samba - Dec 2021 - Configuration with non SMB (MIT-kerberos) broken after CVE-2020-25719 security patch?

Hello,

My organisation are running an custom bulit LDAP/MIT-kerberos realm (the
KDCs are not runnning MIT-kerberos through Samba, just standalone
installations). For years have configured this KDCs to be used for two
important Debian (now running Bullseye) based file-servers. We are both
serving NFSv4 and Windows SMB clients. I resently upgraded the servers with
the lastest debian-security update with samba (2:4.13.13+dfsg-1~deb11u2),
and suddently all windows-clients reported access denied while connecting
to the samba servers.

I assume our troubles are related to this security issue:

https://www.samba.org/samba/security/CVE-2020-25719.html

Which is reffered to in the debian package:

https://tracker.debian.org/news/1279235/accepted-samba-241313dfsg-1deb11u2-source-into-proposed-updates-stable-new-proposed-updates/



The servers' smb.conf:


[global]
   workgroup = EXAMPLE.COM
   server string = NAS server (samba)

   server role = standalone server
   security = user
   realm = EXAMPLE.COM
   encrypt passwords = yes

   kerberos method = dedicated keytab
   dedicated keytab file = /etc/krb5.keytab

   password server = example-kdc-server.example.com

   dns proxy = no

   log file = /var/log/samba/log.%m
   max log size = 1000

   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   map to guest = bad user





Log-file from the server:


[2021/12/03 08:47:46.876654,  2]
../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
  obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID)
failed:  Miscellaneous failure (see text): Ticket have not authorization
data of type 128
[2021/12/03 08:47:46.876663,  3]
../../auth/gensec/gensec_util.c:73(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for
example_user at EXAMPLE.COM, resorting to local user lookup
[2021/12/03 08:47:46.876670,  3]
../../source3/auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [example_user at EXAMPLE.COM]
[2021/12/03 08:47:46.876684,  5]
../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user EXAMPLE.COM\example_user
[2021/12/03 08:47:46.876690,  5]
../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is EXAMPLE.COM\example_user
[2021/12/03 08:47:46.896429,  5]
../../source3/lib/username.c:127(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is EXAMPLE.COM\example_user
[2021/12/03 08:47:46.904156,  5]
../../source3/lib/username.c:140(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is EXAMPLE.COM\example_user
[2021/12/03 08:47:46.912256,  5]
../../source3/lib/username.c:152(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in EXAMPLE.COM\example_user
[2021/12/03 08:47:46.912297,  5]
../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [EXAMPLE.COM\example_user]!
[2021/12/03 08:47:46.912312,  3]
../../source3/auth/user_krb5.c:123(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username EXAMPLE.COM\example_user is invalid
on this system
[2021/12/03 08:47:46.912330,  3]
../../source3/auth/auth_generic.c:222(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to
system user (NT_STATUS_LOGON_FAILURE)






Output from smbclient (with samba samba=2:4.13.13+dfsg-1~deb11u2)

smbclient -d 5 -k -L //example-file-server


sitename_fetch: No stored sitename for realm 'example_user at
EXAMPLE.COM'
name example-file-server#20 found.
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 46080
        SO_RCVBUF = 131072
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
        TCP_USER_TIMEOUT = 0
 session request ok
 negotiated dialect[SMB3_11] against server[example-file-server]
cli_session_setup_spnego_send: Connect to example-file-server as
example_user at EXAMPLE.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
SPNEGO login failed: {Access Denied} A process has requested access to an
object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED






Output from smbclient (with samba samba=2:4.13.5+dfsg-2)

smbclient -d 5 -k -L //example-file-server




sitename_fetch: No stored sitename for realm 'EXAMPLE.COM'
name example-file-server#20 found.
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 131072
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
        TCP_USER_TIMEOUT = 0
 session request ok
 negotiated dialect[SMB3_11] against server[example-file-server]
cli_session_setup_spnego_send: Connect to example-file-server as
example_user at EXAMPLE.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
 session setup ok
signed SMB2 message
 tconx ok

        Sharename       Type      Comment
        ---------       ----      -------
Bind RPC Pipe: host example-file-server auth_type 0, auth_level 1
rpc_api_pipe: host example-file-server
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host example-file-server
rpc_read_send: data_to_read: 568
        share1 Disk      1TB (Jbod/disc grinder)
        usbpool         Disk      USBs
        share2 Disk      16TB (Raid5 in 5x4TB disks)
        health-logs     Disk      Disk health logs
        IPC$            IPC       IPC Service (NAS server (samba))
SMB1 disabled -- no workgroup available


Thank you for any advice you can offer!

I will dublicate this post in the debian package list.

On 12/3/21 09:25, Jostein Fossheim via samba wrote:
> Thank you for any advice you can offer!
you need the attached patch.

This is tracked here:

https://gitlab.com/samba-team/samba/-/merge_requests/2272

-slow

-- 
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2020-25717-MIT-regression.patch
Type: text/x-patch
Size: 1828 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20211203/80a7e75f/CVE-2020-25717-MIT-regression.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20211203/80a7e75f/OpenPGP_signature.sig>