Bug 2691 - Guest access with Kerberos does not work
Summary: Guest access with Kerberos does not work
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services (show other bugs)
Version: 3.0.20
Hardware: All Linux
: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-09 05:04 UTC by Markus Moeller
Modified: 2006-04-08 07:43 UTC (History)
0 users

See Also:


Attachments
Patch to allow guest access when kerberos keytab is enabled (910 bytes, patch)
2005-05-09 05:06 UTC, Markus Moeller
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Markus Moeller 2005-05-09 05:04:34 UTC
If the server is setup with

  security = ADS
  password server = *
  use kerberos keytab = yes
  encrypt passwords = yes
  client ntlmv2 auth = no
  lanman auth = no
  ntlm auth = no
  map to guest = Bad User

guest access is not working. The below patch should make it work.

Regards
Markus



*** sesssetup.c 2005-05-09 10:35:08.000000000 +0100
--- sesssetup_new.c     2005-05-09 10:34:51.000000000 +0100
***************
*** 253,258 ****
--- 253,259 ----
        pw = smb_getpwnam( user, real_username, True );

        if (!pw) {
+               if (!NT_STATUS_IS_OK(ret =
do_map_to_guest(NT_STATUS_NO_SUCH_USER, &server_info, user, domain))) {
                        DEBUG(1,("Username %s is invalid on this system\n",user));
                        SAFE_FREE(user);
                        SAFE_FREE(client);
***************
*** 260,265 ****
--- 261,267 ----
                        data_blob_free(&session_key);
                        return ERROR_NT(NT_STATUS_LOGON_FAILURE);
                }
+        } else {

                /* setup the string used by %U */

***************
*** 275,280 ****
--- 277,283 ----
                        data_blob_free(&session_key);
                        return ERROR_NT(ret);
                }
+       }

          /* make_server_info_pw does not set the domain. Without this we end up
         * with the local netbios name in substitutions for %D. */
Comment 1 Markus Moeller 2005-05-09 05:06:46 UTC
Created attachment 1209 [details]
Patch to allow guest access when kerberos keytab is enabled
Comment 2 Gerald (Jerry) Carter (dead mail address) 2006-04-08 07:42:05 UTC
I think what you really want is the 2.2 compatioble behavior 
provided by 'map to guest = bad uid'.  'Bad user' implies that the 
authentication failed.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2006-04-08 07:43:44 UTC
Cleaning up versions.  There was no 3.0.15 so leaving it in bugzilla 
is causing some confusion.  Moving these nuder 3.0.20.
Originally files against 3.0.15preX.