[PATCH 1/2] s3-auth: fix force user for AD user

Andrew Bartlett abartlet at samba.org
Thu Jan 16 01:31:11 MST 2014


On Tue, 2014-01-14 at 16:21 +0100, Andreas Schneider wrote:
> On Monday 06 January 2014 11:37:19 you wrote:
> > On Tue, 2013-12-17 at 21:59 +0100, Andreas Schneider wrote:
> > > On Wednesday 18 December 2013 09:52:20 Andrew Bartlett wrote:
> > > > On Tue, 2013-12-17 at 16:20 +0100, Andreas Schneider wrote:
> > > > > On Saturday 14 December 2013 07:37:52 Andrew Bartlett wrote:
> > > > > > > Günther and I are working on it. Here is our WIP branch:
> > > > > > > 
> > > > > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/force_user
> > > > > > 
> > > > > > This looks like a much better approach!
> > > > > 
> > > > > Hi Andrew,
> > > > > 
> > > > > here is the proposed patchset:
> > > > > 
> > > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/force_user
> > > > > 
> > > > > I will run 'make test' but this should work. Could you please take
> > > > > another
> > > > > look?
> > > > 
> > > > The main issue I see is that this new (great!) codepath is called for
> > > > users from /etc/passwd, not just users from winbind forced in via force
> > > > user.  See the callers in auth_unix.c and user_krb5.c.
> > > 
> > > Yes, that's correct. We followed all codepaths and checked what is happening
> > > and why. In user_krb5.c it is called if the information can't be found in
> > > the PAC. So it can be a local user or the information could be retrieved
> > > from winbind.
> > > 
> > > And auth_unix.c is for a unix user. I've tested that and it works if I use
> > > a local user for 'force user'.
> > > 
> > > That's also why we renamed the function, because we just have a passwd struct
> > > we convert ...
> > 
> > Have you tested with a local user and plaintext passwords?
> 
> I don't know what you mean with that; smbpasswd plaintext passwords have been
> removed for quite some time.

I mean 'encrypt passwords = no'.  Despite my best efforts, this remains
a supported configuration. 

> > We really
> > should have a test environment for that, and for krb5 but without
> > winbind (mapping to local user).  I'm not at all convinced the patch is
> > correct for those cases, but I can be persuaded.
> 
> Steps done to reproduce this:
> 
> Setup AD Server
> Create a user bob1 on AD
> 
> ----
> 
> Setup a Linux Client with the following smb.conf:
> 
> [global]
>         workgroup = LEVEL1
>         realm = LEVEL1.DISCWORLD.SITE
>         security = ads
>         map to guest = Bad User
>         logon path = \\%L\profiles\.msprofile
>         logon home = \\%L\%U\.9xprofile
>         logon drive = P:
>         usershare allow guests = Yes
> 
>         #log file = /var/log/samba/log.%m
>         max log size = 0
>         log level = 10
>         debug pid = yes
> 
>         kerberos method = system keytab
> 
> [test]
>         path = /srv/samba/test
>         writeable = yes
>         valid users = bob1
> 
> Create a local user bob1
> Join the machine to AD
> Start smbd
> 
> as a user do:
> kinit bob1 at LEVEL1.DISCWORLD.SITE
> 
> asn at samba:~> smbclient -k -U bob1 //SAMBA/test
> Domain=[LEVEL1] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-0b079a4]
> smb: \> 

I'm asking that you set up and test:

Setup AD Server
Create a user bob1 on AD
Create a user bob1 locally
Do not run winbind

Setup a Linux Client with the following smb.conf:

[global]
        workgroup = LEVEL1
        realm = LEVEL1.DISCWORLD.SITE
        security = ads

[test]
        path = /srv/samba/test
        writeable = yes

kinit bob1 at LEVEL1.DISCWORLD.SITE

Do you successfully get:

asn at samba:~> smbclient -k -U bob1 //SAMBA/test
Domain=[LEVEL1] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-0b079a4]
smb: \> 

Thanks,

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
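As an added example (not code from this thread or from Samba), a small Python check that parses an smb.conf like the ones quoted above and reports the settings the thread says need explicit testing: 'encrypt passwords = no', 'security = ads' without winbind (Kerberos users mapped to local accounts), and per-share 'force user'. The sample config and the winbind_running flag are constructed assumptions.

```python
import re

# Constructed sample, not a config from the thread: the client smb.conf from the
# reproduction steps plus 'encrypt passwords = no' and a 'force user' to exercise checks.
SAMPLE_SMB_CONF = """
[global]
        workgroup = LEVEL1
        realm = LEVEL1.DISCWORLD.SITE
        security = ads
        encrypt passwords = no
        #log file = /var/log/samba/log.%m

[test]
        path = /srv/samba/test
        writeable = yes
        valid users = bob1
        force user = bob1
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, whitespace collapsed, '#'/';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def check_auth_settings(conf, winbind_running):
    """List the settings the thread discusses as needing explicit testing."""
    g = conf.get("global", {})
    findings = []
    # Default for 'encrypt passwords' is yes; 'no' means plaintext authentication.
    if g.get("encrypt passwords", "yes").lower() not in ("yes", "true", "1"):
        findings.append("global: 'encrypt passwords = no' allows plaintext authentication")
    # With security = ads and no winbind, Kerberos users resolve to /etc/passwd entries.
    if g.get("security", "").lower() == "ads" and not winbind_running:
        findings.append("global: 'security = ads' without winbind: AD users map to local /etc/passwd")
    for name, share in conf.items():
        if name != "global" and "force user" in share:
            findings.append(f"{name}: 'force user = {share['force user']}' may resolve locally or via winbind; test both")
    return findings
```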