Web lists-archives.com

Re: [Samba] Autoaccept all authentications to mitigate disabled guest logins in Windows 10 build 1709




OK, didn't know that. Thought the server was just expecting a Hash, not sending one.

Am 07.03.2018 03:55 schrieb Andrew Bartlett <abartlet@xxxxxxxxx>:
On Wed, 2018-03-07 at 02:33 +0000, Daniel Migowski via samba wrote:
> Hai,
>
> Already tried the bad user option. Samba still answers the client
> that guest mode is to be used, but here is the problem. Windows 10
> forbids guest mode now because of Security concerns! I need a way for
> Samba to accept the challenge response answer regardless of the user
> so Windows believes it was authenticated. Any hack no matter how
> dirty is greatly appreciated.

The issue is that the server must respond with a security hash
involving the password the user used.  Hacks can't fake up knowing what
the user set.

Sorry,

Andrew Bartlett

> Greetings,
> Daniel Migowski
>
> -----Ursprüngliche Nachricht-----
> Von: L.P.H. van Belle [mailto:belle@xxxxxxxxx]
> Gesendet: Dienstag, 6. März 2018 11:49
> An: Daniel Migowski <dmigowski@xxxxxxxxxxx>
> Betreff: RE: [Samba] Autoaccept all authentications to mitigate disabled guest logins in Windows 10 build 1709
>
> Hai,
>
> Best is to keep this on the list.
> But try as Rowland suggest also the option map to guest =  Bad User
>
>
> Greetz,
>
> Louis
>
> > -----Oorspronkelijk bericht-----
> > Van: Daniel Migowski [mailto:dmigowski@xxxxxxxxxxx]
> > Verzonden: dinsdag 6 maart 2018 11:26
> > Aan: L.P.H. van Belle
> > Onderwerp: AW: [Samba] Autoaccept all authentications to mitigate
> > disabled guest logins in Windows 10 build 1709
> >
> > Hallo,
> >
> > I tried that a few years ago, and that worked... until Microsoft
> > decided to disallow unencrypted guest access to Samba shares in build
> > 1709 a few weeks ago.
> >
> > Now I have to get around that because company guidelines of our
> > customers won't change the new default setting.
> >
> > Regards,
> > Daniel Migowski
> >
> > -----Ursprüngliche Nachricht-----
> > Von: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Im Auftrag von
> > L.P.H. van Belle via samba
> > Gesendet: Dienstag, 6. März 2018 11:15
> > An: samba@xxxxxxxxxxxxxxx
> > Betreff: Re: [Samba] Autoaccept all authentications to mitigate
> > disabled guest logins in Windows 10 build 1709
> >
> > Hai,
> >
> > ...   man smb.conf  ....
> > Have you tried that, that should work ;-) .
> >
> > There you should see something like this.
> >
> > [Global]
> > map to guest =  Bad Password
> >
> > [ashare]
> >      path = /home/public/share
> >       read only = yes
> >       guest ok = yes
> >
> >
> > Look it up in the manual to see these settings explained, and dont
> > forget to set the correct rights on the shared path.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> > > -----Oorspronkelijk bericht-----
> > > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Daniel
> > > Migowski via samba
> > > Verzonden: dinsdag 6 maart 2018 10:43
> > > Aan: samba@xxxxxxxxxxxxxxx
> > > Onderwerp: [Samba] Autoaccept all authentications to
> >
> > mitigate disabled
> > > guest logins in Windows 10 build 1709
> > >
> > > Hello,
> > >
> > > guest logins are not allowed anymore in Windows 10 build 1709 by
> > > default. Due to company restrictions I am not allowed to
> >
> > reenable that
> > > in windows group controls.
> > >
> > > I now like to authorize all connections independent of the current
> > > user and password and just allow access so Windows thinks it has an
> > > authenticated connection and allows access.
> > > Is this somehow possible by using strange PAM configuration or by
> > > other dirty tricks without modifying the Samba source code?
> >
> > The server
> > > just provides readonly shares to everyone, so I don't care for any
> > > credentials anyway.
> > >
> > > Regards,
> > > Daniel Migowski
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> > >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba





On Wed, 2018-03-07 at 02:33 +0000, Daniel Migowski via samba wrote:
> Hai,
>
> Already tried the bad user option. Samba still answers the client
> that guest mode is to be used, but here is the problem. Windows 10
> forbids guest mode now because of Security concerns! I need a way for
> Samba to accept the challenge response answer regardless of the user
> so Windows believes it was authenticated. Any hack no matter how
> dirty is greatly appreciated.

