[Samba] SMB Signing with "map to guest = " options

Andrew Bartlett abartlet at samba.org
Mon Feb 18 08:33:11 UTC 2019 

On Wed, 2019-02-13 at 23:58 -0600, shivappa Sangapur via samba wrote:
> Hi,
> 
> I'm using samba-4.7.x
> I have some confusions over "map to guest=" options with setting SMB
> Signing
> 
> 
> I want to understand why in case of *#2 and #5* it is not opening
> shares of
> my smb-4.7.x shares,
> 

This is probably a case we haven't really consdidered before. 

'map to guest = bad uid' is quite different to the other map to guest
options, because in this case a full authentication against the DC was
done and we have correct session keys. 

The bug is in:

NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, 
				const char *sent_nt_username,
				const char *domain,
				struct auth_serversupplied_info **server_info,
				const struct netr_SamInfo3 *info3)

The problem is this bit:

	nt_status = check_account(tmp_ctx,
				  nt_domain,
				  nt_username,
				  &found_username,
				  &pwd,
				  &username_was_mapped);

	if (!NT_STATUS_IS_OK(nt_status)) {
		/* Handle 'map to guest = Bad Uid */
		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
		    (lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
		    lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
			DBG_NOTICE("Try to map %s to guest account",
				   nt_username);
			nt_status = make_server_info_guest(tmp_ctx, &result);
			if (NT_STATUS_IS_OK(nt_status)) {
				*server_info = talloc_move(mem_ctx, &result);
			}
		}
		goto out;
	}

It needs to still run this part form the tail of the function, not skip over it with the 'goto out'

	/* ensure we are never given NULL session keys */

	if (all_zero(info3->base.key.key, sizeof(info3->base.key.key))) {
		result->session_key = data_blob_null;
	} else {
		result->session_key = data_blob_talloc(
			result, info3->base.key.key,
			sizeof(info3->base.key.key));
	}

	if (all_zero(info3->base.LMSessKey.key,
		     sizeof(info3->base.LMSessKey.key))) {
		result->lm_session_key = data_blob_null;
	} else {
		result->lm_session_key = data_blob_talloc(
			result, info3->base.LMSessKey.key,
			sizeof(info3->base.LMSessKey.key));
	}

Then it might work.

I realise you were probably not expecting to be preparing patches and
writing tests (the harder part), but these clues should assist if you
do want to try.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list