Bug 9746 - guest ok + force user + force group doesn't work
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Config Files
Version: 3.6.13
Hardware: x86 Linux
Importance: P5 regression
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Duplicates: 9859
Reported: 2013-03-27 21:56 UTC by taomail
Modified: 2013-05-09 18:06 UTC

Attachments
smb.conf security=share version (364 bytes, application/octet-stream)
2013-03-27 21:56 UTC, taomail
Zipped log files and smb.conf (208.79 KB, application/zip)
2013-04-03 19:06 UTC, taomail
git-am fix for 3.6.next (1.21 KB, patch)
2013-04-03 19:42 UTC, Jeremy Allison
git-am fix for master and 4.0.next (1.60 KB, patch)
2013-04-03 20:42 UTC, Jeremy Allison
proposed, but untested patch to fix this in a different way (2.72 KB, patch)
2013-04-03 22:53 UTC, Andrew Bartlett
jra: review+

Description taomail 2013-03-27 21:56:44 UTC
Created attachment 8692 [details]
smb.conf security=share version

As explained in this thread https://bbs.archlinux.org/viewtopic.php?id=160161 since the new version 3.6.13, the smb.conf directives

force user
force group

no longer work, i.e. it is not possible anymore to have a share point, open it (logging in) as a guest (e.g. nobody) without a password and then make some file operations inside it as a specific user/group.
This happens in both share and user security mode and, in both cases, the same smb.conf file works fine with the previous version (3.6.12).

Attached is the smb.conf (security=share version)
Comment 1 Volker Lendecke 2013-03-28 13:19:14 UTC
The only change that I see that might affect this bug is the fix that went in with https://bugzilla.samba.org/show_bug.cgi?id=9039. Can you try reverting the patch in there and see if it helps?
Comment 2 taomail 2013-03-28 14:27:44 UTC
(In reply to comment #1)
> The only change that I see that might affect this bug is the fix that went in
> with https://bugzilla.samba.org/show_bug.cgi?id=9039. Can you try reverting the
> patch in there and see if it helps?

I'm just a user, not a developer. I don't know how to compile the software, I just installed the package provided by the Arch package system. If you give me instructions on how to revert the patch and compile again, I can give it a try.
Anyway, if you need some log information, I can provide you the log files (doing the same things from Windows) of both versions 3.6.12 and 3.6.13.
Please let me know.
Comment 3 Valery 2013-04-01 22:27:26 UTC
Hi!

I've got the same problem with 3.6.13 on my freebsd-8.2R-amd64.

I downgraded to 3.6.12 and samba works just fine again.
Comment 4 Karolin Seeger 2013-04-02 19:21:37 UTC
Jeremy, can you have a look at this one (or re-assign), please?
Thanks!
Comment 5 Jeremy Allison 2013-04-02 19:45:01 UTC
Can't reproduce this on my v3-6-test setup.

I'm using an smb.conf of:

[global]
   workgroup = WORKGROUP
   security = share
   log file = /usr/local/samba3.6/var/log.%m
   max log size = 0
   panic action = /bin/sleep 999999
   map hidden = no
   map system = no
   map archive = no
   map readonly = no
   store dos attributes = yes
   ea support = yes

[tmp]
        path = /tmp
        read only = no
        force user = gdm
        force group = gdm
        guest ok = yes

I connected from a Windows 2012 client as a normal user, and files get created correctly with owner gdm, group gdm.

I need a debug level 10 log from the user's machine showing the problem.
Comment 6 taomail 2013-04-03 19:06:44 UTC
Created attachment 8720 [details]
Zipped log files and smb.conf
Comment 7 taomail 2013-04-03 19:08:04 UTC
Arch linux server
Windows 7 client

Same smb.conf (attached)
Windows 7 user: Francesco with no password

Brief test explanation:


Using Samba 3.6.13
Accessing test_home...access denied
Log file: smb3613_test_home-accessdenied.log

Accessing test_tmp...ok
Creating new file...file created as nobody (not as francesco)
Log file: smb3613_test_tmp-accessok-fileasnobody.log

Using Samba 3.6.12
Accessing test_home...access ok
Log file: smb3612_test_home-ok.log

Accessing test_tmp...ok
Creating new file...file created as francesco (ok)
Log file: smb3612_test_tmp-accessok-fileasfrancesco.log
Comment 8 Jeremy Allison 2013-04-03 19:13:38 UTC
There is no user francesco in the Samba password database.

From your access denied log:

  check_ntlm_password: sam authentication for user [francesco] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/04/03 19:58:29.169240,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [francesco] -> [francesco] FAILED with error NT_STATUS_NO_SUCH_USER
Comment 9 Jeremy Allison 2013-04-03 19:14:10 UTC
Try adding a user francesco using smbpasswd -a francesco
Comment 10 taomail 2013-04-03 19:26:14 UTC
Why do I have to add francesco as a samba user while I'm in security=share mode accessing through guest mode (guest ok)?
Why did it work fine until version 3.6.12?
The issue still remains about the force user which is not applied.

Please, check the other logs (from 3.6.12) for comparison.
Comment 11 Jeremy Allison 2013-04-03 19:42:48 UTC
Created attachment 8721 [details]
git-am fix for 3.6.next

Ok, now I understand what you're actually trying to do, I've reproduced it and this patch fixes it.

The issue is that if you login as "guest", the guest boolean flag gets attached to your user token. When you're connecting to a share with 'force user' this flag overrides the creation of the token for the specific share with force user set, ensuring you only ever have guest access.

We should only set the guest flag under a 'force user' share if the username being mapped to is the same as the guest user.

I'll attach a similar patch for master/4.0.x shortly.

Jeremy.
Comment 12 Jeremy Allison 2013-04-03 20:42:18 UTC
Created attachment 8722 [details]
git-am fix for master and 4.0.next
Comment 13 Jeremy Allison 2013-04-03 22:32:16 UTC
Comment on attachment 8722 [details]
git-am fix for master and 4.0.next

Fix not needed on 4.0.x/master. 'guest' bit isn't used to create the token inside make_session_info_from_username() call.
Comment 14 Andrew Bartlett 2013-04-03 22:53:57 UTC
Created attachment 8723 [details]
proposed, but untested patch to fix this in a different way

This is how I would like to see this fixed, assuming it works.
Comment 15 Jeremy Allison 2013-04-03 23:04:15 UTC
Just to capture the IRC discussion Andrew and I have been having - the issue is that changing the 'is_guest' flag changes what SID is added to the user's token in finalize_local_nt_token(). If is_guest is true then global_sid_Builtin_Guests is added, if is_guest is false then global_sid_Authenticated_Users is added.

So separating out the use_guest_token from is_guest allows the correct SID to be used.

Jeremy.
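
A simplified model of the flag handling described in comments 11 and 15, added here as an illustration; it is not Samba's code and not either attached patch. The enum, struct and function names are hypothetical, the user names are taken from the configs in this thread, and only the two SID strings are the standard well-known values for Builtin Guests and Authenticated Users.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Well-known SIDs for the two groups named in comment 15. */
#define SID_BUILTIN_GUESTS      "S-1-5-32-546"
#define SID_AUTHENTICATED_USERS "S-1-5-11"

enum variant { REGRESSION_3_6_13, FIRST_PATCH, SPLIT_FLAGS };

struct share_token {       /* hypothetical, simplified */
    const char *unix_user; /* account that file operations run as */
    const char *class_sid; /* group SID selected by is_guest */
};

/* Model of building the per-share token; force_user is NULL when the
 * share has no 'force user'. All names here are illustrative. */
struct share_token make_share_token(enum variant v, const char *session_user,
        bool session_is_guest, const char *guest_account, const char *force_user)
{
    bool is_guest = session_is_guest;        /* selects the group SID */
    bool use_guest_token = session_is_guest; /* selects whose token is built */

    if (force_user != NULL && session_is_guest) {
        bool maps_to_guest = strcmp(force_user, guest_account) == 0;
        if (v == FIRST_PATCH)      /* comment 11: keep the guest flag only */
            is_guest = use_guest_token = maps_to_guest; /* if mapped to guest */
        else if (v == SPLIT_FLAGS) /* comment 15: forced user's token, */
            use_guest_token = false;                    /* is_guest kept */
        /* REGRESSION_3_6_13: the guest flag still overrides 'force user' */
    }
    struct share_token t;
    t.unix_user = use_guest_token ? guest_account
                                  : (force_user ? force_user : session_user);
    t.class_sid = is_guest ? SID_BUILTIN_GUESTS : SID_AUTHENTICATED_USERS;
    return t;
}

int main(void)
{
    /* Constructed case: guest session "nobody", share with force user = gdm */
    const char *names[] = { "3.6.13", "first patch", "split flags" };
    for (int v = REGRESSION_3_6_13; v <= SPLIT_FLAGS; v++) {
        struct share_token t = make_share_token((enum variant)v, "nobody",
                                                true, "nobody", "gdm");
        printf("%-12s user=%s sid=%s\n", names[v], t.unix_user, t.class_sid);
    }
    return 0;
}
```

In this model only the split-flag variant gives a guest session the forced user's identity while still marking the token with the Builtin Guests SID.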
Comment 16 Jeremy Allison 2013-04-03 23:14:37 UTC
(In reply to comment #14)
> Created attachment 8723 [details]
> proposed, but untested patch to fix this in a different way
> 
> This is how I would like to see this fixed, assuming it works.

I just tested Andrew's fix and it also fixes the problem.
Comment 17 Jeremy Allison 2013-04-03 23:15:51 UTC
Comment on attachment 8721 [details]
git-am fix for 3.6.next

Marking as obsolete - Andrew's fix is preferred here.

Jeremy.
Comment 18 Andrew Bartlett 2013-04-03 23:28:26 UTC
Comment on attachment 8723 [details]
proposed, but untested patch to fix this in a different way

Jeremy is testing this patch.
Comment 19 Jeremy Allison 2013-04-03 23:43:06 UTC
Comment on attachment 8723 [details]
proposed, but untested patch to fix this in a different way

Tested this fix on both the reported problem, and on the reproducer for bug #9637 - Renaming directories as guest user in security share mode doesn't work.

Jeremy.
Comment 20 Jeremy Allison 2013-04-03 23:43:34 UTC
Re-assigning to Karolin for inclusion in 3.6.next.

Cheers,

Jeremy.
Comment 21 taomail 2013-04-04 09:41:00 UTC
for the record:

I had the same problem (works with 3.6.12 but not with 3.6.13) using

[global]
security = user
map to guest = Bad User
username map = /etc/samba/smbusers

instead of security=share
(with no users configured in smbusers)

maybe the patch also covers this case...?
Comment 22 Jeremy Allison 2013-04-04 19:49:33 UTC
Yes, the patch will cover all cases where a user is logged in as guest accessing a 'force user' share.

Jeremy.
Comment 23 Karolin Seeger 2013-04-30 06:51:53 UTC
Pushed to v3-6-test.
Will be included in 3.6.15.
Closing out bug report.

Thanks!
Comment 24 Arkadiusz Miskiewicz 2013-05-09 18:06:22 UTC
*** Bug 9859 has been marked as a duplicate of this bug. ***