[Samba] map to guest = Bad Uid not working consistently

Ray Van Dolson rvandolson at esri.com
Wed Oct 7 06:28:34 UTC 2015


Hi everyone;

Running Samba 3.6.23 (RHEL5 stock latest version) with the following
config:

[global]
        workgroup = DOMAIN
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        log file = /var/log/samba/samba.log
        #log level = 0 auth:10 winbind:10 passdb:10
        log level = 10
        password server = *
        realm = DOMAIN.COM
        security = ads

        map to guest = Bad Uid
        winbind use default domain = yes

Joined to Active Directory and winbind running.

Goals are:

- Users who authenticate against the domain and have a local named
  account are mapped to that named account's UID.
- Users who authenticate against the domain but do *not* have a local
  named account are mapped to the guest user ('nobody').

This works perfectly with Kerberos logins.

However, with non-Kerberos logins (presumably NTLM or NTLMv2?), this
does *not* work.  It appears to me as though the login succeeds (test account's
name is 'boxadmin'):

  log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)
  samba.log:  [13652]: pam auth crap domain: [DOMAIN] user: boxadmin

However, because getpwnam() calls fail, authentication is denied:

  samba.log:  Finding user boxadmin
  samba.log:  Trying _Get_Pwnam(), username as lowercase is boxadmin
  samba.log:  Trying _Get_Pwnam(), username as uppercase is BOXADMIN
  samba.log:  Checking combinations of 0 uppercase letters in boxadmin
  samba.log:  Get_Pwnam_internals didn't find user [boxadmin]!
  samba.log:  Failed to find authenticated user DOMAIN\boxadmin via getpwnam(), denying access.
  samba.log:  check_ntlm_password: winbind authentication for user [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
  samba.log:  check_ntlm_password:  Authentication for user [boxadmin] -> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER

So for some reason, the map to guest = Bad Uid directive isn't getting
used in this scenario.

Feels like a bug?  Will see if I can reproduce w/ a newer Samba package
from Sernet.

(Oddly enough, in searching around for this I found my own reference to
the issue from back in 2014[1]).

Ray

[1] https://bugzilla.samba.org/show_bug.cgi?id=9862#c2
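
Added example, not part of the original post and not Samba code: a Python log correlator that uses the log lines quoted above to list users whom winbind authenticated (NT_STATUS_OK) but smbd then denied with NT_STATUS_NO_SUCH_USER after the getpwnam() lookup failed. The function name find_unmapped_denials and the 'localuser' and 'typo' sample lines are constructed for illustration.

```python
import re

# Patterns follow the log lines quoted in the post; any "file:" prefix is ignored.
WB_RESULT = re.compile(
    r"NTLM CRAP authentication for user \[([^\]]*)\]\\\[([^\]]+)\] returned (NT_STATUS_\w+)")
PWNAM_DENY = re.compile(
    r"Failed to find authenticated user \S+?\\(\S+) via getpwnam\(\), denying access")
FINAL_FAIL = re.compile(
    r"check_ntlm_password:\s+Authentication for user \[[^\]]+\] -> \[([^\]]+)\] "
    r"FAILED with error (NT_STATUS_\w+)")

# boxadmin lines are from the post; 'localuser' and 'typo' lines are constructed.
SAMPLE = r"""log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)
samba.log:  Failed to find authenticated user DOMAIN\boxadmin via getpwnam(), denying access.
samba.log:  check_ntlm_password:  Authentication for user [boxadmin] -> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[localuser] returned NT_STATUS_OK (PAM: 0)
log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[typo] returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
samba.log:  check_ntlm_password:  Authentication for user [typo] -> [typo] FAILED with error NT_STATUS_WRONG_PASSWORD
""".splitlines()

def find_unmapped_denials(lines):
    """Return sorted users that winbind accepted but smbd denied for lack of a
    local account, i.e. logins where guest mapping was expected but not applied."""
    state = {}  # lowercased user -> set of stages seen in the logs
    for line in lines:
        if m := WB_RESULT.search(line):
            # Only a successful domain authentication counts as the first stage.
            if m.group(3) == "NT_STATUS_OK":
                state.setdefault(m.group(2).lower(), set()).add("wb_ok")
        elif m := PWNAM_DENY.search(line):
            state.setdefault(m.group(1).lower(), set()).add("pwnam_deny")
        elif m := FINAL_FAIL.search(line):
            # Wrong-password failures are genuine denials and are skipped.
            if m.group(2) == "NT_STATUS_NO_SUCH_USER":
                state.setdefault(m.group(1).lower(), set()).add("no_such_user")
    wanted = {"wb_ok", "pwnam_deny", "no_such_user"}
    return sorted(u for u, seen in state.items() if wanted <= seen)

if __name__ == "__main__":
    print(find_unmapped_denials(SAMPLE))
```

Feed it the combined lines of log.wb-DOMAIN and samba.log; it only reports a user when all three stages appear, so ordinary bad-password failures are not flagged.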
