The Samba-Bugzilla – Attachment 6084 Details for
Bug 7817
"force group" broken
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for 3.5
0001-s3-Fix-force-group-with-ntlmssp-guest-session-setup.patch (text/plain), 2.60 KB, created by
Volker Lendecke
on 2010-11-24 11:03:34 UTC
(
hide
)
Description:
Patch for 3.5
Filename:
MIME Type:
Creator:
Volker Lendecke
Created:
2010-11-24 11:03:34 UTC
Size:
2.60 KB
patch
obsolete
>>From 53f2b9f0ad1977471b8b87569a38c27a4ac3d711 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Sat, 13 Nov 2010 18:03:25 +0100 >Subject: [PATCH] s3: Fix "force group" with ntlmssp guest session setup > >This one is subtle: Set "force group = <somegroup>" together with "guest ok = >yes". Then try "smbclient //server/share -U%". Works. Then try to connect to >the same share from Windows 2003 using an anonymous connection. Breaks with > >make_connection: connection to share denied due to security descriptor > >although the share_info.tdb is empty. I've seen reports of this on the lists, >but I could never ever nail it until a customer gave me access to such a box. > >What happens? With an empty share_info.tdb we create a security descriptor >allow everything to the world. The problem with the above parameter combination >is that S-1-1-0 (World) is lost in the token. When you look at the callers of >create_local_token, they are only called if the preceding check_ntlm_password >did not create server_info->ptok. Not so with the one in auth_ntlmssp.c. So, if >we get a NTLMSSP session setup with user="", domain="", pass="" we call >create_local_token even though check_guest_security() via >make_server_info_guest() has already correctly done so. In this case >create_local_token puts S-1-1-0 into user_sids[1], which is supposed to be the >primary group sid of the user logging in. "force group" then overwrites this -> >the world is gone -> "denied due to security descriptor". > >Why don't you see it with smbclient -U% (anonymous connection)? smbclient does >not use ntlmssp for anon session setup. > >This seems not to happen to 3.6. > >Volker >--- > source3/auth/auth_ntlmssp.c | 13 +++++++------ > 1 files changed, 7 insertions(+), 6 deletions(-) > >diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c >index 034d354..0e2c61a 100644 >--- a/source3/auth/auth_ntlmssp.c >+++ b/source3/auth/auth_ntlmssp.c >@@ -126,12 +126,13 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, > > auth_ntlmssp_state->server_info->nss_token |= username_was_mapped; > >- nt_status = create_local_token(auth_ntlmssp_state->server_info); >- >- if (!NT_STATUS_IS_OK(nt_status)) { >- DEBUG(10, ("create_local_token failed: %s\n", >- nt_errstr(nt_status))); >- return nt_status; >+ if (auth_ntlmssp_state->server_info->ptok == NULL) { >+ nt_status = create_local_token(auth_ntlmssp_state->server_info); >+ if (!NT_STATUS_IS_OK(nt_status)) { >+ DEBUG(10, ("create_local_token failed: %s\n", >+ nt_errstr(nt_status))); >+ return nt_status; >+ } > } > > if (auth_ntlmssp_state->server_info->user_session_key.length) { >-- >1.7.0.4 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=6084">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
jra
:
review+
Actions:
View
Attachments on
bug 7817
: 6084