From 5604f16d805a73dd35a69c162966d081a1ebdb84 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Thu, 15 Mar 2018 17:40:07 +0100

Subject: [PATCH 01/21] s3:torture: add SMB2-ANONYMOUS which asserts no GUEST

 bit for anonymous

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit 82d8aa3b9cb15512d29a97b5a7e55ea1a052734f)

(cherry picked from commit 23d1850c1c632984052ac923ab365501dd1c0195)

---

 source3/torture/proto.h     |  1 +

 source3/torture/test_smb2.c | 42 +++++++++++++++++++++++++++++++++++++

 source3/torture/torture.c   |  1 +

 3 files changed, 44 insertions(+)

diff --git a/source3/torture/proto.h b/source3/torture/proto.h

index 4c3e5401ce0..6f12ff7c2b9 100644

--- a/source3/torture/proto.h

+++ b/source3/torture/proto.h

@@ -95,6 +95,7 @@ bool run_nttrans_create(int dummy);

 bool run_nttrans_fsctl(int dummy);

 bool run_smb2_basic(int dummy);

 bool run_smb2_negprot(int dummy);

+bool run_smb2_anonymous(int dummy);

 bool run_smb2_session_reconnect(int dummy);

 bool run_smb2_tcon_dependence(int dummy);

 bool run_smb2_multi_channel(int dummy);

diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c

index 297c3abca9f..897d034f6a9 100644

--- a/source3/torture/test_smb2.c

+++ b/source3/torture/test_smb2.c

@@ -24,6 +24,7 @@

 #include "../libcli/smb/smbXcli_base.h"

 #include "libcli/security/security.h"

 #include "libsmb/proto.h"

+#include "auth/credentials/credentials.h"

 #include "auth/gensec/gensec.h"

 #include "auth_generic.h"

 #include "../librpc/ndr/libndr.h"

@@ -274,6 +275,47 @@ bool run_smb2_negprot(int dummy)

 	return true;

 }

+bool run_smb2_anonymous(int dummy)

+{

+	struct cli_state *cli = NULL;

+	NTSTATUS status;

+	struct cli_credentials *anon_creds = NULL;

+	bool guest = false;

+

+	printf("Starting SMB2-ANONYMOUS\n");

+

+	if (!torture_init_connection(&cli)) {

+		return false;

+	}

+

+	status = smbXcli_negprot(cli->conn, cli->timeout,

+				 PROTOCOL_SMB2_02, PROTOCOL_LATEST);

+	if (!NT_STATUS_IS_OK(status)) {

+		printf("smbXcli_negprot returned %s\n", nt_errstr(status));

+		return false;

+	}

+

+	anon_creds = cli_credentials_init_anon(talloc_tos());

+	if (anon_creds == NULL) {

+		printf("cli_credentials_init_anon failed\n");

+		return false;

+	}

+

+	status = cli_session_setup_creds(cli, anon_creds);

+	if (!NT_STATUS_IS_OK(status)) {

+		printf("cli_session_setup returned %s\n", nt_errstr(status));

+		return false;

+	}

+

+	guest = smbXcli_session_is_guest(cli->smb2.session);

+	if (guest) {

+		printf("anonymous session should not have guest authentication\n");

+		return false;

+	}

+

+	return true;

+}

+

 bool run_smb2_session_reconnect(int dummy)

 {

 	struct cli_state *cli1;

diff --git a/source3/torture/torture.c b/source3/torture/torture.c

index 31e2bcc3497..e3834432ccb 100644

--- a/source3/torture/torture.c

+++ b/source3/torture/torture.c

@@ -11644,6 +11644,7 @@ static struct {

 	{ "NOTIFY-ONLINE", run_notify_online },

 	{ "SMB2-BASIC", run_smb2_basic },

 	{ "SMB2-NEGPROT", run_smb2_negprot },

+	{ "SMB2-ANONYMOUS", run_smb2_anonymous },

 	{ "SMB2-SESSION-RECONNECT", run_smb2_session_reconnect },

 	{ "SMB2-TCON-DEPENDENCE", run_smb2_tcon_dependence },

 	{ "SMB2-MULTI-CHANNEL", run_smb2_multi_channel },

-- 

2.17.0

From 6dfd59a8a8862b0954f8bd87b3816062f00fea0f Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Thu, 15 Mar 2018 18:04:21 +0100

Subject: [PATCH 02/21] s3:selftest: run SMB2-ANONYMOUS

This fails against a non AD DC smbd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit bf707a1eba39e996bb19457b63ddb658cc4183c2)

(cherry picked from commit e39a5bd12e1704926c9d8141d8ef75a093670892)

---

 selftest/knownfail.d/anonymous-guest | 1 +

 source3/selftest/tests.py            | 1 +

 2 files changed, 2 insertions(+)

 create mode 100644 selftest/knownfail.d/anonymous-guest

diff --git a/selftest/knownfail.d/anonymous-guest b/selftest/knownfail.d/anonymous-guest

new file mode 100644

index 00000000000..a134cece3d5

--- /dev/null

+++ b/selftest/knownfail.d/anonymous-guest

@@ -0,0 +1 @@

+^samba3.smbtorture_s3.*nt4_dc.*.SMB2-ANONYMOUS.smbtorture

diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py

index 56b94c436ce..c0522b3ed6f 100755

--- a/source3/selftest/tests.py

+++ b/source3/selftest/tests.py

@@ -75,6 +75,7 @@ tests = ["FDPASS", "LOCK1", "LOCK2", "LOCK3", "LOCK4", "LOCK5", "LOCK6", "LOCK7"

         "GETADDRINFO", "UID-REGRESSION-TEST", "SHORTNAME-TEST",

         "CASE-INSENSITIVE-CREATE", "SMB2-BASIC", "NTTRANS-FSCTL", "SMB2-NEGPROT",

         "SMB2-SESSION-REAUTH", "SMB2-SESSION-RECONNECT", "SMB2-FTRUNCATE",

+        "SMB2-ANONYMOUS",

         "CLEANUP1",

         "CLEANUP2",

         "CLEANUP4",

-- 

2.17.0

From 40b619182e63df1cbc8e47c79a0ac0f83debce69 Mon Sep 17 00:00:00 2001

From: Ralph Boehme <slow@samba.org>

Date: Wed, 14 Mar 2018 11:44:49 +0100

Subject: [PATCH 03/21] libcli/security: only announce a session as GUEST if

 'Builtin\Guests' is there without 'Authenticated User'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit f564847c8e9d31fe07dd3cbf435986b36f097fa3)

(cherry picked from commit ff7a8e416b53e073a6d16fb122cdeba8b53c6e53)

---

 libcli/security/session.c | 18 +++++++++++-------

 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/libcli/security/session.c b/libcli/security/session.c

index 0fbb87d584e..f17e884c847 100644

--- a/libcli/security/session.c

+++ b/libcli/security/session.c

@@ -26,6 +26,9 @@

 enum security_user_level security_session_user_level(struct auth_session_info *session_info,

 						     const struct dom_sid *domain_sid)

 {

+	bool authenticated = false;

+	bool guest = false;

+

 	if (!session_info) {

 		return SECURITY_ANONYMOUS;

 	}

@@ -38,8 +41,13 @@ enum security_user_level security_session_user_level(struct auth_session_info *s

 		return SECURITY_ANONYMOUS;

 	}

-	if (security_token_has_builtin_guests(session_info->security_token)) {

-		return SECURITY_GUEST;

+	authenticated = security_token_has_nt_authenticated_users(session_info->security_token);

+	guest = security_token_has_builtin_guests(session_info->security_token);

+	if (!authenticated) {

+		if (guest) {

+			return SECURITY_GUEST;

+		}

+		return SECURITY_ANONYMOUS;

 	}

 	if (security_token_has_builtin_administrators(session_info->security_token)) {

@@ -60,9 +68,5 @@ enum security_user_level security_session_user_level(struct auth_session_info *s

 		return SECURITY_DOMAIN_CONTROLLER;

