Bug 55516

Summary: Pre-Update check: Broken Samba/AD function if "auth methods" is set
Product: UCS
Reporter: Stefan Gohmann <gohmann>
Component: Update - univention-updater
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Julia Bremer <bremer>
Severity: normal
Priority: P5
CC: damrose, requate, turfeld
Version: UCS 5.0
Target Milestone: UCS 5.0-2-errata
Hardware: Other
OS: Linux
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.343
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022112921000201
Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 47314, 55515
Bug Blocks:

Description Stefan Gohmann univentionstaff 2022-12-22 13:09:44 CET
Until we have fixed Bug #55515, we should block the UCS 5.0-2 upgrade if "auth methods" is set.

+++ This bug was initially created as a clone of Bug #55515 +++

In a customer environment the sysvol share of the Samba 4 / AD DC was no longer accessible if auth methods was set.

If the auth methods setting is removed, the cross domain share access doesn't work anymore:
https://help.univention.com/t/problem-cross-domain-share-access-via-same-user-and-password-doesnt-work-any-more/9918


Steps to reproduce:
root@primary501:~# univention-app info
UCS: 5.0-2 errata515
Installed: samba4=4.16 self-service=5.0 self-service-backend=5.0 4.4/riot=1.9.6 4.4/synapse=1.48.0
Upgradable: 
root@primary501:~# ucr set samba/global/options/"auth methods"="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain"
Create samba/global/options/auth methods
Multifile: /etc/samba/smb.conf
Script: /etc/univention/templates/scripts/samba.local.config.py
root@primary501:~# /etc/init.d/samba restart
[ ok ] Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
[ ok ] Stopping smbd (via systemctl): smbd.service.
[ ok ] Stopping nmbd (via systemctl): nmbd.service.
[ ok ] Starting nmbd (via systemctl): nmbd.service.
[ ok ] Starting smbd (via systemctl): smbd.service.
[ ok ] Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
root@primary501:~# smbclient "//$(hostname -f)/sysvol" -P -c ls
tree connect failed: NT_STATUS_ACCESS_DENIED
root@primary501:~# smbclient "//127.0.0.1/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:32 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41683004 blocks available
root@primary501:~# ucr unset samba/global/options/"auth methods"
Unsetting samba/global/options/auth methods
Multifile: /etc/samba/smb.conf
Script: /etc/univention/templates/scripts/samba.local.config.py
root@primary501:~# /etc/init.d/samba restart
[ ok ] Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
[ ok ] Stopping smbd (via systemctl): smbd.service.
[ ok ] Stopping nmbd (via systemctl): nmbd.service.
[ ok ] Starting nmbd (via systemctl): nmbd.service.
[ ok ] Starting smbd (via systemctl): smbd.service.
[ ok ] Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
root@primary501:~# smbclient "//$(hostname -f)/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:59 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41682936 blocks available
root@primary501:~# smbclient "//127.0.0.1/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:59 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41682936 blocks available
root@primary501:~#
Comment 2 Arvid Requate univentionstaff 2023-01-16 16:25:00 CET
1c76ffe0e2 | Add preup check for Samba "auth methods"

Released as ucs502/preup.sh and pre-update-checks-5.0-2, both signed.
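
One way to implement such a pre-update check, as an added example that is not the code from commit 1c76ffe0e2 or the released preup.sh: it reads the rendered smb.conf (the path is passed as an argument, an assumption) and refuses to proceed while "auth methods" is set in [global]. The function names has_auth_methods and preup_check are hypothetical; the parser relies on smb.conf treating parameter names as case- and whitespace-insensitive.

```shell
#!/bin/sh
# Added example; not the released preup.sh. Function names are hypothetical.

# has_auth_methods FILE
# Print the effective "auth methods" value from [global] and return 0 if it
# is set to a non-empty value; return 1 otherwise.
has_auth_methods() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]")
            next
        }
        in_global && index($0, "=") {
            eq = index($0, "=")                 # only the first "=" separates
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", name)             # case and whitespace in names are ignored
            if (name == "authmethods") {
                v = substr($0, eq + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                found = (v != "")               # last occurrence wins
            }
        }
        END { if (found) print v; exit(found ? 0 : 1) }
    ' "$1"
}

# preup_check FILE: return 1 (block the update) while the option is set.
preup_check() {
    if value=$(has_auth_methods "$1"); then
        echo "ERROR: Samba option \"auth methods\" is set: $value" >&2
        echo "Update blocked, see Bug #55516." >&2
        return 1
    fi
    return 0
}

# Constructed sample using the value from the reproduction steps.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
    auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain
EOF
preup_check "$sample" || echo "update would be aborted"
rm -f "$sample"
```
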
Comment 3 Julia Bremer univentionstaff 2023-01-20 12:03:45 CET
OK: ucr set samba/global/options/"auth methods"="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" blocks upgrade
OK: message

Verified
Comment 4 Julia Bremer univentionstaff 2023-01-20 12:03:57 CET
Has been released