Univention Bugzilla – Bug 47314
Cross-domain share access via same user+password doesn't work any more on UCS memberserver
Last modified: 2020-01-10 11:20:45 CET
Cross-domain Samba share access via same user+password doesn't work any more on UCS memberservers which are joined into a UCS Samba/AD domain.
In Samba versions before 4.7, it was possible to make this work by setting "map untrusted to domain = yes" on the UCS memberserver. With 4.7 this doesn't seem to be enough any longer.
This change of behavior is problematic, especially for customers that use the AD-Connector.
From checking the git log samba-4.6.1..samba-4.7.5, my impression is that https://github.com/samba-team/samba/commit/236b24dfd29 might be the commit that causes the change of behavior.
When fixing this bug, we should also attempt to make this work with the new default "map untrusted to domain = auto", because this option is scheduled for removal in Samba 4.9. After that "auto" will be the hardcoded behavior. We should actually check how a native Microsoft Windows server handles this situation. If they allow share access via "same user/same password" (without a trust setup) then it may be possible to upstream a patch. That would be the ideal solution.
As a workaround the following option can be set on all Samba AD/DCs of the domain:
auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain
e.g. via UCR:
ucr set samba/global/options/"auth methods"="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain"
Please note that this may cause unintended changes of behavior. Unfortunately there is only "auth methods", and it affects both local logon and netlogon. In this case only the netlogon behavior needed adjustment.
I also checked the behavior of a share access to a Microsoft Windows memberserver in a native Microsoft AD domain and I could not get it to allow authentication with UCSDOM\user1. I tried several tweaks to the local security policy regarding NTLM connections. If we could find out the setting that makes Windows accept this, then we could make a proposal for Samba.
I've added a knowledge base article: https://help.univention.com/t/problem-cross-domain-share-access-via-same-user-and-password-doesnt-work-any-more/9918
A caveat when using a member server as file share:
The setting MUST NOT be applied on the member server, or else the authentication will break. Only set it on the DC!
The known problematic scenarios:
1. Clients from other Domains, for example in an Active Directory domain in sync using the Active Directory Connector
2. Clients without a Domain, for example Printers, unmanaged Clients or BYOD Clients
The bug affects only shares on a memberserver, but configuration changes are needed on the Domaincontrollers.
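The workaround from Comment 1 and the caveat above fit a small guard script: it only emits the UCR command when the host is a Samba/AD DC, and picks the option list that matches the installed Samba (the 4.7/4.8 list from Comment 1, or the shorter list used once the option was re-added for the 4.10 backport). This is an added example, not code from the bug thread, Univention or the Samba project. It assumes the role can be read from a `server role = ...` line as printed by `testparm -s`, and it is fed that text as a string so it can be exercised offline against constructed samples; on a real host you would pass `"$(testparm -s 2>/dev/null)"` instead. The version mapping (anything 4.10.x gets the short list, everything else the Comment 1 list) is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not from the bug or from Samba/Univention): gate the
# "auth methods" workaround so it is only applied on a Samba/AD DC and never
# on a memberserver, where it breaks authentication.

# Samba 4.7/4.8 DCs: option list from Comment 1 of the bug.
AUTH_METHODS_48="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain"
# Samba 4.10 DCs with the re-added option (Bug 49479 backport).
AUTH_METHODS_410="sam winbind sam_ignoredomain"

# Extract the value of "server role" from testparm -s style text ($1).
# Assumption: the line looks like "<tab>server role = <value>".
samba_role() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*server role[[:space:]]*=[[:space:]]*//p' \
        | head -n 1
}

# Return 0 when the host is an AD DC (workaround allowed), 1 otherwise.
workaround_allowed() {
    case "$(samba_role "$1")" in
        "active directory domain controller") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ucr command for config text $1 and Samba version $2,
# or refuse (exit 1) on a non-DC so the caveat cannot be violated by accident.
workaround_command() {
    conf="$1"; ver="$2"
    if ! workaround_allowed "$conf"; then
        printf 'refusing: "auth methods" must only be set on a DC (server role: %s)\n' \
            "$(samba_role "$conf")" >&2
        return 1
    fi
    case "$ver" in
        4.10*) methods="$AUTH_METHODS_410" ;;
        *)     methods="$AUTH_METHODS_48" ;;
    esac
    printf 'ucr set samba/global/options/"auth methods"="%s"\n' "$methods"
}

# Constructed samples standing in for `testparm -s` output on a DC and on a
# memberserver (tab-indented like real testparm output).
DC_CONF='[global]
	server role = active directory domain controller
	workgroup = UCSDOM'
MEMBER_CONF='[global]
	server role = member server
	workgroup = UCSDOM'

# Stand-alone demonstration: the DC gets a command, the memberserver a refusal.
workaround_command "$DC_CONF" 4.10.2
workaround_command "$MEMBER_CONF" 4.10.2 || true
```

After the printed `ucr set` has been run on each DC, Samba still has to be restarted there for the new `auth methods` line to take effect; the script deliberately only prints the command rather than running `ucr` itself.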
Created attachment 9973 [details]
This patch would revert the removal of the option "map untrusted to domain". Re-enabling this option is a local change on the memberserver in contrast to the workaround of Comment 1, which affects all DCs. The patch applies to Samba 4.8. To apply it to Samba 4.10.2 a trivial context adjustment is required for one of the five patch hunks.
The patch from Comment 5 doesn't help, because the option doesn't help any longer, as stated in the original bug description.
Patches attached to Bug 49426 merged for Bug 49479:
r18566 | 97_*auth_methods*.quilt
17e0c70471 | Advisory update for samba.yaml
Summary: With Bug 49479 we plan to backport Samba 4.10 to UCS 4.3. But the "auth methods" option has been removed from upstream Samba source code. We re-added the option to Samba 4.10, to allow the workaround mentioned in Comment 1, i.e. setting the following UCR-Variable on Samba/AD 4.10 Domaincontrollers:
ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"
OK - yaml
OK - "auth methods"="sam winbind sam_ignoredomain"
-> ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"
-> /etc/init.d/samba restart
On the UCS master I can log on to a share on my memberserver from an unjoined client (smbclient, Win7).
One question though, every samba-tool command prints out this warning
-> samba-tool dbcheck
WARNING: The "auth methods" option is deprecated
+<samba:parameter name="auth methods"
I think that is OK because it is deprecated, just wanted to ask.
r18580 | remove warning message about deprecated option
e54fd00082 | Advisory update
OK - yaml
OK - warning removed