 	}

-	if (security_token_has_nt_authenticated_users(session_info->security_token)) {

-		return SECURITY_USER;

-	}

-

-	return SECURITY_ANONYMOUS;

+	return SECURITY_USER;

 }

-- 

2.17.0

From b2e7990934503c86c17751a8c4f7d5f40b32aed7 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Thu, 1 Mar 2018 18:05:28 +0100

Subject: [PATCH 04/21] s3:auth: remove unused auth_serversupplied_info->system

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit 28ad1306b880a44824ee956a19656ac29581a1b9)

(cherry picked from commit b991dca37a425cc252752e5a306df80077814aaf)

---

 source3/auth/auth_util.c | 1 -

 source3/include/auth.h   | 1 -

 2 files changed, 2 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c

index 1021f2a6fef..4ae9dad2dd6 100644

--- a/source3/auth/auth_util.c

+++ b/source3/auth/auth_util.c

@@ -1045,7 +1045,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO

 	SMB_ASSERT(src->unix_info);

 	dst->guest = true;

-	dst->system = false;

 	/* This element must be provided to convert back to an

 	 * auth_serversupplied_info.  This needs to be from the

diff --git a/source3/include/auth.h b/source3/include/auth.h

index b7223c15036..d3055373964 100644

--- a/source3/include/auth.h

+++ b/source3/include/auth.h

@@ -30,7 +30,6 @@ struct extra_auth_info {

 struct auth_serversupplied_info {

 	bool guest;

-	bool system;

 	struct security_unix_token utok;

-- 

2.17.0

From 092a1ddebdcd399676820edafb33afe535522ee4 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Fri, 2 Mar 2018 16:37:58 +0100

Subject: [PATCH 05/21] s3:auth: add the "Unix Groups" sid for the primary gid

The primary gid might not be in the gid array.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit f3ca3e71cc35876df47e31ec9c3643308add2405)

(cherry picked from commit 1258f287420642698c456f6bb17bf4547a921964)

---

 source3/auth/auth_util.c | 4 ++++

 1 file changed, 4 insertions(+)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c

index 4ae9dad2dd6..2aa40388d14 100644

--- a/source3/auth/auth_util.c

+++ b/source3/auth/auth_util.c

@@ -660,7 +660,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,

 	 */

 	uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid);

+	add_sid_to_array_unique(session_info->security_token, &tmp_sid,

+				&session_info->security_token->sids,

+				&session_info->security_token->num_sids);

+	gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid);

 	add_sid_to_array_unique(session_info->security_token, &tmp_sid,

 				&session_info->security_token->sids,

 				&session_info->security_token->num_sids);

-- 

2.17.0

From c7b23189a548a0d684e04ef78e0fa7c3e3456316 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Tue, 6 Mar 2018 17:14:34 +0100

Subject: [PATCH 06/21] s3:auth: move add_local_groups() out of

 finalize_local_nt_token()

finalize_local_nt_token() will be used in another place,

were we don't want to add local groups in a following commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit df3d278853ec097df27c221369dfb3ed0297d6c8)

(cherry picked from commit 85097b155447257d9c4a66cd43ac432a27b52529)

---

 source3/auth/token_util.c | 22 +++++++++++++++-------

 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c

index 03c4b646007..e5a12db1ba3 100644

--- a/source3/auth/token_util.c

+++ b/source3/auth/token_util.c

@@ -208,6 +208,8 @@ static NTSTATUS add_builtin_administrators(struct security_token *token,

 	return NT_STATUS_OK;

 }

+static NTSTATUS add_local_groups(struct security_token *result,

+				 bool is_guest);

 static NTSTATUS finalize_local_nt_token(struct security_token *result,

 					bool is_guest);

@@ -323,6 +325,13 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,

 		}

 	}

+	status = add_local_groups(usrtok, is_guest);

+	if (!NT_STATUS_IS_OK(status)) {

+		DEBUG(3, ("Failed to add local groups\n"));

+		TALLOC_FREE(usrtok);

+		return status;

