[Samba] map to guest = Bad Uid not working consistently

Ray Van Dolson rvandolson at esri.com
Wed Oct 7 14:57:16 UTC 2015


On Wed, Oct 07, 2015 at 08:44:55AM +0100, Rowland Penny wrote:
> On 07/10/15 07:28, Ray Van Dolson wrote:
> >Hi everyone;
> >
> >Running Samba 3.6.23 (RHEL5 stock latest version) with the following
> >config:
> >
> >[global]
> >         workgroup = DOMAIN
> >         client signing = yes
> >         client use spnego = yes
> >         kerberos method = secrets and keytab
> >         log file = /var/log/samba/samba.log
> >         #log level = 0 auth:10 winbind:10 passdb:10
> >         log level = 10
> >         password server = *
> >         realm = DOMAIN.COM
> >         security = ads
> >
> >         map to guest = Bad Uid
> >         winbind use default domain = yes
> >
> >Joined to Active Directory and winbind running.
> >
> >Goals are:
> >
> >- Users who authenticate against the domain and have a local named
> >   account are mapped to that named account's UID.
> 
> Do you have users in /etc/passwd and AD with the same name?
> 

Yes -- well, sort of.  In NIS.

Ray

> Rowland
> 
> >- Users who authenticate against the domain but do *not* have a local
> >   named account are mapped to the guest user ('nobody').
> >
> >This works perfectly with Kerberos logins.
> >
> >However, with non-Kerberos logins (presumably NTLM or NTLMv2?), this
> >does *not* work.  It appears to me as though the login succeeds (test account's
> >name is 'boxadmin'):
> >
> >   log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)
> >   samba.log:  [13652]: pam auth crap domain: [DOMAIN] user: boxadmin
> >
> >However, because getpwnam() calls fail, authentication is denied:
> >
> >   samba.log:  Finding user boxadmin
> >   samba.log:  Trying _Get_Pwnam(), username as lowercase is boxadmin
> >   samba.log:  Trying _Get_Pwnam(), username as uppercase is BOXADMIN
> >   samba.log:  Checking combinations of 0 uppercase letters in boxadmin
> >   samba.log:  Get_Pwnam_internals didn't find user [boxadmin]!
> >   samba.log:  Failed to find authenticated user DOMAIN\boxadmin via getpwnam(), denying access.
> >   samba.log:  check_ntlm_password: winbind authentication for user [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
> >   samba.log:  check_ntlm_password:  Authentication for user [boxadmin] -> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
> >
> >So for some reason, the map to guest = Bad Uid directive isn't getting
> >used in this scenario.
> >
> >Feels like a bug?  Will see if I can reproduce w/ a newer Samba package
> >from Sernet.
> >
> >(Oddly enough, in searching around for this found my own reference to
> >the issue from back in 2014[1]).
> >
> >Ray
> >
> >[1] https://bugzilla.samba.org/show_bug.cgi?id=9862#c2
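
An added example, not part of the original thread and not Samba code: a small log triage script that correlates winbind's NTLM success with the later getpwnam() denial, so accounts hitting the failure mode described in the message above can be picked out of the logs. It assumes the grep-style `file:  message` line form shown in the post; the function name `triage`, the verdict strings and the `alice` line are hypothetical.

```python
import re

# The first four lines are quoted from the post; the "alice" line is
# constructed for contrast (domain auth OK, no denial logged).
SAMPLE = r"""
log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[boxadmin] returned NT_STATUS_OK (PAM: 0)
samba.log:  Get_Pwnam_internals didn't find user [boxadmin]!
samba.log:  Failed to find authenticated user DOMAIN\boxadmin via getpwnam(), denying access.
samba.log:  check_ntlm_password:  Authentication for user [boxadmin] -> [boxadmin] FAILED with error NT_STATUS_NO_SUCH_USER
log.wb-DOMAIN:  NTLM CRAP authentication for user [DOMAIN]\[alice] returned NT_STATUS_OK (PAM: 0)
""".strip().splitlines()

# winbind's verdict on the NTLM challenge/response
WB_OK = re.compile(
    r"NTLM CRAP authentication for user \[([^\]]*)\]\\\[([^\]]*)\] returned (NT_STATUS_\w+)")
# smbd could not resolve the authenticated name to a Unix account
NO_PW = re.compile(
    r"Failed to find authenticated user ([^\\\s]+)\\(\S+) via getpwnam\(\), denying access")
# smbd's final result for the session setup
FINAL = re.compile(
    r"check_ntlm_password:\s+Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] "
    r"FAILED with error (NT_STATUS_\w+)")


def triage(lines):
    """Return {user: verdict}, flagging domain-authenticated users denied for lack of a Unix account."""
    verdict = {}
    for line in lines:
        if m := WB_OK.search(line):
            ok = m.group(3) == "NT_STATUS_OK"
            verdict[m.group(2).lower()] = "domain-auth-ok" if ok else "domain-auth-failed"
        elif m := NO_PW.search(line):
            user = m.group(2).lower()
            # Only a denial that follows a domain success is the case of interest.
            if verdict.get(user) == "domain-auth-ok":
                verdict[user] = "denied-no-local-account"
        elif m := FINAL.search(line):
            # Keep an earlier, more specific verdict if one exists.
            verdict.setdefault(m.group(1).lower(), "failed:" + m.group(3))
    return verdict


if __name__ == "__main__":
    for user, state in triage(SAMPLE).items():
        print(f"{user}: {state}")
```
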
