Univention Bugzilla – Bug 55515
Broken Samba/AD function if "auth methods" is set
Last modified: 2023-02-16 11:58:02 CET
In a customer environment the sysvol share of the Samba 4 / AD DC was no longer accessible if auth methods was set.
If the auth methods setting is removed, the cross domain share access doesn't work anymore:
https://help.univention.com/t/problem-cross-domain-share-access-via-same-user-and-password-doesnt-work-any-more/9918

Steps to reproduce:

root@primary501:~# univention-app info
UCS: 5.0-2 errata515
Installed: samba4=4.16 self-service=5.0 self-service-backend=5.0 4.4/riot=1.9.6 4.4/synapse=1.48.0
Upgradable:
root@primary501:~# ucr set samba/global/options/"auth methods"="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain"
Create samba/global/options/auth methods
Multifile: /etc/samba/smb.conf
Script: /etc/univention/templates/scripts/samba.local.config.py
root@primary501:~# /etc/init.d/samba restart
[ ok ] Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
[ ok ] Stopping smbd (via systemctl): smbd.service.
[ ok ] Stopping nmbd (via systemctl): nmbd.service.
[ ok ] Starting nmbd (via systemctl): nmbd.service.
[ ok ] Starting smbd (via systemctl): smbd.service.
[ ok ] Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
root@primary501:~# smbclient "//$(hostname -f)/sysvol" -P -c ls
tree connect failed: NT_STATUS_ACCESS_DENIED
root@primary501:~# smbclient "//127.0.0.1/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:32 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41683004 blocks available
root@primary501:~# ucr unset samba/global/options/"auth methods"
Unsetting samba/global/options/auth methods
Multifile: /etc/samba/smb.conf
Script: /etc/univention/templates/scripts/samba.local.config.py
root@primary501:~# /etc/init.d/samba restart
[ ok ] Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
[ ok ] Stopping smbd (via systemctl): smbd.service.
[ ok ] Stopping nmbd (via systemctl): nmbd.service.
[ ok ] Starting nmbd (via systemctl): nmbd.service.
[ ok ] Starting smbd (via systemctl): smbd.service.
[ ok ] Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
root@primary501:~# smbclient "//$(hostname -f)/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:59 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41682936 blocks available
root@primary501:~# smbclient "//127.0.0.1/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:59 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41682936 blocks available
root@primary501:~#
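The following is an added example, not part of the bug report and not Univention's tooling: a shell check that reports whether "auth methods" is set in [global] of an smb.conf, the setting the report above ties to the sysvol failure. The function names, the sample configuration and the whitespace-collapsed output format are assumptions made for the example.

```shell
# smb.conf parameter names are case-insensitive and ignore whitespace,
# so "Auth Methods" and "authmethods" name the same parameter.
# auth_methods_value FILE: print the last "auth methods" value in [global].
auth_methods_value() {
    awk '
        # Assumption: parameters before any section header count as global.
        BEGIN { section = "global" }
        # Join continuation lines (trailing backslash).
        { line = pending $0; pending = "" }
        line ~ /\\$/ { sub(/\\$/, "", line); pending = line; next }
        { sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
        line == "" || line ~ /^[#;]/ { next }
        line ~ /^\[.*\]$/ { section = tolower(substr(line, 2, length(line) - 2)); next }
        section == "global" && (eq = index(line, "=")) > 0 {
            name = tolower(substr(line, 1, eq - 1)); gsub(/[ \t]/, "", name)
            value = substr(line, eq + 1)
            gsub(/[ \t]+/, " ", value); sub(/^ /, "", value)
            if (name == "authmethods") { found = 1; result = value }
        }
        END { if (found) print result }
    ' "$1"
}

# audit_conf FILE: return 1 and print the value if the option is set.
audit_conf() {
    value=$(auth_methods_value "$1")
    if [ -n "$value" ]; then
        echo "FOUND: auth methods = $value"
        return 1
    fi
    echo "OK: auth methods not set in [global]"
}

# Constructed sample; the option value is the one used in the report.
write_sample() {
    cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    ; auth methods = guest
    Auth  Methods = anonymous sam winbind_rodc \
        sam_failtrusts sam_ignoredomain
[sysvol]
    path = /srv/example
EOF
}

sample=$(mktemp); write_sample "$sample"
audit_conf "$sample" || true
rm -f "$sample"
```

On a UCS system the file to pass is /etc/samba/smb.conf, the multifile named in the ucr output above.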
It breaks with the upgrade from UCS 5.0-1 to UCS 5.0-2:
- samba 2:4.13.13-1A~5.0.0.202205041854 → OK
- samba 2:4.16.2-1A~5.0.0.202206271026 → fail
r19748 | Slim patch down to fix regression
54abd3fd19 | Advisory update

Package: samba
Version: 2:4.16.8-1A~5.0.0.202302131032
Branch: ucs_5.0-0
Scope: errata5.0-3
OK: Patch
OK: Cross domain auth works again if "auth methods" is set
OK: Sysvol share is accessible if "auth methods" is set
OK: Package build
OK YAML
Verified
<https://errata.software-univention.de/#/?erratum=5.0x574>