+	}

+

 	status = finalize_local_nt_token(usrtok, is_guest);

 	if (!NT_STATUS_IS_OK(status)) {

 		DEBUG(3, ("Failed to finalize nt token\n"));

@@ -392,6 +401,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,

 		}

 	}

+	status = add_local_groups(result, is_guest);

+	if (!NT_STATUS_IS_OK(status)) {

+		TALLOC_FREE(result);

+		return NULL;

+	}

+

 	status = finalize_local_nt_token(result, is_guest);

 	if (!NT_STATUS_IS_OK(status)) {

 		TALLOC_FREE(result);

@@ -502,13 +517,6 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,

 	NTSTATUS status;

 	struct acct_info *info;

-	/* Add any local groups. */

-

-	status = add_local_groups(result, is_guest);

-	if (!NT_STATUS_IS_OK(status)) {

-		return status;

-	}

-

 	/* Add in BUILTIN sids */

 	status = add_sid_to_array(result, &global_sid_World,

-- 

2.17.0

From b914f0e37eb05eb656d37cb317f1b3d556325edd Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Tue, 13 Mar 2018 21:35:48 +0100

Subject: [PATCH 07/21] s3:passdb: handle dom_sid=NULL in

 create_builtin_{users,administrators}()

We should not crash if we're called with NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit efdc617c76d9043286e33b961f45ad4564232102)

(cherry picked from commit c1f61c0816441be2061b3fd23db04dc60dcc64f7)

---

 source3/passdb/pdb_util.c | 10 ++++++----

 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/source3/passdb/pdb_util.c b/source3/passdb/pdb_util.c

index bf7b2b8abd1..309eb893f8a 100644

--- a/source3/passdb/pdb_util.c

+++ b/source3/passdb/pdb_util.c

@@ -130,8 +130,9 @@ NTSTATUS create_builtin_users(const struct dom_sid *dom_sid)

 	}

 	/* add domain users */

-	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))

-		&& sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS))

+	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) &&

+	    (dom_sid != NULL) &&

+	    sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS))

 	{

 		status = add_sid_to_builtin(&global_sid_Builtin_Users,

 					    &dom_users);

@@ -159,8 +160,9 @@ NTSTATUS create_builtin_administrators(const struct dom_sid *dom_sid)

 	}

 	/* add domain admins */

-	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))

-		&& sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS))

+	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) &&

+	    (dom_sid != NULL) &&

+	    sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS))

 	{

 		status = add_sid_to_builtin(&global_sid_Builtin_Administrators,

 					    &dom_admins);

-- 

2.17.0

From db7aa26880d37b0966cbf99100457ba31d3a0e9b Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Tue, 13 Mar 2018 21:38:27 +0100

Subject: [PATCH 08/21] s3:auth: only call secrets_fetch_domain_sid() once in

 finalize_local_nt_token()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit c2ffbf9f764a94ef1dc1280741884cf63a017308)

(cherry picked from commit e0e4aa1ac539d2811bd801e9e3b8f69d7e306f3b)

---

 source3/auth/token_util.c | 35 +++++++++++++++++++----------------

 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c

index e5a12db1ba3..f3d24cdac2f 100644

--- a/source3/auth/token_util.c

+++ b/source3/auth/token_util.c

@@ -190,6 +190,9 @@ static NTSTATUS add_builtin_administrators(struct security_token *token,

 	if ( IS_DC ) {

 		sid_copy( &domadm, get_global_sam_sid() );

 	} else {

+		if (dom_sid == NULL) {

+			return NT_STATUS_INVALID_PARAMETER_MIX;

+		}

 		sid_copy(&domadm, dom_sid);

 	}

 	sid_append_rid( &domadm, DOMAIN_RID_ADMINS );

@@ -513,9 +516,11 @@ static NTSTATUS add_local_groups(struct security_token *result,

 static NTSTATUS finalize_local_nt_token(struct security_token *result,

 					bool is_guest)

 {

-	struct dom_sid dom_sid;

+	struct dom_sid _dom_sid = { 0, };

+	struct dom_sid *domain_sid = NULL;

