>From 53f2b9f0ad1977471b8b87569a38c27a4ac3d711 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sat, 13 Nov 2010 18:03:25 +0100
Subject: [PATCH] s3: Fix "force group" with ntlmssp guest session setup

This one is subtle: Set "force group = " together with "guest ok = yes". Then try "smbclient //server/share -U%". Works. Then try to connect to the same share from Windows 2003 using an anonymous connection. Breaks with

make_connection: connection to share denied due to security descriptor

although the share_info.tdb is empty. I've seen reports of this on the lists, but I could never ever nail it until a customer gave me access to such a box.

What happens? With an empty share_info.tdb we create a security descriptor allowing everything to the world. The problem with the above parameter combination is that S-1-1-0 (World) is lost in the token. When you look at the callers of create_local_token, they are only called if the preceding check_ntlm_password did not create server_info->ptok. Not so with the one in auth_ntlmssp.c. So, if we get an NTLMSSP session setup with user="", domain="", pass="" we call create_local_token even though check_guest_security() via make_server_info_guest() has already correctly done so. In this case create_local_token puts S-1-1-0 into user_sids[1], which is supposed to be the primary group sid of the user logging in. "force group" then overwrites this -> the world is gone -> "denied due to security descriptor".

Why don't you see it with smbclient -U% (anonymous connection)? smbclient does not use ntlmssp for anon session setup.

This seems not to happen to 3.6.

Volker
---
 source3/auth/auth_ntlmssp.c | 13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 034d354..0e2c61a 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c
@@ -126,12 +126,13 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, auth_ntlmssp_state->server_info->nss_token |= username_was_mapped; - nt_status = create_local_token(auth_ntlmssp_state->server_info); - - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(10, ("create_local_token failed: %s\n", - nt_errstr(nt_status))); - return nt_status; + if (auth_ntlmssp_state->server_info->ptok == NULL) { + nt_status = create_local_token(auth_ntlmssp_state->server_info); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(10, ("create_local_token failed: %s\n", + nt_errstr(nt_status))); + return nt_status; + } } if (auth_ntlmssp_state->server_info->user_session_key.length) { -- 1.7.0.4
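
Review bot: The new `if (auth_ntlmssp_state->server_info->ptok == NULL)` guard needs a comment in the code saying why an existing token must be kept, because the reason is stated only in the commit message: for a guest NTLMSSP session setup, make_server_info_guest() has already built the token, and rebuilding it puts S-1-1-0 into the primary-group slot that "force group" later overwrites. Please also confirm that skipping the call is correct when `username_was_mapped` is true: the context line just above still sets `nss_token`, and with a pre-built `ptok` that flag no longer reaches create_local_token().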