Rainer Krienke
2021-Nov-17 08:43 UTC
[Samba] smb version 4.13.13+git.528 : problem with authentication, connect to shares suddenly fails
Hello,

We are using a SUSE SLES15SP3 linux installation for our samba server. The configuration used to work for about a decade. Recently there was a security fix for samba and after installing it no user was able to connect to any shares any more. The new "broken" samba version is 4.13.13+git.528.140935f8d6a.3.12.1-x86_64. Downgrading to the version before, 4.3.10+git.236.0517d0e66bdf-3.7.12-x86_64, everything is fine again, users can connect to their shares without any problems.

The samba server is joined to our windows domain MYWINDOMAIN (using a *windows* domain controller) and the join is reported as "OK". SID mapping also works just fine from a user "myaccount" to SID (wbinfo -n myaccount) and back from SID to username (wbinfo -s <sid>), no matter which samba version is installed.

On a test samba server "sambatest" (141.26.79.230) with the latest SuSE samba version I turned on debugging (log level = 5 winbind:5) and tried to connect from a linux client (IP 141.26.9.13) to a share using:

  smbclient -d 5 //sambatest/myaccount -U MYWINDOMAIN/myaccount

Next I installed the old working samba version, did the same connect again and then compared the logs generated by both share connect tries. The server logs are mostly identical. In the logs from the older, working version I see a successful authentication for user myaccount:

--old-ok------
[2021/11/16 08:47:56.465601, 3] ../../source3/auth/auth.c:268(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [myaccount] succeeded
[2021/11/16 08:47:56.465675, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYWINDOMAIN]\[myaccount] at [Tue, 16 Nov 2021 08:47:56.465664 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [MYLINUXCLIENT] remote host [ipv4:141.26.9.13:47084] became [MYWINDOMAIN]\[myaccount] [S-1-5-21-273517061-3739583815-1147605690-1809]. local host [ipv4:141.26.79.230:445]
  {"timestamp": "2021-11-16T08:47:56.465786+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:141.26.79.230:445", "remoteAddress": "ipv4:141.26.9.13:47084", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWINDOMAIN", "clientAccount": "myaccount", "workstation": "MYLINUXCLIENT", "becameAccount": "myaccount", "becameDomain": "MYWINDOMAIN", "becameSid": "S-1-5-21-273517061-3739583815-1147605690-1809", "mappedAccount": "myaccount", "mappedDomain": "MYWINDOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 18322}}
[2021/11/16 08:47:56.465835, 2] ../../source3/auth/auth.c:329(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [myaccount] -> [myaccount] -> [myaccount] succeeded
-------

In the logs from the latest smb server version I see a new function check_user() that fails and thus authentication fails.

---new-smb-vers-----
[2021/11/16 08:39:32.649518, 3] ../../source3/auth/auth_util.c:1902(check_account)
  Failed to find authenticated user MYWINDOMAIN\myaccount via getpwnam(), denying access.
[2021/11/16 08:39:32.649549, 2] ../../source3/auth/auth.c:347(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [myaccount] -> [myaccount] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2021/11/16 08:39:32.649575, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYWINDOMAIN]\[myaccount] at [Tue, 16 Nov 2021 08:39:32.649568 CET] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MYLINUXCLIENT] remote host [ipv4:141.26.9.13:46936] mapped to [MYWINDOMAIN]\[myaccount]. local host [ipv4:141.26.79.230:445]
  {"timestamp": "2021-11-16T08:39:32.649676+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:141.26.79.230:445", "remoteAddress": "ipv4:141.26.9.13:46936", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWINDOMAIN", "clientAccount": "myaccount", "workstation": "MYLINUXCLIENT", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "myaccount", "mappedDomain": "MYWINDOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 14952}}
[2021/11/16 08:39:32.649731, 3] ../../source3/auth/auth_util.c:2264(do_map_to_guest_server_info)
  No such user myaccount [MYWINDOMAIN] - using guest account
-------

The samba client finally fails, reporting an access denied error, probably because the user was mapped to "guest":

  $ smbclient -d 5 //sambatest/myaccount -U MYWINDOMAIN/myaccount
  ....
  session setup ok
  tree connect failed: NT_STATUS_ACCESS_DENIED

The only thing I changed was the installed samba version. So my question is if this new check_account() function can be bypassed by using a smb-config option to achieve the old (working) behaviour, or what has to be configured in smb.conf in order to make check_account() work as expected, i.e. accept a valid user?

Thanks a lot for your help
Rainer

------------------------------------------
Our /etc/smb.conf:

[global]
        workgroup = MYWINDOMAIN
        server string = Samba on smbhosttest (version %v)
        log file = /var/log/samba/log.%m
        log level = 5 winbind:5
        max log size = 0
        unix extensions = no
        wide links = yes
        kernel oplocks = no
        oplocks = yes
        posix locking = no
        blocking locks = no
        acl allow execute always = yes
        store dos attributes = no
        max open files = 32808
        dead time = 15
        getwd cache = yes
        stat cache = yes
        browseable = no
        use sendfile = true
        aio read size = 32768
        aio write size = 32768
        disable netbios = yes
        smb ports = 445
        dos charset = CP850
        unix charset = CP850
        name resolve order = host wins bcast
        netbios name = smbhosttest
        clustering = no
        passdb backend = tdbsam
        vfs objects = fileid
        realm = MYWINDOMAIN.UNI-KOBLENZ.DE
        security = ADS
        winbind use default domain = no
        winbind max domain connections = 20
        winbind max clients = 1000
        winbind reconnect delay = 20
        map to guest = bad user
        idmap config MYWINDOMAIN : backend = nss
        idmap config MYWINDOMAIN : range = 0-2000000
        idmap config MYWINDOMAIN : read only = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000000-4000000
        idmap config * : read only = no
        map acl inherit = yes
        include = /etc/samba/smbshares.conf

-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, Web: http://www.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://www.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
Ralph Boehme
2021-Nov-17 09:11 UTC
[Samba] smb version 4.13.13+git.528 : problem with authentication, connect to shares suddenly fails
On 11/17/21 09:43, Rainer Krienke via samba wrote:
> We are using a SUSE SLES15SP3 linux installation for our samba server.
> The configuration used to work since about a decade. Recently there was
> a security fix for samba and after installing it no user was able to
> connect to any shares any more.

not using winbind in nsswitch, right?

https://bugzilla.samba.org/show_bug.cgi?id=14901 has some background info and contains patches which should address this.

Cheers!
-slow

-- 
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
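Ralph's question targets the path the failing log line names: check_account() resolves the authenticated domain user with getpwnam(), which goes through libc's NSS and therefore only reaches winbindd if "winbind" is listed as a source in /etc/nsswitch.conf. wbinfo -n / wbinfo -s talk to winbindd directly and so do not exercise that path, which is why they can succeed while getpwnam() fails. The following POSIX shell script is an added example, not code from the thread or from Samba: it parses nsswitch.conf content and reports whether the passwd and group databases include winbind. Both nsswitch.conf fragments in it are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Samba thread): does nsswitch.conf let libc
# resolve domain users through winbind? smbd's getpwnam() in check_account()
# uses NSS, so winbindd working on its own is not sufficient.
# Both nsswitch.conf fragments below are CONSTRUCTED for this demo.

NSSWITCH_WITHOUT_WINBIND='# constructed: winbind not listed for passwd/group
passwd: compat
group:  compat
shadow: compat
hosts:  files dns'

NSSWITCH_WITH_WINBIND='# constructed: winbind appended to passwd and group
passwd: compat winbind   # domain users now resolve via winbindd
group:  compat winbind
shadow: compat
hosts:  files dns'

# nsswitch_has_winbind DB CONTENT
#   Prints "yes" or "no" for database DB (passwd, group, ...) and returns
#   0 if winbind is one of its sources, 1 otherwise.
nsswitch_has_winbind() {
    db="$1"
    content="$2"
    # first line for this database, with comments and the "db:" prefix removed
    sources=$(printf '%s\n' "$content" \
        | sed -n -e 's/#.*//' -e "s/^[[:space:]]*${db}:[[:space:]]*//p" \
        | head -n 1)
    case " $sources " in
        *" winbind "*) echo yes; return 0 ;;
        *)             echo no;  return 1 ;;
    esac
}

# nsswitch_ok CONTENT
#   Returns 0 only if both passwd and group use winbind, which a domain
#   member server needs for getpwnam()/getgrnam() on domain accounts.
nsswitch_ok() {
    nsswitch_has_winbind passwd "$1" >/dev/null &&
    nsswitch_has_winbind group  "$1" >/dev/null
}

# report LABEL CONTENT: human-readable verdict for one nsswitch.conf body
report() {
    if nsswitch_ok "$2"; then
        echo "$1: passwd and group resolve via winbind"
    else
        echo "$1: winbind missing from passwd/group, getpwnam() on domain users will fail"
    fi
}

# Stand-alone run over the constructed samples.
report "without-winbind" "$NSSWITCH_WITHOUT_WINBIND"
report "with-winbind"    "$NSSWITCH_WITH_WINBIND"
```

On a live member server the same check is `report host "$(cat /etc/nsswitch.conf)"`, and the authoritative end-to-end test is `getent passwd 'MYWINDOMAIN\myaccount'` (single quotes keep the backslash), which exits non-zero exactly when getpwnam() would fail for smbd.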