 	NTSTATUS status;

 	struct acct_info *info;

+	bool ok;

 	/* Add in BUILTIN sids */

@@ -547,6 +552,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,

 		}

 	}

+	become_root();

+	ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);

+	if (ok) {

+		domain_sid = &_dom_sid;

+	} else {

+		DEBUG(3, ("Failed to fetch domain sid for %s\n",

+			  lp_workgroup()));

+	}

+	unbecome_root();

+

 	info = talloc_zero(talloc_tos(), struct acct_info);

 	if (info == NULL) {

 		DEBUG(0, ("talloc failed!\n"));

@@ -561,18 +576,12 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,

 	if (!NT_STATUS_IS_OK(status)) {

 		become_root();

-		if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {

-			status = NT_STATUS_OK;

-			DEBUG(3, ("Failed to fetch domain sid for %s\n",

-				  lp_workgroup()));

-		} else {

-			status = create_builtin_administrators(&dom_sid);

-		}

+		status = create_builtin_administrators(domain_sid);

 		unbecome_root();

 		if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {

 			/* Add BUILTIN\Administrators directly to token. */

-			status = add_builtin_administrators(result, &dom_sid);

+			status = add_builtin_administrators(result, domain_sid);

 			if ( !NT_STATUS_IS_OK(status) ) {

 				DEBUG(3, ("Failed to check for local "

 					  "Administrators membership (%s)\n",

@@ -593,13 +602,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,

 	if (!NT_STATUS_IS_OK(status)) {

 		become_root();

-		if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {

-			status = NT_STATUS_OK;

-			DEBUG(3, ("Failed to fetch domain sid for %s\n",

-				  lp_workgroup()));

-		} else {

-			status = create_builtin_users(&dom_sid);

-		}

+		status = create_builtin_users(domain_sid);

 		unbecome_root();

 		if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) &&

-- 

2.17.0

From 9c86a3d2a0783fae2ec2883907ec877f9edd1dac Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Tue, 6 Mar 2018 23:26:28 +0100

Subject: [PATCH 09/21] s3:auth: add add_builtin_guests() handling to

 finalize_local_nt_token()

We should add Builtin_Guests depending on the current token

not based on 'is_guest'. Even authenticated users can be member

a guest related group and therefore get Builtin_Guests.

Sadly we still need to use 'is_guest' within create_local_nt_token()

as we only have S-1-22-* SIDs there and still need to

add Builtin_Guests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit e8dc55d2b969b670322a913799d1af459a1000e7)

(cherry picked from commit 7687d26f8bb6aa57672c70f95bee3f67b9957107)

---

 source3/auth/token_util.c | 122 +++++++++++++++++++++++++++++++++++---

 1 file changed, 114 insertions(+), 8 deletions(-)

diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c

index f3d24cdac2f..30f2f8d346b 100644

--- a/source3/auth/token_util.c

+++ b/source3/auth/token_util.c

@@ -211,6 +211,74 @@ static NTSTATUS add_builtin_administrators(struct security_token *token,

 	return NT_STATUS_OK;

 }

+static NTSTATUS add_builtin_guests(struct security_token *token,

+				   const struct dom_sid *dom_sid)

+{

+	struct dom_sid tmp_sid;

+	NTSTATUS status;

+

+	/*

+	 * First check the local GUEST account.

+	 */

+	sid_copy(&tmp_sid, get_global_sam_sid());

+	sid_append_rid(&tmp_sid, DOMAIN_RID_GUEST);

+

+	if (nt_token_check_sid(&tmp_sid, token)) {

+		status = add_sid_to_array_unique(token,

+					&global_sid_Builtin_Guests,

+					&token->sids, &token->num_sids);

+		if (!NT_STATUS_IS_OK(status)) {

+			return status;

+		}

+

+		return NT_STATUS_OK;

+	}

+

+	/*

+	 * First check the local GUESTS group.

