11833 – Possible misconfiguration or bug allowing a valid user to login with ANY domain name

Bug 11833 - Possible misconfiguration or bug allowing a valid user to login with ANY domain name

Summary: Possible misconfiguration or bug allowing a valid user to login with ANY doma...

Status:	RESOLVED DUPLICATE of bug 12709

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.1.6
Hardware:	x64 Linux

Importance:	P5 major (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-04-12 21:37 UTC by Ken Tyler
Modified:	2017-06-29 06:45 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ken Tyler 2016-04-12 21:37:45 UTC

I've been an open source tech support engineer for many years so I may have missed something.. Perhaps made a newbie mistake.

The configuration is the standard samba4 ADDC.


I will put all the relevant details at the end of the bug, version, etc ,etc.

The problem was discovered by accident. The windows machine was joined successfully and then after reboot an engineer had a typo in the domain and used mydommain.com\username to login and it worked.

SO I checked for typos in the config and in /var/lib/samba no typo..

Further testing allowed us to login with ANY domain of choice and as long as the user and password were correct we were logged into the domain.

Looking in the users directory it's correct and says C:\Users\user.MYDOMAIN.COM and not C:\Users\user.MYDOMMAIN.COM


The domain is mydomain.com but if I login with whateveriwant.com\myuser

The log shows this:

[2016/04/12 12:52:40.010628,  3] ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/XP2
[2016/04/12 12:52:40.010983,  3] ../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/XP2
[2016/04/12 12:52:40.011053,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [whateveriwant.com]\[myuser]@[XP2]
  auth_check_password_send: mapped user is: [MYDOMAIN]\[myuser]@[XP2]
[2016/04/12 12:52:40.871872,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'wbsrv: wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/04/12 12:52:40.871953,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[wbsrv: wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/04/12 12:52:41.157053,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/04/12 12:52:41.157456,  3] ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/MGMTVM
[2016/04/12 12:52:41.158356,  3] ../source4/rpc_server/dcerpc_server.c:963(dcesrv_request)
  Warning: 60 extra bytes in incoming RPC request
[2016/04/12 12:52:41.158441,  3] ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/MGMTVM
[2016/04/12 12:52:41.158495,  3] ../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/MGMTVM
[2016/04/12 12:52:41.158548,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)


And the user is logged in..


/etc/samba/smb.conf

[global]
        workgroup = MYDOMAIN
        log level = 3
        realm = MYDOMAIN.COM
        netbios name = PDC
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        allow dns updates = nonsecure and secure
        dns forwarder = 172.18.50.35
        client use spnego = yes
        client ntlmv2 auth = yes
        printing = CUPS
        printcap name = /dev/null
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        winbind refresh tickets = yes
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        idmap * : backend = tbd
        idmap config * : range = 300000-400000
        idmap config MYDOMAIN : range =  300000-400000




root@pdc:~# dpkg --list | grep samba
ii  python-samba                        2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64        Python bindings for Samba
ii  samba                               2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                        2:4.1.6+dfsg-1ubuntu2.14.04.13   all          common files used by both the Samba server and client
ii  samba-common-bin                    2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64        Samba common files used by both the server and the client
ii  samba-doc                           2:4.1.6+dfsg-1ubuntu2.14.04.13   all          Samba documentation
ii  samba-dsdb-modules                  2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64        Samba Directory Services Database
ii  samba-libs:amd64                    2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64        Samba core libraries
ii  samba-vfs-modules                   2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64        Samba Virtual FileSystem plugins
root@pdc:~# cat /etc/debian_version
jessie/sid

Comment 1 Andrew Bartlett 2017-06-28 10:00:53 UTC

Thankfully we just fixed this.  Marking as a duplicate of the bug tagged on the commits.

Thanks!

*** This bug has been marked as a duplicate of bug 12709 ***