This changes ensures that smbd always adds BUILTIN\Guests to the guest token
which is required for guest authentication.
Currently the guest token depends on the on-disk configured group mappings. If
there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not
a member, the final guest token won't contain BUILTIN\Guests.
For SMB2 the flag SMB2_SESSION_FLAG_IS_GUEST will not be set in the final SMB2
SESSION_SETUP response, because smbd sets it based on the token containing the
BUILTIN\Guests SID S-1-5-32-546.
At the same time, the packet is not signed which causes Windows clients and
smbclient to reject the unsigned SMB2 SESSION_SETUP response.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944
Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 5 16:55:26 UTC 2019 on sn-devel-184
(cherry picked from commit
a66af4c96accba4ee64eeb1958458b69f3ccec1d)
+++ /dev/null
-^samba3.blackbox.guest.*smbclient_guest_auth_without_members
goto done;
}
+ /*
+ * It's ugly, but for now it's
+ * needed to force Builtin_Guests
+ * here, because memberships of
+ * Builtin_Guests might be incomplete.
+ */
+ status = add_sid_to_array_unique(session_info->security_token,
+ &global_sid_Builtin_Guests,
+ &session_info->security_token->sids,
+ &session_info->security_token->num_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to force Builtin_Guests to nt token\n");
+ goto done;
+ }
+
/* annoying, but the Guest really does have a session key, and it is
all zeros! */
session_info->session_key = data_blob_talloc_zero(session_info, 16);
projects / thirdparty / samba.git / commitdiff