+	 */

+	sid_copy(&tmp_sid, get_global_sam_sid());

+	sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS);

+

+	if (nt_token_check_sid(&tmp_sid, token)) {

+		status = add_sid_to_array_unique(token,

+					&global_sid_Builtin_Guests,

+					&token->sids, &token->num_sids);

+		if (!NT_STATUS_IS_OK(status)) {

+			return status;

+		}

+

+		return NT_STATUS_OK;

+	}

+

+	if (lp_server_role() != ROLE_DOMAIN_MEMBER) {

+		return NT_STATUS_OK;

+	}

+

+	if (dom_sid == NULL) {

+		return NT_STATUS_INVALID_PARAMETER_MIX;

+	}

+

+	/*

+	 * First check the domain GUESTS group.

+	 */

+	sid_copy(&tmp_sid, dom_sid);

+	sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS);

+

+	if (nt_token_check_sid(&tmp_sid, token)) {

+		status = add_sid_to_array_unique(token,

+					&global_sid_Builtin_Guests,

+					&token->sids, &token->num_sids);

+		if (!NT_STATUS_IS_OK(status)) {

+			return status;

+		}

+

+		return NT_STATUS_OK;

+	}

+

+	return NT_STATUS_OK;

+}

+

 static NTSTATUS add_local_groups(struct security_token *result,

 				 bool is_guest);

 static NTSTATUS finalize_local_nt_token(struct security_token *result,

@@ -416,6 +484,29 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,

 		return NULL;

 	}

+	if (is_guest) {

+		/*

+		 * It's ugly, but for now it's

+		 * needed to add Builtin_Guests

+		 * here, the "local" token only

+		 * consist of S-1-22-* SIDs

+		 * and finalize_local_nt_token()

+		 * doesn't have the chance to

+		 * to detect it need to

+		 * add Builtin_Guests via

+		 * add_builtin_guests().

+		 */

+		status = add_sid_to_array_unique(result,

+						 &global_sid_Builtin_Guests,

+						 &result->sids,

+						 &result->num_sids);

+		if (!NT_STATUS_IS_OK(status)) {

+			DEBUG(3, ("Failed to add SID to nt token\n"));

+			TALLOC_FREE(result);

+			return NULL;

+		}

+	}

+

 	return result;

 }

@@ -535,14 +626,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,

 		return status;

 	}

-	if (is_guest) {

-		status = add_sid_to_array(result, &global_sid_Builtin_Guests,

-					  &result->sids,

-					  &result->num_sids);

-		if (!NT_STATUS_IS_OK(status)) {

-			return status;

-		}

-	} else {

+	if (!is_guest) {

 		status = add_sid_to_array(result,

 					  &global_sid_Authenticated_Users,

 					  &result->sids,

@@ -613,6 +697,28 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,

 		}

 	}

+	/*

+	 * Add BUILTIN\Guests directly to token.

+	 * But only if the token already indicates

+	 * real guest access by:

+	 * - local GUEST account

+	 * - local GUESTS group

+	 * - domain GUESTS group

+	 *

+	 * Even if a user was authenticated, it

+	 * can be member of a guest related group.

+	 */

+	status = add_builtin_guests(result, domain_sid);

+	if (!NT_STATUS_IS_OK(status)) {

+		DEBUG(3, ("Failed to check for local "

+			  "Guests membership (%s)\n",

+			  nt_errstr(status)));

+		/*

+		 * This is a hard error.

+		 */

+		return status;

+	}

+

 	TALLOC_FREE(info);

 	/* Deal with local groups */

-- 

2.17.0

From 02ec86b90cc7c293d3086d59a0d349a967375665 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Tue, 6 Mar 2018 23:36:03 +0100

Subject: [PATCH 10/21] s3:auth: don't try to expand system or anonymous tokens

 in finalize_local_nt_token()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit 4f81ef9353ad76390aa910c8c17456fec21916c6)

(cherry picked from commit ecee9453a6ef611763d11e88e2ecf212f065a86c)

---

 source3/auth/token_util.c | 24 ++++++++++++++++++++++++

 1 file changed, 24 insertions(+)

diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c

index 30f2f8d346b..6ebfa54126b 100644