I have a Linux PC that is using Samba client to log into a Windows domain and I want to be able to set it up so that the NetWkstaUserEnum NetAPI request can be sent to it from a server in the domain to query the user who is logged in. To that end I have also now installed Samba Server on the Linux PC because it seems that is required to get any response at all the these NetAPI requests. To test it I am sending both the NetWkstaGetInfo and NetWkstaUserEnum requests from the domain administrator account logged into a Windows server 2003 machine. I'm using the code examples at http://msdn.microsoft.com/en-us/library/aa370654(VS.85).aspx and http://msdn.microsoft.com/en-us/library/aa370669(VS.85).aspx compiled into simple test utilities. NetWkstaGetInfo has 3 levels (100, 101 and 102) and I am getting back a valid response when I send it with level 100: >netApiTst.exe 192.168.169.91 0 Sending NetWkstaGetInfo with level 100 to 192.168.169.91 Platform: 500 Name: IAN-LINUX Version: 4.9 Domain: SD80 However, with levels 101 or 102 Samba returns error 124 (invalid level) and to a NetWkstaUserEnum request it returns error 1745 (RPC_S_PROCNUM_OUT_OF_RANGE): >netApiTst.exe 192.168.169.91 1 Sending NetWkstaGetInfo with level 101 to 192.168.169.91 A system error has occurred: 124 (ERROR_INVALID_LEVEL) >netApiTst2.exe 192.168.169.91 Users currently logged on 192.168.169.91: A system error has occurred: 1745 (RPC_S_PROCNUM_OUT_OF_RANGE) Total of 0 entries enumerated I have samba logging turned on with log level set to 3, and it logs successfully authenticating the domain administrator and receiving the NetWksta... command in both cases (I will attach the log). On authenticating the user I do see "get_privileges: No privileges assigned to SID" logged if that may be a clue. This is with Samba 3.2.11 in Fedora Linux 10.
Created attachment 4486 [details] samba config file. Attached my samba smb.conf file from the Linux machine.
Created attachment 4487 [details] Samba log file for a NetWkstaUserEnum request Attached the Samba log file from receiving a NetWkstaUserEnum request.
Created attachment 4488 [details] Samba log file for a NetWkstaGetInfo request with level 100 (succeeded) Attached the Samba log file for a successful NetWkstaGetInfo request with level 100.
Created attachment 4489 [details] Samba log file for a NetWkstaGetInfo request with level 101 (failed) Attached the Samba log file for a NetWkstaGetInfo request with level 101 that failed with error "invalid level".
Created attachment 4490 [details] Packet trace of a failed NetWkstaGetInfo request Attached a WireShark packet trace of a NetWkstaGetInfo request with level 101 sent from the domain server (192.168.168.3) to Samba on the linux machine (192.168.169.91). The NetWkstaGetInfo request is in packet #53, and the response from Samba with error WERR_UNKNOWN_LEVEL in packet #54.
Created attachment 4492 [details] Packet trace of a failed NetWkstaUserEnum request Attached a WireShark packet trace of a NetWkstaUserEnum request sent from the domain server (192.168.168.3) to Samba on the linux machine (192.168.169.91). The NetWkstaEnumUsers request is in packet #37, and the response from Samba is a DCERPC "Fault" message with status nca_op_rng_error in packet #38.
Can you please upload those utilities, so that we can run them against Windows? Thanks, Volker
Created attachment 4496 [details] Test utilities to send the NetAPI commands from a Windows PC I've attached a zip file containing the two test utilities to send the NetAPI commands from a Windows PC. To use them: For NetWkstaGetInfo: netApiTst.exe <ip-addr> <level> (level is 0, 1 or 2) For NetWkstaUserEnum: netApiTst2.exe <ip-addr> The .exes and sources are both included - the latter are the Microsoft code samples with some code added so they can be compiled using gcc.
