[Samba] map to guest = Bad Uid not working consistently

Rowland Penny rowlandpenny241155 at gmail.com
Wed Oct 7 07:44:55 UTC 2015


On 07/10/15 07:28, Ray Van Dolson wrote:
> Hi everyone;
>
> Running Samba 3.6.23 (RHEL5 stock latest version) with the following
> config:
>
> [global]
>          workgroup = DOMAIN
>          client signing = yes
>          client use spnego = yes
>          kerberos method = secrets and keytab
>          log file = /var/log/samba/samba.log
>          #log level = 0 auth:10 winbind:10 passdb:10
>          log level = 10
>          password server = *
>          realm = DOMAIN.COM
>          security = ads
>
>          map to guest = Bad Uid
>          winbind use default domain = yes
>
> Joined to Active Directory and winbind running.
>
> Goals are:
>
> - Users who authenticate against the domain and have a local named
>    account are mapped to that named account's UID.

Do you have users in /etc/passwd and AD with the same name?

Rowland

> - Users who authenticate against the domain but do *not* have a local
>    named account are mapped to the guest user ('nobody').
>
> This works perfectly with Kerberos logins.
>
> However, with non-Kerberos logins (presumably NTLM or NTLMv2?), this
> does *not* work.  It appears to me as though the login succeeds (test account's
> name is 'boxadmin'):
>
>    log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)
>    samba.log:  [13652]: pam auth crap domain: [DOMAIN] user: boxadmin
>
> However, because getpwnam() calls fail, authentication is denied:
>
>    samba.log:  Finding user boxadmin
>    samba.log:  Trying _Get_Pwnam(), username as lowercase is boxadmin
>    samba.log:  Trying _Get_Pwnam(), username as uppercase is BOXADMIN
>    samba.log:  Checking combinations of 0 uppercase letters in boxadmin
>    samba.log:  Get_Pwnam_internals didn't find user [boxadmin]!
>    samba.log:  Failed to find authenticated user DOMAIN\boxadmin via getpwnam(), denying access.
>    samba.log:  check_ntlm_password: winbind authentication for user [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
>    samba.log:  check_ntlm_password:  Authentication for user [boxadmin] -> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
>
> So for some reason, the map to guest = Bad Uid directive isn't getting
> used in this scenario.
>
> Feels like a bug?  Will see if I can reproduce w/ a newer Samba package
> from Sernet.
>
> (Oddly enough, in searching around for this found my own reference to
> the issue from back in 2014[1]).
>
> Ray
>
> [1] https://bugzilla.samba.org/show_bug.cgi?id=9862#c2
>
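
An added example, not part of the original messages: a log triage helper that correlates the debug lines quoted above to list users winbind accepted over NTLM but smbd then denied because getpwnam() found no local account. It assumes the line formats shown in the quoted log excerpts; the user "alice" in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: log lines in the format quoted in the message, plus a
# constructed user ("alice") with no getpwnam() failure or denial logged.
SAMPLE_LOG = r"""
log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)
samba.log:  Get_Pwnam_internals didn't find user [boxadmin]!
samba.log:  Failed to find authenticated user DOMAIN\boxadmin via getpwnam(), denying access.
samba.log:  check_ntlm_password:  Authentication for user [boxadmin] -> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[alice] returned NT_STATUS_OK (PAM: 0)
"""

# winbind accepted the NTLM challenge/response for DOMAIN\user
WB_OK = re.compile(
    r"NTLM CRAP authentication for user \[[^\]]*\]\\\[([^\]]+)\] returned NT_STATUS_OK")
# smbd could not resolve the authenticated user to a local passwd entry
NO_PW = re.compile(
    r"Failed to find authenticated user [^\\\s]+\\(\S+) via getpwnam\(\), denying access")
# final verdict from check_ntlm_password, with the NT status code
DENIED = re.compile(
    r"check_ntlm_password:\s+Authentication for user \[([^\]]+)\] -> \[[^\]]*\] "
    r"FAILED with error (NT_STATUS_\w+)")


def find_unmapped_denials(log_text):
    """Return {user: status} for users winbind accepted but smbd denied
    after a failed getpwnam() lookup, i.e. no guest mapping took place."""
    events = defaultdict(set)
    status = {}
    for line in log_text.splitlines():
        if m := WB_OK.search(line):
            events[m.group(1).lower()].add("wb_ok")
        elif m := NO_PW.search(line):
            events[m.group(1).lower()].add("no_passwd")
        elif m := DENIED.search(line):
            user = m.group(1).lower()
            events[user].add("denied")
            status[user] = m.group(2)
    required = {"wb_ok", "no_passwd", "denied"}
    return {u: status[u] for u, ev in events.items() if required <= ev}


if __name__ == "__main__":
    for user, code in find_unmapped_denials(SAMPLE_LOG).items():
        print(f"{user}: authenticated by winbind, denied by smbd ({code})")
```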



