[PATCH 1/2] s3-auth: fix force user for AD user

Andreas Schneider asn at samba.org
Wed Jan 29 09:33:00 MST 2014 

On Wednesday 22 January 2014 10:25:46 Andrew Bartlett wrote:
> I still don't understand/see how it addresses the code paths I was
> concerned about, so I think the way to best address that and to keep
> this working is to add an automated test for them.  That is, one for
> plaintext passwords and then one for the case you are fixing (ktest
> covers the kerberos case that worried me, which assuming this passes a
> make test improves my confidence considerably).  I realise it may be
> hard to fully test given the limitations of the non-root environment,
> but at the very least have it walk over the code paths.

Hi Andrew,

I'm sorry, but I'm not able to trigger the codepath you're concerned about at 
all, even in master!

The reason is that the plaintext password in the user struct is always set to 
NULL passed to pass_check() in source3/auth/auth_unix.c


[2014/01/29 17:28:28.495413, 100, pid=10495, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/pass_check.c:618(pass_check)
  checking user=[asn] pass=[(null)]


[global]
        workgroup = LEVEL1
        security = user
        map to guest = Bad User
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = Yes


        #log file = /var/log/samba/log.%m
        max log size = 0
        log level = 100
        debug pid = yes

        client plaintext auth = yes
        passwd chat debug = Yes
        auth methods = unix

[test]
        path = /srv/samba/test
        writeable = Yes


I would also argue that 'force user' is a more common used feature of the 
Samba file server than 'auth methods = unix' with plaintext passwords.


> I suggest start by copying the simpleserver environment, and split
> auth_unix into a wrapper of auth_passwd and auth_pam, so you can set
> "auth_methods = auth_passwd" to test plaintext.  (Or successfully
> propose ditching plaintext, but I tried and failed to do this).


Sorry, I don't have time for that. I guess removing plaintext passwords would 
be more appropriate.

The patchset is here:

https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/force_user



Best regards,


	-- andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org

More information about the samba-technical mailing list