Chapiron Sebastien
2021-Nov-26 09:12 UTC
[Samba] Kerberos authentication on standalone server in MIT realm breaks after 4.11.6 -> 4.13.14 update
Hi,

We have a standalone samba server (relevant configuration in [1]) for file sharing in a MIT realm on Ubuntu 20.04 with SSSD. It was recently updated from 4.11.6 to 4.13.14 and the update broke Kerberos authentication in our setup: the server replies NT_STATUS_ACCESS_DENIED whereas the client has a valid TGS. I can also reproduce the issue in the latest 4.15.2 release (built from source). Downgrading back to 4.11.6 fixes the issue.

I can provide full logs if needed but since they are quite big I tried to isolate differing lines between a working scenario with version 4.11.6 [2] and a NT_STATUS_ACCESS_DENIED scenario with version 4.13.14 [3]. Both scenarios consisted of having a client listing the server's shares with smbclient -k -L <server's fqdn>.

I'm not sure if the lines of log are relevant or useful for investigating the issue so don't hesitate to ask for more logs, information and/or tests.

Best regards,
Sebastien Chapiron

[1] Relevant parts of the smb.conf:

    [global]
    workgroup = MY.REALM
    realm = MY.REALM
    kerberos method = system keytab
    server role = standalone server
    security = USER
    obey pam restrictions = no

[2] Extract of log with smbd v4.11.6 (working)

    [2021/11/25 16:37:20.322572, 2, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
      obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: Miscellaneous failure (see text): Ticket have not authorization data of type 128
    [2021/11/25 16:37:20.322644, 3, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_util.c:54(gensec_generate_session_info_pac)
      gensec_generate_session_info_pac: Unable to find PAC for myuser at MY.REALM, resorting to local user lookup
    [2021/11/25 16:37:20.322680, 3, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
      Kerberos ticket principal name is [myuser at MY.REALM]
    [2021/11/25 16:37:20.322707, 10, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:96(get_user_from_kerberos_info)
      Mapping [MY.REALM] to short name using winbindd
    [2021/11/25 16:37:20.322795, 3, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:106(get_user_from_kerberos_info)
      Could not find short name: WBC_ERR_WINBIND_NOT_AVAILABLE
    [2021/11/25 16:37:20.322834, 10, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:113(get_user_from_kerberos_info)
      Domain is [MY.REALM] (using Winbind)
    [2021/11/25 16:37:20.322866, 5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
      Finding user MY.REALM\myuser
    [2021/11/25 16:37:20.322891, 5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
      Trying _Get_Pwnam(), username as lowercase is my.realm\myuser
    [2021/11/25 16:37:20.335147, 5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:127(Get_Pwnam_internals)
      Trying _Get_Pwnam(), username as given is MY.REALM\myuser
    [2021/11/25 16:37:20.345945, 5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:140(Get_Pwnam_internals)
      Trying _Get_Pwnam(), username as uppercase is MY.REALM\MYUSER
    [2021/11/25 16:37:20.357010, 5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:152(Get_Pwnam_internals)
      Checking combinations of 0 uppercase letters in my.realm\myuser
    [2021/11/25 16:37:20.357105, 5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
      Get_Pwnam_internals didn't find user [MY.REALM\myuser]!
    [2021/11/25 16:37:20.357137, 5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
      Finding user myuser
    [2021/11/25 16:37:20.357162, 5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
      Trying _Get_Pwnam(), username as lowercase is myuser
    [2021/11/25 16:37:20.357270, 5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
      Get_Pwnam_internals did find user [myuser]!

[3] Extract of log with smbd v4.13.14 (not working: NT_STATUS_ACCESS_DENIED)

    [2021/11/25 16:41:47.238756, 2, pid=162160, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
      obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: Miscellaneous failure (see text): Ticket have not authorization data of type 128
    [2021/11/25 16:41:47.238789, 3, pid=162160, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_util.c:73(gensec_generate_session_info_pac)
      gensec_generate_session_info_pac: Unable to find PAC for myuser at MY.REALM, resorting to local user lookup
    [2021/11/25 16:41:47.238842, 3, pid=162160, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:50(get_user_from_kerberos_info)
      Kerberos ticket principal name is [myuser at MY.REALM]
    [2021/11/25 16:41:47.238883, 5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
      Finding user MY.REALM\myuser
    [2021/11/25 16:41:47.238912, 5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
      Trying _Get_Pwnam(), username as lowercase is my.realm\myuser
    [2021/11/25 16:41:47.251670, 5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:127(Get_Pwnam_internals)
      Trying _Get_Pwnam(), username as given is MY.REALM\myuser
    [2021/11/25 16:41:47.263878, 5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:140(Get_Pwnam_internals)
      Trying _Get_Pwnam(), username as uppercase is MY.REALM\MYUSER
    [2021/11/25 16:41:47.275035, 5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:152(Get_Pwnam_internals)
      Checking combinations of 0 uppercase letters in my.realm\myuser
    [2021/11/25 16:41:47.275133, 5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
      Get_Pwnam_internals didn't find user [MY.REALM\myuser]!
    [2021/11/25 16:41:47.275164, 3, pid=162160, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:123(get_user_from_kerberos_info)
      get_user_from_kerberos_info: Username MY.REALM\myuser is invalid on this system
    [2021/11/25 16:41:47.275194, 3, pid=162160, effective(0, 0), real(0, 0)] ../../source3/auth/auth_generic.c:222(auth3_generate_session_info_pac)
      auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
    [2021/11/25 16:41:47.275256, 3, pid=162160, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
      smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_sesssetup.c:146
    [2021/11/25 16:41:47.275335, 10, pid=162160, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3747(smbd_smb2_request_done_ex)
      smbd_smb2_request_done_ex: mid [1] idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../../source3/smbd/smb2_server.c:3911

The personal data collected and processed during this exchange aims solely at completing a business relationship and is limited to the necessary duration of that relationship. If you wish to use your rights of consultation, rectification and deletion of your data, please contact: contact.rgpd at sgdsn.gouv.fr. If you have received this message in error, we thank you for informing the sender and destroying the message.
Ralph Boehme
2021-Nov-26 10:16 UTC
[Samba] Kerberos authentication on standalone server in MIT realm breaks after 4.11.6 -> 4.13.14 update
Hello Sebastien,

On 11/26/21 10:12, Chapiron Sebastien via samba wrote:
> get_user_from_kerberos_info: Username MY.REALM\myuser is invalid on this system
> [2021/11/25 16:41:47.275194, 3, pid=162160, effective(0, 0), real(0, 0)] ../../source3/auth/auth_generic.c:222(auth3_generate_session_info_pac)

This looks like a regression introduced by the recent security fixes. The attached patch should hopefully fix it. Can you please give it a whirl and report back whether it fixes the issue for you?

As a quick solution it might be possible to use the username map script based on the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not sure this behaves identically, but it might work in the standalone server case.

-slow

-- 
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead                   https://sernet.de/en/team-samba

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2020-25717-MIT-regression.patch
Type: text/x-patch
Size: 1828 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20211126/bcabd388/CVE-2020-25717-MIT-regression.bin>
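The "username map script" workaround mentioned in the reply, written out as an added example; this is not code from the thread, from the linked bugzilla comment, or from the Samba project. Samba's `username map script` option runs a program with the name from the authentication request as its single argument and reads the mapped name from the program's standard output. The script below reproduces, for the standalone-server case in the report only, the lookup the 4.11.6 log shows (fall back from `MY.REALM\myuser` to `myuser`), but it maps only when the realm prefix matches the configured realm exactly and the stripped name resolves through NSS (SSSD in the report) to a non-system account. The function name `map_principal`, the script path, and `MIN_UID` are assumptions for the example; `MY.REALM` is the realm from the report.

```shell
#!/bin/sh
# Added example, not code from this thread, the linked bugzilla comment or the
# Samba project: a "username map script" for the standalone-server case in the
# report. smbd runs the script with the name from the authentication request as
# its only argument and takes the first line of standard output as the mapped
# name, so printing the input unchanged means "no mapping".
#
# Assumptions (not from the report): the script is installed as
# /usr/local/sbin/map-realm-user.sh and referenced from smb.conf as
#   username map script = /usr/local/sbin/map-realm-user.sh
# REALM matches "realm =" in the report; MIN_UID is a local hardening choice.

REALM="MY.REALM"   # only principals of this realm are mapped to local accounts
MIN_UID=1000       # never map onto root or other system accounts (uid below this)

# map_principal NAME: print the local account name to use for NAME.
# "MY.REALM\myuser" becomes "myuser" only when that account resolves through NSS
# and has a uid of at least MIN_UID; anything else is printed unchanged so that
# smbd's own lookup (and its denial) still applies.
map_principal() {
    name=$1
    case "$name" in
        "$REALM"\\*)
            short=${name#*\\}
            ;;
        *)
            # Not prefixed with our realm (or no backslash at all): leave it alone.
            printf '%s\n' "$name"
            return 0
            ;;
    esac

    # Refuse empty names, option-like names and anything outside a conservative
    # account-name charset before handing the value to id(1).
    case "$short" in
        ""|-*|*[!A-Za-z0-9._-]*)
            printf '%s\n' "$name"
            return 0
            ;;
    esac

    # Unknown account: no mapping.
    uid=$(id -u "$short" 2>/dev/null) || {
        printf '%s\n' "$name"
        return 0
    }

    if [ "$uid" -ge "$MIN_UID" ]; then
        printf '%s\n' "$short"
    else
        printf '%s\n' "$name"
    fi
}

# When invoked by smbd (exactly one argument), perform the mapping.
if [ $# -eq 1 ]; then
    map_principal "$1"
fi
```

As the reply says, this is not guaranteed to behave identically to the patched smbd. What the script does is reinstate the REALM\user to user fallback that the 4.11.6 log shows and that the CVE-2020-25717 fixes removed; on a domain member that fallback is the behaviour the fix exists to prevent, so keep the script to the standalone server case and drop it once the patch is applied.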