My security is domain. I would like users who fail authentication to be mapped to a guest account so they can access printers. My conf file looks like this:

[global]
    workgroup = LAB2000DOMAIN2
    security = DOMAIN
    client schannel = No
    map to guest = Bad Password
    password server = 10.86.32.27
    log level = 4 passdb:5 auth:10 winbind:4
    log file = /local/local1/errorlog/samba.log
    max log size = 50
    smb ports = 50139
    lpq cache time = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = cups
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    wins server = 10.86.32.27
    idmap uid = 70000-200000
    idmap gid = 70000-200000
    template homedir = /local/local1/
    template shell = /admin-shell
    winbind cache time = 10
    winbind use default domain = Yes
    printer admin = @cupsAdmin
    cups options = "raw"
    force printername = Yes

[print$]
    path = /state/samba/printers
    write list = @cupsAdmin
    force user = root
    force group = root
    guest ok = Yes

[printers]
    comment = All Printers
    path = /local/local1/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

I did see this release note. Does this mean there is no way to set up guest printing?

The following issues are known changes in behavior between Samba 2.2 and Samba 3.0 that may affect certain installations of Samba.

1) When operating as a member of a Windows domain, Samba 2.2 would map any users authenticated by the remote DC to the 'guest account' if a uid could not be obtained via the getpwnam() call. Samba 3.0 rejects the connection as NT_STATUS_LOGON_FAILURE. There is no current work around to re-establish the 2.2 behavior.
This works fine in 3.0.21b (and most likely earlier releases as well):

check_ntlm_password: Authentication for user [jerry] -> [jerry] FAILED with error NT_STATUS_WRONG_PASSWORD
attempting to free (and zero) a user_info structure
structure was created for jerry
Registered username jerry for guest access

Why even have domain mode authentication if you want to just allow guest access whenever possible? Why not just have a guest server that requires no authentication altogether?
(In reply to comment #1)
> This works fine in 3.0.21b (and most likely earlier
> releases as well):
>
> check_ntlm_password: Authentication for user [jerry] ->
> [jerry] FAILED with error NT_STATUS_WRONG_PASSWORD
> attempting to free (and zero) a user_info structure
> structure was created for jerry
> Registered username jerry for guest access
>
> Why even have domain mode authentication if you want to
> just allow guest access when ever possible. Why not just have
> a guest server that requires no authentication altogether?
>

We would like to provide authenticated printing to known users while providing guest printing to unknown users. Login and print management (Samba Printer Queues) would still require authentication, as they should.
Verified that 'map to guest' does work as expected in 3.0.20b.
This is a short explanation of the problem's root cause.

The smbd daemon has a socket communication with the winbindd daemon. smbd sends a request to winbindd for user user123 authentication. winbindd queries the AD database, fails to find the requested user user123 account, and sends a response back to smbd.

The debug message is logged:

winbindd[20042]: NTLM CRAP authentication for user [DOMAIN]\[user123] returned NT_STATUS_NO_SUCH_USER (PAM: 10)

nsswitch/winbindd_pam.c

enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
                                                 struct winbindd_cli_state *state)
.....
    DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
          ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
           name_domain,
           name_user,
           state->response.data.auth.nt_status_string,
           state->response.data.auth.pam_error));
.....

The response structure has been created and initialized at this point. The correct values have been assigned.

nsswitch/winbindd_nss.h

struct winbindd_response {

    /* Header information */

    uint32 length;                  /* Length of response */
    enum winbindd_result result;    /* Result code */

    /* Fixed length return data */

    union {
        ............
        struct auth_reply {
            uint32 nt_status;
            fstring nt_status_string;
            fstring error_string;
            int pam_error;
            char user_session_key[16];
            char first_8_lm_hash[8];
        } auth;
        .............
    } data;

    /* Variable length return data */

    void *extra_data;               /* getgrnam, getgrgid, getgrent */
};

The response structure is valid within the fork_domain_child() function, where the result of authentication is written to the opened socket:

static BOOL fork_domain_child(struct winbindd_child *child)
{
........
            /* We just send the result code back, the result
             * structure needs to be fetched via the
             * winbindd_cache. Hmm. That needs fixing... */

            if (write_data(state.sock,
                           (void *)&state.response.result,
                           sizeof(state.response.result)) !=
                sizeof(state.response.result)) {
                DEBUG(0, ("Could not write result\n"));
                exit(1);
            }

            state.read_buf_len = 0;
        }
    }
}

Please note winbindd writes the response.result structure member, while all other elements of the structure are ignored.

At the other end, smbd reads the socket:

nsswitch/wb_common.c

int read_reply(struct winbindd_response *response)

smbd doesn
Leon, this should already be fixed. And my tests seem to verify that. What version of Samba are you referring to in your code analysis?
(In reply to comment #5)
> Leon, this should already be fixed. And my tests seem to verify that.
> What version of Samba are you referring to in your code analysis?
>

Samba 3.0.20
Aarti, I was asking Leon. I know what version you are running. Thanks.
(In reply to comment #7)
> Aarti, I was asking Leon. I know what version you are running. Thanks.
>

Sorry, I should have clarified: Leon and I work together. Leon is also looking at 3.0.20.

I looked at the diff between 3.0.20 and 3.0.21b.

Looks like in 3.0.20 we check if the result is OK and only then do cache_store_response.

    if (state.response.result == WINBINDD_OK)
        cache_store_response(sys_getpid(),
                             &state.response);

In 3.0.21b we do cache_store_response without checking the result.

    SAFE_FREE(state.request.extra_data);
    cache_store_response(sys_getpid(), &state.response);

Is this the fix?
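The difference between the two snippets in the comment above can be modelled in a few lines of C. This is an added illustration, not Samba source and not code posted by anyone in this thread; every name in it is hypothetical, and the generic logon failure reported when no cache entry exists is an assumption.

```c
/* Added illustration: simplified model, not Samba source; names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
enum wb_result { WB_ERROR, WB_OK };
enum guest_mode { NEVER, BAD_USER, BAD_PASSWORD };
#define ST_OK             0x00000000u
#define ST_NO_SUCH_USER   0xC0000064u
#define ST_WRONG_PASSWORD 0xC000006Au
#define ST_LOGON_FAILURE  0xC000006Du
struct response { enum wb_result result; uint32_t nt_status; };
static struct response cache_slot;   /* stands in for the winbindd cache */
static int cache_valid;

/* Child: caches the full response (or not), returns only the result code. */
static enum wb_result child_auth(uint32_t dc_status, int store_only_on_ok)
{
    struct response r = { dc_status == ST_OK ? WB_OK : WB_ERROR, dc_status };
    cache_valid = 0;
    if (!store_only_on_ok || r.result == WB_OK) { cache_slot = r; cache_valid = 1; }
    return r.result;
}

/* Parent: NT status comes from the cache; assumption: no entry means a generic failure. */
static uint32_t parent_status(enum wb_result result)
{
    if (cache_valid) return cache_slot.nt_status;
    return result == WB_OK ? ST_OK : ST_LOGON_FAILURE;
}

/* 'map to guest' decision, keyed on the exact failure status. */
static int maps_to_guest(enum guest_mode mode, uint32_t status)
{
    if (status == ST_NO_SUCH_USER) return mode == BAD_USER || mode == BAD_PASSWORD;
    if (status == ST_WRONG_PASSWORD) return mode == BAD_PASSWORD;
    return 0;
}

/* Returns 1 if a logon that failed with dc_status ends up mapped to guest. */
int guest_after_failure(enum guest_mode mode, uint32_t dc_status, int store_only_on_ok)
{
    return maps_to_guest(mode, parent_status(child_auth(dc_status, store_only_on_ok)));
}

int main(void)
{
    printf("store only on OK: %d\n", guest_after_failure(BAD_PASSWORD, ST_NO_SUCH_USER, 1));
    printf("always store:     %d\n", guest_after_failure(BAD_PASSWORD, ST_NO_SUCH_USER, 0));
    return 0;
}
```

In the model, storing the response only on success hides the specific failure status from the parent, so no guest mapping can be chosen; storing it unconditionally lets the status through.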
(In reply to comment #7)
> Aarti, I was asking Leon. I know what version you are running. Thanks.
>

Hi Jerry,

Which version of Samba has all the fixes related to this problem, Samba 3.0.20b or 3.0.21b?
The fix is in 3.0.21b and following. Can you retry with 3.0.22? Thanks, Volker
closing