Univention Bugzilla – Bug 49426
[4.4] Cross-domain share access via same user+password doesn't work any more on UCS memberserver
Last modified: 2019-05-29 13:24:23 CEST
Cross-domain Samba share access via same user+password doesn't work any more on UCS memberservers which are joined into a UCS Samba/AD domain. Bug 47314 found this for UCS 4.3 / Samba 4.7, but now, with UCS 4.4 / Samba 4.10, the workaround from Bug 47314 Comment 1 doesn't apply any more, because Samba has also removed the "auth methods" option (see https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#smb.conf_changes).

+++ This bug was initially created as a clone of Bug #47314 +++

Cross-domain Samba share access via same user+password doesn't work any more on UCS memberservers which are joined into a UCS Samba/AD domain. In Samba versions before 4.7, it was possible to make this work by setting "map untrusted to domain = yes" on the UCS memberserver. With 4.7 this doesn't seem to be enough any longer. This change of behavior is problematic especially for customers that use the AD-Connector.
Created attachment 10011: re-add-option-auth-methods.tgz

The attached tarball contains three patch files that revert the three commits in the Samba code base which removed the "auth methods" option. With that option, the workaround from Bug 47314 Comment 1 can be used again on Domain Controllers. The important part is to add sam_ignoredomain back to the methods. This worked in my test:

    ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"

I've tested this in samba/4.3-0-0-ucs/2:4.10.1-1-errata4.3-private as part of an experiment to backport Samba 4.10 to UCS 4.3.
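Added example, not part of the bug report and not Univention or Samba code: a small Python check that reads an smb.conf text and reports whether the workaround value from the comment above, and the older "map untrusted to domain" setting, are present in [global]. It assumes the UCR variable ends up as an "auth methods" line in [global]; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample config, not taken from a real host.
SAMPLE_SMB_CONF = """\
[global]
    Map Untrusted To Domain = yes
    authmethods = sam winbind \\
        sam_ignoredomain
; a comment line
[share1]
    auth methods = guest
"""

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # a trailing backslash continues the line
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = _norm(m.group(1))
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()  # the last assignment wins
    return params

def audit(text):
    """Report the two settings this bug discusses (hypothetical helper)."""
    g = parse_global(text)
    methods = g.get("authmethods", "").replace(",", " ").lower().split()
    untrusted = g.get("mapuntrustedtodomain", "").lower()
    return {
        "auth_methods": methods,
        "sam_ignoredomain": "sam_ignoredomain" in methods,
        "map_untrusted_to_domain": untrusted in ("yes", "true", "1"),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF))
```

Running it over the smb.conf of each server shows where sam_ignoredomain is configured, including spellings such as "authmethods" or continued lines that a plain grep for the option name would miss.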
> Will the patch be included in UCS 4.4?

Yes, as indicated by title and version tag.
Two customers requested the backport. For at least one there is no workaround known as they already upgraded to UCS 4.4.
r18581 | Add "auth methods" option back to samba 4.10
fb586d9af5 | Advisory
OK - patches
OK - ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"
OK - yaml
<http://errata.software-univention.de/ucs/4.4/117.html>