Univention Bugzilla – Bug 54200
No access to home share on member servers
Last modified: 2022-01-12 16:45:03 CET
After upgrading from 4.4 errata 1001 to errata 1111, access to home shares is impossible if they are created on member servers. Home shares on Main and Backup DC are working correctly. After granting access to the group Domain Users, access works. Every other share only accessible for a specific user cannot be accessed with this user if the share exists on a member server. Users can connect to their home shares via Windows regardless of their location. The above problem only affects Linux clients. I tried to connect with Linux clients and Univention Servers, that belong to another domain. I created a new testing domain consisting of Main and Backup DC and a member server and could reproduce this problem. https://help.univention.com/t/after-update-partially-no-access-to-home-shares/18943
Just to be thorough: Testing consisted of connecting with smbclient, which always worked.
smbclient -U testdom1/user1 //10.40.1.60/user1
On DC servers the ls command lists all files. On member servers missing access rights cause an error message:
NT_STATUS_ACCESS_DENIED listing \*
Workaround:
echo -e "[global]\n\twinbind use default domain = yes" >> /etc/samba/local.conf
ucr commit /etc/samba/smb.conf
IIRC this only affects NTLM-based authentication. In my tests with smbclient access worked when using the FQDN, because smbclient seems to use Kerberos internally in that case. Anyway, the workaround should help. There is an updated upstream patch that will make this unnecessary. We'll probably pick that up during the next occasion.
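Two small POSIX sh checks for the situation in this thread, added here as an example and not part of the bug report or of the univention-samba package: one classifies smbclient output as a working listing or the NT_STATUS_ACCESS_DENIED failure, the other checks whether the workaround setting is actually present in a [global] section of an smb.conf text (including the second [global] block that the appended local.conf produces). All sample output and config text below is constructed, not captured from a real server.

```shell
# Constructed sample smbclient output (not from a real system)
SAMPLE_OK='  .                        D        0  Mon Jan 10 10:00:00 2022
  report.txt               N     1234  Mon Jan 10 10:01:00 2022

		4194304 blocks of size 1024. 1048576 blocks available'
SAMPLE_DENIED='NT_STATUS_ACCESS_DENIED listing \*'

# Constructed smb.conf fragment before the workaround
SMBCONF_BEFORE='[global]
	workgroup = TESTDOM1
	security = ads
[homes]
	browseable = no'
# The same file after the workaround from the thread has been appended:
# a second [global] block re-opens the global section
SMBCONF_AFTER="$SMBCONF_BEFORE
[global]
	winbind use default domain = yes"

# classify_listing OUTPUT: returns 0 = listing worked, 1 = access denied, 2 = unknown
classify_listing() {
  case "$1" in
    *NT_STATUS_ACCESS_DENIED*) return 1 ;;
    *"blocks of size"*)        return 0 ;;
  esac
  return 2
}

# has_workaround SMBCONF_TEXT: returns 0 if "winbind use default domain = yes"
# is set inside a [global] section (any [global] block counts), 1 otherwise.
# Section names are compared case-insensitively with whitespace removed.
has_workaround() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*\[/ { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
    sec == "[global]" && tolower($0) ~ /^[ \t]*winbind use default domain[ \t]*=[ \t]*yes[ \t]*$/ { found = 1 }
    END { exit (found ? 0 : 1) }'
}
```

On a real member server the same functions can be fed `smbclient ... -c ls` output and the contents of /etc/samba/smb.conf to confirm the workaround is in place before retesting.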
I applied this workaround to all necessary file servers and access to the shares is working now. Thank you.
I removed the old 98_CVE-2020-25717-add-local-nt-token-from-nss.quilt and instead applied the newer upstream patch that fixes this issue without needing extra configuration in the smb.conf. https://gitlab.com/samba-team/samba/-/merge_requests/2253 This also fixes the problem when accessing home shares via NTLM that is described in this bug. http://jenkins.knut.univention.de:8080/job/UCS-5.0/job/UCS-5.0-1/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=member/testReport/ The test we added that reproduced this problem was successful.
---------------------------------
556a10ef37 Bug #54200: yaml
c1a2105d06 Bug #54200: Revert username map script for nss_ldap
Package: univention-samba
Version: 14.0.5-4A~5.0.0.202201102049
Branch: ucs_5.0-0
Scope: errata5.0-1
r19496 Bug #54200: Updated patch for the homeshare access on memberservers
Package: samba
Version: 2:4.13.13-1A~5.0.0.202201101954
Branch: ucs_5.0-0
Scope: errata5.0-1
OK: All 46share_access_permissions tests succeed
OK: Patch
OK: Remove usermapping script from univention-samba package and its entry from smb.conf
OK: Yaml
Verified
<https://errata.software-univention.de/#/?erratum=5.0x186> <https://errata.software-univention.de/#/?erratum=5.0x187>