[Samba] SMB Signing with "map to guest = " options

Andrew Bartlett abartlet at samba.org
Mon Feb 18 08:33:11 UTC 2019

On Wed, 2019-02-13 at 23:58 -0600, shivappa Sangapur via samba wrote:
> Hi,
> I'm using samba-4.7.x
> I have some confusions over "map to guest=" options with setting SMB
> Signing
> I want to understand why in case of *#2 and #5* it is not opening
> shares of
> my smb-4.7.x shares,

This is probably a case we haven't really consdidered before. 

'map to guest = bad uid' is quite different to the other map to guest
options, because in this case a full authentication against the DC was
done and we have correct session keys. 

The bug is in:

NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, 
				const char *sent_nt_username,
				const char *domain,
				struct auth_serversupplied_info **server_info,
				const struct netr_SamInfo3 *info3)

The problem is this bit:

	nt_status = check_account(tmp_ctx,

	if (!NT_STATUS_IS_OK(nt_status)) {
		/* Handle 'map to guest = Bad Uid */
		    (lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
		    lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
			DBG_NOTICE("Try to map %s to guest account",
			nt_status = make_server_info_guest(tmp_ctx, &result);
			if (NT_STATUS_IS_OK(nt_status)) {
				*server_info = talloc_move(mem_ctx, &result);
		goto out;

It needs to still run this part form the tail of the function, not skip over it with the 'goto out'

	/* ensure we are never given NULL session keys */

	if (all_zero(info3->base.key.key, sizeof(info3->base.key.key))) {
		result->session_key = data_blob_null;
	} else {
		result->session_key = data_blob_talloc(
			result, info3->base.key.key,

	if (all_zero(info3->base.LMSessKey.key,
		     sizeof(info3->base.LMSessKey.key))) {
		result->lm_session_key = data_blob_null;
	} else {
		result->lm_session_key = data_blob_talloc(
			result, info3->base.LMSessKey.key,

Then it might work.

I realise you were probably not expecting to be preparing patches and
writing tests (the harder part), but these clues should assist if you
do want to try.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list