[PATCH 1/2] s3-auth: fix force user for AD user

Andreas Schneider asn at samba.org
Thu Jan 30 00:32:38 MST 2014


On Thursday 30 January 2014 09:40:07 you wrote:
> On Wed, 2014-01-29 at 17:33 +0100, Andreas Schneider wrote:
> > On Wednesday 22 January 2014 10:25:46 Andrew Bartlett wrote:
> > > I still don't understand/see how it addresses the code paths I was
> > > concerned about, so I think the way to best address that and to keep
> > > this working is to add an automated test for them.  That is, one for
> > > plaintext passwords and then one for the case you are fixing (ktest
> > > covers the kerberos case that worried me, which assuming this passes a
> > > make test improves my confidence considerably).  I realise it may be
> > > hard to fully test given the limitations of the non-root environment,
> > > but at the very least have it walk over the code paths.
> > 
> > Hi Andrew,
> > 
> > I'm sorry, but I'm not able to trigger the codepath you're concerned about
> > at all, even in master!
> > 
> > The reason is that the plaintext password in the user struct is always set
> > to NULL when passed to pass_check() in source3/auth/auth_unix.c
> > 
> > 
> > [2014/01/29 17:28:28.495413, 100, pid=10495, effective(0, 0), real(0, 0),
> > class=auth] ../source3/auth/pass_check.c:618(pass_check)
> > 
> >   checking user=[asn] pass=[(null)]
> 
> You would also need 'encrypt passwords = no'.
> 
> > [global]
> > 
> >         workgroup = LEVEL1
> >         security = user
> >         map to guest = Bad User
> >         logon path = \\%L\profiles\.msprofile
> >         logon home = \\%L\%U\.9xprofile
> >         logon drive = P:
> >         usershare allow guests = Yes
> >         
> >         
> >         #log file = /var/log/samba/log.%m
> >         max log size = 0
> >         log level = 100
> >         debug pid = yes
> >         
> >         client plaintext auth = yes
> >         passwd chat debug = Yes
> >         
> >         auth methods = unix
> 
> You shouldn't need that once we set 'encrypt passwords = no'.

asn at samba:~> cat /etc/samba/smb.conf
[global]
        workgroup = LEVEL1
        security = user
        map to guest = Bad User
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = Yes


        #log file = /var/log/samba/log.%m
        max log size = 0
        log level = 100
        debug pid = yes

        encrypt passwords = No
        client plaintext auth = Yes
        client ntlmv2 auth = No
        passwd chat debug = Yes
        auth methods = unix

[test]
        path = /srv/samba/test
        writeable = Yes


Whatever I set with 'encrypt passwords = No' I get

asn at samba:~> smbclient -I 192.168.100.103 //SAMBA/test -Uasn%secret
Server requested PLAINTEXT password but 'client plaintext auth = no' or 
'client ntlmv2 auth = yes'
session setup failed: NT_STATUS_ACCESS_DENIED



	-- andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org


