Bug 13543 - map untrusted to domain not working
Summary: map untrusted to domain not working
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.7.8
Hardware: All
OS: Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Duplicates: 13739
Reported: 2018-07-24 03:40 UTC by tbskyd
Modified: 2019-10-04 22:33 UTC
Description tbskyd 2018-07-24 03:40:00 UTC
Hi:

    After upgrading to Samba 4.7, our Android phone users report they can not access our file server (AD member server) anymore. After debugging, I found "map untrusted to domain = yes" is not working. Our users use "user" instead of "samdom\user" to log in.

    According to the manual, if I use "bogus\user" to log in, Samba should transfer it to "samdom\user". But checking the log, the transfer seems not complete (smbd seems not to transfer it to winbind?):

>grep bogus log.*
log.smbd:  Got user=[h1102] domain=[bogus] workstation=[ANN-PC] len1=24 len2=272
log.smbd:  Mapping user [bogus]\[h1102] from workstation [ANN-PC]
log.smbd:  Mapped domain from [bogus] to [LHY] for user [h1102] from workstation [ANN-PC]
log.smbd:  check_ntlm_password:  Checking password for unmapped user [bogus]\[h1102]@[ANN-PC] with the new password interface
log.smbd:  Checking NTLMSSP password for bogus\h1102 failed: NT_STATUS_NO_SUCH_USER
log.smbd:  ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for bogus\h1102 failed: NT_STATUS_NO_SUCH_USER
log.wb-LHY:  [ 6352]: pam auth crap domain: bogus user: h1102
log.wb-LHY:  NTLM CRAP authentication for user [bogus]\[h1102] returned NT_STATUS_NO_SUCH_USER
log.winbindd:  [ 6377]: domain_info [bogus]
log.winbindd:  Did not find domain [bogus]
log.winbindd:  [ 6377]: pam auth crap domain: [bogus] user: h1102
Comment 1 tbskyd 2018-07-24 03:50:38 UTC
Hi:
  Part of the messages from log.smbd.

[2018/07/24 09:55:36.907652,  5] ../source3/auth/auth_util.c:123(make_user_info_map)
  Mapping user [bogus]\[h1102] from workstation [ANN-PC]
[2018/07/24 09:55:36.907970,  5] ../source3/auth/auth_util.c:144(make_user_info_map)
  Mapped domain from [bogus] to [LHY] for user [h1102] from workstation [ANN-PC]
[2018/07/24 09:55:36.907989,  5] ../source3/auth/user_info.c:62(make_user_info)
  attempting to make a user_info for h1102 (h1102)
[2018/07/24 09:55:36.908005,  5] ../source3/auth/user_info.c:70(make_user_info)
  making strings for h1102's user_info struct
[2018/07/24 09:55:36.908016,  5] ../source3/auth/user_info.c:108(make_user_info)
  making blobs for h1102's user_info struct
[2018/07/24 09:55:36.908026,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [bogus]\[h1102]@[ANN-PC] with the new password interface
[2018/07/24 09:55:36.908036,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [LHY]\[h1102]@[ANN-PC]
[2018/07/24 09:55:36.908046,  5] ../lib/util/util.c:555(dump_data)
  [0000] 7C 4A 67 E1 4D 77 54 07                             |Jg.MwT.
[2018/07/24 09:55:36.908073,  4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/07/24 09:55:36.908083,  4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/07/24 09:55:36.908093,  4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/07/24 09:55:36.908102,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/07/24 09:55:36.908110,  5] ../source3/auth/token_util.c:640(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2018/07/24 09:55:36.910848,  4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/07/24 09:55:36.910881,  5] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [h1102] FAILED with error NT_STATUS_NO_SUCH_USER
[2018/07/24 09:55:36.910914,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [h1102] -> [h1102] FAILED with error NT_STATUS_NO_SUCH_USER
[2018/07/24 09:55:36.910927,  5] ../source3/auth/auth_ntlmssp.c:188(auth3_check_password)
  Checking NTLMSSP password for bogus\h1102 failed: NT_STATUS_NO_SUCH_USER
[2018/07/24 09:55:36.910939,  5] ../auth/ntlmssp/ntlmssp_server.c:737(ntlmssp_server_check_password)
  ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for bogus\h1102 failed: NT_STATUS_NO_SUCH_USER
[2018/07/24 09:55:36.910951,  2] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
Comment 2 Björn Jacke 2018-12-09 15:08:11 UTC
That parameter was finally removed in Samba 4.8 because of the various design issues with it.
Comment 3 michael li 2019-01-08 07:37:41 UTC
So now we all need to use domain\user for access in this case?
Comment 4 tbskyd 2019-01-09 23:16:21 UTC
This is unfortunate.
In a single-domain environment, it is very convenient to input the user part only.
Is there any other way to achieve the same behavior?
It's sad that Samba is losing more and more unique features.
Comment 5 Björn Jacke 2019-01-11 08:57:49 UTC
*** Bug 13739 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Metzmacher 2019-01-11 21:50:18 UTC
There might be ways to reimplement map untrusted to domain, if it's really required, but it means the authentication request is sent to the DC twice,
first as is, and if the answer is NO_SUCH_USER and authoritative is 0,
we would send it again with the domain part replaced.

In make_auth3_context_for_ntlm() we would let a member use:

"anonymous sam winbind winbind_owndomain sam_ignoredomain"

And winbind_owndomain would implement map untrusted to domain
or just pass on to the next module depending on the configuration.
Comment 7 Stefan Metzmacher 2019-01-11 21:53:02 UTC
(In reply to Stefan Metzmacher from comment #6)

But I'm not sure it will work with NTLMv2, which should be required
in most setups.
Comment 8 Stefan Metzmacher 2019-01-11 21:57:44 UTC
It could only work on a DC by using:

"sam_netlogon3 winbind sam_ignoredomain" in make_auth3_context_for_netlogon()
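Added example, not Samba code and not anything proposed in this bug: a toy model of the two-pass flow from comment 6 (send the request as-is; on NO_SUCH_USER with authoritative == 0, resend with the client's domain replaced by the member's own domain) run against a toy DC, together with the NTLMv2 detail behind the doubt in comment 7. In NTLMv2 the response key is NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)) (MS-NLMP), so the domain string the client typed is baked into the response; a DC that recomputes it with the substituted domain gets a mismatch, and the retry turns NO_SUCH_USER into WRONG_PASSWORD rather than success. The realm "LHY" and user "h1102" are taken from the log above; the password, the toy DC, the function names and the reuse of the 8 bytes from the dump_data line as a server challenge are assumptions for the demonstration.

```python
"""Toy model of 'map untrusted to domain' as a two-pass NetLogon retry, and why
NTLMv2 defeats the domain substitution. Added example, not Samba code."""
import hashlib
import hmac
from dataclasses import dataclass, replace

NT_STATUS_OK = "NT_STATUS_OK"
NT_STATUS_NO_SUCH_USER = "NT_STATUS_NO_SUCH_USER"
NT_STATUS_WRONG_PASSWORD = "NT_STATUS_WRONG_PASSWORD"


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds often refuse hashlib's md4."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + (8 * len(data)).to_bytes(8, "little")
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = [int.from_bytes(msg[off + 4 * i:off + 4 * i + 4], "little") for i in range(16)]
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rol((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return b"".join(v.to_bytes(4, "little") for v in (a, b, c, d))


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    # MS-NLMP NTOWFv2: the user is uppercased, the domain string is NOT, and it is keyed in.
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + client_blob, hashlib.md5).digest()


@dataclass(frozen=True)
class LogonRequest:
    user: str
    domain: str           # exactly as the client sent it, e.g. "bogus"
    server_challenge: bytes
    client_blob: bytes
    nt_response: bytes


class ToyDC:
    """Stand-in for a DC (assumption): authoritative only for its own realm."""

    def __init__(self, realm: str, accounts: dict):
        self.realm, self.accounts = realm, accounts   # accounts: lowercase user -> NT hash

    def sam_logon(self, req: LogonRequest):
        """Returns (status, authoritative), the shape of a NetrLogonSamLogon answer."""
        if req.domain.upper() != self.realm.upper():
            return NT_STATUS_NO_SUCH_USER, 0          # unknown domain: non-authoritative
        nt = self.accounts.get(req.user.lower())
        if nt is None:
            return NT_STATUS_NO_SUCH_USER, 1
        expected = ntlmv2_response(nt, req.user, req.domain, req.server_challenge, req.client_blob)
        ok = hmac.compare_digest(expected, req.nt_response)
        return (NT_STATUS_OK if ok else NT_STATUS_WRONG_PASSWORD), 1


def member_check_password(dc: ToyDC, req: LogonRequest, own_domain: str, map_untrusted: bool) -> str:
    """Comment 6's flow: first pass as-is; retry with our own domain only on a
    non-authoritative NO_SUCH_USER and only when the mapping is enabled."""
    status, authoritative = dc.sam_logon(req)
    if map_untrusted and status == NT_STATUS_NO_SUCH_USER and not authoritative:
        status, _ = dc.sam_logon(replace(req, domain=own_domain))
    return status


def client_logon(user: str, password: str, domain: str, server_challenge: bytes) -> LogonRequest:
    """What an NTLMv2 client sends: the response is computed over the domain it typed."""
    client_blob = b"\x01\x01" + b"\x00" * 6          # constructed, stands in for the NTLMv2 blob
    nt = nt_hash(password)
    return LogonRequest(user, domain, server_challenge, client_blob,
                        ntlmv2_response(nt, user, domain, server_challenge, client_blob))


def demo() -> dict:
    """Three logons for h1102: as LHY\\h1102, as bogus\\h1102 without mapping, and
    as bogus\\h1102 with the two-pass mapping. Returns {(domain, mapping): status}."""
    password = "Sup3r-Secret!"                              # constructed
    dc = ToyDC("LHY", {"h1102": nt_hash(password)})
    chal = bytes.fromhex("7c4a67e14d775407")                # 8 bytes from the dump_data log line
    results = {}
    for domain, mapping in (("LHY", False), ("bogus", False), ("bogus", True)):
        req = client_logon("h1102", password, domain, chal)
        results[(domain, mapping)] = member_check_password(dc, req, "LHY", mapping)
    return results


if __name__ == "__main__":
    for (domain, mapping), status in demo().items():
        print(f"{domain}\\h1102 map_untrusted={mapping}: {status}")
```

The mapped retry fails with NT_STATUS_WRONG_PASSWORD because the DC recomputes NTOWFv2 over "LHY" while the client keyed its response over "bogus"; nothing on the member can repair that without the client's password. A real deployment would also have to treat the retry as a second DC round trip per failed logon, which is the cost metze points out in comment 6.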
Comment 9 tbskyd 2019-01-14 11:50:35 UTC
(In reply to Stefan Metzmacher from comment #6)

It is a convenience in a single-domain environment.
No matter whether the user inputs "user", "samdom\user" or "bogus\user", all are transferred to "samdom\user" before the next step. Then we can avoid sending it twice. But I don't know if that is possible.
Comment 10 Stefan Metzmacher 2019-01-17 14:06:05 UTC
(In reply to tbskyd from comment #9)

Try what I propose in comment #8, but I'm not yet sure we want such
a change in upstream Samba, sorry.