[PATCH 1/2] s3-auth: fix force user for AD user

Andreas Schneider asn at samba.org
Thu Jan 16 05:27:14 MST 2014 

On Thursday 16 January 2014 21:31:11 Andrew Bartlett wrote:
> On Tue, 2014-01-14 at 16:21 +0100, Andreas Schneider wrote:
> > On Monday 06 January 2014 11:37:19 you wrote:
> > > On Tue, 2013-12-17 at 21:59 +0100, Andreas Schneider wrote:
> > > > On Wednesday 18 December 2013 09:52:20 Andrew Bartlett wrote:
> > > > > On Tue, 2013-12-17 at 16:20 +0100, Andreas Schneider wrote:
> > > > > > On Saturday 14 December 2013 07:37:52 Andrew Bartlett wrote:
> > > > > > > > Günther and I are working on it. Here is our WIP branch:
> > > > > > > > 
> > > > > > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads
> > > > > > > > /for
> > > > > > > > ce_u
> > > > > > > > ser
> > > > > > > 
> > > > > > > This looks like a much better approach!
> > > > > > 
> > > > > > Hi Andrew,
> > > > > > 
> > > > > > here is the proposed patchset:
> > > > > > 
> > > > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/for
> > > > > > ce_u
> > > > > > ser
> > > > > > 
> > > > > > I will run 'make test' but this should work. Could you please take
> > > > > > another
> > > > > > look?
> > > > > 
> > > > > The main issue I see is that this new (great!) codepath is called
> > > > > for
> > > > > users from /etc/passwd, not just users from winbind forced in via
> > > > > force
> > > > > user.  See the callers in auth_unix.c and user_krb5.c.
> > > > 
> > > > Yes, that's correct. We follwed all codepath and checked what is
> > > > happening
> > > > and why. In user_krb5.c it is called if the information can't be found
> > > > in
> > > > the PAC. So it can be a local user or the information could be
> > > > retrieved
> > > > from winbind.
> > > > 
> > > > And auth_unix.c is for a unix user. I've tested that and it works if I
> > > > use
> > > > a local user for 'force user'.
> > > > 
> > > > That's also why me renamed the function cause we just have a passwd
> > > > struct
> > > > we convert ...
> > > 
> > > Have you tested with a local user and plaintext passwords?
> > 
> > I don't know what you mean with the, smbpasswd plaintext password have
> > been
> > removed since quite some time.
> 
> I mean 'encrypt passwords = no'.  Despite my best efforts, this remains
> a supported configuration.
> 
> > > We really
> > > should have a test environment for that, and for krb5 but without
> > > winbind (mapping to local user).  I'm not at all convinced the patch is
> > > correct for those cases, but I can be persuaded.
> > 
> > Setps done to reproduce this:
> > 
> > Setup AD Server
> > Create a user bob1 on AD
> > 
> > ----
> > 
> > Setup a Linux Client with the following smb.conf:
> > 
> > [global]
> > 
> >         workgroup = LEVEL1
> >         realm = LEVEL1.DISCWORLD.SITE
> >         security = ads
> >         map to guest = Bad User
> >         logon path = \\%L\profiles\.msprofile
> >         logon home = \\%L\%U\.9xprofile
> >         logon drive = P:
> >         usershare allow guests = Yes
> >         
> >         #log file = /var/log/samba/log.%m
> >         max log size = 0
> >         log level = 10
> >         debug pid = yes
> >         
> >         kerberos method = system keytab
> > 
> > [test]
> > 
> >         path = /srv/samba/test
> >         writeable = yes
> >         valid users = bob1
> > 
> > Create a local user bob1
> > Join the machine to AD
> > Start smbd
> > 
> > as a user do:
> > kinit bob1 at LEVEL1.DISCWORLD.SITE
> > 
> > asn at samba:~> smbclient -k -U bob1 //SAMBA/test
> > Domain=[LEVEL1] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-0b079a4]
> > smb: \>
> 
> I'm asking that you set up and test:
> 
> Setup AD Server
> Create a user bob1 on AD
> Create a user bob1 locally
> Do not run winbind
> 
> Setup a Linux Client with the following smb.conf:
> 
>  [global]
>          workgroup = LEVEL1
>          realm = LEVEL1.DISCWORLD.SITE
>          security = ads
> 
> [test]
>          path = /srv/samba/test
>          writeable = yes
> 
> kinit bob1 at LEVEL1.DISCWORLD.SITE
> 
> Do you successfully get:
> 
> asn at samba:~> smbclient -k -U bob1 //SAMBA/test
> Domain=[LEVEL1] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-0b079a4]
> smb: \>
> 
> Thanks,

It also works, if I use

kerberos method = system keytab

and after joining remove the secrets.tdb



	-- andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org

More information about the samba-technical mailing list