Bug 15736 - smbd fails with NT_STATUS_NO_SUCH_USER if Samba guest account is NOT in smbpasswd
Status: REOPENED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Printing
Version: 4.21.0
Hardware: x64 All
Importance: P5 normal
Target Milestone: ---
Assignee: printing-maintainers
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-13 21:21 UTC by Paul FM
Modified: 2024-10-22 08:31 UTC
CC List: 1 user

See Also:


Attachments
created with: testparm -v /links/samba/etc/smbd.conf 2> pfm1.smbd.testparm.txt > pfm1.smbd.settings.txt (30.75 KB, text/plain)
2024-10-13 21:21 UTC, Paul FM
Updated settings, using: testparm -s /links/samba/etc/smbd.conf 2> pfm1.smbd.testparm.txt > pfm1.smbd.settings.txt (19.26 KB, text/plain)
2024-10-14 13:26 UTC, Paul FM

Description Paul FM 2024-10-13 21:21:41 UTC
Created attachment 18472
created with: testparm -v /links/samba/etc/smbd.conf 2> pfm1.smbd.testparm.txt > pfm1.smbd.settings.txt

In a built from source install of samba 4.21.0 configured with load printers = Yes; using net view \\server from windows FAILS, with a logged error (by smbd) of:

[2024/10/13 14:31:47.580921,  0, pid=23271] ../../source3/auth/auth_util.c:1441(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_NO_SUCH_USER
[2024/10/13 14:31:47.581060,  0, pid=23271] ../../source3/rpc_server/rpc_host.c:2905(main)
  main: init_guest_session_info failed

Windows reports:
C:\TEMP\tmp> net view \\su
System error 53 has occurred.

The network path was not found.


The workaround seems to be to add the guest user (in my case sys-smb-guest) to the smbpasswd file with: smbpasswd -n -a sys-smb-guest
(then all is well, so I do not need a fix - but you might want to check the code).

Notes:
Exact same configuration and build options of samba 4.20.5 (and older) does not show this issue.
sys-smb-guest is already in the LOCAL /etc/passwd file.

I have found this issue on both a domain attached install, and a stand-alone install.

If you have any other reports of this issue, have them try adding the defined guest user to the smbpasswd file.
Comment 1 Rowland Penny 2024-10-14 09:17:01 UTC
(In reply to Paul FM from comment #0)

But you are not using any guest user, after wading through your extensive supplied smb.conf (please note, do not post the output of 'testparm -v', it gives EVERYTHING, please use 'testparm -s') I find that you have 'map to guest = Never' set, this is the default and means that guest is never used and if you were using guest, then Samba uses a Unix user, as stated in 'man smb.conf':

       Sections may be designated guest services, in which case no password is
       required to access them. A specified UNIX guest account is used to
       define access privileges in this case.

So, this isn't a bug, it is mis-configuration.

There are lots of mis-configurations in your smb.conf, for instance, you do not use 'idmap config' lines on a standalone server.
Comment 2 Paul FM 2024-10-14 13:26:47 UTC
Created attachment 18476
Updated settings, using: testparm -s /links/samba/etc/smbd.conf 2> pfm1.smbd.testparm.txt > pfm1.smbd.settings.txt

I was already connected to the server, as an authenticated user.
smbd uses the guest account for operations that are not authenticated (for instance - for maintaining browse lists).
And yes, those parameters aren't used for a stand-alone installation (so they do nothing), and there are a couple of deprecated settings; and, I am probably one of the few who use the "guest account =" parameter.

As I pointed out, the EXACT same configuration with 4.20.5 (and many older versions) works without this issue.

For guest mapping, I am also using:
username map script = /links/samba/etc/bin.smbd/username-remap.pl
However, the issue persists without this setting (with no logging of NT_STATUS_NO_SUCH_USER); however, I still don't get a browse list.  And again, 4.20.5 works fine with that setting removed (and no sys-smb-guest user in the smbpasswd file).

Possibly, this is just some change that is not documented in the change log (nor the man pages).  That is - that all users used by smbd, must exist in the smbpasswd file, or in the Domain (in the past, any user with a unix account could be used, and would be assumed to exist in smbpasswd with "NO PASSWORD").
If this is just a change - it just could use some additional documentation.

Thanks.
Comment 3 Rowland Penny 2024-10-14 17:06:28 UTC
(In reply to Paul FM from comment #2)

The 'guest account' is used when 'guest ok' is set, from 'man smb.conf':

       guest account (G)

           This is a username which will be used for access to services which
           are specified as guest ok (see below). Whatever privileges this
           user has will be available to any client connecting to the guest
           service. This user must exist in the password file, but does not
           require a valid login. The user account "ftp" is often a good
           choice for this parameter.

       guest ok (S)

           If this parameter is yes for a service, then no password is
           required to connect to the service. Privileges will be those of the
           guest account.

However, they both rely on 'map to guest' not being set to 'never' (the default), which, as you don't have it in your revised smb.conf, it is, so there is no guest access.
The default guest user is 'nobody', which is a standard Unix user and is in /etc/passwd (aka the password file), so if you replace the default guest user with another one, that user must be in /etc/passwd, it has been that way for more years than I care to remember.

The other problem is that Windows has deprecated guest access and you have to turn it back on if you require it on most enterprise versions.

As for the browse list, this is a SMBv1 thing and Samba is working hard to remove SMBv1 (Windows has deprecated it as well), so you would do well to stop relying on it.

I suggest you remove all the un-required (and probably unused) lines from your smb.conf and use Samba as a standalone server.
Comment 4 Paul FM 2024-10-15 01:09:35 UTC
Let me be clear.

This is NOT about the unix account sys-smb-guest.
I don't want samba to map any user to guest for the purpose of connecting to the server (those users should be denied access); the exception is public shares (which can be connected to as the windows NULL user)
However, a defined and authorized user should be able to list the shares available on the server (which Windows does by invoking a NULL user connection - requiring smbd to operate as the defined guest account).  I don't use the user nobody, as there are potential security issues with network access processes running as nobody.

This is a change since the last version of samba (it may be intentional; but, it isn't properly documented).
The sys-smb-guest account is defined in Unix properly at all times in my tests.
The failure happens when it is NOT in the smbpasswd file.
I have to add it with:
    smbpasswd -n -a sys-smb-guest
Then - all is well.

Since, I already have a solution - I am sharing it so it can be added to the documentation.
That is:
All accounts used by samba MUST now exist in BOTH the Unix users (or in the automatically created samba virtual unix account databases), and in the defined users that SAMBA works with (like AD, or the local smbpasswd file/db).


I tested if setting the guest account to nobody (the default), exhibits the same issue. I set:
        guest account = nobody
        map to guest = bad user

And still have the same issue (including the same error messages).

I then ran (without restarting samba):
    smbpasswd -n -a nobody

And the problem was cured.
(removing nobody from the smbpasswd file, immediately broke it again - no restart of samba).

So, this is even a problem with the default setting for "guest user".


I should add, that all this seems to be connected to using the parameter:
    username map script = /links/samba/etc/bin.smbd/username-remap.pl
Note, if I simply use
    username map script = /bin/echo
I have the same issue (with the other two settings set as above).
Again - fixed with: smbpasswd -n -a nobody

So, this is some change in the code for when "username map script" is defined.
I would guess it is a change either in:
    source3/auth/auth_util.c
Or (more likely):
    source3/auth/user_util.c
However, the function "map_username" in that file is not well documented, so I find it rather hard to follow (it seems to be the function directly affected by the "username map script" parameter).

Thanks.
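The tests in comment 4 boil down to one check: is the configured "guest account" present in the Unix password file, is it present in the smbpasswd file, and is a "username map script" set. The script below, added here as an example and not code from the bug report or from Samba, performs that check offline against sample files. The smb.conf, passwd and smbpasswd contents it writes are constructed for the demonstration (the smbpasswd entries imitate the layout that "smbpasswd -n -a USER" produces, with the NO PASSWORD marker and N flag); on a real system you would point the functions at the live files instead.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Samba: given an smb.conf,
# a Unix passwd file and an smbpasswd file, report whether the configured
# "guest account" exists in BOTH databases, which is the condition the reporter
# found necessary on 4.21.0 when "username map script" is set.
# All file contents below are constructed samples.

# Print the value of a global smb.conf parameter (name is case-insensitive).
# Lines before the first section header count as global, as Samba treats them.
smbconf_param() {
    awk -v key="$2" '
        BEGIN { in_global = 1 }
        /^[ \t]*\[/ {                      # section header
            s = $0; gsub(/[ \t]/, "", s)
            in_global = (tolower(s) == "[global]")
            next
        }
        in_global {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^[#;]/) next
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]+$/, "", k)
            gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }
    ' "$1"
}

# passwd(5) and smbpasswd(5) both put the account name in field 1.
user_in_colon_db() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Append a "smbpasswd -n -a USER" style entry (NO PASSWORD marker, N flag) to a
# sample smbpasswd file; constructed layout, used here instead of the real tool.
add_nopassword_entry() {
    printf '%s:%s:%s:%s:[NU         ]:LCT-00000000:\n' \
        "$2" "$3" 'NO PASSWORDXXXXXXXXXXXXXXXXXXXXX' 'NO PASSWORDXXXXXXXXXXXXXXXXXXXXX' >> "$1"
}

# Verdict: OK | MISSING_UNIX | MISSING_SMBPASSWD, followed by whether a
# "username map script" is configured (the trigger identified in comment 4).
check_guest_account() {
    guest=$(smbconf_param "$1" "guest account")
    [ -n "$guest" ] || guest=nobody            # Samba's default guest account
    script=$(smbconf_param "$1" "username map script")
    if [ -n "$script" ]; then flag=map_script=yes; else flag=map_script=no; fi
    if ! user_in_colon_db "$2" "$guest"; then
        echo "MISSING_UNIX $flag"             # always a misconfiguration
    elif user_in_colon_db "$3" "$guest"; then
        echo "OK $flag"
    else
        echo "MISSING_SMBPASSWD $flag"        # the state that failed in 4.21.0
    fi
}

# Write constructed sample files to a temporary directory and print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/smb.conf" <<'EOF'
[global]
    workgroup = WORKGROUP
    guest account = sys-smb-guest
    map to guest = Bad User
    username map script = /bin/echo
[public]
    path = /srv/public
    guest ok = yes
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sys-smb-guest:x:1200:1200:Samba guest:/nonexistent:/usr/sbin/nologin
EOF
    : > "$d/smbpasswd"                         # start with an empty passdb
    add_nopassword_entry "$d/smbpasswd" nobody 65534
    echo "$d"
}

# Stand-alone run: show the failing state, apply the workaround, re-check.
demo() {
    d=$(make_samples)
    echo "guest account = $(smbconf_param "$d/smb.conf" 'guest account')"
    echo "before: $(check_guest_account "$d/smb.conf" "$d/passwd" "$d/smbpasswd")"
    add_nopassword_entry "$d/smbpasswd" sys-smb-guest 1200
    echo "after:  $(check_guest_account "$d/smb.conf" "$d/passwd" "$d/smbpasswd")"
    rm -rf "$d"
}
demo
```

The "before" run reports MISSING_SMBPASSWD with map_script=yes, the combination that produced NT_STATUS_NO_SUCH_USER in the report; after the equivalent of "smbpasswd -n -a sys-smb-guest" the verdict is OK. A MISSING_UNIX verdict is the separate, long-standing misconfiguration that the man page's "must exist in the password file" sentence refers to.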
Comment 5 Rowland Penny 2024-10-20 10:37:19 UTC
(In reply to Paul FM from comment #4)

I think you are talking about 'anonymous access' as used by smbclient:

smbclient -NL localhost
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	sysvol          Disk      
	netlogon        Disk      
	Demo            Disk      
	IPC$            IPC       IPC Service (Samba 4.20.4-Debian-4.20.4+dfsg-1~bpo12+1)
SMB1 disabled -- no workgroup available

If this is the case, then this still relies on the 'guest user' setting in smb.conf.
By default, if the 'guest user' isn't in /etc/passwd on a standalone server then you would get this:

smbclient -NL localhost
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

No shares.

I thought it was common knowledge that for Samba to know authenticated users on a standalone server they must exist as local users in /etc/passwd and be created in Samba by running 'smbpasswd -a $USERNAME' as root. I also thought it was known that if you changed the guest user in smb.conf, the user used must be in /etc/passwd, indeed, in 'man smb.conf', under 'guest account (G)' there is this line:

This user must exist in the password file, but does not require a valid login.
Comment 6 Paul FM 2024-10-21 14:30:50 UTC
It is common knowledge - yes, the "guest user" must be in the local password (or exist as a Unix user).

The guest user (including the default "nobody"), never needed to be in the smbpasswd file or database before (which is not the /etc/passwd file).


On 2024-10-20 5:37 AM, samba-bugs@samba.org wrote:
> https://bugzilla.samba.org/show_bug.cgi?id=15736
> 
> --- Comment #5 from Rowland Penny <rpenny@samba.org> ---
> (In reply to Paul FM from comment #4)
> 
> I think you are talking about 'anonymous access' as used by smbclient:
> 
> smbclient -NL localhost
> Anonymous login successful
> 
>          Sharename       Type      Comment
>          ---------       ----      -------
>          sysvol          Disk
>          netlogon        Disk
>          Demo            Disk
>          IPC$            IPC       IPC Service (Samba
> 4.20.4-Debian-4.20.4+dfsg-1~bpo12+1)
> SMB1 disabled -- no workgroup available
> 
> If this is the case, then this still relies on the 'guest user' setting in
> smb.conf.
> by default, if the 'guest user' isn't in /etc/passwd on a standalone server
> then you would get this:
> 
> smbclient -NL localhost
> Anonymous login successful
> 
>          Sharename       Type      Comment
>          ---------       ----      -------
> SMB1 disabled -- no workgroup available
> 
> No shares.
> 
> I thought it was common knowledge that for Samba to know authenticated users on
> a standalone server they must exist as local users in /etc/passwd and be
> created in Samba by running 'smbpasswd -a $USERNAME' as root. I also thought it
> was known that if you changed the guest user in smb.conf, the user used must be
> in /etc/passwd, indeed, in 'man smb.conf', under 'guest account (G)' there is
> this line:
> 
> This user must exist in the password file, but does not require a valid login.
>
Comment 7 Björn Jacke 2024-10-21 14:40:50 UTC
Now even with useless fullquotes. Can you please move such a chatty discussion like this to the samba mailing list and not do that in a bugzilla?
Comment 8 Paul FM 2024-10-21 15:31:42 UTC
Yes, I forgot to remove the quoted text on my last reply (not enough coffee).

There should be more than enough information in this ticket to replicate the issue (and test the work-around).

I do not understand why there are repeated suggestions that I do not have the defined "guest account" in the /etc/passwd file, as I have clearly stated that in every single test, that user is always in the /etc/passwd file (both sys-smb-guest, and nobody are in the /etc/passwd in every test).  The documentation for "guest account" in the smb.conf man page, clearly states that the user must exist in the passwd file (and has for the entire 28 years that I have been working with samba, my first installation was on SunOS for Windows clients - mainly for printing).


And - I am also suggesting that if this is an accidental change (starting with 6.21.0), that you should consider making it a permanent change (just document it, and make the error messages clearer).   As it is a good thing to require every Unix user that samba becomes, to be defined in either AD information, or the local smbpasswd file (a double check to certain configuration errors).  However, someone should check the code involved (when there is time), to make sure there wasn't some other more serious bug introduced with this change.

Please leave this ticket public (if possible) as the ticket itself should have enough information to help anyone else running into this same issue.  I would consider this a very LOW priority issue, since there is a clear work-around.

Thanks.
Comment 9 Rowland Penny 2024-10-22 08:19:42 UTC
(In reply to Paul FM from comment #8)

I am closing this, there is nothing to fix, Samba has always required that the guest user be in the password file (which is typically /etc/passwd).
Comment 10 Ralph Böhme 2024-10-22 08:31:03 UTC
Please re-read carefully what the bugreporter wrote. :)