From: Ralph Boehme Date: Mon, 13 May 2019 18:16:47 +0000 (+0200) Subject: s3:auth: explicitly add BUILTIN\Guests to the guest token X-Git-Tag: ldb-2.0.5~457 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a66af4c96accba4ee64eeb1958458b69f3ccec1d;p=thirdparty%2Fsamba.git s3:auth: explicitly add BUILTIN\Guests to the guest token This changes ensures that smbd always adds BUILTIN\Guests to the guest token which is required for guest authentication. Currently the guest token depends on the on-disk configured group mappings. If there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not a member, the final guest token won't contain BUILTIN\Guests. For SMB2 the flag SMB2_SESSION_FLAG_IS_GUEST will not be set in the final SMB2 SESSION_SETUP response, because smbd sets it based on the token containing the BUILTIN\Guests SID S-1-5-32-546. At the same time, the packet is not signed which causes Windows clients and smbclient to reject the unsigned SMB2 SESSION_SETUP response. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944 Pair-programmed-with: Stefan Metzmacher Signed-off-by: Ralph Boehme Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Jun 5 16:55:26 UTC 2019 on sn-devel-184 --- diff --git a/selftest/knownfail.d/samba3.blackbox.guest b/selftest/knownfail.d/samba3.blackbox.guest deleted file mode 100644 index cbb62d71c87..00000000000 --- a/selftest/knownfail.d/samba3.blackbox.guest +++ /dev/null @@ -1 +0,0 @@ -^samba3.blackbox.guest.*smbclient_guest_auth_without_members diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5a456c1cc53..d0be7e6c576 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1386,6 +1386,21 @@ static NTSTATUS make_new_session_info_guest(TALLOC_CTX *mem_ctx, goto done; } + /* + * It's ugly, but for now it's + * needed to force Builtin_Guests + * here, because memberships of + * Builtin_Guests might be incomplete. + */ + status = add_sid_to_array_unique(session_info->security_token, + &global_sid_Builtin_Guests, + &session_info->security_token->sids, + &session_info->security_token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("Failed to force Builtin_Guests to nt token\n"); + goto done; + } + /* annoying, but the Guest really does have a session key, and it is all zeros! */ session_info->session_key = data_blob_talloc_zero(session_info, 16);