Rowland Penny
2018-Oct-02 15:31 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
On Tue, 2 Oct 2018 17:00:43 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
>
> > No, but what I do know is this, you should not use guest access on a
> > domain member, Windows turns it off by default. Also 'Guest' doesn't
> > exist on a Unix domain member, you would have to map it to the Unix
> > domain user 'nobody'
>
> No, this is not exactly true. You forget the 'guest account' option,
> which has the default value 'nobody'.
>
> So, even without specifying a guest mapping, guest accounts are mapped to
> 'nobody'.

OK, Windows 'Guest' != Unix 'nobody'
It might seem as if it does, but it doesn't.

> > If you have 'winbind use default domain = yes' in smb.conf, winbind
> > will basically just strip off the leading 'DOMAIN\' from user and
> > group names, so the user 'DOMAIN\fred' will become 'fred'.
> > Okay so far?
> > Now, if you have two domains in smb.conf 'DOMAINA' & 'DOMAINB' and
> > there is a user called 'fred' in both domains and you have 'winbind
> > use default domain = yes', you will end up with two users called
> > 'fred'.
>
> Ok, perfectly clear. But the manpage seems to me to say something different:
>
>   This parameter specifies whether the winbindd(8) daemon should
>   operate on users without domain component in their username. Users
>   without a domain component are treated as is part of the winbindd
>   server's own domain.

OK, it might say that, but I have 'winbind use default domain = yes' set on
my Unix domain members and if I run 'getent passwd rowland' on one, I get:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

But on a DC, where the line has no effect:

SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The line removes the domain name and just leaves the username. You can use
'winbind use default domain = yes' in smb.conf if you only have one DOMAIN
set; if you set another trusted DOMAIN, you must not use it.

Rowland
Marco Gaiarin
2018-Oct-02 16:39 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Mandi! Rowland Penny via samba
  In chel di` si favelave...

> OK, Windows 'Guest' != Unix 'nobody'
> It might seem as if it does, but it doesn't.

Rowland, clearly I know that. But you said:

> > > Also 'Guest' doesn't
> > > exist on a Unix domain member, you would have to map it to the Unix
> > > domain user 'nobody'

and I'm simply saying that this (seems) not completely true, because the
Windows 'Guest' user is mapped 'by default' to the UNIX 'nobody' user.

If I create the user 'idontexistonthedomain' on a local workstation and I
try to access a share (and supposing DOMINIQUE is the workstation...)
DOMINIQUE\idontexistonthedomain gets mapped to guest and I can access the
share. So guest access works.

> The line removes the domain name and just leaves the username. You can
> use 'winbind use default domain = yes' in smb.conf if you only have one
> DOMAIN set, if you set another trusted DOMAIN, you must not use it.

Perfectly clear. But it still seems a bit strange to me that Samba strips
the domain also from users like DOMINIQUE\Administrator, where DOMINIQUE is
a workstation.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''      http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Rowland Penny
2018-Oct-02 17:44 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
On Tue, 2 Oct 2018 18:39:54 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
>
> > OK, Windows 'Guest' != Unix 'nobody'
> > It might seem as if it does, but it doesn't.
>
> Rowland, clearly I know that. But you said:
>
> > > > Also 'Guest' doesn't
> > > > exist on a Unix domain member, you would have to map it to the
> > > > Unix domain user 'nobody'
>
> and I'm simply saying that this (seems) not completely true, because the
> Windows 'Guest' user is mapped 'by default' to the UNIX 'nobody' user.

No it isn't, by default 'map to guest' is set to 'never' and this means the
'guest' user isn't used. You can override this by using 'Bad User' etc
instead of the default 'never'. By default Samba uses the OS 'guest' user,
which is usually 'nobody', but this can be changed by setting 'guest user ='
to whatever local Unix user you want.

> If I create the user 'idontexistonthedomain' on a local workstation
> and I try to access a share (and supposing DOMINIQUE is the
> workstation...) DOMINIQUE\idontexistonthedomain gets mapped to guest
> and I can access the share. So guest access works.

Then you must have 'map to guest = Bad User' set in [global] and 'guest ok =
yes' set in the share. What you must remember is that the Windows 'Guest'
user (or any other unknown user) is 'mapped' to the Unix 'guest' user, it
does not become the user. The concept of one OS's guest user being able to
write directly to another OS's system is alien, a guest user is only a guest
of one OS. It would be better to not use a guest user at all, you would be
better using a user that has to authenticate.

> > The line removes the domain name and just leaves the username. You
> > can use 'winbind use default domain = yes' in smb.conf if you only
> > have one DOMAIN set, if you set another trusted DOMAIN, you must
> > not use it.
>
> Perfectly clear. But it still seems a bit strange to me that Samba
> strips the domain also from users like DOMINIQUE\Administrator, where
> DOMINIQUE is a workstation.

You shouldn't be able to connect to a domain member from a workgroup machine
(i.e. a machine that isn't a domain member), unless you are allowing guest
access, and this allows ANYBODY access. The only other way a user on a
workgroup member can connect is to create all your users on the workgroup
member with the same passwords, and this doesn't make sense in a domain; you
might as well join the workgroup machine to the domain and save yourself all
the hassle of keeping all the users in sync.

Rowland
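The thread above turns on how 'map to guest', 'guest ok' and 'guest account' combine on a Unix domain member. As an added example (not code from the list or from the Samba project), this small audit reads an smb.conf and reports which shares are effectively anonymous; the smb.conf text is constructed for the example, and the Samba defaults it assumes ('map to guest = Never', 'guest account = nobody') are the ones Rowland cites.

```python
# Constructed sample smb.conf for a Unix domain member (values made up).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    security = ADS
    map to guest = Bad User
    winbind use default domain = yes

[public]
    path = /srv/samba/public
    guest ok = yes

[projects]
    path = /srv/samba/projects
    valid users = @SAMDOM\\staff
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {lower-cased key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def smb_bool(value):
    """smb.conf booleans accept yes/true/1 (case-insensitive)."""
    return value is not None and value.strip().lower() in ("yes", "true", "1")

def audit_guest_access(conf):
    """Return (section, finding) pairs describing effective guest exposure."""
    g = conf.get("global", {})
    map_to_guest = g.get("map to guest", "never").lower()   # Samba default
    guest_account = g.get("guest account", "nobody")         # Samba default
    findings = []
    if smb_bool(g.get("winbind use default domain")):
        findings.append(("global", "winbind use default domain = yes: "
                         "names lose the DOMAIN\\ prefix; only safe with one domain"))
    for share, opts in conf.items():
        if share == "global" or not smb_bool(opts.get("guest ok")):
            continue
        if map_to_guest == "never":   # guest ok alone does not admit unknown users
            findings.append((share, "guest ok = yes but map to guest = Never, "
                             "so unknown users are still rejected"))
        else:                         # unknown users run as the Unix guest account
            findings.append((share, f"anonymous access: unknown users become "
                             f"Unix '{guest_account}' (map to guest = {map_to_guest})"))
    return findings
```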