[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid

Stefan Metzmacher metze at samba.org
Fri Mar 16 12:35:07 UTC 2018


On 16.03.2018 at 13:33, Stefan Metzmacher via samba-technical wrote:
> Hi Andreas,
> 
>>> In source3 we also have code that implements "map to guest = bad uid"
>>> and maps a kerberos authenticated user to guest.
>>>
>>> Now that we require a running winbindd on a member server,
>>> we should remove the "bad uid" hacks. Would anyone object
>>> to that? It would simplify a lot and might make it possible
>>> to understand all the strange code paths we have to construct
>>> an auth_session_info.
>>>
>>> I guess it is not needed to deprecate it first
>>> as this can only happen if /etc/nsswitch.conf is not configured correctly.
>>>
>>> Should I prepare patches to remove this ("bad uid")?
>>
>> Yes, please. :-)
> 
> Here're the patches on top.

Sorry, here's the correct patchset...

metze

From 403fcb51cd3b0eae4b4bd7a20fd515eeed7445ef Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 13:23:29 +0100
Subject: [PATCH 1/5] WHATSNEW: document "A Kerberos PAC is now required to be
 present"

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7bd3792..bcb3452 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -53,6 +53,15 @@ net ads keytab create no longer tries to generate SPN(s) from existing
 entries in a keytab file. If it is required to add Windows SPN(s) then
 'net ads setspn add' should be used instead.
 
+A Kerberos PAC is now required to be present
+--------------------------------------------
+
+As all implementations of an active directory domain controller
+(all versions of Windows and Samba) provide a PAC in a Kerberos service
+ticket, we no longer need a fallback to construct a user token
+based on just the Kerberos principal name.
+
+
 REMOVED FEATURES
 ================
 
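Review bot: the new WHATSNEW section says the principal-name fallback is gone but not what happens to a ticket that arrives without a PAC; add one sentence stating the outcome (the logon is rejected) so an admin reading the release notes can recognise the failure, and capitalise "Active Directory" in the first line to match the product name.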
-- 
1.9.1


From b26b0f02e96e2026eb35b89681f715a7dd82b3e8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 12:35:45 +0100
Subject: [PATCH 2/5] s3:auth: remove support for 'map to guest = bad uid' as
 we always require winbindd

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_util.c | 11 -----------
 source3/auth/user_krb5.c | 27 +++++----------------------
 2 files changed, 5 insertions(+), 33 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 3b951e7..06e17d4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -2068,17 +2068,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 				  &username_was_mapped);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
-		/* Handle 'map to guest = Bad Uid */
-		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
-		    (lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
-		    lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
-			DBG_NOTICE("Try to map %s to guest account",
-				   nt_username);
-			nt_status = make_server_info_guest(tmp_ctx, &result);
-			if (NT_STATUS_IS_OK(nt_status)) {
-				*server_info = talloc_move(mem_ctx, &result);
-			}
-		}
 		goto out;
 	}
 
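Review bot: the removed branch carried the only DBG_NOTICE on this failure path, so after this hunk a NT_STATUS_NO_SUCH_USER from the username mapping jumps to `out` with no log line; add a DBG_NOTICE (or DBG_WARNING) naming `nt_username` and the status here, otherwise a member server whose nsswitch.conf lacks winbind just produces a bare logon failure that is hard to diagnose now that the guest fallback no longer masks it.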
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 8998f9c..cb09e65 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -129,6 +129,11 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 	*mapped_to_guest = false;
 
 	pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+	if (!pw) {
+		DBG_NOTICE("Username %s is invalid on this system\n",
+			   fuser);
+		return NT_STATUS_LOGON_FAILURE;
+	}
 	if (pw) {
 		if (!unixuser) {
 			return NT_STATUS_NO_MEMORY;
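Review bot: the new early return on `!pw` makes the `if (pw) {` immediately after it always true; drop that conditional and de-indent its body so the function does not test the same pointer twice in consecutive statements.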
@@ -143,28 +148,6 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 			return status;
 		}
 	}
-	if (!pw) {
-
-		/* this was originally the behavior of Samba 2.2, if a user
-		   did not have a local uid but has been authenticated, then
-		   map them to a guest account */
-
-		if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
-			*mapped_to_guest = true;
-			fuser = talloc_strdup(mem_ctx, lp_guest_account());
-			if (!fuser) {
-				return NT_STATUS_NO_MEMORY;
-			}
-			pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
-		}
-
-		/* extra sanity check that the guest account is valid */
-		if (!pw) {
-			DBG_NOTICE("Username %s is invalid on this system\n",
-				  fuser);
-			return NT_STATUS_LOGON_FAILURE;
-		}
-	}
 
 	if (!unixuser) {
 		return NT_STATUS_NO_MEMORY;
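Review bot: with this block gone, `*mapped_to_guest` is set to false at the top of the function (the `*mapped_to_guest = false;` line in the previous hunk) and the removed `*mapped_to_guest = true;` was the only place it was ever set, so the out-parameter is now dead; either remove it from the signature and its callers in a follow-up patch or add a short comment explaining why it is kept.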
-- 
1.9.1


From a59d0de844e059599157f590824c9cad71c669cb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 12:36:40 +0100
Subject: [PATCH 3/5] lib/param: no longer allow 'map to guest = Bad Uid'

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 lib/param/loadparm.h    | 1 -
 lib/param/param_table.c | 1 -
 2 files changed, 2 deletions(-)

diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index b5d79b9..b75e29d 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -165,7 +165,6 @@ struct file_lists {
 #define NEVER_MAP_TO_GUEST 		0
 #define MAP_TO_GUEST_ON_BAD_USER 	1
 #define MAP_TO_GUEST_ON_BAD_PASSWORD 	2
-#define MAP_TO_GUEST_ON_BAD_UID 	3
 
 /*
  * This should be under the HAVE_KRB5 flag but since they're used
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index f9d3b55..7d89b8e 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -187,7 +187,6 @@ static const struct enum_list enum_map_to_guest[] = {
 	{NEVER_MAP_TO_GUEST, "Never"},
 	{MAP_TO_GUEST_ON_BAD_USER, "Bad User"},
 	{MAP_TO_GUEST_ON_BAD_PASSWORD, "Bad Password"},
-        {MAP_TO_GUEST_ON_BAD_UID, "Bad Uid"},
 	{-1, NULL}
 };
 
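Review bot: dropping the enum entry means an existing smb.conf that still contains `map to guest = Bad Uid` will now fail to parse as an unknown value rather than being silently ignored; confirm that the loadparm error at that point names both the parameter and the rejected value (and that testparm reports it), since that is the message admins upgrading from 4.7 will see.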
-- 
1.9.1


From ccb769ed89a2d52a7b5258b1d315b059e44abed2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 12:37:09 +0100
Subject: [PATCH 4/5] docs-xml: remove 'map to guest = Bad Uid'

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/security/maptoguest.xml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml
index c98086a..d5a4a8e 100644
--- a/docs-xml/smbdotconf/security/maptoguest.xml
+++ b/docs-xml/smbdotconf/security/maptoguest.xml
@@ -37,16 +37,6 @@
 	    <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to 
 	    guest</parameter> parameter this way :-).</para>
 	</listitem>
-	<listitem>
-	    <para><constant>Bad Uid</constant> - Is only applicable when Samba is configured
-	    in some type of domain mode security (security = {domain|ads}) and means that
-	    user logins which are successfully authenticated but which have no valid Unix
-	    user account (and smbd is unable to create one) should be mapped to the defined
-	    guest account. This was the default behavior of Samba 2.x releases.  Note that 
-	    if a member server is running winbindd,  this option should never be required
-	    because the nss_winbind library will export the Windows domain users and groups
-	    to the underlying OS via the Name Service Switch interface.</para>
-	</listitem>
     </itemizedlist>
 
     <para>Note that this parameter is needed to set up "Guest" 
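Review bot: the removed listitem was also where the man page told readers that nss_winbind exports domain users and groups to the OS via the Name Service Switch; since that hint is now the only explanation for why an authenticated domain user can still fail to log on, consider keeping that one sentence in the surrounding text (for example next to the "Bad User" item) rather than deleting it with the "Bad Uid" description.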
-- 
1.9.1


From 2f076e8a6c403116e3bbb2ce2c230ff495835c9b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 13:24:00 +0100
Subject: [PATCH 5/5] WHATSNEW: document "map to guest = Bad Uid" removal

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index bcb3452..57ea3cc 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -61,6 +61,15 @@ As all implementations of an active directory domain controller
 ticket, we no longer need a fallback to construct a user token
 based on just the Kerberos principal name.
 
+"map to guest = Bad Uid" removed
+-----------------------------------------------------------------
+
+As a running winbindd is required/available (since 4.8) for setups
+where users might be authenticated on a remote domain controller
+(via NTLMSSP or Kerberos) we no longer need the behavior of
+"map to guest = Bad Uid", so it is no longer possible to
+configure this.
+
 
 REMOVED FEATURES
 ================
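Review bot: the underline on the `"map to guest = Bad Uid" removed` heading is roughly twice the heading's length, while the preceding section in the same file sizes the dashes to the title; trim it to match. The phrase `required/available (since 4.8)` is also ambiguous about which of the two applies; `required (since Samba 4.8)` reads more clearly and matches the commit subject of patch 2.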
@@ -72,7 +81,8 @@ smb.conf changes
 
   Parameter Name                     Description             Default
   --------------                     -----------             -------
-
+  map to guest                       Removed Value
+                                     "Bad Uid"
 
 KNOWN ISSUES
 ============
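Review bot: the new row splits `Removed Value` and `"Bad Uid"` across two lines under the Description column, which reads as two entries in a plain-text table; put `Removed Value "Bad Uid"` on one line if the column width allows. The hunk also drops the only blank line after the header rule, so the table now runs straight into the `KNOWN ISSUES` heading with a single blank; keep the separator line for consistency with the rest of the file.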
-- 
1.9.1
