From 9650b233bdbda82bcbb447a3fc94523655cabc39 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 21 Sep 2018 10:57:23 +0300
Subject: [PATCH] Support Samba 4.9
Samba 4.9 became a bit more strict about creating a local NT token and a
failure to resolve or create BUILTIN\Guests group will cause a rejection
of the connection for a successfully authenticated one.
Add a default mapping of the nobody group to BUILTIN\Guests.
BUILTIN\Guests is a special group SID that is added to the NT token for
authenticated users.
For real guests there is 'guest account' option in smb.conf which
defaults to 'nobody' user.
This was implicit behavior before as 'guest account = nobody' by
default would pick up 'nobody' group as well.
Fixes: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
(cherry picked from commit 703497532abe4189835d0a02b32f9919c889bc1c)
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
.../updates/90-post_upgrade_plugins.update | 1 +
ipaserver/install/adtrustinstance.py | 14 +++++++++++++
ipaserver/install/plugins/adtrust.py | 20 ++++++++++++++++++-
3 files changed, 34 insertions(+), 1 deletion(-)
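--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -19,6 +19,7 @@ plugin: update_fix_duplicate_cacrt_in_ldap
 plugin: update_upload_cacrt
 # update_ra_cert_store has to be executed after update_ca_renewal_master
 plugin: update_ra_cert_store
+plugin: update_mapping_Guests_to_nobody
 
 # last
 # DNS version 1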
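--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -120,6 +120,15 @@ def make_netbios_name(s):
 return ''.join([c for c in s.split('.')[0].upper() \
 if c in ALLOWED_NETBIOS_CHARS])[:15]
 
+
+def map_Guests_to_nobody():
+ env = {'LC_ALL': 'C'}
+ args = [paths.NET, 'groupmap', 'add', 'sid=S-1-5-32-546',
+ 'unixgroup=nobody', 'type=builtin']
+
+ logger.debug("Map BUILTIN\\Guests to a group 'nobody'")
+ ipautil.run(args, env=env, raiseonerr=False, capture_error=True)
+
 class ADTRUSTInstance(service.Service):
 
 ATTR_SID = "ipaNTSecurityIdentifier"
@@ -532,6 +541,9 @@ class ADTRUSTInstance(service.Service):
 tmp_conf.flush()
 ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
 
+ def __map_Guests_to_nobody(self):
+ map_Guests_to_nobody()
+
 def __setup_group_membership(self):
 # Add the CIFS and host principals to the 'adtrust agents' group
 # as 389-ds only operates with GroupOfNames, we have to use
@@ -833,6 +845,8 @@ class ADTRUSTInstance(service.Service):
 self.__create_samba_domain_object)
 self.step("creating samba config registry", self.__write_smb_registry)
 self.step("writing samba config file", self.__write_smb_conf)
+ self.step("map BUILTIN\\Guests to nobody group",
+ self.__map_Guests_to_nobody)
 self.step("adding cifs Kerberos principal",
 self.request_service_keytab)
 self.step("adding cifs and host Kerberos principals to the adtrust agents group", \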
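--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -23,7 +23,8 @@ from ipalib import Registry, errors
 from ipalib import Updater
 from ipapython.dn import DN
 from ipaserver.install import sysupgrade
-from ipaserver.install.adtrustinstance import ADTRUSTInstance
+from ipaserver.install.adtrustinstance import (
+ ADTRUSTInstance, map_Guests_to_nobody)
 
 logger = logging.getLogger(__name__)
 
@@ -382,3 +383,20 @@ class update_tdo_gidnumber(Updater):
 return False, ()
 
 return False, ()
+
+
+@register()
+class update_mapping_Guests_to_nobody(Updater):
+ """
+ Map BUILTIN\\Guests group to nobody
+
+ Samba 4.9 became more strict on availability of builtin Guests group
+ """
+ def execute(self, **options):
+ # First, see if trusts are enabled on the server
+ if not self.api.Command.adtrust_is_enabled()['result']:
+ logger.debug('AD Trusts are not enabled on this server')
+ return False, []
+
+ map_Guests_to_nobody()
+ return False, []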
--
2.20.1