Univention Bugzilla – Bug 55516
Pre-Update check: Broken Samba/AD function if "auth methods" is set
Last modified: 2023-01-20 12:03:57 CET
Until we have fixed Bug #55515, we should block the UCS 5.0-2 upgrade if "auth methods" is set.

+++ This bug was initially created as a clone of Bug #55515 +++

In a customer environment the sysvol share of the Samba 4 / AD DC was no longer accessible if auth methods was set.

If the auth methods setting is removed, the cross domain share access doesn't work anymore:
https://help.univention.com/t/problem-cross-domain-share-access-via-same-user-and-password-doesnt-work-any-more/9918

Steps to reproduce:

root@primary501:~# univention-app info
UCS: 5.0-2 errata515
Installed: samba4=4.16 self-service=5.0 self-service-backend=5.0 4.4/riot=1.9.6 4.4/synapse=1.48.0
Upgradable:
root@primary501:~# ucr set samba/global/options/"auth methods"="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain"
Create samba/global/options/auth methods
Multifile: /etc/samba/smb.conf
Script: /etc/univention/templates/scripts/samba.local.config.py
root@primary501:~# /etc/init.d/samba restart
[ ok ] Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
[ ok ] Stopping smbd (via systemctl): smbd.service.
[ ok ] Stopping nmbd (via systemctl): nmbd.service.
[ ok ] Starting nmbd (via systemctl): nmbd.service.
[ ok ] Starting smbd (via systemctl): smbd.service.
[ ok ] Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
root@primary501:~# smbclient "//$(hostname -f)/sysvol" -P -c ls
tree connect failed: NT_STATUS_ACCESS_DENIED
root@primary501:~# smbclient "//127.0.0.1/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:32 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41683004 blocks available
root@primary501:~# ucr unset samba/global/options/"auth methods"
Unsetting samba/global/options/auth methods
Multifile: /etc/samba/smb.conf
Script: /etc/univention/templates/scripts/samba.local.config.py
root@primary501:~# /etc/init.d/samba restart
[ ok ] Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
[ ok ] Stopping smbd (via systemctl): smbd.service.
[ ok ] Stopping nmbd (via systemctl): nmbd.service.
[ ok ] Starting nmbd (via systemctl): nmbd.service.
[ ok ] Starting smbd (via systemctl): smbd.service.
[ ok ] Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
root@primary501:~# smbclient "//$(hostname -f)/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:59 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41682936 blocks available
root@primary501:~# smbclient "//127.0.0.1/sysvol" -P -c ls
  .                                   D        0  Fri Dec 16 16:34:08 2022
  ..                                  D        0  Sun Dec 18 23:58:59 2022
  deadlock50.intranet                 D        0  Fri Dec 16 16:34:09 2022

                49010764 blocks of size 1024. 41682936 blocks available
root@primary501:~#

1c76ffe0e2 | Add preup check for Samba "auth methods"

Released as ucs502/preup.sh and pre-update-checks-5.0-2, both signed.

OK: ucr set samba/global/options/"auth methods"="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" blocks upgrade
OK: message
Verified
Has been released
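
A sketch of the kind of check this bug asks for, as an added example that is not Univention's preup.sh code: it inspects the generated smb.conf (the Multifile target shown in the report) for an "auth methods" entry in [global] and returns non-zero so a caller can stop the update. The function names and the sample file are assumptions made for illustration.

```shell
# Print the value of "auth methods" from the [global] section of an smb.conf.
# Samba matches parameter names ignoring case and whitespace, so spellings
# such as "Auth Methods" or "authmethods" are caught as well.
find_auth_methods() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header
            sec = tolower($0); gsub(/[ \t]/, "", sec)
            in_global = (sec ~ /^\[global\]/)
            next
        }
        in_global && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)
            if (name == "authmethods") {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val
            }
        }
    ' "$1"
}

# Return 1 (block the update) when the option is set, 0 otherwise.
check_auth_methods() {
    conf="${1:-/etc/samba/smb.conf}"
    [ -r "$conf" ] || return 0      # no readable smb.conf: nothing to check
    found="$(find_auth_methods "$conf")"
    if [ -n "$found" ]; then
        echo "update blocked: \"auth methods = $found\" is set in $conf" >&2
        return 1
    fi
    return 0
}

# Constructed sample input, using the value from the report above.
sample_conf() {
    cat <<'EOF'
[global]
	netbios name = primary501
	; auth methods = sam
	Auth  Methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain
[sysvol]
	path = /var/lib/samba/sysvol
EOF
}
```

Reading the rendered smb.conf rather than only the UCR variable also catches an entry that reached the file by another route, and the commented-out line in the sample is deliberately ignored.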