Web lists-archives.com

Re: [Samba] Autoaccept all authentications to mitigate disabled guest logins in Windows 10 build 1709




On Wed, 2018-03-07 at 02:33 +0000, Daniel Migowski via samba wrote:
> Hai,
> 
> Already tried the bad user option. Samba still answers the client
> that guest mode is to be used, but here is the problem. Windows 10
> forbids guest mode now because of Security concerns! I need a way for
> Samba to accept the challenge response answer regardless of the user
> so Windows believes it was authenticated. Any hack no matter how
> dirty is greatly appreciated.

The issue is that the server must respond with a security hash
involving the password the user used.  Hacks can't fake up knowing what
the user set.

Sorry,

Andrew Bartlett

> Greetings,
> Daniel Migowski
> 
> -----Ursprüngliche Nachricht-----
> Von: L.P.H. van Belle [mailto:belle@xxxxxxxxx] 
> Gesendet: Dienstag, 6. März 2018 11:49
> An: Daniel Migowski <dmigowski@xxxxxxxxxxx>
> Betreff: RE: [Samba] Autoaccept all authentications to mitigate disabled guest logins in Windows 10 build 1709
> 
> Hai, 
> 
> Best is to keep this on the list. 
> But try as Rowland suggest also the option map to guest =  Bad User
> 
> 
> Greetz, 
> 
> Louis
> 
> > -----Oorspronkelijk bericht-----
> > Van: Daniel Migowski [mailto:dmigowski@xxxxxxxxxxx]
> > Verzonden: dinsdag 6 maart 2018 11:26
> > Aan: L.P.H. van Belle
> > Onderwerp: AW: [Samba] Autoaccept all authentications to mitigate 
> > disabled guest logins in Windows 10 build 1709
> > 
> > Hallo,
> > 
> > I tried that a few years ago, and that worked... until Microsoft 
> > decided to disallow unencrypted guest access to Samba shares in build 
> > 1709 a few weeks ago.
> > 
> > Now I have to get around that because company guidelines of our 
> > customers won't change the new default setting.
> > 
> > Regards,
> > Daniel Migowski
> > 
> > -----Ursprüngliche Nachricht-----
> > Von: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Im Auftrag von 
> > L.P.H. van Belle via samba
> > Gesendet: Dienstag, 6. März 2018 11:15
> > An: samba@xxxxxxxxxxxxxxx
> > Betreff: Re: [Samba] Autoaccept all authentications to mitigate 
> > disabled guest logins in Windows 10 build 1709
> > 
> > Hai,
> > 
> > ...   man smb.conf  ....
> > Have you tried that, that should work ;-) . 
> > 
> > There you should see something like this. 
> > 
> > [Global]
> > map to guest =  Bad Password
> > 
> > [ashare]
> > 	path = /home/public/share
> >       read only = yes
> >       guest ok = yes
> > 
> > 
> > Look it up in the manual to see these settings explained, and dont 
> > forget to set the correct rights on the shared path.
> > 
> > 
> > Greetz,
> > 
> > Louis
> > 
> > 
> > 
> > 
> > > -----Oorspronkelijk bericht-----
> > > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Daniel 
> > > Migowski via samba
> > > Verzonden: dinsdag 6 maart 2018 10:43
> > > Aan: samba@xxxxxxxxxxxxxxx
> > > Onderwerp: [Samba] Autoaccept all authentications to
> > 
> > mitigate disabled
> > > guest logins in Windows 10 build 1709
> > > 
> > > Hello,
> > > 
> > > guest logins are not allowed anymore in Windows 10 build 1709 by 
> > > default. Due to company restrictions I am not allowed to
> > 
> > reenable that
> > > in windows group controls.
> > > 
> > > I now like to authorize all connections independent of the current 
> > > user and password and just allow access so Windows thinks it has an 
> > > authenticated connection and allows access.
> > > Is this somehow possible by using strange PAM configuration or by 
> > > other dirty tricks without modifying the Samba source code?
> > 
> > The server
> > > just provides readonly shares to everyone, so I don't care for any 
> > > credentials anyway.
> > > 
> > > Regards,
> > > Daniel Migowski
> > > 
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > > 
> > > 
> > 
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> 
> 
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba