[PATCH 1/2] s3-auth: fix force user for AD user
Andreas Schneider
asn at samba.org
Tue Feb 4 01:59:22 MST 2014
On Thursday 30 January 2014 22:33:20 Andrew Bartlett wrote:
> On Thu, 2014-01-30 at 10:29 +0100, Andreas Schneider wrote:
> > On Thursday 30 January 2014 22:22:48 Andrew Bartlett wrote:
> > > On Thu, 2014-01-30 at 08:32 +0100, Andreas Schneider wrote:
> > > > On Thursday 30 January 2014 09:40:07 you wrote:
> > > > > On Wed, 2014-01-29 at 17:33 +0100, Andreas Schneider wrote:
> > > > > > On Wednesday 22 January 2014 10:25:46 Andrew Bartlett wrote:
> > > > > > > I still don't understand/see how it addresses the code paths I
> > > > > > > was
> > > > > > > concerned about, so I think the way to best address that and to
> > > > > > > keep
> > > > > > > this working is to add an automated test for them. That is, one
> > > > > > > for
> > > > > > > plaintext passwords and then one for the case you are fixing
> > > > > > > (ktest
> > > > > > > covers the kerberos case that worried me, which assuming this
> > > > > > > passes
> > > > > > > a
> > > > > > > make test improves my confidence considerably). I realise it
> > > > > > > may be
> > > > > > > hard to fully test given the limitations of the non-root
> > > > > > > environment,
> > > > > > > but at the very least have it walk over the code paths.
> > > > > >
> > > > > > Hi Andrew,
> > > > > >
> > > > > > I'm sorry, but I'm not able to trigger the codepath you're
> > > > > > concerned
> > > > > > about
> > > > > > at all, even in master!
> > > > > >
> > > > > > The reason is that the plaintext password in the user struct is
> > > > > > always
> > > > > > set
> > > > > > to NULL passed to pass_check() in source3/auth/auth_unix.c
> > > > > >
> > > > > >
> > > > > > [2014/01/29 17:28:28.495413, 100, pid=10495, effective(0, 0),
> > > > > > real(0,
> > > > > > 0),
> > > > > > class=auth] ../source3/auth/pass_check.c:618(pass_check)
> > > > > >
> > > > > > checking user=[asn] pass=[(null)]
> > > > >
> > > > > You would also need 'encrypt passwords = no'.
> > > > >
> > > > > > [global]
> > > > > >
> > > > > > workgroup = LEVEL1
> > > > > > security = user
> > > > > > map to guest = Bad User
> > > > > > logon path = \\%L\profiles\.msprofile
> > > > > > logon home = \\%L\%U\.9xprofile
> > > > > > logon drive = P:
> > > > > > usershare allow guests = Yes
> > > > > >
> > > > > >
> > > > > > #log file = /var/log/samba/log.%m
> > > > > > max log size = 0
> > > > > > log level = 100
> > > > > > debug pid = yes
> > > > > >
> > > > > > client plaintext auth = yes
> > > > > > passwd chat debug = Yes
> > > > > >
> > > > > > auth methods = unix
> > > > >
> > > > > You shouldn't need that once we set 'encrypt passwords = no'.
> > > >
> > > > asn at samba:~> cat /etc/samba/smb.conf
> > > > [global]
> > > >
> > > > workgroup = LEVEL1
> > > > security = user
> > > > map to guest = Bad User
> > > > logon path = \\%L\profiles\.msprofile
> > > > logon home = \\%L\%U\.9xprofile
> > > > logon drive = P:
> > > > usershare allow guests = Yes
> > > >
> > > >
> > > > #log file = /var/log/samba/log.%m
> > > > max log size = 0
> > > > log level = 100
> > > > debug pid = yes
> > > >
> > > > encrypt passwords = No
> > > > client plaintext auth = Yes
> > > > client ntlmv2 auth = No
> > > > passwd chat debug = Yes
> > > > auth methods = unix
> > > >
> > > > [test]
> > > >
> > > > path = /srv/samba/test
> > > > writeable = Yes
> > > >
> > > > Whatever I set with 'encrypt passwords = No' I get
> > > >
> > > > asn at samba:~> smbclient -I 192.168.100.103 //SAMBA/test -Uasn%secret
> > > > Server requested PLAINTEXT password but 'client plaintext auth = no'
> > > > or
> > > > 'client ntlmv2 auth = yes'
> > > > session setup failed: NT_STATUS_ACCESS_DENIED
> > >
> > > I guess that's what happens when we don't have any tests for this...
> >
> > Untested code is broken code ;)
>
> Yeah, exactly.
>
> > I can't create a testcase for it cause I'm busy with getting the first
> > cwrap release out.
>
> No worries. I realise it is a large (growing) task.
>
> > I also have have socket_wrapper bugs which need to be fixed and
> > metze is waiting for new features for dcerpc.
> >
> > Thanks for reviewing the changes.
>
> Thanks for you patience.
Can I push the patchset with your review or could you do it?
Thanks,
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
More information about the samba-technical
mailing list