Bug 49426

Summary: [4.4] Cross-domain share access via same user+password doesn't work any more on UCS memberserver
Product: UCS
Reporter: Arvid Requate <requate>
Component: Samba4
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: gohmann, heidelberger, michelsmidt, olivier.magloire, steuwer, stoeckigt, voelker
Version: UCS 4.4
Target Milestone: UCS 4.4-0-errata
Hardware: Other
OS: Linux
URL: https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.229
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019051021000513, 2019051521000344
Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 47314
Bug Blocks:
Attachments: re-add-option-auth-methods.tgz

Description Arvid Requate univentionstaff 2019-05-07 17:23:49 CEST
Cross-domain Samba share access via same user+password doesn't work any more on UCS memberservers which are joined into a UCS Samba/AD domain. Bug 47314 found this for UCS 4.3 / Samba 4.7, but now, with UCS 4.4 / Samba 4.10 the workaround from Bug 47314 Comment 1 doesn't apply any more, because Samba has also removed the "auth methods" Option (see https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#smb.conf_changes ).


+++ This bug was initially created as a clone of Bug #47314 +++

Cross-domain Samba share access via same user+password doesn't work any more on UCS memberservers which are joined into a UCS Samba/AD domain.

In Samba versions before 4.7, it was possible to make this work by setting "map untrusted to domain = yes" on the UCS memberserver. With 4.7 this doesn't seem to be enough any longer.

This change of behavior is problematic, especially for customers that use the AD-Connector.
Comment 1 Arvid Requate univentionstaff 2019-05-08 15:09:06 CEST
Created attachment 10011
re-add-option-auth-methods.tgz

The attached tar ball contains three patch files that revert the three commits in the Samba code base which removed the "auth methods" option. 

With that option, the workaround from Bug 47314 Comment 1 can be used again on Domain Controllers. The important part is to add sam_ignoredomain back to the methods. This worked in my test:

ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"

I've tested this in samba/4.3-0-0-ucs/2:4.10.1-1-errata4.3-private as part of an experiment to backport Samba 4.10 to UCS 4.3.
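As an added example (not part of this bug report, the attached patches, or Univention's code), the following script checks whether a generated smb.conf actually carries the workaround from Comment 1: the "auth methods" parameter in the [global] section must list sam_ignoredomain. The sample configurations it writes are constructed, and the file names are placeholders; on a real UCS member server you would point check_workaround at /etc/samba/smb.conf after the ucr setting has been applied. Matching is case-insensitive with internal whitespace collapsed and the last assignment winning, which is how Samba itself reads parameter names and repeated parameters.

```shell
#!/bin/sh
# Added example, not the bug report's or Univention's code. Verifies that the
# [global] section of an smb.conf lists sam_ignoredomain under "auth methods",
# which Comment 1 identifies as the part that makes the workaround effective.

# Print the value of one [global] parameter, or nothing if it is not set there.
# Only [global] is examined: "auth methods" is a global parameter and a copy in
# a share section would not take effect. The last assignment wins, as in Samba.
smb_global_value() {
    conf="$1"
    name="$2"
    awk -v want="$name" '
        BEGIN { in_global = 0 }
        /^[[:space:]]*[;#]/ { next }                       # comment line
        /^[[:space:]]*\[/ {                                # section header
            sec = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
            in_global = (tolower(sec) == "global")
            next
        }
        in_global && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]+/, " ", key)                 # collapse whitespace
            gsub(/^ | $/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(key) == tolower(want)) print val
        }' "$conf" | tail -n 1
}

# Return 0 if "auth methods" in [global] contains sam_ignoredomain, else 1.
has_sam_ignoredomain() {
    methods=$(smb_global_value "$1" "auth methods")
    for m in $methods; do
        [ "$m" = "sam_ignoredomain" ] && return 0
    done
    return 1
}

# Human-readable wrapper; exit status mirrors has_sam_ignoredomain.
check_workaround() {
    conf="$1"
    if has_sam_ignoredomain "$conf"; then
        echo "$conf: auth methods includes sam_ignoredomain (workaround active)"
        return 0
    fi
    echo "$conf: sam_ignoredomain missing; auth methods = '$(smb_global_value "$conf" 'auth methods')'"
    return 1
}

# Constructed sample smb.conf: a minimal member-server [global] section plus
# whatever extra global lines are passed in, followed by a share section so
# the parser is exercised across a section boundary.
write_sample_conf() {
    out="$1"
    shift
    {
        echo "[global]"
        echo "        security = domain"
        echo "        workgroup = EXAMPLE"
        for line in "$@"; do echo "        $line"; done
        echo ""
        echo "[share]"
        echo "        path = /srv/share"
    } > "$out"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# with.conf: what the ucr setting from Comment 1 produces (plus the older
# "map untrusted to domain" setting from the Description); without.conf: only
# the older setting, which is no longer sufficient on Samba 4.7 and later.
write_sample_conf "$tmp/with.conf" "map untrusted to domain = yes" "Auth Methods = sam winbind sam_ignoredomain"
write_sample_conf "$tmp/without.conf" "map untrusted to domain = yes"

check_workaround "$tmp/with.conf"
check_workaround "$tmp/without.conf" || true
```

Run it as-is to see both outcomes; to check a live system, call check_workaround /etc/samba/smb.conf after "ucr set" has regenerated the file, and treat a non-zero exit as "the option did not reach the [global] section".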
Comment 3 Arvid Requate univentionstaff 2019-05-15 12:52:59 CEST
> Will the patch be included in UCS 4.4?

Yes, as indicated by title and version tag.
Comment 4 Christian Völker univentionstaff 2019-05-15 15:42:36 CEST
Two customers requested the backport. For at least one there is no workaround known, as they have already upgraded to UCS 4.4.
Comment 5 Arvid Requate univentionstaff 2019-05-21 18:18:29 CEST
r18581 | Add "auth methods" option back to samba 4.10

fb586d9af5 | Advisory
Comment 6 Felix Botner univentionstaff 2019-05-23 17:30:23 CEST
OK - patches
OK - ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"
OK - yaml
Comment 7 Arvid Requate univentionstaff 2019-05-29 13:24:23 CEST
<http://errata.software-univention.de/ucs/4.4/117.html>