[PATCH 1/2] s3-auth: fix force user for AD user

Andreas Schneider asn@samba.org
Tue Jan 21 09:09:41 MST 2014


On Friday 17 January 2014 14:14:26 Andreas Schneider wrote:
> On Thursday 16 January 2014 21:31:11 Andrew Bartlett wrote:
> > On Tue, 2014-01-14 at 16:21 +0100, Andreas Schneider wrote:
> > > On Monday 06 January 2014 11:37:19 you wrote:
> > > > On Tue, 2013-12-17 at 21:59 +0100, Andreas Schneider wrote:
> > > > > On Wednesday 18 December 2013 09:52:20 Andrew Bartlett wrote:
> > > > > > On Tue, 2013-12-17 at 16:20 +0100, Andreas Schneider wrote:
> > > > > > > On Saturday 14 December 2013 07:37:52 Andrew Bartlett wrote:
> > > > > > > > > Günther and I are working on it. Here is our WIP branch:
> > > > > > > > > 
> > > > > > > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/force_user
> > > > > > > > 
> > > > > > > > This looks like a much better approach!
> > > > > > > 
> > > > > > > Hi Andrew,
> > > > > > > 
> > > > > > > here is the proposed patchset:
> > > > > > > 
> > > > > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/force_user
> > > > > > > 
> > > > > > > I will run 'make test' but this should work. Could you please take
> > > > > > > another look?
> > > > > > 
> > > > > > The main issue I see is that this new (great!) codepath is called for
> > > > > > users from /etc/passwd, not just users from winbind forced in via force
> > > > > > user.  See the callers in auth_unix.c and user_krb5.c.
> > > > > 
> > > > > Yes, that's correct. We followed all codepaths and checked what is
> > > > > happening and why. In user_krb5.c it is called if the information can't
> > > > > be found in the PAC. So it can be a local user or the information could
> > > > > be retrieved from winbind.
> > > > > 
> > > > > And auth_unix.c is for a unix user. I've tested that and it works if I
> > > > > use a local user for 'force user'.
> > > > > 
> > > > > That's also why we renamed the function, because we just have a passwd
> > > > > struct we convert ...
> > > > 
> > > > Have you tested with a local user and plaintext passwords?
> > > 
> > > I don't know what you mean by that; smbpasswd plaintext passwords have
> > > been removed quite some time ago.
> > 
> > I mean 'encrypt passwords = no'.  Despite my best efforts, this remains
> > a supported configuration.
> > 
> > > > We really should have a test environment for that, and for krb5 but
> > > > without winbind (mapping to local user).  I'm not at all convinced the
> > > > patch is correct for those cases, but I can be persuaded.
> > > 
> > > Steps done to reproduce this:
> > > 
> > > Setup AD Server
> > > Create a user bob1 on AD
> > > 
> > > ----
> > > 
> > > Setup a Linux Client with the following smb.conf:
> > > 
> > > [global]
> > > 
> > >         workgroup = LEVEL1
> > >         realm = LEVEL1.DISCWORLD.SITE
> > >         security = ads
> > >         map to guest = Bad User
> > >         logon path = \\%L\profiles\.msprofile
> > >         logon home = \\%L\%U\.9xprofile
> > >         logon drive = P:
> > >         usershare allow guests = Yes
> > >         
> > >         #log file = /var/log/samba/log.%m
> > >         max log size = 0
> > >         log level = 10
> > >         debug pid = yes
> > >         
> > >         kerberos method = system keytab
> > > 
> > > [test]
> > > 
> > >         path = /srv/samba/test
> > >         writeable = yes
> > >         valid users = bob1
> > > 
> > > Create a local user bob1
> > > Join the machine to AD
> > > Start smbd
> > > 
> > > as a user do:
> > > kinit bob1@LEVEL1.DISCWORLD.SITE
> > > 
> > > asn@samba:~> smbclient -k -U bob1 //SAMBA/test
> > > Domain=[LEVEL1] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-0b079a4]
> > > smb: \>
> > 
> > I'm asking that you set up and test:
> > 
> > Setup AD Server
> > Create a user bob1 on AD
> > Create a user bob1 locally
> > Do not run winbind
> > 
> > Setup a Linux Client with the following smb.conf:
> >  [global]
> >  
> >          workgroup = LEVEL1
> >          realm = LEVEL1.DISCWORLD.SITE
> >          security = ads
> > 
> > [test]
> > 
> >          path = /srv/samba/test
> >          writeable = yes
> > 
> > kinit bob1@LEVEL1.DISCWORLD.SITE
> > 
> > Do you successfully get:
> > 
> > asn@samba:~> smbclient -k -U bob1 //SAMBA/test
> > Domain=[LEVEL1] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-0b079a4]
> > smb: \>
> > 
> > Thanks,
> 
> Is there anything else I should test?
> 

I need this in RHEL7. If you have no other concerns or things I should test, I
will push it on Thursday.


Thanks!


	-- andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn@samba.org
www.samba.org
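The two reproduction recipes quoted above (Andreas' full smb.conf with 'valid users', and Andrew's reduced one with no winbind running) can be driven from one script. The following is an added example written for this page, not code from the thread or from the Samba project. It reuses the realm LEVEL1.DISCWORLD.SITE, the user bob1, the server SAMBA and the share 'test' from the thread; the config path /etc/samba/smb.conf, the share path /srv/samba/test and the use of testparm/smbcontrol to validate and reload the config are assumptions, and the 'full' config drops the logon/profile options that do not affect the authentication path.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two force-user test
# scenarios discussed on samba-technical. Assumed: realm LEVEL1.DISCWORLD.SITE,
# user bob1, server SAMBA, share 'test' (from the thread); /etc/samba/smb.conf
# and /srv/samba/test are assumptions.

# smb_conf SCENARIO -> prints the smb.conf for that scenario on stdout.
#   full    : Andreas' config (valid users, map to guest, debug logging),
#             logon/profile options omitted
#   minimal : Andrew's reduced config (security = ads only, no valid users)
smb_conf() {
    case "$1" in
    full)
cat <<'EOF'
[global]
        workgroup = LEVEL1
        realm = LEVEL1.DISCWORLD.SITE
        security = ads
        map to guest = Bad User
        max log size = 0
        log level = 10
        debug pid = yes
        kerberos method = system keytab

[test]
        path = /srv/samba/test
        writeable = yes
        valid users = bob1
EOF
        ;;
    minimal)
cat <<'EOF'
[global]
        workgroup = LEVEL1
        realm = LEVEL1.DISCWORLD.SITE
        security = ads

[test]
        path = /srv/samba/test
        writeable = yes
EOF
        ;;
    *)
        echo "unknown scenario: $1" >&2
        return 1
        ;;
    esac
}

# winbind_running -> 0 if a winbindd process exists, 1 otherwise.
winbind_running() {
    pgrep -x winbindd >/dev/null 2>&1
}

# preflight USER -> the local account must exist (the point of the test is
# that the AD user maps onto it) and winbindd must NOT be running, so the
# mapping cannot be served by winbind behind our back.
preflight() {
    user=$1
    if ! getent passwd "$user" >/dev/null; then
        echo "local user $user missing: create it before testing" >&2
        return 1
    fi
    if winbind_running; then
        echo "winbindd is running: stop it for the no-winbind scenario" >&2
        return 1
    fi
}

# run_scenario SCENARIO USER SERVER SHARE -> installs the config, validates
# and reloads it, gets a TGT for USER and tries a Kerberos-authenticated
# connection. The exit status of smbclient is the pass/fail signal.
run_scenario() {
    scenario=$1 user=$2 server=$3 share=$4
    preflight "$user" || return 1
    smb_conf "$scenario" > /etc/samba/smb.conf || return 1
    testparm -s >/dev/null || return 1
    smbcontrol smbd reload-config
    kinit "$user@LEVEL1.DISCWORLD.SITE" || return 1
    # -c 'ls' keeps the session non-interactive so the script can be automated
    smbclient -k -U "$user" "//$server/$share" -c 'ls'
}

# Only act when invoked with arguments, so sourcing the file has no side effects.
if [ $# -ge 1 ]; then
    run_scenario "$@"
fi
```

Run as root on the joined client, e.g. `sh force_user_test.sh minimal bob1 SAMBA test`, then repeat with `full`. A failing `smbclient` in the `minimal` run with winbindd stopped is exactly the case Andrew asked to have covered: the PAC does not carry the unix identity, and the new code path has to resolve bob1 from /etc/passwd alone.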