Bug 11889 - Regression: Samba 4.4.3 breaks guest authentication
Regression: Samba 4.4.3 breaks guest authentication
Status: RESOLVED MOVED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
4.4.3
All All
: P5 normal
: ---
Assigned To: Stefan Metzmacher
Samba QA Contact
:
Depends on:
Blocks: 11913
  Show dependency treegraph
 
Reported: 2016-05-02 19:13 UTC by Kris Karas
Modified: 2016-05-09 16:06 UTC (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kris Karas 2016-05-02 19:13:23 UTC
Some commit introduced in Samba 4.4.3 has broken guest authentication (the share has "guest ok = yes") when the [global] "security" parameter is set to "ADS" (domain member).  Samba 4.4.2 and below work just fine.

On the client Linux computer, I am doing, simply,
   mount -t cifs -r -o guest //server/Music /mnt/tmp

Running { smbd -F -S -d5 } on the server with both versions 4.4.2 and 4.4.3, we have nearly identical output for the mount request until we get here:

Output with version 4.4.2:
4.4.2: check_ntlm_password:  Checking password for unmapped user [EXAMPLE]\[]@[] with the new password interface
4.4.2: check_ntlm_password:  mapped user is: [EXAMPLE]\[]@[]
4.4.2: check_ntlm_password: guest authentication for user [] succeeded
4.4.2: check_ntlm_password:  guest authentication for user [] -> [] -> [nobody] succeeded

And Output with version 4.4.3:
4.4.3: check_ntlm_password:  Checking password for unmapped user [EXAMPLE]\[]@[] with the new password interface
4.4.3: check_ntlm_password:  mapped user is: [EXAMPLE]\[]@[]
4.4.3: push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
4.4.3: push_conn_ctx(0) : conn_ctx_stack_ndx = 1
4.4.3: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
4.4.3: Security token: (NULL)
4.4.3: UNIX token of user 0
4.4.3: Primary group is 0 and contains 0 supplementary groups
4.4.3: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
4.4.3: check_ntlm_password: winbind authentication for user [] FAILED with error NT_STATUS_NO_SUCH_USER
4.4.3: check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
4.4.3: Checking NTLMSSP password for EXAMPLE\ failed: NT_STATUS_NO_SUCH_USER
4.4.3: ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for EXAMPLE\ failed: NT_STATUS_NO_SUCH_USER

I pared the smb.conf down to the bare minimum, to make sure it wasn't my "handiwork" that broke something.  The resulting smb.conf looked like this:

----- Begin smb.conf -----
[global]
  workgroup = EXAMPLE
  realm = EXAMPLE.COM
  passdb backend = tdbsam
  security = ADS
[Music]
  path = /usr/local/mp3-collection
  guest ok = Yes
----- End smb.conf -----

I have not attempted to bisect the code to figure out which commit broke guest authentication.
Comment 1 Kris Karas 2016-05-02 21:54:59 UTC
Changed the bug "Subject" to reflect that this bug is not dependent upon
"security = ADS".  I have tried "server role = standalone" and the bug persists.
Comment 2 Stefan Metzmacher 2016-05-03 10:09:24 UTC
Can you please upload a capture, see https://wiki.samba.org/index.php/Capture_Packets

What kernel version are you using?
Comment 3 Stefan Metzmacher 2016-05-03 10:42:18 UTC
(In reply to Stefan Metzmacher from comment #2)

This a actually a bug in the kernel module,
it sends a NULL username, with a none null NTLMv2_Response.

This will also fail against a Windows server.

Using "map to guest = bad user" in the [global] section
on the server should be able to let it work again.

Can you test that please?

I'll propose a fix for the kernel module...
Comment 4 Björn Baumbach 2016-05-03 17:22:48 UTC
(In reply to Stefan Metzmacher from comment #3)

I confirm that using "map to guest = bad user" works around this issue.
Comment 5 Kris Karas 2016-05-03 20:23:33 UTC
Also confirming here that Stefan Metzmacher's suggestion in comment #3 works correctly.  As such, I'll skip the upload of the packet trace, as it seems as if the root cause is already well known.

I guess this could be closed as Not A Bug, even though a "fix" applied looks like a regression against 4.4.2.  I'll mark it as Resolved:Moved (hopefully that's the right idiom?).  Stefan, could you submit this for a kernel fix as suggested?