The issue is that the server must respond with a security hash
involving the password the user used.  Hacks can't fake up knowing what
the user set.

Sorry,

Andrew Bartlett

> Greetings,
> Daniel Migowski
>
> -----Ursprüngliche Nachricht-----
> Von: L.P.H. van Belle [mailto:belle@xxxxxxxxx]
> Gesendet: Dienstag, 6. März 2018 11:49
> An: Daniel Migowski <dmigowski@xxxxxxxxxxx>
> Betreff: RE: [Samba] Autoaccept all authentications to mitigate disabled guest logins in Windows 10 build 1709
>
> Hai,
>
> Best is to keep this on the list.
> But try as Rowland suggest also the option map to guest =  Bad User
>
>
> Greetz,
>
> Louis
>
> > -----Oorspronkelijk bericht-----
> > Van: Daniel Migowski [mailto:dmigowski@xxxxxxxxxxx]
> > Verzonden: dinsdag 6 maart 2018 11:26
> > Aan: L.P.H. van Belle
> > Onderwerp: AW: [Samba] Autoaccept all authentications to mitigate
> > disabled guest logins in Windows 10 build 1709
> >
> > Hallo,
> >
> > I tried that a few years ago, and that worked... until Microsoft
> > decided to disallow unencrypted guest access to Samba shares in build
> > 1709 a few weeks ago.
> >
> > Now I have to get around that because company guidelines of our
> > customers won't change the new default setting.
> >
> > Regards,
> > Daniel Migowski
> >
> > -----Ursprüngliche Nachricht-----
> > Von: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Im Auftrag von
> > L.P.H. van Belle via samba
> > Gesendet: Dienstag, 6. März 2018 11:15
> > An: samba@xxxxxxxxxxxxxxx
> > Betreff: Re: [Samba] Autoaccept all authentications to mitigate
> > disabled guest logins in Windows 10 build 1709
> >
> > Hai,
> >
> > ...   man smb.conf  ....
> > Have you tried that, that should work ;-) .
> >
> > There you should see something like this.
> >
> > [Global]
> > map to guest =  Bad Password
> >
> > [ashare]
> >      path = /home/public/share
> >       read only = yes
> >       guest ok = yes
> >
> >
> > Look it up in the manual to see these settings explained, and dont
> > forget to set the correct rights on the shared path.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> > > -----Oorspronkelijk bericht-----
> > > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Daniel
> > > Migowski via samba
> > > Verzonden: dinsdag 6 maart 2018 10:43
> > > Aan: samba@xxxxxxxxxxxxxxx
> > > Onderwerp: [Samba] Autoaccept all authentications to
> >
> > mitigate disabled
> > > guest logins in Windows 10 build 1709
> > >
> > > Hello,
> > >
> > > guest logins are not allowed anymore in Windows 10 build 1709 by
> > > default. Due to company restrictions I am not allowed to
> >
> > reenable that
> > > in windows group controls.
> > >
> > > I now like to authorize all connections independent of the current
> > > user and password and just allow access so Windows thinks it has an
> > > authenticated connection and allows access.
> > > Is this somehow possible by using strange PAM configuration or by
> > > other dirty tricks without modifying the Samba source code?
> >
> > The server
> > > just provides readonly shares to everyone, so I don't care for any
> > > credentials anyway.
> > >
> > > Regards,
> > > Daniel Migowski
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> > >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba