Univention Bugzilla – Full Text Bug Listing

Summary: | Cross-domain share access via same user+password doesn't work any more on UCS memberserver | | |
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | Samba4 | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | normal | | |
Priority: | P5 | CC: | gohmann, heidelberger, olivier.magloire, scheinig, steuwer, voelker |
Version: | UCS 4.3 | | |
Target Milestone: | UCS 4.3-4-errata | | |
Hardware: | Other | | |
OS: | Linux | | |
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=47392, https://forge.univention.org/bugzilla/show_bug.cgi?id=49394, https://forge.univention.org/bugzilla/show_bug.cgi?id=50705 | | |
What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
User Pain: | 0.229 | Enterprise Customer affected?: | Yes |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Yes | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | 2018062721000456, 2018042421000812, 2018090721000498, 2018100321000501 | Bug group (optional): | |
Max CVSS v3 score: | | | |
Bug Depends on: | | | |
Bug Blocks: | 49426, 49479, 55515, 55516 | | |
Attachments: | s3-auth-add-map-untrusted-to-domain-handling.patch | | |
Description
Arvid Requate
2018-07-05 16:00:13 CEST
As a workaround the following option can be set on all Samba AD/DCs of the domain:

    auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain

e.g. via UCR:

    ucr set samba/global/options/"auth methods"="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain"

Please note that this may cause unintended changes of behavior. Unfortunately there is only "auth methods" and it affects both local logon and netlogon. In this case only the netlogon behavior needed adjustment.

I also checked the behavior of a share access to a Microsoft Windows memberserver in a native Microsoft AD domain and I could not get it to allow authentication with UCSDOM\user1. I tried several tweaks to the local security policy regarding NTLM connections. If we could find out the setting that makes Windows accept this, then we could make a proposal for Samba.

I've added a knowledge base article: https://help.univention.com/t/problem-cross-domain-share-access-via-same-user-and-password-doesnt-work-any-more/9918

A caveat when using a member server as file share: the setting MUST NOT be applied on the member server or else the authentication will break. Only set it on the DC!

Summary: The known problematic scenarios:
1. Clients from other Domains, for example in an Active Directory domain in sync using the Active Directory Connector
2. Clients without a Domain, for example Printers, unmanaged Clients or BYOD Clients
The bug affects only shares on a memberserver, but configuration changes are needed on the Domaincontrollers.

Created attachment 9973 [details]
s3-auth-add-map-untrusted-to-domain-handling.patch

This patch would revert the removal of the option "map untrusted to domain". Re-enabling this option is a local change on the memberserver, in contrast to the workaround of Comment 1, which affects all DCs. The patch applies to Samba 4.8. To apply it to Samba 4.10.2 a trivial context adjustment is required for one of the five patch hunks.
The patch from Comment 5 doesn't help, because the option doesn't help any longer, as stated in the original bug description.

Patches attached to Bug 49426 merged for Bug 49479:
r18566 | 97_*auth_methods*.quilt
17e0c70471 | Advisory update for samba.yaml

Summary: With Bug 49479 we plan to backport Samba 4.10 to UCS 4.3. But the "auth methods" option has been removed from upstream Samba source code. We re-added the option to Samba 4.10, to allow the workaround mentioned in Comment 1, i.e. setting the following UCR variable on Samba/AD 4.10 Domaincontrollers:

    ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"

OK - yaml
OK - auth methods"="sam winbind sam_ignoredomain" with
-> ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"
-> /etc/init.d/samba restart
on the UCS master I can log on to a share on my memberserver from an unjoined client (smbclient, win7)

One question though, every samba-tool command prints out this warning:
-> samba-tool dbcheck
WARNING: The "auth methods" option is deprecated
because 97_add_option_auth_methods.quilt:
+<samba:parameter name="auth methods"
+ context="G"
+ type="cmdlist"
+ deprecated="1"
I think that is OK because it is deprecated, just wanted to ask.

r18580 | remove warning message about deprecated option
e54fd00082 | Advisory update

OK - yaml
OK - warning removed
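Review bot: the `deprecated="1"` attribute on the re-added `auth methods` parameter in 97_add_option_auth_methods.quilt is what makes every samba-tool invocation print `WARNING: The "auth methods" option is deprecated` once the option is set on a DC. Since the parameter is being re-added on purpose so that the workaround can be configured on every DC, the warning fires on every command on every DC and drowns out warnings that do matter; either drop the `deprecated` attribute from the quilt patch or suppress the message for this one parameter (r18580 takes the second route), and note in the advisory that the option is UCS-specific and gone upstream.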
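The caveat that runs through the whole thread is that `auth methods` belongs on the Samba/AD DCs only and must never end up on the member server that hosts the share. As an added example (not code from the bug report, from Univention or from Samba), the shell check below enforces that rule on an smb.conf-style file: it reads the `[global]` section, takes the host role from the `server role` key (my assumption about where to read the role from; `testparm -s` prints the effective value on a real host), and fails when a member server carries the option. The three configs it checks are constructed samples, not real UCS hosts; they use the two UCR value variants quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the bug report or of UCS: sanity-check the
# "auth methods" workaround. Rule from the thread: the option goes on the
# Samba/AD DCs only; set on a member server it breaks authentication.
# Assumption (mine, not from the page): the host role is read from the
# "server role" key in [global].

# Print the value of a [global] key from an smb.conf-style file (empty if
# unset). Keys match case-insensitively; other sections are ignored.
smb_global_value() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
        sec == "global" && index($0, "=") > 0 {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Exit status: 0 = consistent with the rule, 1 = option set on a member
# server (the caveat from the thread), 2 = role not recognised.
check_auth_methods() {
    conf=$1
    role=$(smb_global_value "$conf" "server role")
    methods=$(smb_global_value "$conf" "auth methods")
    case "$role" in
        "active directory domain controller")
            if [ -n "$methods" ]; then
                echo "$conf: DC with 'auth methods = $methods' (workaround active)"
            else
                echo "$conf: DC without 'auth methods' (workaround not applied)"
            fi
            return 0 ;;
        "member server")
            if [ -n "$methods" ]; then
                echo "$conf: 'auth methods' set on a member server; remove it here, set it on the DCs only" >&2
                return 1
            fi
            echo "$conf: member server without 'auth methods' (correct)"
            return 0 ;;
        *)
            echo "$conf: unrecognised server role '$role'" >&2
            return 2 ;;
    esac
}

# Constructed sample configs (not real hosts): a DC with the 4.10 variant,
# a member server wrongly carrying the 4.8 variant, and a clean member server.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/dc.conf" <<'EOF'
[global]
    server role = active directory domain controller
    workgroup = UCSDOM
    auth methods = sam winbind sam_ignoredomain
EOF
cat > "$SAMPLE_DIR/member-bad.conf" <<'EOF'
[global]
    server role = member server
    workgroup = UCSDOM
    auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain
[share]
    path = /srv/share
EOF
cat > "$SAMPLE_DIR/member-ok.conf" <<'EOF'
[global]
    server role = member server
    workgroup = UCSDOM
[share]
    path = /srv/share
EOF

for f in dc member-bad member-ok; do
    check_auth_methods "$SAMPLE_DIR/$f.conf" || echo "  -> exit status $?"
done
```

Run it against `testparm -s` output on each host of the domain (the rendered smb.conf is what Samba actually loads, whichever UCR variable produced it): every DC should report the workaround as active and every member server should pass, otherwise the host that fails is the one where share logons from foreign-domain or unjoined clients will break.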