Bug 9862 - Samba "map to guest = Bad uid" doesn't work
Summary: Samba "map to guest = Bad uid" doesn't work
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.1.0
Hardware: x86 Linux
Importance: P2 major
Target Milestone: 4.3
Assignee: Andreas Schneider
QA Contact: Samba QA Contact
Reported: 2013-05-07 05:39 UTC by Meena
Modified: 2017-07-16 21:31 UTC
CC: 4 users

Attachments
  patch for 4.3 (5.95 KB, patch), 2015-08-24 08:01 UTC, Andreas Schneider; flags: asn: review? (gd), metze: review+
  patch for 4.2 (5.97 KB, patch), 2015-08-24 08:02 UTC, Andreas Schneider; no flags
  patch for 4.1 (5.97 KB, patch), 2015-08-24 08:03 UTC, Andreas Schneider; no flags
  patch for 4.2 (5.95 KB, patch), 2015-08-24 13:38 UTC, Andreas Schneider; flags: metze: review+
  patch for 4.1 (5.95 KB, patch), 2015-08-24 13:38 UTC, Andreas Schneider; flags: metze: review-

Description Meena 2013-05-07 05:39:43 UTC
Hello,

We are upgrading samba package from 3.5.16 to 3.6.13 version.
security=ADS fails with the below error
"Failed to find authenticated user SAMBA\ldapuser1 via getpwnam(), denying access."

AD join is working on the command prompt but when we try to access the samba share we are getting an authentication error and hence are not able to access the file share.
We are not using winbind but we are getting winbind authentication error.

Please find the log snippet below,

[2013/05/04 17:20:32.638829,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user SAMBA\ldapuser1
[2013/05/04 17:20:32.639043,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is SAMBA\ldapuser1
[2013/05/04 17:20:32.639459,  5] lib/username.c:124(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is SAMBA\ldapuser1
[2013/05/04 17:20:32.639862,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is SAMBA\LDAPUSER1
[2013/05/04 17:20:32.640140,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in SAMBA\ldapuser1
[2013/05/04 17:20:32.640325,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [SAMBA\ldapuser1]!
[2013/05/04 17:20:32.640494,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user ldapuser1
[2013/05/04 17:20:32.640639,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is ldapuser1
[2013/05/04 17:20:32.640962,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is LDAPUSER1
[2013/05/04 17:20:32.641253,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in ldapuser1
[2013/05/04 17:20:32.641443,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [ldapuser1]!
[2013/05/04 17:20:32.641649,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user ldapuser1
[2013/05/04 17:20:32.641819,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is ldapuser1
[2013/05/04 17:20:32.642101,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is LDAPUSER1
[2013/05/04 17:20:32.642392,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in ldapuser1
[2013/05/04 17:20:32.642577,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [ldapuser1]!
[2013/05/04 17:20:32.642741,  3] auth/auth_util.c:1126(check_account)
  Failed to find authenticated user SAMBA\ldapuser1 via getpwnam(), denying access.
[2013/05/04 17:20:32.642996, 11] lib/events.c:445(s3_event_debug)
  s3_event: Added timed event \"\tevent_req_timedout\"\: 212e69d8
[2013/05/04 17:20:32.643188, 10] libsmb/smb_signing.c:278(smb_signing_sign_pdu)
  smb_signing_sign_pdu: sent SMB signature of
[2013/05/04 17:20:32.643339, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 00 00 00 00 00 00 00                            ........ 
[2013/05/04 17:20:32.643783, 11] lib/events.c:445(s3_event_debug)
  s3_event: Schedule immediate event \"\tevent_queue_immediate_trigger\"\: 212e57c8
[2013/05/04 17:20:32.644005, 11] lib/events.c:445(s3_event_debug)
  s3_event: Run immediate event \"\tevent_queue_immediate_trigger\"\: 212e57c8
[2013/05/04 17:20:32.644690, 11] lib/events.c:445(s3_event_debug)
  s3_event: Destroying timer event 212e69d8 \"\tevent_req_timedout\"\
[2013/05/04 17:20:32.644987, 10] libsmb/smb_signing.c:278(smb_signing_sign_pdu)
  smb_signing_sign_pdu: sent SMB signature of
[2013/05/04 17:20:32.645157, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 00 00 00 00 00 00 00                            ........ 
[2013/05/04 17:20:32.646021,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [ldapuser1] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/05/04 17:20:32.646418,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [ldapuser1] -> [ldapuser1] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/05/04 17:20:32.646711,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2013/05/04 17:20:32.646964,  5] lib/util.c:336(show_msg)
[2013/05/04 17:20:32.647083,  5] lib/util.c:346(show_msg)

The below conf file is being used for the same. Could you please let me know if any other conf options should be set for 3.6.x versions.

[global]
workgroup=SAMBA
server string=SMB Server
netbios name=SMB07464240
realm=SAMBA.LOCAL
log level=255
log file=pran.log.0.txt
max log size=10000
max smbd processes=100
security=ADS
password server=SAMBA.LOCAL
wins support=no
default devmode=no
client NTLMv2 auth=No
multicast dns register=yes
username map cache time=0
dns proxy=no
wins server=0.0.0.0, 0.0.0.0
name resolve order=lmhosts host wins bcast purev6
DeviceAuthTimeout=60
map to guest=bad uid
guest account=root
load printers=yes
printcap name=/etc/printcap
encrypt passwords=yes
deadtime=60
server signing=auto
client signing=auto
dos charset=CP932
SRAM Logging=no
hostAnnouncementSSL=1

In the older version of samba 3.5.16 we call passdb functions during authentication for domain access but for the 3.6.13 version it is trying to do winbind auth. Could you please let me know if I am missing some conf option in the smb.conf file.
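The log excerpt above carries the sequence a defender wants to recognise: the domain controller accepted the credentials, but check_account() could not resolve SAMBA\ldapuser1 to a Unix account through getpwnam(), so the auth layer reports NT_STATUS_NO_SUCH_USER and the client is sent NT_STATUS_LOGON_FAILURE. That chain distinguishes "authenticated user with no local account or winbind mapping" from a genuine bad password, which matters when deciding whether `map to guest = bad uid` should have fired. The Python below is added here as an illustration; it is not part of this report or of Samba. It parses debug records of the shape shown above and extracts those denials. The embedded sample is a trimmed copy of the lines quoted in the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A Samba debug record is a header line followed by indented message lines, e.g.
# [2013/05/04 17:20:32.642741,  3] auth/auth_util.c:1126(check_account)
#   Failed to find authenticated user SAMBA\ldapuser1 via getpwnam(), denying access.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
GETPWNAM_RE = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")
NT_STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")


@dataclass
class Record:
    ts: str
    level: int
    file: str
    func: str
    message: str = ""


def parse_samba_log(text: str) -> List[Record]:
    """Group each header line with the indented message lines that follow it."""
    records: List[Record] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append(Record(m["ts"], int(m["level"]), m["file"], m["func"]))
        elif records and line[:1].isspace():
            rec = records[-1]
            rec.message = (rec.message + " " + line.strip()).strip()
    return records


@dataclass
class UnmappedUserDenial:
    user: str                  # user as the DC authenticated it, e.g. SAMBA\ldapuser1
    ts: str
    nt_status: Optional[str]   # status the auth layer finally reported, if seen


def find_unmapped_user_denials(records: List[Record]) -> List[UnmappedUserDenial]:
    """Find users who authenticated but could not be resolved to a Unix account.

    The signature is a check_account() getpwnam() failure followed by
    check_ntlm_password() reporting an NT_STATUS for the same request.
    """
    denials: List[UnmappedUserDenial] = []
    for i, rec in enumerate(records):
        m = GETPWNAM_RE.search(rec.message)
        if not m:
            continue
        status = None
        for later in records[i + 1:]:
            if later.func == "check_ntlm_password":
                s = NT_STATUS_RE.search(later.message)
                if s:
                    status = s.group(1)
                    break
        denials.append(UnmappedUserDenial(m.group(1), rec.ts, status))
    return denials


# Trimmed copy of the debug lines quoted in the report above.
SAMPLE_LOG = r"""
[2013/05/04 17:20:32.640325,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [SAMBA\ldapuser1]!
[2013/05/04 17:20:32.642741,  3] auth/auth_util.c:1126(check_account)
  Failed to find authenticated user SAMBA\ldapuser1 via getpwnam(), denying access.
[2013/05/04 17:20:32.643339, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 00 00 00 00 00 00 00                            ........
[2013/05/04 17:20:32.646021,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [ldapuser1] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/05/04 17:20:32.646418,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [ldapuser1] -> [ldapuser1] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/05/04 17:20:32.646711,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2013/05/04 17:20:32.646964,  5] lib/util.c:336(show_msg)
"""

if __name__ == "__main__":
    for d in find_unmapped_user_denials(parse_samba_log(SAMPLE_LOG)):
        print(f"{d.ts}: {d.user} authenticated but has no Unix account ({d.nt_status})")
```

Run against a full `log level = 5` (or higher) smbd log, every hit is a user the domain vouched for whom the member server could not map to a uid; a burst of them after an upgrade points at a missing winbind / nss setup or a `map to guest = bad uid` that is not being honoured, not at password guessing.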
Comment 1 Meena 2013-05-24 06:33:44 UTC
Hello,

We are now able to migrate from 3.5.16 to 3.6.15 version successfully.
In order to fix the "Security=ADS" fileshare access issue we made the following changes:
1. Modified "samba-3.6.15/source3/libads/kerberos.c" with "allow_weak_crypto = true".
2. Modified "samba-3.6.15/source3/auth/auth_util.c" with the below code to validate the "map to guest = bad uid" option in the make_server_info_info3() function.
	nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
				  &found_username, &pwd,
				  &username_was_mapped);

	if (!NT_STATUS_IS_OK(nt_status)) {
		/* Start: added to fix ADS issue.
		 * The domain authenticated the user but no Unix account was
		 * found, so honour "map to guest = bad uid" and hand back the
		 * guest account instead of denying the session. */
		if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
			nt_status = make_server_info_guest(NULL, server_info);
			return nt_status;
		}
		/* End */
		return nt_status;
	}

3. Added "max protocol=SMB2" in the smb.conf file.

The second fix was taken from the samba 3.5.16 version which we are currently using.
Could you please let us know why this part of code to validate "map to guest=bad uid" was not present in 3.6.15 version and does it have any impact if we use the same?

Also please confirm if the fixes w.r.t "allow_weak_crypto" and "SMB2" protocol usage are OK? 

Please provide us your opinion on the same at the earliest.


(In reply to comment #0)
> Hello,
> We are upgrading samba package from 3.5.16 to 3.6.13 version.
> security=ADS fails with the below error
> "Failed to find authenticated user SAMBA\ldapuser1 via getpwnam(), denying
> access."
> AD join is working on the command prompt but when we try to access samba share
> we are getting authentication error and hence not able to access the file
> share.
> We are not using winbind but we are getting winbind authentication error.
> Please find the log snippet below,
> [2013/05/04 17:20:32.638829,  5] lib/username.c:171(Get_Pwnam_alloc)
>   Finding user SAMBA\ldapuser1
> [2013/05/04 17:20:32.639043,  5] lib/username.c:116(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as lowercase is SAMBA\ldapuser1
> [2013/05/04 17:20:32.639459,  5] lib/username.c:124(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as given is SAMBA\ldapuser1
> [2013/05/04 17:20:32.639862,  5] lib/username.c:134(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as uppercase is SAMBA\LDAPUSER1
> [2013/05/04 17:20:32.640140,  5] lib/username.c:143(Get_Pwnam_internals)
>   Checking combinations of 0 uppercase letters in SAMBA\ldapuser1
> [2013/05/04 17:20:32.640325,  5] lib/username.c:149(Get_Pwnam_internals)
>   Get_Pwnam_internals didn't find user [SAMBA\ldapuser1]!
> [2013/05/04 17:20:32.640494,  5] lib/username.c:171(Get_Pwnam_alloc)
>   Finding user ldapuser1
> [2013/05/04 17:20:32.640639,  5] lib/username.c:116(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as lowercase is ldapuser1
> [2013/05/04 17:20:32.640962,  5] lib/username.c:134(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as uppercase is LDAPUSER1
> [2013/05/04 17:20:32.641253,  5] lib/username.c:143(Get_Pwnam_internals)
>   Checking combinations of 0 uppercase letters in ldapuser1
> [2013/05/04 17:20:32.641443,  5] lib/username.c:149(Get_Pwnam_internals)
>   Get_Pwnam_internals didn't find user [ldapuser1]!
> [2013/05/04 17:20:32.641649,  5] lib/username.c:171(Get_Pwnam_alloc)
>   Finding user ldapuser1
> [2013/05/04 17:20:32.641819,  5] lib/username.c:116(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as lowercase is ldapuser1
> [2013/05/04 17:20:32.642101,  5] lib/username.c:134(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as uppercase is LDAPUSER1
> [2013/05/04 17:20:32.642392,  5] lib/username.c:143(Get_Pwnam_internals)
>   Checking combinations of 0 uppercase letters in ldapuser1
> [2013/05/04 17:20:32.642577,  5] lib/username.c:149(Get_Pwnam_internals)
>   Get_Pwnam_internals didn't find user [ldapuser1]!
> [2013/05/04 17:20:32.642741,  3] auth/auth_util.c:1126(check_account)
>   Failed to find authenticated user SAMBA\ldapuser1 via getpwnam(), denying
> access.
> [2013/05/04 17:20:32.642996, 11] lib/events.c:445(s3_event_debug)
>   s3_event: Added timed event \"\tevent_req_timedout\"\: 212e69d8
> [2013/05/04 17:20:32.643188, 10] libsmb/smb_signing.c:278(smb_signing_sign_pdu)
>   smb_signing_sign_pdu: sent SMB signature of
> [2013/05/04 17:20:32.643339, 10] ../lib/util/util.c:415(dump_data)
>   [0000] 00 00 00 00 00 00 00 00                            ........ 
> [2013/05/04 17:20:32.643783, 11] lib/events.c:445(s3_event_debug)
>   s3_event: Schedule immediate event \"\tevent_queue_immediate_trigger\"\:
> 212e57c8
> [2013/05/04 17:20:32.644005, 11] lib/events.c:445(s3_event_debug)
>   s3_event: Run immediate event \"\tevent_queue_immediate_trigger\"\: 212e57c8
> [2013/05/04 17:20:32.644690, 11] lib/events.c:445(s3_event_debug)
>   s3_event: Destroying timer event 212e69d8 \"\tevent_req_timedout\"\
> [2013/05/04 17:20:32.644987, 10] libsmb/smb_signing.c:278(smb_signing_sign_pdu)
>   smb_signing_sign_pdu: sent SMB signature of
> [2013/05/04 17:20:32.645157, 10] ../lib/util/util.c:415(dump_data)
>   [0000] 00 00 00 00 00 00 00 00                            ........ 
> [2013/05/04 17:20:32.646021,  5] auth/auth.c:271(check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [ldapuser1] FAILED with
> error NT_STATUS_NO_SUCH_USER
> [2013/05/04 17:20:32.646418,  2] auth/auth.c:319(check_ntlm_password)
>   check_ntlm_password:  Authentication for user [ldapuser1] -> [ldapuser1]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2013/05/04 17:20:32.646711,  3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2013/05/04 17:20:32.646964,  5] lib/util.c:336(show_msg)
> [2013/05/04 17:20:32.647083,  5] lib/util.c:346(show_msg)
> The below conf file is being used for the same. Could you please let me know if
> any other conf options should be set for 3.6.x versions.
> [global]
> workgroup=SAMBA
> server string=SMB Server
> netbios name=SMB07464240
> realm=SAMBA.LOCAL
> log level=255
> log file=pran.log.0.txt
> max log size=10000
> max smbd processes=100
> security=ADS
> password server=SAMBA.LOCAL
> wins support=no
> default devmode=no
> client NTLMv2 auth=No
> multicast dns register=yes
> username map cache time=0
> dns proxy=no
> wins server=0.0.0.0, 0.0.0.0
> name resolve order=lmhosts host wins bcast purev6
> DeviceAuthTimeout=60
> map to guest=bad uid
> guest account=root
> load printers=yes
> printcap name=/etc/printcap
> encrypt passwords=yes
> deadtime=60
> server signing=auto
> client signing=auto
> dos charset=CP932
> SRAM Logging=no
> hostAnnouncementSSL=1
> In the older version of samba 3.5.16 we call passdb functions during
> authentication for domain access but for 3.6.13 version it is trying to do
> winbind auth. Could you please let me know if I am missing some conf option in
> the smb.conf file.
Comment 2 Ray Van Dolson 2014-10-15 14:27:46 UTC
Running into an issue where map to guest = Bad Uid doesn't work as expected w/ SECURITY = (DOMAIN|ADS).  Logs show it complaining about a failed getpwnam() call, which seems to me to be exactly what should trigger the map to guest logic.

This is Samba 3.6.23 on RHEL5.

Wondering if similar to your issue.
Comment 3 Andreas Schneider 2015-08-24 08:01:45 UTC
Created attachment 11356: patch for 4.3
Comment 4 Andreas Schneider 2015-08-24 08:02:48 UTC
Created attachment 11357: patch for 4.2
Comment 5 Andreas Schneider 2015-08-24 08:03:20 UTC
Created attachment 11358: patch for 4.1
Comment 6 Andreas Schneider 2015-08-24 13:38:01 UTC
Created attachment 11360: patch for 4.2
Comment 7 Andreas Schneider 2015-08-24 13:38:22 UTC
Created attachment 11361: patch for 4.1
Comment 8 Stefan Metzmacher 2015-08-31 08:05:00 UTC
Pushed to autobuild-v4-{1,2,3}-test
Comment 9 Stefan Metzmacher 2015-08-31 10:31:30 UTC
The v4-1-test backport failed 3 times reliably with:

[238/1661 in 14m55s] samba3.blackbox.smbclient_machine_auth.plain (member:local)
UNEXPECTED(failure): samba3.blackbox.smbclient_machine_auth.plain (member:local).smbclient //LOCALMEMBER3/tmp(member:local)
REASON: _StringException: _StringException: session setup failed: NT_STATUS_CONNECTION_DISCONNECTED

FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
Comment 10 Stefan Metzmacher 2015-08-31 11:46:19 UTC
Pushed to v4-{2,3}-test
Comment 11 Andrew Bartlett 2016-08-01 19:23:05 UTC
Fixed in Samba 4.2 with 281bd2fb84fed3965d1201050d7b6cc7338c5fdb from 34965d4d98d172e848e2b96fad8a9e0b99288ba7 in master