Daniel H. Peger
2022-Feb-14 10:08 UTC
[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
Hi,

I'm using sssd based authorization to grant access to samba shares based on AD memberships.

Everything used to work with Ubuntu 18.04 (up to samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23) but recently after applying security patches (samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.27) users can no longer access shares from Windows clients - password prompt keeps popping up despite valid user/password combination. If I allow public guest access to the share (public = yes, guest ok = yes) accessing the files from Windows is possible.

I already tried to increase samba's log level but I'm unable to find any related clues. I saw some security findings were fixed but could not directly relate any of the issues to my problem.

The AD integration itself is still working (login, sudoers, group memberships, etc), only access to the samba shares is no longer possible.

Here's my config:

/etc/smb.conf:

[global]
    security = ads
    workgroup = workgroup
    realm = workgroup.int
    netbios name = 192-186-99-32
    kerberos method = secrets and keytab
    log level = 3
    guest account = nobody
    restrict anonymous = 2
    browse list = no
    server signing = mandatory

[Share]
    path = /srv/share
    public = no
    guest ok = no
    browseable = no
    read only = yes
    force user = adm
    force group = staff
    create mask = 0770
    directory mask = 0770
    valid users = @"staff"
    write list =
    read list = @"staff"

/etc/sssd/sssd.conf:

[sssd]
    domains = workgroup.int
    config_file_version = 2
    services = nss, pam
    default_domain_suffix = workgroup.int

[domain/workgroup.int]
    ad_domain = workgroup.int
    ad_hostname = 192-168-99-32.workgroup.int
    ad_server = dc01.workgroup.int, dc02.workgroup.int
    krb5_realm = WORKGROUP.INT
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    ldap_referrals = False
    use_fully_qualified_names = True
    fallback_homedir = /home/%u@%d
    access_provider = simple
    simple_allow_groups = Staff
    simple_allow_users = workgroup_service
    dyndns_update = True
    dyndns_refresh_interval = 86400 # once a day
    debug_level = 0x0200

realm -list:

workgroup.int
    type: kerberos
    realm-name: WORKGROUP.INT
    domain-name: workgroup.int
    configured: kerberos-member
    server-software: active-directory
    client-software: sssd
    required-package: sssd-tools
    required-package: sssd
    required-package: libnss-sss
    required-package: libpam-sss
    required-package: adcli
    required-package: samba-common-bin
    login-formats: %U at workgroup.int
    login-policy: allow-permitted-logins
    permitted-logins: workgroup_service at workgroup.int
    permitted-groups: Staff

Could someone please provide any additional help? I'd gladly provide additional log or configuration information, if I'd know what information could be relevant.

Thanks in advance
Daniel
L.P.H. van Belle
2022-Feb-14 10:58 UTC
[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
Add and try again ..

In smb.conf Global

    min protocol = SMB2

I still have 1 server running with Version 4.6.16-Debian on a wheezy with a 4.19.x kernel
And that works fine here with W7 10 and 11.

Small sidenote, i run smbd and winbind only on that one. No SSSD.

Greetz,

Louis
Rowland Penny
2022-Feb-14 11:09 UTC
[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
On Mon, 2022-02-14 at 10:08 +0000, Daniel H. Peger via samba wrote:

My advice is to upgrade everything and dump sssd.

Rowland
Daniel H. Peger
2022-Feb-14 13:38 UTC
[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
> In smb.conf Global
>
> min protocol = SMB2

I tried that but it didn't solve the problem. However it changed the error pattern. Now on Windows 2021R2 Server accessing the share results in a network error message (this server should have both SMB1 and SMB2 enabled). Windows 2019 Server keeps on asking for user/password accompanied by an "access denied" message (this server has SMB1 disabled).

> I still have 1 server running with Version 4.6.16-Debian on a wheezy with a 4.19.x kernel
> And that works fine here with W7 10 and 11.

Yes, as mentioned it used to work fine for me as well prior to installing the security updates.
Daniel H. Peger
2022-Feb-14 13:54 UTC
[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
> My advice is to upgrade everything and dump sssd.

Updating everything is not really an option. The servers are part of a larger deployment scenario and we'll probably stick to Ubuntu 18.04 until end of LTS (April 2023).

Regarding sssd vs winbind I'm a little surprised to see use of sssd is discouraged. I'm not involved in this at all but some years ago winbind looked like being deprecated in favor of sssd. Now it's the other way around?

However, integration used to work before updating the samba packages with the patch versions. That is, I'd love to make this run again (setup is all automated and would be a bigger effort to change) with minimal changes.
Daniel H. Peger
2022-Feb-17 09:28 UTC
[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
> My advice is to upgrade everything and dump sssd.

I saw a comment of yours on unix.stackexchange.com (https://unix.stackexchange.com/questions/633394/samba-file-server-ad-sssd-without-winbind) stating that ADS security and SSSD is no longer supported/possible with more recent versions of samba.

With our upcoming software version we'll update the OS to Ubuntu 20.04 (i.e. samba 4.13.17). Thus we probably need to tackle the update sooner than later. Is there any upgrade/migration guide or something?
Daniel H. Peger
2022-Mar-10 08:32 UTC
[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
For anyone stumbling across this issue. We were able to get the sssd/samba setup running again by simply installing the debian winbind package and changing the access specification from

    valid users = @"staff"

to

    valid users = +"workgroup\staff"

The "workgroup" specification can be omitted if

    winbind use default domain = true

is configured in the global smb settings. The mere presence of winbind seems to fix the setup.

Additionally we specified an id mapping. Not sure if this is actually needed though...

Thanks
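The share definition before and after the change described above, as an added example that is not the poster's file or anything from the thread: the idmap backends and ranges are assumptions (the poster only mentioned configuring "an id mapping"), and the "@" versus "+" semantics are those documented for valid users in smb.conf(5).

```ini
; Added example (not from the thread). Domain name, paths and idmap
; ranges are assumptions; adjust them to the real deployment.

[global]
    security = ads
    workgroup = workgroup
    realm = workgroup.int
    kerberos method = secrets and keytab
    server signing = mandatory

    ; Once winbind is installed, give Samba its own SID -> UID/GID
    ; mapping.  "*" covers BUILTIN and the local machine SID; the
    ; domain block uses the deterministic RID-based backend.
    ; Check that these ranges do not overlap each other or the range
    ; sssd already allocates for this domain (ldap_id_mapping = True),
    ; otherwise one account can end up with two different IDs.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config workgroup : backend = rid
    idmap config workgroup : range = 10000-999999

    ; Lets the domain prefix be left out, e.g. +"staff" instead of
    ; +"workgroup\staff" in the share below.
    winbind use default domain = yes

[Share]
    path = /srv/share
    browseable = no
    read only = yes
    force user = adm
    force group = staff
    create mask = 0770
    directory mask = 0770

    ; Before the fix (stopped matching after the 2.27 security update):
    ;   valid users = @"staff"
    ; "@name" is tried as a NIS netgroup first and then as a UNIX group,
    ; both resolved through nsswitch (here: sssd).

    ; After the fix: "+name" is a UNIX group only, and the DOMAIN\group
    ; form is resolved by winbind, so membership is checked against the
    ; AD group rather than whatever nsswitch returns for "staff".
    valid users = +"workgroup\staff"
    read list = +"workgroup\staff"
```

After editing, testparm -s shows the parsed result, and getent group 'workgroup\staff' (or wbinfo --group-info) confirms that winbind resolves the group the share now refers to.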