[PATCH 1/2] s3-auth: fix force user for AD user

Andrew Bartlett abartlet at samba.org
Tue Jan 21 14:25:46 MST 2014


On Tue, 2014-01-21 at 17:09 +0100, Andreas Schneider wrote:
> On Friday 17 January 2014 14:14:26 Andreas Schneider wrote:
> > On Thursday 16 January 2014 21:31:11 Andrew Bartlett wrote:
> > > On Tue, 2014-01-14 at 16:21 +0100, Andreas Schneider wrote:
> > > > On Monday 06 January 2014 11:37:19 you wrote:
> > > > > On Tue, 2013-12-17 at 21:59 +0100, Andreas Schneider wrote:
> > > > > > On Wednesday 18 December 2013 09:52:20 Andrew Bartlett wrote:
> > > > > > > On Tue, 2013-12-17 at 16:20 +0100, Andreas Schneider wrote:
> > > > > > > > On Saturday 14 December 2013 07:37:52 Andrew Bartlett wrote:
> > > > > > > > > > Günther and I are working on it. Here is our WIP branch:
> > > > > > > > > > 
> > > > > > > > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/force_user
> > > > > > > > > 
> > > > > > > > > This looks like a much better approach!
> > > > > > > > 
> > > > > > > > Hi Andrew,
> > > > > > > > 
> > > > > > > > here is the proposed patchset:
> > > > > > > > 
> > > > > > > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/force_user
> > > > > > > > 
> > > > > > > > > I will run 'make test' but this should work. Could you please take another look?
> > > > > > > 
> > > > > > > > The main issue I see is that this new (great!) codepath is called for
> > > > > > > > users from /etc/passwd, not just users from winbind forced in via force
> > > > > > > > user.  See the callers in auth_unix.c and user_krb5.c.
> > > > > > 
> > > > > > > Yes, that's correct. We followed all codepaths and checked what is happening
> > > > > > > and why. In user_krb5.c it is called if the information can't be found in
> > > > > > > the PAC. So it can be a local user or the information could be retrieved
> > > > > > > from winbind.
> > > > > > 
> > > > > > > And auth_unix.c is for a unix user. I've tested that and it works if I use
> > > > > > > a local user for 'force user'.
> > > > > > 
> > > > > > > That's also why we renamed the function, cause we just have a passwd struct
> > > > > > > we convert ...
> > > > > 
> > > > > Have you tested with a local user and plaintext passwords?
> > > > 
> > > > > I don't know what you mean with the, smbpasswd plaintext passwords have been
> > > > > removed since quite some time.
> > > 
> > > I mean 'encrypt passwords = no'.  Despite my best efforts, this remains
> > > a supported configuration.
> > > 
> > > > > > We really should have a test environment for that, and for krb5 but without
> > > > > > winbind (mapping to local user).  I'm not at all convinced the patch is
> > > > > > correct for those cases, but I can be persuaded.
> > > > 
> > > > > Steps done to reproduce this:
> > > > 
> > > > Setup AD Server
> > > > Create a user bob1 on AD
> > > > 
> > > > ----
> > > > 
> > > > Setup a Linux Client with the following smb.conf:
> > > > 
> > > > [global]
> > > > 
> > > >         workgroup = LEVEL1
> > > >         realm = LEVEL1.DISCWORLD.SITE
> > > >         security = ads
> > > >         map to guest = Bad User
> > > >         logon path = \\%L\profiles\.msprofile
> > > >         logon home = \\%L\%U\.9xprofile
> > > >         logon drive = P:
> > > >         usershare allow guests = Yes
> > > >         
> > > >         #log file = /var/log/samba/log.%m
> > > >         max log size = 0
> > > >         log level = 10
> > > >         debug pid = yes
> > > >         
> > > >         kerberos method = system keytab
> > > > 
> > > > [test]
> > > > 
> > > >         path = /srv/samba/test
> > > >         writeable = yes
> > > >         valid users = bob1
> > > > 
> > > > Create a local user bob1
> > > > Join the machine to AD
> > > > Start smbd
> > > > 
> > > > as a user do:
> > > > > kinit bob1@LEVEL1.DISCWORLD.SITE
> > > > 
> > > > > asn@samba:~> smbclient -k -U bob1 //SAMBA/test
> > > > Domain=[LEVEL1] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-0b079a4]
> > > > smb: \>
> > > 
> > > I'm asking that you set up and test:
> > > 
> > > Setup AD Server
> > > Create a user bob1 on AD
> > > Create a user bob1 locally
> > > Do not run winbind
> > > 
> > > Setup a Linux Client with the following smb.conf:
> > >  [global]
> > >  
> > >          workgroup = LEVEL1
> > >          realm = LEVEL1.DISCWORLD.SITE
> > >          security = ads
> > > 
> > > [test]
> > > 
> > >          path = /srv/samba/test
> > >          writeable = yes
> > > 
> > > > kinit bob1@LEVEL1.DISCWORLD.SITE
> > > 
> > > Do you successfully get:
> > > 
> > > > asn@samba:~> smbclient -k -U bob1 //SAMBA/test
> > > Domain=[LEVEL1] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-0b079a4]
> > > smb: \>
> > > 
> > > Thanks,
> > 
> > Is there anything else I should test?
> > 
> 
> I need this in RHEL7. If you have no other concerns or things I should test, I
> will push it on Thursday.

I still don't understand/see how it addresses the code paths I was
concerned about, so I think the way to best address that and to keep
this working is to add an automated test for them.  That is, one for
plaintext passwords and then one for the case you are fixing (ktest
covers the kerberos case that worried me, which assuming this passes a
make test improves my confidence considerably).  I realise it may be
hard to fully test given the limitations of the non-root environment,
but at the very least have it walk over the code paths. 

I suggest start by copying the simpleserver environment, and split
auth_unix into a wrapper of auth_passwd and auth_pam, so you can set
"auth_methods = auth_passwd" to test plaintext.  (Or successfully
propose ditching plaintext, but I tried and failed to do this).  

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
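As an added example (not code from this thread, and not Samba's own code), a small Python parser and checker for the smb.conf settings the discussion turns on: whether `encrypt passwords = no` (the plaintext path Andrew wants tested) is in effect, whether an `ads` setup is missing its `realm`, which writeable shares carry no `valid users` restriction, and which shares use `force user`. The two sample configurations are constructed to mirror the smb.conf snippets quoted above; the third, with `security = user`, `encrypt passwords = no` and `force user = bob1`, is constructed for illustration and appears nowhere in the thread. The function names are this example's own.

```python
"""Lint the authentication-related smb.conf settings discussed in the thread.
Added example, not Samba's own code. Handles the smb.conf syntax that matters
here: [section] headers, 'name = value' lines, '#'/';' comments, backslash line
continuation, parameter names with case/whitespace ignored, yes/no booleans."""
import re
from collections import OrderedDict

# Constructed samples mirroring the two smb.conf snippets quoted in the thread
FIRST_CONF = """\
[global]
        workgroup = LEVEL1
        realm = LEVEL1.DISCWORLD.SITE
        security = ads
        map to guest = Bad User
        #log file = /var/log/samba/log.%m
        log level = 10
        kerberos method = system keytab

[test]
        path = /srv/samba/test
        writeable = yes
        valid users = bob1
"""

SECOND_CONF = """\
[global]
        workgroup = LEVEL1
        realm = LEVEL1.DISCWORLD.SITE
        security = ads

[test]
        path = /srv/samba/test
        writeable = yes
"""

# Constructed: a plaintext-password setup of the kind Andrew asks to have tested,
# with a 'force user' on the share (neither value appears in the quoted configs)
PLAINTEXT_CONF = """\
[global]
        workgroup = LEVEL1
        security = user
        encrypt passwords = no

[test]
        path = /srv/samba/test
        read only = no
        force user = bob1
"""


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} in file order."""
    conf = OrderedDict()
    section = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):          # line continues on the next one
            pending = line[:-1]
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, OrderedDict())
            continue
        if section is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        key = re.sub(r"\s+", "", name).lower()   # 'Map To Guest' -> 'maptoguest'
        conf[section][key] = value.strip()
    return conf


def smb_bool(value, default):
    """Interpret a Samba boolean; None means the parameter is unset."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError("not a boolean: %r" % value)


def share_is_writable(share):
    """'read only' (default yes) or one of its inverse synonyms decides writability."""
    if "readonly" in share:
        return not smb_bool(share["readonly"], True)
    for key in ("writeable", "writable", "writeok"):
        if key in share:
            return smb_bool(share[key], False)
    return False


def check_auth_settings(conf):
    """Return (section, message) findings a reviewer of this config would want."""
    findings = []
    g = conf.get("global", {})
    # 'encrypt passwords' defaults to yes; 'no' is the plaintext path the thread argues over
    if not smb_bool(g.get("encryptpasswords"), True):
        findings.append(("global", "encrypt passwords = no: plaintext password authentication is enabled"))
    if g.get("security", "").lower() == "ads" and not g.get("realm"):
        findings.append(("global", "security = ads without realm: AD member configuration is incomplete"))
    for name, share in conf.items():
        if name == "global":
            continue
        if share_is_writable(share) and "validusers" not in share:
            findings.append((name, "writeable share with no 'valid users' restriction"))
        if "forceuser" in share:
            findings.append((name, "force user = %s: file access on this share runs as that account" % share["forceuser"]))
    return findings


if __name__ == "__main__":
    for label, text in (("first", FIRST_CONF), ("second", SECOND_CONF), ("plaintext", PLAINTEXT_CONF)):
        for section, message in check_auth_settings(parse_smb_conf(text)):
            print("%s: [%s] %s" % (label, section, message))
```

Run stand-alone it reports nothing for the first config, the unrestricted writeable share for the second, and the plaintext setting plus both share findings for the third. Parameter names are normalised the way smbd compares them (case and whitespace dropped), so `Encrypt Passwords` and `encryptpasswords` hit the same check.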