Bug 55515 - Broken Samba/AD function if "auth methods" is set
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 5.0
Other Linux
: P5 normal
: UCS 5.0-3-errata
Assigned To: Arvid Requate
Julia Bremer
Depends on: 47314 55677 55678
Blocks: 55516
Reported: 2022-12-22 11:11 CET by Stefan Gohmann
Modified: 2023-02-16 11:58 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.343
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022112921000201
Bug group (optional):
Max CVSS v3 score:


Description Stefan Gohmann univentionstaff 2022-12-22 11:11:41 CET
In a customer environment the sysvol share of the Samba 4 / AD DC was no longer accessible if auth methods was set.

If the auth methods setting is removed, the cross domain share access doesn't work anymore:
https://help.univention.com/t/problem-cross-domain-share-access-via-same-user-and-password-doesnt-work-any-more/9918


Steps to reproduce:
root@primary501:~# univention-app info
UCS: 5.0-2 errata515
Installed: samba4=4.16 self-service=5.0 self-service-backend=5.0 4.4/riot=1.9.6 4.4/synapse=1.48.0
Upgradable: 
root@primary501:~# ucr set samba/global/options/"auth methods"="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain"
Create samba/global/options/auth methods
Multifile: /etc/samba/smb.conf
Script: /etc/univention/templates/scripts/samba.local.config.py
root@primary501:~# /etc/init.d/samba restart
[ ok ] Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
[ ok ] Stopping smbd (via systemctl): smbd.service.
[ ok ] Stopping nmbd (via systemctl): nmbd.service.
[ ok ] Starting nmbd (via systemctl): nmbd.service.
[ ok ] Starting smbd (via systemctl): smbd.service.
[ ok ] Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
root@primary501:~# smbclient "//$(hostname -f)/sysvol" -P -c ls
tree connect failed: NT_STATUS_ACCESS_DENIED
root@primary501:~# smbclient "//127.0.0.1/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:32 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41683004 blocks available
root@primary501:~# ucr unset samba/global/options/"auth methods"
Unsetting samba/global/options/auth methods
Multifile: /etc/samba/smb.conf
Script: /etc/univention/templates/scripts/samba.local.config.py
root@primary501:~# /etc/init.d/samba restart
[ ok ] Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
[ ok ] Stopping smbd (via systemctl): smbd.service.
[ ok ] Stopping nmbd (via systemctl): nmbd.service.
[ ok ] Starting nmbd (via systemctl): nmbd.service.
[ ok ] Starting smbd (via systemctl): smbd.service.
[ ok ] Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
root@primary501:~# smbclient "//$(hostname -f)/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:59 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41682936 blocks available
root@primary501:~# smbclient "//127.0.0.1/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:59 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41682936 blocks available
root@primary501:~#
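
One way to check whether a host carries the setting this report is about, as an added example that is not part of the bug report or of UCS: it reads smb.conf text and prints the [global] "auth methods" value if one is set. The function names and the sample configuration (everything except the "auth methods" value taken from the report) are constructed for illustration; include directives and line continuations are not followed.

```shell
#!/bin/sh
# Added example: print the [global] "auth methods" value from smb.conf text.
# Reads the named files, or stdin when none are given. Returns 1 if unset.
global_auth_methods() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]*\[/ {                          # section header
            sec = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", sec)
            sub(/[ \t]*\].*$/, "", sec)
            next
        }
        sec == "global" {
            eq = index($0, "=")
            if (eq == 0) next
            # Parameter names are case-insensitive; whitespace in them is ignored.
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", name)
            if (name == "authmethods") {
                val = substr($0, eq + 1)
                sub(/^[ \t]+/, "", val)
                sub(/[ \t\r]+$/, "", val)
                found = 1                      # a later assignment replaces this one
            }
        }
        END { if (found) print val; exit (found ? 0 : 1) }
    ' "$@"
}

# Constructed sample: a commented-out setting, a mixed-case live one, a share.
sample_conf() {
    cat <<'EOF'
[global]
	; auth methods = guest
	netbios name = EXAMPLE
	Auth Methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain
[sysvol]
	path = /srv/example/sysvol
EOF
}

if value=$(sample_conf | global_auth_methods); then
    echo "auth methods is set in [global]: $value"
else
    echo "auth methods is not set in [global]"
fi
```

On a real host the function would be called with the generated configuration file as its argument, for example `global_auth_methods /etc/samba/smb.conf`.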
Comment 1 Stefan Gohmann univentionstaff 2022-12-22 13:06:31 CET
It breaks with the upgrade from UCS 5.0-1 to UCS 5.0-2:
 - samba 2:4.13.13-1A~5.0.0.202205041854 → OK
 - samba 2:4.16.2-1A~5.0.0.202206271026 → fail
Comment 3 Arvid Requate univentionstaff 2023-02-13 11:45:33 CET
r19748 | Slim patch down to fix regression
54abd3fd19 | Advisory update

Package: samba
Version: 2:4.16.8-1A~5.0.0.202302131032
Branch: ucs_5.0-0
Scope: errata5.0-3
Comment 4 Julia Bremer univentionstaff 2023-02-15 09:00:47 CET
OK: Patch
OK: Cross domain auth works again if "auth methods" is set
OK: Sysvol share is accessible if "auth methods" is set
OK: Package build
OK: YAML
Verified