Bug 47392 - Test cross-domain share access via same user+password against UCS Samba memberserver
Status: NEW
Product: UCS Test
Classification: Unclassified
Component: Samba
unspecified
Other Linux
: P5 normal (vote)
: ---
Assigned To: Samba maintainers
Reported: 2018-07-24 16:11 CEST by Arvid Requate
Modified: 2020-04-18 13:59 CEST (History)
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain: 0.229
Enterprise Customer affected?: Yes
School Customer affected?: Yes
Ticket number: 2018062721000456
Description Arvid Requate univentionstaff 2018-07-24 16:11:39 CEST
We should have a test case that checks cross-domain share access via same user+password against a UCS Samba Memberserver.


This currently doesn't work against a UCS 4.3 Samba Memberserver:
=============================================================================
root@member13:~# smbclient //member13/user1 -c quit -UFOO\\user1%univention \
                 && echo ok
tree connect failed: NT_STATUS_ACCESS_DENIED
=============================================================================

But it still works against Samba/AD DCs:

=============================================================================
root@member13:~# smbclient //master10/user1 -c quit -UFOO\\user1%univention \
                 && echo ok
ok
=============================================================================

We should ensure that we don't have another regression here.


+++ This bug was initially created as a clone of Bug #47314 +++

Cross-domain Samba share access via same user+password doesn't work any more on UCS memberservers which are joined into a UCS Samba/AD domain.

In Samba versions before 4.7, it was possible to make this work by setting "map untrusted to domain = yes" on the UCS memberserver. With 4.7 this doesn't seem to be enough any longer.

This change of behavior is problematic especially for customers that use the AD-Connector.
Comment 1 Arvid Requate univentionstaff 2018-07-24 16:20:18 CEST
So we should actually implement two checks:

1. The workaround of setting "auth methods" still works
   (Test should run on a memberserver, set the UCR variable on the master, e.g.
    via UDM policy, trigger a samba restart on the master, e.g. via UMC and
    finally check home share access)

2. Access works on Samba/AD DCs without the "auth methods" adjustment.
Comment 2 Valentin Heidelberger univentionstaff 2019-06-14 10:12:45 CEST
I'd like to increase the priority of this.

The lack of tests for this scenario caused severe problems for a customer again when they upgraded to Samba 4.10 on UCS 4.3 with the former workaround for bug 47314.
Comment 3 Arvid Requate univentionstaff 2019-06-17 11:01:16 CEST
> The lack of tests for this scenario

This bug is just about checking that share access still works. What you probably want is that, now that we know that the manually set values for "auth methods" need to be adjusted during update to Samba 4.10, we should do this during update. I'll create a new bug for that.
Comment 4 Ingo Steuwer univentionstaff 2020-04-17 14:07:42 CEST
The main issue here is documented as Bug 50705. As this is an extension of our test environments for me it is a "Feature Request".
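
The share-access check requested in the description, written as an added example (not code from this report or from UCS Test). The function names and the `SMBCLIENT` override are assumptions of this example; it passes the credentials through an smbclient authentication file instead of `-U user%password` and reports whether a failure occurred at session setup or at tree connect.

```shell
#!/bin/sh
# Added example, not UCS Test code. SMBCLIENT may be overridden with a stub.
SMBCLIENT="${SMBCLIENT:-smbclient}"

# check_share HOST SHARE DOMAIN USER PASSWORD
# Prints "ok" or "fail:<stage>:<NT_STATUS>"; returns 0 only for "ok".
check_share() {
    cs_auth=$(umask 077 && mktemp) || return 2
    # Use an authentication file (-A) instead of -U user%password so the
    # password does not show up in the process list of the test host.
    printf 'username = %s\npassword = %s\ndomain = %s\n' "$4" "$5" "$3" >"$cs_auth"
    cs_out=$("$SMBCLIENT" "//$1/$2" -A "$cs_auth" -c quit 2>&1) && cs_rc=0 || cs_rc=$?
    rm -f "$cs_auth"
    if [ "$cs_rc" -eq 0 ]; then
        echo ok
        return 0
    fi
    # smbclient reports e.g. "tree connect failed: NT_STATUS_ACCESS_DENIED"
    cs_status=$(printf '%s\n' "$cs_out" |
        sed -n 's/.*\(NT_STATUS_[A-Z0-9_]*\).*/\1/p' | head -n 1)
    case $cs_out in
        *"session setup failed"*) cs_stage=auth ;;   # credentials rejected
        *"tree connect failed"*)  cs_stage=share ;;  # session set up, share refused
        *)                        cs_stage=other ;;
    esac
    echo "fail:$cs_stage:${cs_status:-unknown}"
    return 1
}

# check_hosts DOMAIN USER PASSWORD HOST...
# Checks USER's home share on each host; returns the number of failing hosts.
check_hosts() {
    ch_dom=$1 ch_user=$2 ch_pass=$3 ch_failed=0
    shift 3
    for ch_host in "$@"; do
        ch_res=$(check_share "$ch_host" "$ch_user" "$ch_dom" "$ch_user" "$ch_pass") ||
            ch_failed=$((ch_failed + 1))
        echo "$ch_host: $ch_res"
    done
    return "$ch_failed"
}

# Values from the report: check_hosts FOO user1 univention member13 master10
```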