Some commit introduced in Samba 4.4.3 has broken guest authentication (the share has "guest ok = yes") when the [global] "security" parameter is set to "ADS" (domain member). Samba 4.4.2 and below work just fine. On the client Linux computer, I am doing, simply, mount -t cifs -r -o guest //server/Music /mnt/tmp Running { smbd -F -S -d5 } on the server with both versions 4.4.2 and 4.4.3, we have nearly identical output for the mount request until we get here: Output with version 4.4.2: 4.4.2: check_ntlm_password: Checking password for unmapped user [EXAMPLE]\[]@[] with the new password interface 4.4.2: check_ntlm_password: mapped user is: [EXAMPLE]\[]@[] 4.4.2: check_ntlm_password: guest authentication for user [] succeeded 4.4.2: check_ntlm_password: guest authentication for user [] -> [] -> [nobody] succeeded And Output with version 4.4.3: 4.4.3: check_ntlm_password: Checking password for unmapped user [EXAMPLE]\[]@[] with the new password interface 4.4.3: check_ntlm_password: mapped user is: [EXAMPLE]\[]@[] 4.4.3: push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 4.4.3: push_conn_ctx(0) : conn_ctx_stack_ndx = 1 4.4.3: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 4.4.3: Security token: (NULL) 4.4.3: UNIX token of user 0 4.4.3: Primary group is 0 and contains 0 supplementary groups 4.4.3: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 4.4.3: check_ntlm_password: winbind authentication for user [] FAILED with error NT_STATUS_NO_SUCH_USER 4.4.3: check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER 4.4.3: Checking NTLMSSP password for EXAMPLE\ failed: NT_STATUS_NO_SUCH_USER 4.4.3: ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for EXAMPLE\ failed: NT_STATUS_NO_SUCH_USER I pared the smb.conf down to the bare minimum, to make sure it wasn't my "handiwork" that broke something. The resulting smb.conf looked like this: ----- Begin smb.conf ----- [global] workgroup = EXAMPLE realm = EXAMPLE.COM passdb backend = tdbsam security = ADS [Music] path = /usr/local/mp3-collection guest ok = Yes ----- End smb.conf ----- I have not attempted to bisect the code to figure out which commit broke guest authentication.
Changed the bug "Subject" to reflect that this bug is not dependent upon "security = ADS". I have tried "server role = standalone" and the bug persists.
Can you please upload a capture, see https://wiki.samba.org/index.php/Capture_Packets What kernel version are you using?
(In reply to Stefan Metzmacher from comment #2) This a actually a bug in the kernel module, it sends a NULL username, with a none null NTLMv2_Response. This will also fail against a Windows server. Using "map to guest = bad user" in the [global] section on the server should be able to let it work again. Can you test that please? I'll propose a fix for the kernel module...
(In reply to Stefan Metzmacher from comment #3) I confirm that using "map to guest = bad user" works around this issue.
Also confirming here that Stefan Metzmacher's suggestion in comment #3 works correctly. As such, I'll skip the upload of the packet trace, as it seems as if the root cause is already well known. I guess this could be closed as Not A Bug, even though a "fix" applied looks like a regression against 4.4.2. I'll mark it as Resolved:Moved (hopefully that's the right idiom?). Stefan, could you submit this for a kernel fix as suggested?