[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid

Stefan Metzmacher metze at samba.org
Fri Mar 16 12:33:36 UTC 2018


Hi Andreas,

>> In source3 we also have code that implements "map to guest = bad uid"
>> and maps a Kerberos authenticated user to guest.
>>
>> Now that we require a running winbindd on a member server,
>> we should remove the "bad uid" hacks. Would anyone object
>> to that? It would simplify a lot and might make it possible
>> to understand all the strange code paths we have to construct
>> an auth_session_info.
>>
>> I guess it is not needed to deprecate it first
>> as this can only happen if /etc/nsswitch.conf is not configured correctly.
>>
>> Should I prepare patches to remove this ("bad uid")?
> 
> Yes, please. :-)

Here're the patches on top.

metze

From a59d0de844e059599157f590824c9cad71c669cb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 12:36:40 +0100
Subject: [PATCH 1/5] lib/param: no longer allow 'map to guest = Bad Uid'

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 lib/param/loadparm.h    | 1 -
 lib/param/param_table.c | 1 -
 2 files changed, 2 deletions(-)

diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index b5d79b9..b75e29d 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -165,7 +165,6 @@ struct file_lists {
 #define NEVER_MAP_TO_GUEST 		0
 #define MAP_TO_GUEST_ON_BAD_USER 	1
 #define MAP_TO_GUEST_ON_BAD_PASSWORD 	2
-#define MAP_TO_GUEST_ON_BAD_UID 	3
 
 /*
  * This should be under the HAVE_KRB5 flag but since they're used
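Review bot: dropping the `-#define MAP_TO_GUEST_ON_BAD_UID 3` line breaks the build for every remaining user of that constant, and the source3 auth code that the cover mail says implements the "bad uid" mapping is not touched anywhere in this series; either put the source3 removal ahead of this patch or confirm with a grep that no MAP_TO_GUEST_ON_BAD_UID reference survives before this change lands. Leaving the values 0, 1 and 2 untouched rather than renumbering is the right call.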
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index f9d3b55..7d89b8e 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -187,7 +187,6 @@ static const struct enum_list enum_map_to_guest[] = {
 	{NEVER_MAP_TO_GUEST, "Never"},
 	{MAP_TO_GUEST_ON_BAD_USER, "Bad User"},
 	{MAP_TO_GUEST_ON_BAD_PASSWORD, "Bad Password"},
-        {MAP_TO_GUEST_ON_BAD_UID, "Bad Uid"},
 	{-1, NULL}
 };
 
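Review bot: after this hunk an smb.conf that still contains `map to guest = Bad Uid` matches no entry in enum_map_to_guest and the value is rejected at parse time; make sure the resulting error names the parameter and the removed value clearly and that testparm reports it, so administrators learn about it before smbd refuses the configuration after an upgrade. The removed line was also space-indented where its neighbours use a tab, so the table is now consistently indented.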
-- 
1.9.1


From ccb769ed89a2d52a7b5258b1d315b059e44abed2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 12:37:09 +0100
Subject: [PATCH 2/5] docs-xml: remove 'map to guest = Bad Uid'

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/security/maptoguest.xml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml
index c98086a..d5a4a8e 100644
--- a/docs-xml/smbdotconf/security/maptoguest.xml
+++ b/docs-xml/smbdotconf/security/maptoguest.xml
@@ -37,16 +37,6 @@
 	    <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to 
 	    guest</parameter> parameter this way :-).</para>
 	</listitem>
-	<listitem>
-	    <para><constant>Bad Uid</constant> - Is only applicable when Samba is configured
-	    in some type of domain mode security (security = {domain|ads}) and means that
-	    user logins which are successfully authenticated but which have no valid Unix
-	    user account (and smbd is unable to create one) should be mapped to the defined
-	    guest account. This was the default behavior of Samba 2.x releases.  Note that 
-	    if a member server is running winbindd,  this option should never be required
-	    because the nss_winbind library will export the Windows domain users and groups
-	    to the underlying OS via the Name Service Switch interface.</para>
-	</listitem>
     </itemizedlist>
 
     <para>Note that this parameter is needed to set up "Guest" 
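Review bot: the removed <listitem> was the only place in this page that told administrators that nss_winbind exports domain users to the OS via NSS; with it gone, nothing here says what to configure instead of "Bad Uid". Consider keeping one sentence in this section (or in the WHATSNEW entry) stating that a domain member needs a running winbindd and the winbind entry in /etc/nsswitch.conf so that successfully authenticated domain users resolve to a Unix uid.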
-- 
1.9.1


From 2f076e8a6c403116e3bbb2ce2c230ff495835c9b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 13:24:00 +0100
Subject: [PATCH 3/5] WHATSNEW: document "map to guest = Bad Uid" removal

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index bcb3452..57ea3cc 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -61,6 +61,15 @@ As all implementations of an active directory domain controller
 ticket, we no longer need a fallback to construct a user token
 based on just the Kerberos principal name.
 
+"map to guest = Bad Uid" removed
+-----------------------------------------------------------------
+
+As a running winbindd is required/available (since 4.8) for setups
+where users might be authenticated on a remote domain controller
+(via NTLMSSP or Kerberos) we no longer need the behavior of
+"map to guest = Bad Uid", so it is no longer possible to
+configure this.
+
 
 REMOVED FEATURES
 ================
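Review bot: "required/available (since 4.8)" in the sentence starting `+As a running winbindd is required/available` is ambiguous; say which it is (the cover mail says required) and state the consequence for existing setups, namely that an smb.conf still setting "map to guest = Bad Uid" is rejected and must be changed before upgrading. The dashed underline is also about twice as long as the heading text above it.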
@@ -72,7 +81,8 @@ smb.conf changes
 
   Parameter Name                     Description             Default
   --------------                     -----------             -------
-
+  map to guest                       Removed Value
+                                     "Bad Uid"
 
 KNOWN ISSUES
 ============
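Review bot: the Description entry is split across two lines (`Removed Value` / `"Bad Uid"`), which reads as two rows in a table that has one line per parameter; put `Removed value "Bad Uid"` on a single line, or place the value under Default, so the table stays parseable by eye.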
-- 
1.9.1


From 74ad212f3fb0d1a82e32dca49fda0b2f876e2af6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 13 Dec 2017 23:46:57 +0100
Subject: [PATCH 4/5] HACK!!!! _FAIL_IMMEDIATELY=1

---
 script/autobuild.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/script/autobuild.py b/script/autobuild.py
index ebe49bb..9387d1d 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -76,7 +76,7 @@ tasks = {
     # We have 'test' before 'install' because, 'test' should work without 'install'
     "samba" : [ ("configure", "./configure.developer --with-selftest-prefix=./bin/ab" + samba_configure_params, "text/plain"),
                 ("make", "make -j", "text/plain"),
-                ("test", "make test FAIL_IMMEDIATELY=1", "text/plain"),
+                ("test", "make test _FAIL_IMMEDIATELY=1", "text/plain"),
                 ("install", "make install", "text/plain"),
                 ("check-clean-tree", "script/clean-source-tree.sh", "text/plain"),
                 ("clean", "make clean", "text/plain") ],
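Review bot: this hunk must not be pushed: changing `FAIL_IMMEDIATELY=1` to `_FAIL_IMMEDIATELY=1` only turns the variable into one the test makefile ignores, so autobuild would run the whole test suite to the end instead of stopping at the first failure. The subject already marks it HACK; keep it out of the branch submitted to autobuild for merging, or drop it before the final version of the series.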
-- 
1.9.1


From 411c44f5b99ff45fe627be37e5e9ff77e4fd615e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 9 Jan 2018 23:42:29 +0100
Subject: [PATCH 5/5] HACK drsuapi less debug

---
 source4/rpc_server/drsuapi/drsutil.c      | 2 +-
 source4/rpc_server/drsuapi/getncchanges.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index 53bcb16..16e57e9 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -170,7 +170,7 @@ static WERROR drs_security_access_check_log(struct ldb_context *sam_ctx,
 	if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
 		DEBUG(3,("%s refused for security token on %s\n",
 			 ext_right, ldb_dn_get_linearized(dn)));
-		security_token_debug(2, 0, token);
+		security_token_debug(0, 3, token);
 		return WERR_DS_DRA_ACCESS_DENIED;
 	} else if (ret != LDB_SUCCESS) {
 		DEBUG(1,("Failed to perform access check on %s: %s\n", ldb_dn_get_linearized(dn), ldb_strerror(ret)));
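Review bot: the two leading arguments of `security_token_debug` change from `(2, 0, ...)` to `(0, 3, ...)`, so both the debug class and the debug level are altered in one line; check the prototype for which parameter is the class and which the level, because the evident intent (make the token dump appear at the same level as the `DEBUG(3,(...))` call just above it) only needs the level changed and the class should stay as it was, ideally as a DBGC_ constant rather than a bare 0. Like patch 4 this is marked HACK and should not be merged as is.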
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index b48e9c72..2290b96 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -2911,7 +2911,7 @@ allowed:
 	if (getnc_state) {
 		struct ldb_dn *new_dn = drs_ObjectIdentifier_to_dn(getnc_state, sam_ctx, ncRoot);
 		if (ldb_dn_compare(new_dn, getnc_state->ncRoot_dn) != 0) {
-			DEBUG(0,(__location__ ": DsGetNCChanges 2nd replication on different DN %s %s (last_dn %s)\n",
+			DEBUG(5,(__location__ ": DsGetNCChanges 2nd replication on different DN %s %s (last_dn %s)\n",
 				 ldb_dn_get_linearized(new_dn),
 				 ldb_dn_get_linearized(getnc_state->ncRoot_dn),
 				 ldb_dn_get_linearized(getnc_state->last_dn)));
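Review bot: raising this message (and the one in the following hunk) from level 0 to level 5 silences a diagnostic that was deliberately printed unconditionally when a second DsGetNCChanges replication arrives for a different DN or highwatermark; that may be acceptable to cut noise in a selftest run, but as a merged change it would hide a replication-state anomaly that administrators currently see by default. Since the patch is marked HACK, drop it from the series or justify the chosen level in the commit message.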
@@ -2924,7 +2924,7 @@ allowed:
 		ret = drsuapi_DsReplicaHighWaterMark_cmp(&getnc_state->last_hwm,
 							 &req10->highwatermark);
 		if (ret != 0) {
-			DEBUG(0,(__location__ ": DsGetNCChanges 2nd replication "
+			DEBUG(5,(__location__ ": DsGetNCChanges 2nd replication "
 				 "on DN %s %s highwatermark (last_dn %s)\n",
 				 ldb_dn_get_linearized(getnc_state->ncRoot_dn),
 				 (ret > 0) ? "older" : "newer",
-- 
1.9.1
