Univention Bugzilla – Bug 47392
Test cross-domain share access via same user+password against UCS Samba memberserver
Last modified: 2020-04-18 13:59:51 CEST
We should have a test case that checks cross-domain share access via same user+password against a UCS Samba Memberserver This currently doesn't work against a UCS 4.3 Samba Memberserver: ============================================================================= root@member13:~# smbclient //member13/user1 -c quit -UFOO\\user1%univention \ && echo ok tree connect failed: NT_STATUS_ACCESS_DENIED ============================================================================= But it still works against Samba/AD DCs: ============================================================================= root@member13:~# smbclient //master10/user1 -c quit -UFOO\\user1%univention \ && echo ok ok ============================================================================= We should ensure that we don't have another regression here. +++ This bug was initially created as a clone of Bug #47314 +++ Cross-domain Samba share access via same user+password doesn't work any more on UCS memberservers which are joined into a UCS Samba/AD domain. In Samba versions before 4.7, it was possible to make this work by setting "map untrusted to domain = yes" on the UCS memberserver. With 4.7 this doesn't seem to be enough any longer. This is change of behavior is problematic especially for customers that use the AD-Connector.
So we should actually implement two checks: 1. The workaround of setting "auth methods" still works (Test should run on a memberserver, set the UCR variable on the master, e.g. via UDM policy, trigger a samba restart on the master, e.g. via UMC and finally check home share access) 2. Access works on Samba/AD DCs without the "auth methods" adjustment.
I'd like to increase the priority of this. The lack of tests for this scenario caused severe problems for a customer again when they upgraded to Samba 4.10 on UCS 4.3 with the former workaround for bug 47314.
> The lack of tests for this scenario This bug is just about checking that share access still works. What you probably want is that, now that we known that the manually set values for "auth methods" need to be adjusted during update to Samba 4.10, we should do this during update. I'll create a new bug for that.
The main issue here is documented as Bug 50705. As this is an extension of our test environments for me it is a "Feature Request".