[Samba] map to guest = Bad Uid not working consistently
Ray Van Dolson
rvandolson at esri.com
Wed Oct 7 06:28:34 UTC 2015
Hi everyone;
Running Samba 3.6.23 (RHEL5 stock latest version) with the following
config:
[global]
workgroup = DOMAIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/samba.log
#log level = 0 auth:10 winbind:10 passdb:10
log level = 10
password server = *
realm = DOMAIN.COM
security = ads
map to guest = Bad Uid
winbind use default domain = yes
Joined to Active Directory and winbind running.
Goals are:
- Users who authenticate against the domain and have a local named
account are mapped to that named account's UID.
- Users who authenticate against the domain but do *not* have a local
named account are mapped to the guest user ('nobody').
This works perfectly with Kerberos logins.
However, with non-Kerberos logins (presumably NTLM or NTLMv2?), this
does *not* work. It appears to me as though the login succeeds (test account's
name is 'boxadmin'):
log.wb-DOMAIN: NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)
samba.log: [13652]: pam auth crap domain: [DOMAIN] user: boxadmin
However, because getpwnam() calls fail, authentication is denied:
samba.log: Finding user boxadmin
samba.log: Trying _Get_Pwnam(), username as lowercase is boxadmin
samba.log: Trying _Get_Pwnam(), username as uppercase is BOXADMIN
samba.log: Checking combinations of 0 uppercase letters in boxadmin
samba.log: Get_Pwnam_internals didn't find user [boxadmin]!
samba.log: Failed to find authenticated user DOMAIN\boxadmin via getpwnam(), denying access.
samba.log: check_ntlm_password: winbind authentication for user [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
samba.log: check_ntlm_password: Authentication for user [boxadmin] -> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
So for some reason, the map to guest = Bad Uid directive isn't getting
used in this scenario.
Feels like a bug? Will see if I can reproduce w/ a newer Samba package
from Sernet.
(Oddly enough, in searching around for this found my own reference to
the issue from back in 2014[1]).
Ray
[1] https://bugzilla.samba.org/show_bug.cgi?id=9862#c2
More information about the samba
mailing list