Bug 11913 - Regression: Samba 4.4.3 breaks guest authentication
Regression: Samba 4.4.3 breaks guest authentication
Status: RESOLVED FIXED
Product: CifsVFS
Classification: Unclassified
Component: kernel fs
3.x
All All
: P5 normal
: ---
Assigned To: Steve French
:
Depends on: 11889
Blocks:
  Show dependency treegraph
 
Reported: 2016-05-09 16:06 UTC by Stefan Metzmacher
Modified: 2016-11-24 11:24 UTC (History)
4 users (show)

See Also:


Attachments
Possible but completely untested patches for linux master (9.56 KB, text/plain)
2016-05-09 16:10 UTC, Stefan Metzmacher
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2016-05-09 16:06:32 UTC
+++ This bug was initially created as a clone of Bug #11889 +++

Some commit introduced in Samba 4.4.3 has broken guest authentication (the share has "guest ok = yes") when the [global] "security" parameter is set to "ADS" (domain member).  Samba 4.4.2 and below work just fine.

On the client Linux computer, I am doing, simply,
   mount -t cifs -r -o guest //server/Music /mnt/tmp

Running { smbd -F -S -d5 } on the server with both versions 4.4.2 and 4.4.3, we have nearly identical output for the mount request until we get here:

Output with version 4.4.2:
4.4.2: check_ntlm_password:  Checking password for unmapped user [EXAMPLE]\[]@[] with the new password interface
4.4.2: check_ntlm_password:  mapped user is: [EXAMPLE]\[]@[]
4.4.2: check_ntlm_password: guest authentication for user [] succeeded
4.4.2: check_ntlm_password:  guest authentication for user [] -> [] -> [nobody] succeeded

And Output with version 4.4.3:
4.4.3: check_ntlm_password:  Checking password for unmapped user [EXAMPLE]\[]@[] with the new password interface
4.4.3: check_ntlm_password:  mapped user is: [EXAMPLE]\[]@[]
4.4.3: push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
4.4.3: push_conn_ctx(0) : conn_ctx_stack_ndx = 1
4.4.3: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
4.4.3: Security token: (NULL)
4.4.3: UNIX token of user 0
4.4.3: Primary group is 0 and contains 0 supplementary groups
4.4.3: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
4.4.3: check_ntlm_password: winbind authentication for user [] FAILED with error NT_STATUS_NO_SUCH_USER
4.4.3: check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
4.4.3: Checking NTLMSSP password for EXAMPLE\ failed: NT_STATUS_NO_SUCH_USER
4.4.3: ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for EXAMPLE\ failed: NT_STATUS_NO_SUCH_USER

I pared the smb.conf down to the bare minimum, to make sure it wasn't my "handiwork" that broke something.  The resulting smb.conf looked like this:

----- Begin smb.conf -----
[global]
  workgroup = EXAMPLE
  realm = EXAMPLE.COM
  passdb backend = tdbsam
  security = ADS
[Music]
  path = /usr/local/mp3-collection
  guest ok = Yes
----- End smb.conf -----

I have not attempted to bisect the code to figure out which commit broke guest authentication.
Comment 1 Stefan Metzmacher 2016-05-09 16:10:58 UTC
Created attachment 12090 [details]
Possible but completely untested patches for linux master
Comment 2 Steve French 2016-05-11 11:29:29 UTC
Thanks for finding this.

Reviewed, and tested against Samba 4.4.3 and it works.

Merged into cifs-2.6.git
Comment 3 Steve French 2016-05-11 11:29:47 UTC
And cc: stable so it will be backported
Comment 4 Justin Maggard 2016-11-10 18:22:33 UTC
I have found that this change breaks guest authentication against (at least) Windows 10 SMB servers.  Seems to work against Windows 7 though.
Comment 5 Stefan Metzmacher 2016-11-11 07:14:16 UTC
(In reply to Justin Maggard from comment #4)

There's actually a difference between anonymous and guest authentication.

I fixed the anonymous authentication (with username = "").

Guest authentication uses a username != "" and either that
user doesn't exist or the password was wrong.

Maybe the 'guest' mount options should not be completely ignored,
but instead set username = "guest" and password = "".
Comment 6 Mark Syms 2016-11-23 19:52:17 UTC
It appears that this also breaks failure cases. By this I mean that if you attempt to mount using the guest option to a share provided by a Windows 8.1 machine (probably all version newer as well) that requires authentication the mount command will appear to hang indefinitely, it isn't actually hung but rather is repeatedly trying to chase non-existent DFS referals. It usually requires kill -9 to stop the mount command.

This does not occur when issuing the same command for a share on Windows 7 where the correct result of "Permission denied" is returned.

Example mount command line - 

mount -t cifs //10.62.98.3/Share /tmp-smb/ -o guest

specifying vers=2 also seems to work correctly but there are still supported hardware filers that do not support SMB ver2 (NetApp, OnTap 8 which is the last non clustered OnTap for instance).
Comment 7 Mark Syms 2016-11-24 11:24:15 UTC
It turns out that the reason that Windows 7 doesn't behave the same is that when the GET_DFS_REFERRAL is sent the "server" responds with STATUS_FS_DRIVER_REQUIRED. So, the behaviour is still incorrect as the DFS referral should not happen