Bug 49426 - [4.4] Cross-domain share access via same user+password doesn't work any more on UCS memberserver
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-0-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
URL: https://wiki.samba.org/index.php/Samb...
Depends on: 47314
Blocks:
Reported: 2019-05-07 17:23 CEST by Arvid Requate
Modified: 2019-05-29 13:24 CEST
See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.229
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019051021000513, 2019051521000344
Bug group (optional):
Max CVSS v3 score:


Attachments
re-add-option-auth-methods.tgz (10.00 KB, application/x-compressed-tar)
2019-05-08 15:09 CEST, Arvid Requate
Description Arvid Requate univentionstaff 2019-05-07 17:23:49 CEST
Cross-domain Samba share access via same user+password doesn't work any more on UCS memberservers which are joined into a UCS Samba/AD domain. Bug 47314 found this for UCS 4.3 / Samba 4.7, but now, with UCS 4.4 / Samba 4.10 the workaround from Bug 47314 Comment 1 doesn't apply any more, because Samba has also removed the "auth methods" Option (see https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#smb.conf_changes ).


+++ This bug was initially created as a clone of Bug #47314 +++

Cross-domain Samba share access via same user+password doesn't work any more on UCS memberservers which are joined into a UCS Samba/AD domain.

In Samba versions before 4.7, it was possible to make this work by setting "map untrusted to domain = yes" on the UCS memberserver. With 4.7 this doesn't seem to be enough any longer.

This change of behavior is problematic especially for customers that use the AD-Connector.
Comment 1 Arvid Requate univentionstaff 2019-05-08 15:09:06 CEST
Created attachment 10011
re-add-option-auth-methods.tgz

The attached tarball contains three patch files that revert the three commits in the Samba code base which removed the "auth methods" option.

With that option, the workaround from Bug 47314 Comment 1 can be used again on Domain Controllers. The important part is to add sam_ignoredomain back to the methods. This worked in my test:

ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"

I've tested this in samba/4.3-0-0-ucs/2:4.10.1-1-errata4.3-private as part of an experiment to backport Samba 4.10 to UCS 4.3.
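
An added example, not part of the bug report and not Univention or Samba code: a small Python check that parses smb.conf text and reports whether the "auth methods" workaround from Comment 1 is set in [global], so an administrator can see which servers carry it. The sample configuration is constructed, and the function names (global_params, audit_auth_methods) are hypothetical.

```python
# Added example; SAMPLE_SMB_CONF is constructed input, not taken from a real server.
import re

SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    # constructed lines matching the settings named in this bug
    Auth Methods = sam winbind \\
        sam_ignoredomain
    map untrusted to domain = yes

[share1]
    path = /srv/share1
"""

def _norm(name):
    # smb.conf section and parameter names ignore case and whitespace
    return re.sub(r"\s+", "", name).lower()

def global_params(conf_text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):           # value continues on the next line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()   # a later setting overrides
    return params

def audit_auth_methods(conf_text):
    """Report the configured auth methods and whether sam_ignoredomain is listed."""
    params = global_params(conf_text)
    methods = params.get("authmethods", "").split()
    return {
        "auth_methods": methods,
        "sam_ignoredomain": "sam_ignoredomain" in methods,
        "map_untrusted_to_domain": params.get("mapuntrustedtodomain"),
    }

if __name__ == "__main__":
    print(audit_auth_methods(SAMPLE_SMB_CONF))
```
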
Comment 3 Arvid Requate univentionstaff 2019-05-15 12:52:59 CEST
> Will the patch be included in UCS 4.4?

Yes, as indicated by title and version tag.
Comment 4 Christian Völker univentionstaff 2019-05-15 15:42:36 CEST
Two customers requested the backport. For at least one there is no workaround known as they already upgraded to UCS 4.4.
Comment 5 Arvid Requate univentionstaff 2019-05-21 18:18:29 CEST
r18581 | Add "auth methods" option back to samba 4.10

fb586d9af5 | Advisory
Comment 6 Felix Botner univentionstaff 2019-05-23 17:30:23 CEST
OK - patches
OK - ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"
OK - yaml
Comment 7 Arvid Requate univentionstaff 2019-05-29 13:24:23 CEST
<http://errata.software-univention.de/ucs/4.4/117.html>