[Samba] SMB Signing with "map to guest = " options
Andrew Bartlett
abartlet at samba.org
Mon Feb 18 08:33:11 UTC 2019
On Wed, 2019-02-13 at 23:58 -0600, shivappa Sangapur via samba wrote:
> Hi,
>
> I'm using samba-4.7.x
> I have some confusions over "map to guest=" options with setting SMB
> Signing
>
>
> I want to understand why in case of *#2 and #5* it is not opening
> shares of
> my smb-4.7.x shares,
>
This is probably a case we haven't really consdidered before.
'map to guest = bad uid' is quite different to the other map to guest
options, because in this case a full authentication against the DC was
done and we have correct session keys.
The bug is in:
NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
const char *sent_nt_username,
const char *domain,
struct auth_serversupplied_info **server_info,
const struct netr_SamInfo3 *info3)
The problem is this bit:
nt_status = check_account(tmp_ctx,
nt_domain,
nt_username,
&found_username,
&pwd,
&username_was_mapped);
if (!NT_STATUS_IS_OK(nt_status)) {
/* Handle 'map to guest = Bad Uid */
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
(lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
DBG_NOTICE("Try to map %s to guest account",
nt_username);
nt_status = make_server_info_guest(tmp_ctx, &result);
if (NT_STATUS_IS_OK(nt_status)) {
*server_info = talloc_move(mem_ctx, &result);
}
}
goto out;
}
It needs to still run this part form the tail of the function, not skip over it with the 'goto out'
/* ensure we are never given NULL session keys */
if (all_zero(info3->base.key.key, sizeof(info3->base.key.key))) {
result->session_key = data_blob_null;
} else {
result->session_key = data_blob_talloc(
result, info3->base.key.key,
sizeof(info3->base.key.key));
}
if (all_zero(info3->base.LMSessKey.key,
sizeof(info3->base.LMSessKey.key))) {
result->lm_session_key = data_blob_null;
} else {
result->lm_session_key = data_blob_talloc(
result, info3->base.LMSessKey.key,
sizeof(info3->base.LMSessKey.key));
}
Then it might work.
I realise you were probably not expecting to be preparing patches and
writing tests (the harder part), but these clues should assist if you
do want to try.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list