+++ This bug was initially created as a clone of Bug #11889 +++

Some commit introduced in Samba 4.4.3 has broken guest authentication (the share has "guest ok = yes") when the [global] "security" parameter is set to "ADS" (domain member). Samba 4.4.2 and below work just fine.

On the client Linux computer, I am doing, simply,

    mount -t cifs -r -o guest //server/Music /mnt/tmp

Running { smbd -F -S -d5 } on the server with both versions 4.4.2 and 4.4.3, we have nearly identical output for the mount request until we get here:

Output with version 4.4.2:

    4.4.2: check_ntlm_password: Checking password for unmapped user [EXAMPLE]\[]@[] with the new password interface
    4.4.2: check_ntlm_password: mapped user is: [EXAMPLE]\[]@[]
    4.4.2: check_ntlm_password: guest authentication for user [] succeeded
    4.4.2: check_ntlm_password: guest authentication for user [] -> [] -> [nobody] succeeded

And Output with version 4.4.3:

    4.4.3: check_ntlm_password: Checking password for unmapped user [EXAMPLE]\[]@[] with the new password interface
    4.4.3: check_ntlm_password: mapped user is: [EXAMPLE]\[]@[]
    4.4.3: push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
    4.4.3: push_conn_ctx(0) : conn_ctx_stack_ndx = 1
    4.4.3: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
    4.4.3: Security token: (NULL)
    4.4.3: UNIX token of user 0
    4.4.3: Primary group is 0 and contains 0 supplementary groups
    4.4.3: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
    4.4.3: check_ntlm_password: winbind authentication for user [] FAILED with error NT_STATUS_NO_SUCH_USER
    4.4.3: check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
    4.4.3: Checking NTLMSSP password for EXAMPLE\ failed: NT_STATUS_NO_SUCH_USER
    4.4.3: ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for EXAMPLE\ failed: NT_STATUS_NO_SUCH_USER

I pared the smb.conf down to the bare minimum, to make sure it wasn't my "handiwork" that broke something. The resulting smb.conf looked like this:

----- Begin smb.conf -----
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    passdb backend = tdbsam
    security = ADS

[Music]
    path = /usr/local/mp3-collection
    guest ok = Yes
----- End smb.conf -----

I have not attempted to bisect the code to figure out which commit broke guest authentication.
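An added example, not part of the original report and not Samba code: a small Python parser for the check_ntlm_password lines quoted in the report, showing which auth module decided each logon and flagging empty-username logons that a non-guest module rejected. The function names are hypothetical, and the log text is excerpted from the report.

```python
import re

# Excerpts copied from the report above; the "4.4.x:" prefixes are the reporter's.
LOG_442 = r"""
4.4.2: check_ntlm_password: Checking password for unmapped user [EXAMPLE]\[]@[] with the new password interface
4.4.2: check_ntlm_password: mapped user is: [EXAMPLE]\[]@[]
4.4.2: check_ntlm_password: guest authentication for user [] succeeded
4.4.2: check_ntlm_password: guest authentication for user [] -> [] -> [nobody] succeeded
"""
LOG_443 = r"""
4.4.3: check_ntlm_password: Checking password for unmapped user [EXAMPLE]\[]@[] with the new password interface
4.4.3: check_ntlm_password: mapped user is: [EXAMPLE]\[]@[]
4.4.3: push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
4.4.3: check_ntlm_password: winbind authentication for user [] FAILED with error NT_STATUS_NO_SUCH_USER
4.4.3: check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# [DOMAIN]\[user]@[workstation] as printed at the start of each attempt.
START = re.compile(r"Checking password for unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[")
# "<module> authentication for user [..] succeeded|FAILED with error <status>"
OUTCOME = re.compile(r"(\w+) authentication for user \[[^\]]*\] (?:succeeded|FAILED with error (\w+))")
# Final "-> [unix user] succeeded" mapping line.
MAPPED = re.compile(r"-> \[([^\]]*)\] succeeded")


def summarize_auth(log_text):
    """Return one record per check_ntlm_password attempt in smbd debug output."""
    attempts = []
    for line in log_text.splitlines():
        if (m := START.search(line)):
            attempts.append({"domain": m[1], "user": m[2], "backend": None,
                             "error": None, "unix_user": None})
        elif attempts and (m := OUTCOME.search(line)):
            # The auth module that decided the attempt, and its error if any.
            attempts[-1]["backend"], attempts[-1]["error"] = m[1], m[2]
        elif attempts and (m := MAPPED.search(line)):
            attempts[-1]["unix_user"] = m[1]
    return attempts


def empty_user_rejected(attempts):
    """Empty-username logons that a non-guest module rejected (the 4.4.3 symptom)."""
    return [a for a in attempts
            if a["user"] == "" and a["backend"] != "guest" and a["error"]]


if __name__ == "__main__":
    for name, log in (("4.4.2", LOG_442), ("4.4.3", LOG_443)):
        print(name, summarize_auth(log), empty_user_rejected(summarize_auth(log)))
```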
Created attachment 12090: Possible but completely untested patches for linux master
Thanks for finding this. Reviewed, and tested against Samba 4.4.3 and it works. Merged into cifs-2.6.git.
And cc: stable so it will be backported.
I have found that this change breaks guest authentication against (at least) Windows 10 SMB servers. Seems to work against Windows 7 though.
(In reply to Justin Maggard from comment #4) There's actually a difference between anonymous and guest authentication. I fixed the anonymous authentication (with username = ""). Guest authentication uses a username != "" and either that user doesn't exist or the password was wrong. Maybe the 'guest' mount options should not be completely ignored, but instead set username = "guest" and password = "".
It appears that this also breaks failure cases. By this I mean that if you attempt to mount using the guest option to a share provided by a Windows 8.1 machine (probably all newer versions as well) that requires authentication, the mount command will appear to hang indefinitely; it isn't actually hung but rather is repeatedly trying to chase non-existent DFS referrals. It usually requires kill -9 to stop the mount command. This does not occur when issuing the same command for a share on Windows 7, where the correct result of "Permission denied" is returned.

Example mount command line:

    mount -t cifs //10.62.98.3/Share /tmp-smb/ -o guest

Specifying vers=2 also seems to work correctly, but there are still supported hardware filers that do not support SMB ver2 (NetApp, OnTap 8 which is the last non clustered OnTap for instance).
It turns out that the reason that Windows 7 doesn't behave the same is that when the GET_DFS_REFERRAL is sent the "server" responds with STATUS_FS_DRIVER_REQUIRED. So, the behaviour is still incorrect as the DFS referral should not happen.