shivappa Sangapur
2019-Feb-14 05:58 UTC
[Samba] SMB Signing with "map to guest = " options
Hi,

I'm using samba-4.7.x. I have some confusion over the "map to guest =" options in combination with SMB signing.

1. Set "server signing = auto", "map to guest = bad uid", and set client signing in the Windows 2k12 server group policy ("Microsoft network client: Digitally sign communications (Always)") to Disable.
   SMB_Server is joined to the Windows 2k12 Active Directory with user01. The Windows PC is logged in to the Windows 2k12 Active Directory with user02. I log in to the share of my SMB_Server from the Windows client PC (where I am logged in as user02): it opens the shares without any popup on the client PC. Here NO signing is done.

2. Set "server signing = auto", "map to guest = bad uid", and set client signing in the Windows 2k12 server group policy ("Microsoft network client: Digitally sign communications (Always)") to Enable.
   SMB_Server is joined to the Windows 2k12 Active Directory with user01. The Windows PC is logged in to the Windows 2k12 Active Directory with user02. I log in to the share of my SMB_Server from the Windows client PC (where I am logged in as user02): it fails to open the shares. Here signing is done, but it fails to open.

3. Set "server signing = auto", "map to guest = never", and set client signing in the Windows 2k12 server group policy ("Microsoft network client: Digitally sign communications (Always)") to Disable.
   SMB_Server is joined to the Windows 2k12 Active Directory with user01. The Windows PC is logged in to the Windows 2k12 Active Directory with user02. I log in to the share of my SMB_Server from the Windows client PC (where I am logged in as user02): it pops up a prompt to enter credentials, and only after providing user01 do the shares open on the client PC. Here NO signing.

4. Set "server signing = auto", "map to guest = never", and set client signing in the Windows 2k12 server group policy ("Microsoft network client: Digitally sign communications (Always)") to Enable.
   SMB_Server is joined to the Windows 2k12 Active Directory with user01. The Windows PC is logged in to the Windows 2k12 Active Directory with user02. I log in to the share of my SMB_Server from the Windows client PC (where I am logged in as user02): it pops up a prompt to enter credentials, and only after providing user01 do the shares open on the client PC. (I know that only user01 is added in the Samba DB.) Here, signing is done.

5. Set "server signing = mandatory", "map to guest = bad uid", and set client signing in the Windows 2k12 server group policy ("Microsoft network client: Digitally sign communications (Always)") to Enable.
   SMB_Server is joined to the Windows 2k12 Active Directory with user01. The Windows PC is logged in to the Windows 2k12 Active Directory with user02. I log in to the share of my SMB_Server from the Windows client PC (where I am logged in as user02): it fails to open the shares. Here signing is done, but it fails to open.

I want to understand why, in cases #2 and #5, it is not opening the shares of my smb-4.7.x server.

--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
On Wed, 13 Feb 2019 23:58:57 -0600 (CST) shivappa Sangapur via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I'm using samba-4.7.x. I have some confusion over the "map to guest =" options in combination with SMB signing.
>
> 1. Set "server signing = auto", "map to guest = bad uid", and set client signing in the Windows 2k12 server group policy ("Microsoft network client: Digitally sign communications (Always)") to Disable.
> SMB_Server is joined to the Windows 2k12 Active Directory with user01. The Windows PC is logged in to the Windows 2k12 Active Directory with user02. I log in to the share of my SMB_Server from the Windows client PC (where I am logged in as user02): it opens the shares without any popup on the client PC. Here NO signing is done.
>
> 2. Set "server signing = auto", "map to guest = bad uid", and set client signing in the Windows 2k12 server group policy ("Microsoft network client: Digitally sign communications (Always)") to Enable.
> SMB_Server is joined to the Windows 2k12 Active Directory with user01. The Windows PC is logged in to the Windows 2k12 Active Directory with user02. I log in to the share of my SMB_Server from the Windows client PC (where I am logged in as user02): it fails to open the shares. Here signing is done, but it fails to open.
>
> 3. Set "server signing = auto", "map to guest = never", and set client signing in the Windows 2k12 server group policy ("Microsoft network client: Digitally sign communications (Always)") to Disable.
> SMB_Server is joined to the Windows 2k12 Active Directory with user01. The Windows PC is logged in to the Windows 2k12 Active Directory with user02. I log in to the share of my SMB_Server from the Windows client PC (where I am logged in as user02): it pops up a prompt to enter credentials, and only after providing user01 do the shares open on the client PC. Here NO signing.
>
> 4. Set "server signing = auto", "map to guest = never", and set client signing in the Windows 2k12 server group policy ("Microsoft network client: Digitally sign communications (Always)") to Enable.
> SMB_Server is joined to the Windows 2k12 Active Directory with user01. The Windows PC is logged in to the Windows 2k12 Active Directory with user02. I log in to the share of my SMB_Server from the Windows client PC (where I am logged in as user02): it pops up a prompt to enter credentials, and only after providing user01 do the shares open on the client PC. (I know that only user01 is added in the Samba DB.) Here, signing is done.
>
> 5. Set "server signing = mandatory", "map to guest = bad uid", and set client signing in the Windows 2k12 server group policy ("Microsoft network client: Digitally sign communications (Always)") to Enable.
> SMB_Server is joined to the Windows 2k12 Active Directory with user01. The Windows PC is logged in to the Windows 2k12 Active Directory with user02. I log in to the share of my SMB_Server from the Windows client PC (where I am logged in as user02): it fails to open the shares. Here signing is done, but it fails to open.
>
> I want to understand why, in cases #2 and #5, it is not opening the shares of my smb-4.7.x server.

Please post your smb.conf

Rowland
On Wed, 2019-02-13 at 23:58 -0600, shivappa Sangapur via samba wrote:

> Hi,
>
> I'm using samba-4.7.x. I have some confusion over the "map to guest =" options in combination with SMB signing.
>
> I want to understand why, in cases #2 and #5, it is not opening the shares of my smb-4.7.x server.

This is probably a case we haven't really considered before.

'map to guest = bad uid' is quite different to the other map to guest options, because in this case a full authentication against the DC was done and we have correct session keys.

The bug is in:

    NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                                    const char *sent_nt_username,
                                    const char *domain,
                                    struct auth_serversupplied_info **server_info,
                                    const struct netr_SamInfo3 *info3)

The problem is this bit:

    nt_status = check_account(tmp_ctx,
                              nt_domain,
                              nt_username,
                              &found_username,
                              &pwd,
                              &username_was_mapped);

    if (!NT_STATUS_IS_OK(nt_status)) {
            /* Handle 'map to guest = Bad Uid */
            if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
                (lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
                lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
                    DBG_NOTICE("Try to map %s to guest account",
                               nt_username);
                    nt_status = make_server_info_guest(tmp_ctx, &result);
                    if (NT_STATUS_IS_OK(nt_status)) {
                            *server_info = talloc_move(mem_ctx, &result);
                    }
            }
            goto out;
    }

It needs to still run this part from the tail of the function, not skip over it with the 'goto out':

    /* ensure we are never given NULL session keys */

    if (all_zero(info3->base.key.key, sizeof(info3->base.key.key))) {
            result->session_key = data_blob_null;
    } else {
            result->session_key = data_blob_talloc(
                    result, info3->base.key.key,
                    sizeof(info3->base.key.key));
    }

    if (all_zero(info3->base.LMSessKey.key,
                 sizeof(info3->base.LMSessKey.key))) {
            result->lm_session_key = data_blob_null;
    } else {
            result->lm_session_key = data_blob_talloc(
                    result, info3->base.LMSessKey.key,
                    sizeof(info3->base.LMSessKey.key));
    }

Then it might work.

I realise you were probably not expecting to be preparing patches and writing tests (the harder part), but these clues should assist if you do want to try.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
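The control-flow point in Andrew's message, as an added example that is not Samba's code and not part of the thread: a simplified stand-in for make_server_info_info3() in which the DC-supplied session key either reaches the resulting server_info or is dropped on the 'map to guest = bad uid' path. The structs (sam_info3, server_info), the helpers (check_account, set_session_key, can_sign) and the `buggy` switch are constructed for illustration; the real function works on netr_SamInfo3, NTSTATUS codes and talloc data blobs. The example shows why a guest-mapped session that skipped the key copy cannot satisfy SMB signing, and why Andrew's suggested fall-through to the session-key block restores a usable key.

```c
/* Added example, not Samba's code: a minimal model of the make_server_info_info3()
 * control flow discussed above. Every type and helper here is a constructed stand-in. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SESSION_KEY_LEN 16

/* Stand-in for netr_SamInfo3: the DC returns the user's session key after a
 * successful domain authentication. */
struct sam_info3 {
        uint8_t key[SESSION_KEY_LEN];
};

/* Stand-in for auth_serversupplied_info. session_key_len == 0 plays the
 * role of data_blob_null. */
struct server_info {
        bool guest;
        size_t session_key_len;
        uint8_t session_key[SESSION_KEY_LEN];
};

/* Same meaning as Samba's all_zero(): true when every byte is 0. */
static bool all_zero(const uint8_t *buf, size_t len)
{
        for (size_t i = 0; i < len; i++) {
                if (buf[i] != 0) {
                        return false;
                }
        }
        return true;
}

/* The tail-of-function block Andrew quotes: copy the DC key, or leave the
 * blob null if the DC handed back an all-zero key. */
static void set_session_key(struct server_info *result, const struct sam_info3 *info3)
{
        if (all_zero(info3->key, sizeof(info3->key))) {
                result->session_key_len = 0;
        } else {
                memcpy(result->session_key, info3->key, sizeof(info3->key));
                result->session_key_len = sizeof(info3->key);
        }
}

/* Models check_account(): fails (NT_STATUS_NO_SUCH_USER in the real code)
 * when the authenticated domain user has no Unix account. */
static bool check_account(bool unix_user_exists)
{
        return unix_user_exists;
}

/* buggy == true reproduces the 'goto out' path: the guest server_info is
 * returned before the session key is copied. buggy == false models the
 * suggested fix: after mapping to guest, still run the session-key block. */
struct server_info make_server_info_info3_model(const struct sam_info3 *info3,
                                                bool unix_user_exists,
                                                bool map_to_guest_bad_uid,
                                                bool buggy)
{
        struct server_info result;
        memset(&result, 0, sizeof(result));

        if (!check_account(unix_user_exists)) {
                if (!map_to_guest_bad_uid) {
                        return result;  /* no guest mapping: authentication fails */
                }
                result.guest = true;
                if (buggy) {
                        return result;  /* key never set: signing cannot work */
                }
        }
        set_session_key(&result, info3);
        return result;
}

/* SMB signing is keyed from the session key, so a null key means the
 * session cannot sign, which matches the OP's cases #2 and #5. */
bool can_sign(const struct server_info *si)
{
        return si->session_key_len != 0;
}

int main(void)
{
        struct sam_info3 info;  /* constructed sample key from the "DC" */
        for (int i = 0; i < SESSION_KEY_LEN; i++) {
                info.key[i] = (uint8_t)(i + 1);
        }
        struct server_info b = make_server_info_info3_model(&info, false, true, true);
        struct server_info f = make_server_info_info3_model(&info, false, true, false);
        printf("bad uid, buggy path: guest=%d can_sign=%d\n", b.guest, can_sign(&b));
        printf("bad uid, fixed path: guest=%d can_sign=%d\n", f.guest, can_sign(&f));
        return 0;
}
```

Run as written, the buggy path reports a guest session that cannot sign while the fixed path reports a guest session carrying the DC's key; with 'server signing = mandatory' (case #5) or a client that insists on signing (case #2) only the second can set up a session.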
On Mon, 18 Feb 2019 21:33:11 +1300 Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Wed, 2019-02-13 at 23:58 -0600, shivappa Sangapur via samba wrote:
> > Hi,
> >
> > I'm using samba-4.7.x. I have some confusion over the "map to guest =" options in combination with SMB signing.
> >
> > I want to understand why, in cases #2 and #5, it is not opening the shares of my smb-4.7.x server.
>
> This is probably a case we haven't really considered before.

No, it is a case of a crap smb.conf: the OP is trying to run an ADS Unix domain member as a standalone server. To use 'bad uid' there must not be a Unix user, but Samba will be creating one.

Rowland