allow-guest-auth-for-local-account [plain text]
<rdar://problem/5340507> SMB/PFS : Guest connection fails
The problem here is that smbfs does guest as -Uguest%. This means
that it's not the same an anonymous (no creds at all), which is
assumed by the builtin guest auth module. Additionally, we can
sometime have a real system account called "guest", which messes
up the "map to guest" configuration.
The solution is to check whether the account is the well-known guest
account and allow it if it is (even if it's a real system account).
Index: samba/source/auth/auth_builtin.c
===================================================================
--- samba/source/auth/auth_builtin.c.orig
+++ samba/source/auth/auth_builtin.c
@@ -41,9 +41,29 @@ static NTSTATUS check_guest_security(con
/* mark this as 'not for me' */
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
- if (!(user_info->internal_username
- && *user_info->internal_username)) {
+ if (!(user_info->internal_username && *user_info->internal_username)) {
+ /* An unmapped user counts as guest. */
nt_status = make_server_info_guest(server_info);
+ } else {
+ /* Any user whose SAM account maps to the well-known guest
+ * account also counts as guest.
+ */
+ struct samu *sampass = samu_new(mem_ctx);
+
+ if (sampass == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (pdb_getsampwnam(sampass, user_info->internal_username)) {
+ uint32 rid = 0;
+
+ sid_peek_rid(pdb_get_user_sid(sampass), &rid);
+ if (rid == DOMAIN_USER_RID_GUEST) {
+ nt_status = make_server_info_guest(server_info);
+ }
+ }
+
+ TALLOC_FREE(sampass);
}
return nt_status;