authorRalph Boehme <slow@samba.org>2019-05-13 20:16:47 +0200
committerKarolin Seeger <kseeger@samba.org>2019-06-21 07:56:17 +0000
commit79beb172cc6329f75ae53a309a715ae1fa1b0b50 (patch)
tree26fba3a45bc6e1c154e1da6bc6f19fd12f610b9e
parent15fa6919b8a52942d3f71620657aefe33cebc216 (diff)
downloadsamba-79beb172cc6329f75ae53a309a715ae1fa1b0b50.tar.gz
s3:auth: explicitly add BUILTIN\Guests to the guest token
This change ensures that smbd always adds BUILTIN\Guests to the guest token which is required for guest authentication. Currently the guest token depends on the on-disk configured group mappings. If there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not a member, the final guest token won't contain BUILTIN\Guests. For SMB2 the flag SMB2_SESSION_FLAG_IS_GUEST will not be set in the final SMB2 SESSION_SETUP response, because smbd sets it based on the token containing the BUILTIN\Guests SID S-1-5-32-546. At the same time, the packet is not signed which causes Windows clients and smbclient to reject the unsigned SMB2 SESSION_SETUP response. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944 Pair-programmed-with: Stefan Metzmacher <metze@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Jun 5 16:55:26 UTC 2019 on sn-devel-184 (cherry picked from commit a66af4c96accba4ee64eeb1958458b69f3ccec1d)
-rw-r--r--selftest/knownfail.d/samba3.blackbox.guest1
-rw-r--r--source3/auth/auth_util.c15
2 files changed, 15 insertions, 1 deletions
diff --git a/selftest/knownfail.d/samba3.blackbox.guest b/selftest/knownfail.d/samba3.blackbox.guest
deleted file mode 100644
index cbb62d71c87..00000000000
--- a/selftest/knownfail.d/samba3.blackbox.guest
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.blackbox.guest.*smbclient_guest_auth_without_members
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index fce35318b88..a08df0aabe4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1383,6 +1383,21 @@ static NTSTATUS make_new_session_info_guest(TALLOC_CTX *mem_ctx,
goto done;
}
+ /*
+ * It's ugly, but for now it's
+ * needed to force Builtin_Guests
+ * here, because memberships of
+ * Builtin_Guests might be incomplete.
+ */
+ status = add_sid_to_array_unique(session_info->security_token,
+ &global_sid_Builtin_Guests,
+ &session_info->security_token->sids,
+ &session_info->security_token->num_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to force Builtin_Guests to nt token\n");
+ goto done;
+ }
+
/* annoying, but the Guest really does have a session key, and it is
all zeros! */
session_info->session_key = data_blob_talloc_zero(session_info, 16);
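Review bot: The new failure branch logs `DBG_ERR("Failed to force Builtin_Guests to nt token\n")` without the NTSTATUS, so a failure here can't be told apart from any other cause in the log; `DBG_ERR("Failed to force Builtin_Guests to nt token: %s\n", nt_errstr(status));` would keep it. The comment above the call explains that the step is ugly but not the invariant it protects; going by the commit message, something like `/* The guest token must always carry BUILTIN\Guests (S-1-5-32-546): smbd derives SMB2_SESSION_FLAG_IS_GUEST from it, and on-disk group mappings may omit it. */` would tell the next reader why removing it breaks guest session handling. The SID is appended to `security_token` after the token was already built earlier in the function, so presumably the unix token's group list is not updated to match; that is worth confirming as intended and noting in the comment. make_new_session_info_guest begins and ends outside this hunk, so the `done:` cleanup path is not visible here.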