Bug 47314 - Cross-domain share access via same user+password doesn't work any more on UCS memberserver
Cross-domain share access via same user+password doesn't work any more on UCS...
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.3-4-errata
Assigned To: Arvid Requate
Felix Botner
Depends on:
Blocks: 49426 49479
  Show dependency treegraph
Reported: 2018-07-05 16:00 CEST by Arvid Requate
Modified: 2020-01-10 11:20 CET (History)
6 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.229
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018062721000456, 2018042421000812, 2018090721000498, 2018100321000501
Bug group (optional):
Max CVSS v3 score:

s3-auth-add-map-untrusted-to-domain-handling.patch (5.86 KB, patch)
2019-04-15 19:43 CEST, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2018-07-05 16:00:13 CEST
Cross-domain Samba share access via same user+password doesn't work any more on UCS memberservers which are joined into a UCS Samba/AD domain.

In Samba versions before 4.7, it was possible to make this work by setting "map untrusted to domain = yes" on the UCS memberserver. With 4.7 this doesn't seem to be enough any longer.

This is change of behavior is problematic especially for customers that use the AD-Connector.

From checking the git log samba-4.6.1..samba-4.7.5 my impression it that https://github.com/samba-team/samba/commit/236b24dfd29 might be the commit that causes the change of behavior.

When fixing this bug, we should also attempt to make this work with the new default "map untrusted to domain = auto", because this option is scheduled for removal in Samba 4.9. After that "auto" will be the hardcoded behavior. We should actually check how a native Microsoft Windows server handles this situation. If they allow share access via "same user/same password" (without a trust setup) then it may be possible to upstream a patch. That would be the ideal solution.
Comment 1 Arvid Requate univentionstaff 2018-07-09 18:38:48 CEST
As a workaround the following option can be set on all Samba AD/DCs of the domain:

 auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain

e.g. via UCR:

ucr set samba/global/options/"auth methods"="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain"

Please note that this may cause unintended changes of behavior. Unfortunately there is only "auth methods" and it affects both, local logon and netlogon. In this case only the netlogon behavior needed adjustment.

I also checked the behavior of a share access to Microsoft Windows memberserver in a native Microsoft AD domain and I could not get it to allow authentication with UCSDOM\user1 . I tried several tweaks to the local security policy regarding NTLM connections. If we could find out the setting that makes Windows accept this, then we could make a proposal for Samba.
Comment 3 Olivier Magloire 2018-10-04 09:25:15 CEST
a caveat when using a member server as file share:

the setting MUST NOT be applied on the member server or else the authentication will break. only set it on the DC!
Comment 4 Ingo Steuwer univentionstaff 2019-03-28 21:02:15 CET

The known problematic scenarios:

1. Clients from other Domains, for example in an Active Directory domain in sync using the Active Directory Connector

2. Clients without a Domain, for example Printers, unmanaged Clients or BYOD Clients

Bug affects only shares on a memberserver, but configuration changes are needed on the Domaincontrollers.
Comment 5 Arvid Requate univentionstaff 2019-04-15 19:43:39 CEST
Created attachment 9973 [details]

This patch would revert the removal of the option "map untrusted to domain". Re-enabling this option is a local change on the memberserver in contrast to the workaround of Comment 1, which affects all DCs. The patch applies to Samba 4.8. To apply it to Samba 4.10.2 a trivial context adjustment is required for one of the five patch hunks.
Comment 6 Arvid Requate univentionstaff 2019-05-07 18:52:23 CEST
The patch from Comment 5 doesn't help, because the option doesn't help any longer, as stated in the original bug description.
Comment 7 Arvid Requate univentionstaff 2019-05-15 18:40:50 CEST
Patches attached to Bug 49426 merged for Bug 49479:

r18566 | 97_*auth_methods*.quilt

17e0c70471 | Advisory update for samba.yaml

Summary: With Bug 49479 we plan to backport Samba 4.10 to UCS 4.3. Bug the "auth methods" option has been removed from upstream Samba source code. We re-added the option to Samba 4.10, to allow the workaround mentioned in Comment 1, i.e. setting the following UCR-Variable on Samba/AD 4.10 Domaincontrollers:

ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"
Comment 8 Felix Botner univentionstaff 2019-05-17 12:50:30 CEST
OK - yaml
OK - auth methods"="sam winbind sam_ignoredomain"


-> ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"
-> /etc/init.d/samba restart

on the UCS master i can logon on a share on my memberserver from an unjoined client (smbclient, win7)

One question though, every samba-tool command prints out this warning

-> samba-tool dbcheck
WARNING: The "auth methods" option is deprecated


+<samba:parameter name="auth methods"
+                 context="G"
+                 type="cmdlist"
+                 deprecated="1"

I think that is OK because it is deprecated, just wanted to ask.
Comment 9 Arvid Requate univentionstaff 2019-05-20 15:18:10 CEST
r18580 | remove warning message about deprecated option

e54fd00082 | Advisory update
Comment 10 Felix Botner univentionstaff 2019-05-22 17:54:41 CEST
OK - yaml
OK - warning removed
Comment 11 Arvid Requate univentionstaff 2019-05-29 13:51:24 CEST