOMAIN (or DOM\user(@REALM)..) 

Linux ( Samba ) make a linux system think its DOM+user or DOM\\user or \\USER or
user
Based on (if you use:)  winbind use default domain (G) and possbile other
settings.

Now remove the : map to guest =  
Setting from your smb.conf, because you wil never get this right if you keep
useing that.
Check/test without the setting and post the logs so we can see the result of
that.

My guess here is..  And please correct me if im wrong. 
You used this as example.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server 
[guest]
        # This share allows anonymous (guest) access
        # without authentication!
        path = /srv/samba/guest/
        read only = no
        guest ok = yes

But your server is a domain member.
Now with the setting : map to guest =  Bad User 
Means user logins with an invalid password are rejected, unless the username
does not exist.
How Wait ! unless the username does not exist ... But the user Does exist,
Adminstrator root, they exist.
If the user does not exist, THEN it maps to guest. 

Bad Password - Means user logins with an invalid password are treated as a guest
login and mapped into the guest account.
Is an option, but you get the risk of ... Everybody is mapped to guest...  

Bad Uid, not discussing here.

Are you setting up a  "Guest" share services OR a GUEST SERVER access
in total, also 2 different things.
For example, you setup and have the following result. 
\\server   ( access denied ) 
\\server\guestshare ( access granted ) 

Again i hope this helps you, but please try to forget the "guest"
account mapping.
If you setup as i've told you, you would be finish already..  

And if you want the behaivior back as you had in 4.5, that is possible, but only
by reverting back.
Windows and Samba have has so many security fixed which resulted in your problem
now with 4.8.
A setup with isnt compatible to current standards. 


Greetz, 

Louis

Mandi! L.P.H. van Belle via samba
  In chel di` si favelave...
> Now remove the : map to guest =  
> Setting from your smb.conf, because you wil never get this right if you
keep useing that.
> Check/test without the setting and post the logs so we can see the result
of that.
Seems the same things.

[2018/09/25 17:48:23.191423,  3]
../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[dominique]\[Administrator]@[DOMINIQUE] with the new password interface
[2018/09/25 17:48:23.191437,  3]
../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [dominique]\[Administrator]@[DOMINIQUE]
[2018/09/25 17:48:23.191450,  5] ../lib/util/util.c:514(dump_data)
  [0000] B3 87 AB FB 08 65 57 E9                             .....eW. 
[2018/09/25 17:48:23.191479,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2018/09/25 17:48:23.191505,  4] ../source3/smbd/uid.c:493(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2018/09/25 17:48:23.191519,  4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2018/09/25 17:48:23.191532,  5]
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/09/25 17:48:23.191545,  5]
../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2018/09/25 17:48:23.193391,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/09/25 17:48:23.193422,  5]
../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [Administrator]
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 17:48:23.193469,  2]
../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] ->
[Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 17:48:23.193501,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [dominique]\[Administrator] at [mar, 25 set 2018
17:48:23.193491 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD]
workstation [DOMINIQUE] remote host [ipv4:10.5.2.37:58918] mapped to
[dominique]\[Administrator]. local host [ipv4:10.5.1.26:445]
[2018/09/25 17:48:23.193810,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp":
"2018-09-25T17:48:23.193744+0200", "type":
"Authentication", "Authentication": {"version":
{"major": 1, "minor": 0}, "status":
"NT_STATUS_WRONG_PASSWORD", "localAddress":
"ipv4:10.5.1.26:445", "remoteAddress":
"ipv4:10.5.2.37:58918", "serviceDescription":
"SMB2", "authDescription": null, "clientDomain":
"dominique", "clientAccount": "Administrator",
"workstation": "DOMINIQUE", "becameAccount": null,
"becameDomain": null, "becameSid": "(NULL SID)",
"mappedAccount": "Administrator", "mappedDomain":
"dominique", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": "(NULL SID)",
"passwordType": "NTLMv2"}}
[2018/09/25 17:48:23.193851,  5]
../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
  Checking NTLMSSP password for dominique\Administrator failed:
NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 17:48:23.193876,  5]
../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
  ntlmssp_server_auth_send: Checking NTLMSSP password for
dominique\Administrator failed: NT_STATUS_WRONG_PASSWORD
[2018/09/25 17:48:23.193902,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/09/25 17:48:23.193933,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: ntlmssp[0x5594f55535d0]: NT_STATUS_WRONG_PASSWORD
[2018/09/25 17:48:23.193956,  3]
../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed:
NT_STATUS_WRONG_PASSWORD
[2018/09/25 17:48:23.194043,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: spnego[0x5594f5552720]: NT_STATUS_WRONG_PASSWORD

> Are you setting up a  "Guest" share services OR a GUEST SERVER
access in total, also 2 different things.
> For example, you setup and have the following result. 
> \\server   ( access denied ) 
> \\server\guestshare ( access granted ) 
No, guest share. If i do in explorer '\\server\', i input some domein
credential and then rerun \\server\myguestshare\myscript.bat clearly
works, because i'm using the previously input domain credentials.

> And if you want the behaivior back as you had in 4.5, that is possible, but
only by reverting back.
> Windows and Samba have has so many security fixed which resulted in your
problem now with 4.8.
> A setup with isnt compatible to current standards. 
I need 'winbind use default domain = yes'.

But i suppose applied only to ''current'' domain, eg if i have:

	security = ADS
        workgroup = LNFFVG
	winbind use default domain = yes

'LNFFVG\gaio' became 'gaio'. And manpage illude me:

	Users without a domain component are treated as is part of the
	winbindd server's own domain.

for me 'own domain' is LNFFVG.

OK, i'm reading this sentence on reverse, but by log seems clear to me
that windows client present itself as DOMINIQUE\Admnistrator, so i
don't understand why get 'mapped' to LNFFVG\Administrator...


Clearly i cannot revert to 4.5, nor backport some patcjes and manage
'my' samba version.

I'm simply asking why the behaviour changed between 4.5 and 4.8...

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

Hai marco,
> 
> I'm simply asking why the behaviour changed between 4.5 and 4.8...
> 
This somewhere started in 4.6.
These changes where needed due to security leaks. 
See: 
https://www.samba.org/samba/history/security.html 
24 May 2017 and up. 

If i could make it better for you i would, but it is as it is. 


Greetz, 

Louis