Comment 1 Arvid Requate 2018-07-09 18:38:48 CEST

As a workaround the following option can be set on all Samba AD/DCs of the domain:

 auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain

e.g. via UCR:

ucr set samba/global/options/"auth methods"="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain"

Please note that this may cause unintended changes of behavior. Unfortunately there is only "auth methods" and it affects both, local logon and netlogon. In this case only the netlogon behavior needed adjustment.


I also checked the behavior of a share access to Microsoft Windows memberserver in a native Microsoft AD domain and I could not get it to allow authentication with UCSDOM\user1 . I tried several tweaks to the local security policy regarding NTLM connections. If we could find out the setting that makes Windows accept this, then we could make a proposal for Samba.

Comment 2 Stefan Gohmann 2018-10-04 08:44:22 CEST

I've added a knowledge base article: https://help.univention.com/t/problem-cross-domain-share-access-via-same-user-and-password-doesnt-work-any-more/9918

a caveat when using a member server as file share:

the setting MUST NOT be applied on the member server or else the authentication will break. only set it on the DC!

Comment 4 Ingo Steuwer 2019-03-28 21:02:15 CET

Summary:

The known problematic scenarios:

1. Clients from other Domains, for example in an Active Directory domain in sync using the Active Directory Connector

2. Clients without a Domain, for example Printers, unmanaged Clients or BYOD Clients

Bug affects only shares on a memberserver, but configuration changes are needed on the Domaincontrollers.

Comment 5 Arvid Requate 2019-04-15 19:43:39 CEST

Created attachment 9973 [details]
s3-auth-add-map-untrusted-to-domain-handling.patch

This patch would revert the removal of the option "map untrusted to domain". Re-enabling this option is a local change on the memberserver in contrast to the workaround of Comment 1, which affects all DCs. The patch applies to Samba 4.8. To apply it to Samba 4.10.2 a trivial context adjustment is required for one of the five patch hunks.

Comment 6 Arvid Requate 2019-05-07 18:52:23 CEST

The patch from Comment 5 doesn't help, because the option doesn't help any longer, as stated in the original bug description.

Comment 7 Arvid Requate 2019-05-15 18:40:50 CEST

Patches attached to Bug 49426 merged for Bug 49479:

r18566 | 97_*auth_methods*.quilt

17e0c70471 | Advisory update for samba.yaml


Summary: With Bug 49479 we plan to backport Samba 4.10 to UCS 4.3. Bug the "auth methods" option has been removed from upstream Samba source code. We re-added the option to Samba 4.10, to allow the workaround mentioned in Comment 1, i.e. setting the following UCR-Variable on Samba/AD 4.10 Domaincontrollers:

ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"

Comment 8 Felix Botner 2019-05-17 12:50:30 CEST

OK - yaml
OK - auth methods"="sam winbind sam_ignoredomain"

with 

-> ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"
-> /etc/init.d/samba restart

on the UCS master i can logon on a share on my memberserver from an unjoined client (smbclient, win7)

One question though, every samba-tool command prints out this warning

-> samba-tool dbcheck
WARNING: The "auth methods" option is deprecated

because 

97_add_option_auth_methods.quilt:
+<samba:parameter name="auth methods"
+                 context="G"
+                 type="cmdlist"
+                 deprecated="1"

I think that is OK because it is deprecated, just wanted to ask.

Comment 9 Arvid Requate 2019-05-20 15:18:10 CEST

r18580 | remove warning message about deprecated option

e54fd00082 | Advisory update

Comment 10 Felix Botner 2019-05-22 17:54:41 CEST

OK - yaml
OK - warning removed

Comment 11 Arvid Requate 2019-05-29 13:51:24 CEST

<http://errata.software-univention.de/ucs/4.3/516.html>