[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid
Stefan Metzmacher
metze at samba.org
Fri Mar 16 12:35:07 UTC 2018
On 16.03.2018 at 13:33, Stefan Metzmacher via samba-technical wrote:
> Hi Andreas,
>
>>> In source3 we also have code that implements "map to guest = bad uid"
>>> and maps a kerberos authenticated user to guest.
>>>
>>> Now that we require a running winbindd on a member server,
>>> we should remove the "bad uid" hacks. Would anyone object
>>> to that? It would simplify a lot and might make it possible
>>> to understand all the strange code paths we have to construct
>>> an auth_session_info.
>>>
>>> I guess it is not needed to deprecate it first
>>> as this can only happen if /etc/nsswitch.conf is not configured correctly.
>>>
>>> Should I prepare patches to remove this ("bad uid")?
>>
>> Yes, please. :-)
>
> Here're the patches on top.
Sorry, here's the correct patchset...
metze
-------------- next part --------------
From 403fcb51cd3b0eae4b4bd7a20fd515eeed7445ef Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 13:23:29 +0100
Subject: [PATCH 1/5] WHATSNEW: document "A Kerberos PAC is now required to be
present"
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
WHATSNEW.txt | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7bd3792..bcb3452 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -53,6 +53,15 @@ net ads keytab create no longer tries to generate SPN(s) from existing
entries in a keytab file. If it is required to add Windows SPN(s) then
'net ads setspn add' should be used instead.
+A Kerberos PAC is now required to be present
+--------------------------------------------
+
+As all implementations of an active directory domain controller
+(all versions of Windows and Samba) provide a PAC in a Kerberos service
+ticket, we no longer need a fallback to construct a user token
+based on just the Kerberos principal name.
+
+
REMOVED FEATURES
================
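Review bot: The new WHATSNEW section gives the rationale but not the observable change. It should state what now happens to a Kerberos service ticket that carries no PAC (the logon is rejected instead of falling back to a token built from the principal name), because that is what an administrator troubleshooting a failed Kerberos logon after the upgrade will look for.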
--
1.9.1
From b26b0f02e96e2026eb35b89681f715a7dd82b3e8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 12:35:45 +0100
Subject: [PATCH 2/5] s3:auth: remove support for 'map to guest = bad uid' as
we always require winbindd
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth_util.c | 11 -----------
source3/auth/user_krb5.c | 27 +++++----------------------
2 files changed, 5 insertions(+), 33 deletions(-)
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 3b951e7..06e17d4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -2068,17 +2068,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
&username_was_mapped);
if (!NT_STATUS_IS_OK(nt_status)) {
- /* Handle 'map to guest = Bad Uid */
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
- (lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
- lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
- DBG_NOTICE("Try to map %s to guest account",
- nt_username);
- nt_status = make_server_info_guest(tmp_ctx, &result);
- if (NT_STATUS_IS_OK(nt_status)) {
- *server_info = talloc_move(mem_ctx, &result);
- }
- }
goto out;
}
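Review bot: With the fallback removed, an NT_STATUS_NO_SUCH_USER from the username lookup now propagates via the `goto out;` without any log line, whereas before the DBG_NOTICE at least named the user. Consider adding a DBG_NOTICE (or DBG_WARNING) that names `nt_username` in the `!NT_STATUS_IS_OK(nt_status)` branch, so the misconfigured /etc/nsswitch.conf case the cover letter cites leaves a hint as to why a successfully authenticated user was rejected.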
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 8998f9c..cb09e65 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -129,6 +129,11 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
*mapped_to_guest = false;
pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+ if (!pw) {
+ DBG_NOTICE("Username %s is invalid on this system\n",
+ fuser);
+ return NT_STATUS_LOGON_FAILURE;
+ }
if (pw) {
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
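Review bot: The new early `return NT_STATUS_LOGON_FAILURE;` makes the `if (pw) {` test that immediately follows it always true. Flattening that block in the same patch (dropping the condition and one level of indentation) would leave the function easier to read and make the diff reflect the actual new control flow.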
@@ -143,28 +148,6 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
return status;
}
}
- if (!pw) {
-
- /* this was originally the behavior of Samba 2.2, if a user
- did not have a local uid but has been authenticated, then
- map them to a guest account */
-
- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
- *mapped_to_guest = true;
- fuser = talloc_strdup(mem_ctx, lp_guest_account());
- if (!fuser) {
- return NT_STATUS_NO_MEMORY;
- }
- pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
- }
-
- /* extra sanity check that the guest account is valid */
- if (!pw) {
- DBG_NOTICE("Username %s is invalid on this system\n",
- fuser);
- return NT_STATUS_LOGON_FAILURE;
- }
- }
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
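Review bot: Once the `if (!pw)` block is gone, `pw` is guaranteed non-NULL by the time the trailing `if (!unixuser) return NT_STATUS_NO_MEMORY;` is reached, and the same check already runs inside the `if (pw)` block shown in the previous hunk; one of the two copies can be dropped. The removed comment about the Samba 2.2 origin of the guest mapping is worth carrying into the commit message so the history stays findable with git log.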
--
1.9.1
From a59d0de844e059599157f590824c9cad71c669cb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 12:36:40 +0100
Subject: [PATCH 3/5] lib/param: no longer allow 'map to guest = Bad Uid'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
lib/param/loadparm.h | 1 -
lib/param/param_table.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index b5d79b9..b75e29d 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -165,7 +165,6 @@ struct file_lists {
#define NEVER_MAP_TO_GUEST 0
#define MAP_TO_GUEST_ON_BAD_USER 1
#define MAP_TO_GUEST_ON_BAD_PASSWORD 2
-#define MAP_TO_GUEST_ON_BAD_UID 3
/*
* This should be under the HAVE_KRB5 flag but since they're used
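Review bot: Removing `MAP_TO_GUEST_ON_BAD_UID` from the header breaks the build for any remaining reference to it, and the diffstat of patch 2 only touches source3/auth/auth_util.c and source3/auth/user_krb5.c; a tree-wide grep for the constant (including source4 and the test suites) before merging would confirm nothing else still uses it.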
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index f9d3b55..7d89b8e 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -187,7 +187,6 @@ static const struct enum_list enum_map_to_guest[] = {
{NEVER_MAP_TO_GUEST, "Never"},
{MAP_TO_GUEST_ON_BAD_USER, "Bad User"},
{MAP_TO_GUEST_ON_BAD_PASSWORD, "Bad Password"},
- {MAP_TO_GUEST_ON_BAD_UID, "Bad Uid"},
{-1, NULL}
};
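Review bot: Dropping the "Bad Uid" entry from `enum_map_to_guest` turns an existing `map to guest = Bad Uid` line in smb.conf into a generic invalid-value error at startup. Consider having loadparm (or testparm) emit a message that names the removed value and points at WHATSNEW, so upgraded installations fail with an actionable diagnostic rather than a bare parse error.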
--
1.9.1
From ccb769ed89a2d52a7b5258b1d315b059e44abed2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 12:37:09 +0100
Subject: [PATCH 4/5] docs-xml: remove 'map to guest = Bad Uid'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
docs-xml/smbdotconf/security/maptoguest.xml | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml
index c98086a..d5a4a8e 100644
--- a/docs-xml/smbdotconf/security/maptoguest.xml
+++ b/docs-xml/smbdotconf/security/maptoguest.xml
@@ -37,16 +37,6 @@
<emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to
guest</parameter> parameter this way :-).</para>
</listitem>
- <listitem>
- <para><constant>Bad Uid</constant> - Is only applicable when Samba is configured
- in some type of domain mode security (security = {domain|ads}) and means that
- user logins which are successfully authenticated but which have no valid Unix
- user account (and smbd is unable to create one) should be mapped to the defined
- guest account. This was the default behavior of Samba 2.x releases. Note that
- if a member server is running winbindd, this option should never be required
- because the nss_winbind library will export the Windows domain users and groups
- to the underlying OS via the Name Service Switch interface.</para>
- </listitem>
</itemizedlist>
<para>Note that this parameter is needed to set up "Guest"
--
1.9.1
From 2f076e8a6c403116e3bbb2ce2c230ff495835c9b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 13:24:00 +0100
Subject: [PATCH 5/5] WHATSNEW: document "map to guest = Bad Uid" removal
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
WHATSNEW.txt | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index bcb3452..57ea3cc 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -61,6 +61,15 @@ As all implementations of an active directory domain controller
ticket, we no longer need a fallback to construct a user token
based on just the Kerberos principal name.
+"map to guest = Bad Uid" removed
+-----------------------------------------------------------------
+
+As a running winbindd is required/available (since 4.8) for setups
+where users might be authenticated on a remote domain controller
+(via NTLMSSP or Kerberos) we no longer need the behavior of
+"map to guest = Bad Uid", so it is no longer possible to
+configure this.
+
REMOVED FEATURES
================
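Review bot: The underline on the new heading is far longer than the heading text, while the section added in patch 1 uses an underline matching its title length; trim this one to match. The wording "required/available (since 4.8)" is also ambiguous about whether winbindd is merely available or strictly required; patch 2's commit message says it is always required, so say "required" here.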
@@ -72,7 +81,8 @@ smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
-
+ map to guest Removed Value
+ "Bad Uid"
KNOWN ISSUES
============
--
1.9.1