Bug 3436 - guest account and map to guest seem to be ignored
Summary: guest account and map to guest seem to be ignored
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.20
Hardware: Other Windows 2000
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
 
Reported: 2006-01-23 10:59 UTC by Aarti Varshney
Modified: 2020-12-15 15:19 UTC
Description Aarti Varshney 2006-01-23 10:59:36 UTC
My security is domain. I would like users who fail authentication to be mapped to a guest account so they can access printers.

My conf file looks like this:
[global]
        workgroup = LAB2000DOMAIN2
        security = DOMAIN
        client schannel = No
        map to guest = Bad Password
        password server = 10.86.32.27
        log level = 4 passdb:5 auth:10 winbind:4
        log file = /local/local1/errorlog/samba.log
        max log size = 50
        smb ports = 50139
        lpq cache time = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = cups
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        wins server = 10.86.32.27
        idmap uid = 70000-200000
        idmap gid = 70000-200000
        template homedir = /local/local1/
        template shell = /admin-shell
        winbind cache time = 10
        winbind use default domain = Yes
        printer admin = @cupsAdmin
        cups options = "raw"
        force printername = Yes

[print$]
        path = /state/samba/printers
        write list = @cupsAdmin
        force user = root
        force group = root
        guest ok = Yes

[printers]
        comment = All Printers
        path = /local/local1/spool/samba
        guest ok = Yes
        printable = Yes
        browseable = No

I did see this release note; does this mean there is no way to set up guest printing?

The following issues are known changes in behavior between Samba 2.2 and 
Samba 3.0 that may affect certain installations of Samba.
  1)  When operating as a member of a Windows domain, Samba 2.2 would 
      map any users authenticated by the remote DC to the 'guest account'
      if a uid could not be obtained via the getpwnam() call.  Samba 3.0
      rejects the connection as NT_STATUS_LOGON_FAILURE.  There is no 
      current work around to re-establish the 2.2 behavior.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2006-02-07 05:45:56 UTC
This works fine in 3.0.21b (and most likely earlier 
releases as well):

  check_ntlm_password:  Authentication for user [jerry] -> 
      [jerry] FAILED with error NT_STATUS_WRONG_PASSWORD
  attempting to free (and zero) a user_info structure
  structure was created for jerry
  Registered username jerry for guest access

Why even have domain mode authentication if you want to 
just allow guest access whenever possible?  Why not just have 
a guest server that requires no authentication altogether?


Comment 2 Aarti Varshney 2006-02-07 05:56:44 UTC
(In reply to comment #1)
> This works fine in 3.0.21b (and most likely earlier 
> releases as well):
> 
>   check_ntlm_password:  Authentication for user [jerry] -> 
>       [jerry] FAILED with error NT_STATUS_WRONG_PASSWORD
>   attempting to free (and zero) a user_info structure
>   structure was created for jerry
>   Registered username jerry for guest access
> 
> Why even have domain mode authentication if you want to 
> just allow guest access whenever possible?  Why not just have 
> a guest server that requires no authentication altogether?
> 

We would like to provide authenticated printing to known users while providing guest printing to unknown users. Login and print management (Samba Printer Queues) would still require authentication as they should.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2006-02-07 06:20:24 UTC
verified that 'map to guest' does work as expected in 3.0.20b
Comment 4 Leon Vernikov 2006-02-17 12:51:30 UTC
This is a short explanation of the problem's root cause.

The smbd daemon communicates with the winbindd daemon over a socket.
smbd sends a request to winbindd to authenticate user user123.
winbindd queries the AD database, fails to find the requested user123 account,
and sends a response back to smbd.

The following debug message is logged:
winbindd[20042]: NTLM CRAP authentication for user [DOMAIN]\[user123] returned NT_STATUS_NO_SUCH_USER (PAM: 10)
nsswitch/winbindd_pam.c

enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
                                            struct winbindd_cli_state *state)
.....
        DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
              ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
               name_domain,
               name_user,
               state->response.data.auth.nt_status_string,
               state->response.data.auth.pam_error));
.....

The response structure has been created and initialized at this point.
The correct values have been assigned.

nsswitch/winbindd_nss.h
struct winbindd_response {

        /* Header information */

        uint32 length;                        /* Length of response */
        enum winbindd_result result;          /* Result code */

        /* Fixed length return data */

        union {
............
                struct auth_reply {
                        uint32 nt_status;
                        fstring nt_status_string;
                        fstring error_string;
                        int pam_error;
                        char user_session_key[16];
                        char first_8_lm_hash[8];
                } auth;
.............
        } data;

        /* Variable length return data */

        void *extra_data;               /* getgrnam, getgrgid, getgrent */
};



The response structure is valid within the fork_domain_child() function, 
where the result of authentication is written to the opened socket:

static BOOL fork_domain_child(struct winbindd_child *child)
{
........
                        /* We just send the result code back, the result
                         * structure needs to be fetched via the
                         * winbindd_cache. Hmm. That needs fixing... */
                        if (write_data(state.sock,
                                       (void *)&state.response.result,
                                       sizeof(state.response.result)) !=
                            sizeof(state.response.result)) {
                                DEBUG(0, ("Could not write result\n"));
                                exit(1);
                        }
                        state.read_buf_len = 0;
                }
        }
}

Please note that winbindd writes only the response.result structure member, 
while all other elements of the structure are ignored.

At the other end, smbd reads the socket:
nsswitch/wb_common.c
int read_reply(struct winbindd_response *response)

smbd doesn
Comment 5 Gerald (Jerry) Carter (dead mail address) 2006-02-17 13:13:30 UTC
Leon, this should already be fixed.  And my tests seem to verify that.
What version of Samba are you referring to in your code analysis?
Comment 6 Aarti Varshney 2006-02-17 13:48:42 UTC
(In reply to comment #5)
> Leon, this should already be fixed.  And my tests seem to verify that.
> What version of Samba are you referring to in your code analysis?
> 

Samba 3.0.20
Comment 7 Gerald (Jerry) Carter (dead mail address) 2006-02-17 13:55:36 UTC
Aarti,  I was asking Leon.  I know what version you are running.  Thanks.
Comment 8 Aarti Varshney 2006-02-17 14:02:22 UTC
(In reply to comment #7)
> Aarti,  I was asking Leon.  I know what version you are running.  Thanks.
> 

Sorry, I should have clarified: Leon and I work together.
Leon is also looking at 3.0.20.

I looked at the diff between 3.0.20 and 3.0.21b.
Looks like in 3.0.20 we check if the result is OK and only then do cache_store_response.
			if (state.response.result == WINBINDD_OK)
				cache_store_response(sys_getpid(),
						     &state.response);

In 3.0.21b we do cache_store_response without checking the result.
		SAFE_FREE(state.request.extra_data);

		cache_store_response(sys_getpid(), &state.response);

Is this the fix?
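The child-to-parent path that comments 4 and 8 describe, as an added model for illustration rather than Samba's own code: the child only sends response.result over the socket, and in 3.0.20 only stored the full response in the cache on success, so a failed logon's nt_status never reached smbd and "map to guest = Bad Password" had nothing to act on. The cache helpers, pid slots, only_store_on_ok flag and the guest-mapping rule are assumptions.

```c
/* Added model of the path in comments 4 and 8, not Samba code: the child
 * writes only response.result to the socket, so nt_status must reach the
 * parent through the response cache.  Every helper here is constructed. */
#include <stdint.h>

enum winbindd_result { WINBINDD_OK = 0, WINBINDD_ERROR = 1 };
#define NT_STATUS_OK             0x00000000u
#define NT_STATUS_NO_SUCH_USER   0xC0000064u   /* values from MS-ERREF */
#define NT_STATUS_WRONG_PASSWORD 0xC000006Au
#define STATUS_LOST              0xFFFFFFFFu   /* sentinel: nothing cached */

struct winbindd_response {
    enum winbindd_result result;   /* the only field sent over the socket */
    uint32_t nt_status;            /* what "map to guest" needs to decide */
};

/* Stand-in for winbindd_cache: one slot per child pid, consumed on read. */
static struct winbindd_response cache[16];
static int cache_valid[16];
static void cache_store_response(int pid, const struct winbindd_response *r)
{ cache[pid % 16] = *r; cache_valid[pid % 16] = 1; }
static int cache_retrieve_response(int pid, struct winbindd_response *r)
{
    if (!cache_valid[pid % 16]) return 0;
    *r = cache[pid % 16]; cache_valid[pid % 16] = 0; return 1;
}

/* Child side.  only_store_on_ok=1 models 3.0.20 (store only on WINBINDD_OK),
 * 0 models 3.0.21b (store unconditionally).  Returns what write_data() sends. */
static enum winbindd_result child_auth(int pid, uint32_t nt_status, int only_store_on_ok)
{
    struct winbindd_response resp = { WINBINDD_ERROR, nt_status };
    if (nt_status == NT_STATUS_OK) resp.result = WINBINDD_OK;
    if (!only_store_on_ok || resp.result == WINBINDD_OK)
        cache_store_response(pid, &resp);
    return resp.result;
}

/* Parent side: the nt_status smbd ends up acting on, or STATUS_LOST. */
static uint32_t status_seen_by_smbd(int pid, uint32_t nt_status, int only_store_on_ok)
{
    struct winbindd_response resp;
    (void)child_auth(pid, nt_status, only_store_on_ok);
    return cache_retrieve_response(pid, &resp) ? resp.nt_status : STATUS_LOST;
}

/* "map to guest = Bad Password" can only fire when the real status survives
 * (assumed here to cover both a wrong password and an unknown user). */
static int maps_to_guest(uint32_t seen)
{ return seen == NT_STATUS_WRONG_PASSWORD || seen == NT_STATUS_NO_SUCH_USER; }
```

With only_store_on_ok set, every failed logon collapses to STATUS_LOST on the smbd side, which is exactly the state in which the guest mapping cannot trigger.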
Comment 9 Aarti Varshney 2006-02-20 10:22:36 UTC
(In reply to comment #7)
> Aarti,  I was asking Leon.  I know what version you are running.  Thanks.
> 

Hi Jerry,

Which version of samba has all the fixes related to this problem, Samba 3.0.20b or 3.0.21b?
Comment 10 Volker Lendecke 2006-04-11 11:07:30 UTC
The fix is in 3.0.21b and following. Can you retry with 3.0.22?

Thanks,

Volker
Comment 11 Gerald (Jerry) Carter (dead mail address) 2006-07-05 13:20:22 UTC
closing