Support Samba 4.9

Samba 4.9 became a bit more strict about creating a local NT token and a
failure to resolve or create BUILTIN\Guests group will cause a rejection
of the connection for a successfully authenticated one.

Add a default mapping of the nobody group to BUILTIN\Guests.

BUILTIN\Guests is a special group SID that is added to the NT token for
authenticated users.

For real guests there is 'guest account' option in smb.conf which
defaults to 'nobody' user.

This was implicit behavior before as 'guest account = nobody' by
default would pick up 'nobody' group as well.

Fixes: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

install/updates/90-post_upgrade_plugins.update

@@ -19,6 +19,7 @@ plugin: update_fix_duplicate_cacrt_in_ldap
 plugin: update_upload_cacrt
 # update_ra_cert_store has to be executed after update_ca_renewal_master
 plugin: update_ra_cert_store
+plugin: update_mapping_Guests_to_nobody
 
 # last
 # DNS version 1

ipaserver/install/adtrustinstance.py

@@ -111,6 +111,15 @@ def make_netbios_name(s):
     return ''.join([c for c in s.split('.')[0].upper() \
                     if c in ALLOWED_NETBIOS_CHARS])[:15]
 
+
+def map_Guests_to_nobody():
+    env = {'LC_ALL': 'C'}
+    args = [paths.NET, 'groupmap', 'add', 'sid=S-1-5-32-546',
+            'unixgroup=nobody', 'type=builtin']
+
+    logger.debug("Map BUILTIN\\Guests to a group 'nobody'")
+    ipautil.run(args, env=env, raiseonerr=False, capture_error=True)
+
 class ADTRUSTInstance(service.Service):
 
     ATTR_SID = "ipaNTSecurityIdentifier"
@@ -523,6 +532,9 @@ class ADTRUSTInstance(service.Service):
             tmp_conf.flush()
             ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
 
+    def __map_Guests_to_nobody(self):
+        map_Guests_to_nobody()
+
     def __setup_group_membership(self):
         # Add the CIFS and host principals to the 'adtrust agents' group
         # as 389-ds only operates with GroupOfNames, we have to use
@@ -825,6 +837,8 @@ class ADTRUSTInstance(service.Service):
                   self.__create_samba_domain_object)
         self.step("creating samba config registry", self.__write_smb_registry)
         self.step("writing samba config file", self.__write_smb_conf)
+        self.step("map BUILTIN\\Guests to nobody group",
+                  self.__map_Guests_to_nobody)
         self.step("adding cifs Kerberos principal",
                   self.request_service_keytab)
         self.step("adding cifs and host Kerberos principals to the adtrust agents group", \

ipaserver/install/plugins/adtrust.py

@@ -23,7 +23,8 @@ from ipalib import Registry, errors
 from ipalib import Updater
 from ipapython.dn import DN
 from ipaserver.install import sysupgrade
-from ipaserver.install.adtrustinstance import ADTRUSTInstance
+from ipaserver.install.adtrustinstance import (
+    ADTRUSTInstance, map_Guests_to_nobody)
 
 logger = logging.getLogger(__name__)
 
@@ -382,3 +383,20 @@ class update_tdo_gidnumber(Updater):
             return False, ()
 
         return False, ()
+
+
+@register()
+class update_mapping_Guests_to_nobody(Updater):
+    """
+    Map BUILTIN\\Guests group to nobody
+
+    Samba 4.9 became more strict on availability of builtin Guests group
+    """
+    def execute(self, **options):
+        # First, see if trusts are enabled on the server
+        if not self.api.Command.adtrust_is_enabled()['result']:
+            logger.debug('AD Trusts are not enabled on this server')
+            return False, []
+
+        map_Guests_to_nobody()
+        return False, []