Thanks, got it. I see the failure now, those tools query things we don't support yet. You want it to return the same information you get if you issue the "w" command on the command line? Volker
Created attachment 4502 [details] patch Attached find an unfinished patch against master. It needs access checks, only authenticated users should be able to do that. But apart from that, I think it might do what you want. What do you think? Volker
Thanks Volker. That looks like it should give what is needed for NetWkStaUserEnum with level 0. Just one possible thing I can see with it is that Windows returns the user list in chronological order of login time with the most recent login last, so you should probably order it that way to be compatible, if that is not the ordering returned by get_logged_on_userlist() (and if you have the login times or session times available). However, what we really need is for Samba to implement NetWkStaUserEnum with level 1 which includes the name of the Windows domain that the user is logged into or the NetBIOS PC name for users who have not logged into the domain. Apologies for not saying that - when I built the Microsoft sample code I hadn't noticed that it only does level 0 for NetWkStaUserEnum. Where NetWkStaUserEnum with level 0 returns just the user name, with level 1 it needs to return these 4 values for each user: - the user name. - the logon domain (the domain that the user is currently logged into). For Samba, where a user has logged onto the Windows domain (see below) I guess that this would be the workgroup value from smb.conf, or maybe the first component of the realm. For a user who has not logged onto the Windows domain this should be the name of the PC which would be the netbios name from smb.conf. - a list of other domains browsed by the user. Samba can probably return this empty, maybe as a "to do in future" if anyone ever wants it (I don't care about it). - the logon server that authenticated the user. For a user who has logged onto the Windows domain this would be the first component of the "password server" in smb.conf. For a user who has not logged onto the Windows domain it should be the name of the PC itself, i.e. the netbios name from smb.conf. As I understand authentication in a Windows domain, it uses Kerberos and that authenticates a user once and then issues them a ticket that gives them access to resources on the network, and Windows then considers the user to be "logged into the domain". smbclient asks for a user's domain password each time it is run, so does smb server have the information available to know whether a user has gone through the domain authentication? Ideally, once a user has entered their domain password via smbclient or anything else and had it authenticated by the password server, then from then on NetWkstaUserEnum level 1 should return domain rather than PC information for the user.
Created attachment 4503 [details] Updated test utilities to send the NetAPI commands from a Windows PC I've attached an updated version of the test utilities. netApiTst2.exe has an additional argument allowing it to run NetWkStaUserEnum with level 0 or 1.
Here is sample output from running NetWkstaUserEnum with level 1. The PC name is IAN-TESTPC, the domain is sd80.com and the domain server is IANSERVER.sd80.com. In this case I logged into the PC as user ian (in the list as "IAN-TESTPC\ian") logged out and then logged into the domain as the adminstrator ("SD80\Administrator" at the end of the list): >netApiTst2.exe 192.168.169.9 1 Users currently logged on 192.168.169.9: -- SD80\IAN-TESTPC$ (by ) -- SD80\Administrator (by IANSERVER) -- SD80\Administrator (by IANSERVER) -- IAN-TESTPC\ian (by IAN-TESTPC) -- IAN-TESTPC\McAfeeMVSUser (by IAN-TESTPC) -- IAN-TESTPC\McAfeeMVSUser (by IAN-TESTPC) -- SD80\Administrator (by IANSERVER) Total of 7 entries enumerated Note that the list returned by Windows includes old logins and logins by windows services (IAN-TESTPC\McAfeeMVSUser above). That generally causes headaches in using this command since it is typically just used to find out who is currently logged into the PC, so I would not suggest that Samba try to emulate that. However, the ability to differentiate a domain login (a user who has been authenticated by the domain server) from a simple login to the PC is important.
You seem to know how to program in C :-) I will try, but I can't promise anything. In the meantime, I think I've given you enough hints about how to do this. Another important function to look at would be list_sessions(). This lists all connected users. I'm not sure we store the authenticating server there yet, but that should be reasonably easy to add. So, if you feel like it, submit a patch :-) Thanks, Volker
Thanks for the patch Volker. I've now managed to compile with it and test it and it seems to be working OK in general. I had problems with autoconf and ended up making the changes to configure manually, but in doing it I do notice that your patch seems to be missing one thing - I think it needs to add a couple of lines to include/config.h.in for HAVE_GETUTXENT. Also the patch does not work for samba 3.2.4 which is the version that I have (in Fedora 10) because it uses talloc_array_length which is a macro that was added to talloc.h later. I will attach a patch to make that change later so that your patch can be used with samba 3.2 version.
With the patch I do get 4 instances of user Ian returned to NetWkstaUserEnum (and 4 users reported by NetWkstaGetInfo) although I am only logged in once - but the w command reports the same. It would be good if we could find a way to avoid that and only report the original login - I will investigate a way to do that. The utmpx structure that we get back from getutxent() contains the pid so maybe we can look up the parent of that process and don't include a user if the parent process is the same user. Also I notice the the utmpx structure contains a ut_tv value that we can use to order the users by login time as Windows does.
Created attachment 4524 [details] Updated patch Attached an updated version of Volker's patch. Changes are: 1. Adds code to avoid duplicate names getting returned for the same user. 2. Adds a missing call to endutent() that was causing requests to fail. 3. Ensures users are returned ordered by login time (they are actually getting returned by getutxent() in this order anyway but the documentation for it doesn't appear to specify that so its worth putting this in anyway). 4. Adds missing config.h.in changes into the patch. It does not yet add support for NetWkstaUserEnum level 1 (I'm about to start working on that).
Created attachment 4525 [details] Patch for Samba 3.2.x I've attached an additional patch to allow this to be used with Samba 3.2.x. This simply adds a talloc_array_size define (copied from the 3.4 version) into talloc.h.
Unfortunately this can't go in "as is" because of the dependence on Linux specific features like /proc/<pid>. These need removing or a portable way of doing this needs to be added, or the feature needs to be tested for in the configure script and an alternative used for systems that don't have /proc/<pid>. Jeremy.
Created attachment 4549 [details] Updated patch I've attached an updated patch. Based on a suggestion from Volker, since the NetWkstaUserEnum request simply returns a list of user names, putting in the same name twice is not really useful even if the user really is logged in twice. So now it takes a more simplistic approach, simply not putting duplicate user names into the list. This also addresses Jeremy's concern about portability since that Linux-specific code is now deleted. This also implements limited support for NetWkstaUserEnum level 1 - it returns the information for users who are logged in locally, but does not yet include domain user logins from the local machine (the hard bit!).
If I'm not wrong then the patch still contains the line + snprintf(path, sizeof(path), "/proc/%d", pid); We can't use this in a general Samba patch, as it is very Linux specific. Is there a way around this? Volker
Created attachment 4555 [details] Updated patch Sorry - I removed the call to that function (which I had added in the earlier patch) but forgot to delete the function itself. In this new patch it is now gone.
I've been trying to find a way to get the information needed for setting up a reply to the NetWkstaUserEnum level 1 request. What we need for this is a list of users on the local machine who are logged into the domain, and this is tricky because these are samba client users (using samba client to access hosts on the domain) but it is samba server that fields the NetWkstaUserEnum request. In comment #14 Volker suggested using list_sessions() - I tried that and I get a list of external users connected in to the server plus an entry with the domain administrator's name that I asume originates from the "net bind", but nothing for local client users who have been authenticated in the domain. I thought about possibly having smbclient send a message to smbd, if it is running, to register the session when the user is authenticated, and having the server create a session entry for that. So I tried adding experimental code in function cli_connect to send a message from the client to the server and that worked OK, but only if smbclient is run as root. If run as an unprivileged user the messaging_init() call fails with error ACCESS_DENIED. I could possibly have smbclient log the session info into a file that smbd can read, but that is not really very secure. Anyone got any ideas on a better way to get this "client sessions" information in the samba server?
Created attachment 4564 [details] Updated (and hopefully complete) patch I managed to come up with a way to get domain logins included in the list. Its not exactly slick, but it does work: In addition to local users, domain user sessions returned by list_sessions() are now included if they originate from the local machine. Currently, this means that a user can get themselves included in the list by using smbclient to open a session to a local share: smbclient \\\\localhost\share The password that the user enters is authenticated by the domain's password server so this equates to the user logging into the domain, and they will then be included in the NetWkstaUserEnum list as a domain user so long as they keep that smbclient session open. I've attached a new patch that does this, and with this users who do the above do get included in the list returned by NetWkstaUserEnum as domain logins.
Two comments: First, in Samba the if (len == 0) len = strlen(pwd_server); style if-statement is not used. We always do if (len == 0) { len = strlen(pwd_server); } because the first form is much harder to walk with a debugger. Same for the while loops etc. Second, the sorting you do, can't you do that with the standard C qsort routine? That is hopefully much faster with hundreds or thousands of users. Volker
Created attachment 4569 [details] Updated patch I've uploaded another rev of the patch to address Volker's comment on if statement coding style and changed to use qsort. This version also sorts the list of domain users which is something that I'd previously overlooked doing.
This looks a nice enhancement to me. What access control checks should we apply here ? Should we restrict this to non-guest logged on users ? Jeremy.
Yes, authenticated users looks right. Volker
I've changed the status to Fixed. Not knowing the Samba group procedures, does anything more need to be done now to get this change included in to future Samba releases?
If it's not checked in yet, it's no good idea to set it to fixed. We still need to add the access checks for authenticated users. Volker
Could you expand on what you mean by access checks for authenticated users please? Do you mean only allowing these NetAPI commands to come from authenticated users or only including information on authenticated users in the replies? If you mean the former, then according to the MS documentation Windows normally allows access for these as follows: NetWkstaGetInfo level 100: allowed from anyone including anonymous (aka guests I guess). NetWkstaGetInfo level 101: allowed from authenticated users. NetWkstaGetInfo level 102: allowed only from administrators. NetWkstaUserEnum: allowed only from administrators.
That is what needs implementing. Do you want to give it a try? For example the check for authenticated users would look like nt_token_check_sid(&global_sid_Authenticated_Users, p->server_info->ptok) and so on... Thanks, Volker
Created attachment 4906 [details] Updated patch with access checks Uploaded a new patch which adds access checks: NetWkstaGetInfo level 100 is allowed from anyone (no access checks). NetWkstaGetInfo level 101 is allowed from any logged in user (must have the sid of the Authenticated Users group). NetWkstaGetInfo level 102 is allowed from a domain admin (must have the sid of the Administrators group). NetWkstaEnumUsers with any level is allowed from a domain admin (must have the sid of the Administrators group). I believe that this change should now be ready to be committed.
Created attachment 4963 [details] Unified patch for Samba 3.2 and 3.3 versions It turns out that my patch, which I developed using Samba 3.2.15, fails with Samba 3.4. Therefore I'm about to work on a new one for the latter, but first I've attached a final unified patch for Samba 3.2 versions. Note this includes the previously separate patch for Samba 3.2.x. This patch also includes some changes to the code from Volker.
Created attachment 4967 [details] Patch for Samba 3.4 versions Attached a version of the patch that works for Samba 3.4 versions (tested with 3.4.2).
This looks really close. Just a question, have you tested with no "password server" line in your smb.conf, and I think the string calls might need looking at for I19N issues. If I grab this it'll be for 3.5.0, not 3.4.x though as it's too big a change for that branch. Cheers though - nice work ! Jeremy.
Created attachment 4989 [details] Patch for Samba 3.4 versions I had added handling for lp_passwordserver() returning NULL and with that I tested having no "password server" set in smb.conf. However, that code is in the latest patch that I submitted for Samba 3.2 but it seems that it got missed from the patch that I uploaded for Samba 3.4. I've attached a new patch for Samba 3.4 with that code included.
Created attachment 4997 [details] Patch for Samba 3.0 versions I wanted to test this on a machine running Centos 5.3 which turned out to have samba 3.0.33. So I ported the changes over, which required back-porting some additional changes from 3.2 to make NetWkstaEnumUsers work. For completeness, I've attached the patch to make this work in Samba 3.0 too.
Created attachment 5002 [details] Patch for latest Samba from git In regard to Jeremy's "I think the string calls might need looking at for I19N issues" in comment #36: The library string function calls that I've added all operate on the netbios name and password server name from smb.conf, remote machine names returned from list_sessions() and local or domain user names returned from getutxent(). I don't see any obvious i18n issues with any of these. Attached the new patch for the latest version from git.
Pushed to master and v3-5-test. Thanks a lot! I think because 3.5 will be released pretty soon, it's not too hard that we don't put it into 3.4, I hope that is okay. I've also added some tiny simplifications. Volker