CVE-2020-25717: s3:auth: we should not try to autocreate the guest account

We should avoid autocreation of users as much as possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 8998f9c8f8ae8e6138c567b060e86c8c06aec0c3..074e8c7eb7111a2a40a979d1f817eb4b9d70cc58 100644 (file)
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -155,7 +155,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
                        if (!fuser) {
                                return NT_STATUS_NO_MEMORY;
                        }
-                       pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+                       pw = smb_getpwnam(mem_ctx, fuser, &unixuser, false);
                }
 
                /* extra sanity check that the guest account is valid */