[Samba] [Pkg-samba-maint] Bug#1001053: Configuration with non SMB (MIT-kerberos) broken after 4.13.13+dfsg-1~deb11u2 security patch
Jostein Fossheim
nightowl at vigilantes.no
Fri Dec 3 10:55:33 UTC 2021
I can comfirm that our WINDOWS-clients indeed are using FQDN in
everything, and username at REALM for authentication. Everything are
automatically mounted with:
net use /USER:username at EXAMPLE.COM S: \\example-file-server.example.com\zfspool
Whitch results in:
System error 5 has occurred.
Access is denied.
I was just lazy when testing locally on the file-server, in my
original post. Still the same results when specify FQDN and
username at REALM.
Using just \\servername has also usally worked, since we have issued
princiipials with CIFS/servername at EXAMPLE.COM and stored them in the
keytab-file.
I tried your suggestion about the "min domain uid = 0" option, but with no luck.
Our UIDs / GIDs from the directory server starts at 10000... , and so
forth, is there a way to specify a max ?
Output from testparm:
[global]
dedicated keytab file = /etc/krb5.keytab
dns proxy = No
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
map to guest = Bad User
max log size = 1000
min domain uid = 0
panic action = /usr/share/samba/panic-action %d
password server = example-kdc-server.example.com
realm = EXAMPLE.COM
security = USER
server role = standalone server
server string = NAS server (samba)
syslog = 0
workgroup = EXAMPLE.COM
idmap config * : backend = tdb
Testing from the file-server itself, I get the same result when
testing from another server/debian machine:
smbclient -d 5 -k -U username at EXAMPLE.COM -L //example-file-server.example.com
resolve_hosts: Attempting host lookup for name rud-nas<0x20>
namecache_store: storing 1 address for
example-file-server.example.com#20: 127.0.1.1
Connecting to 127.0.1.1 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 131072
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
TCP_USER_TIMEOUT = 0
session request ok
negotiated dialect[SMB3_11] against server[example-file-server.example.com]
cli_session_setup_spnego_send: Connect to
example-file-server.example.com as username at EXAMPLE.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
SPNEGO login failed: {Access Denied} A process has requested access to
an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED
Any other tips or suggestions? Things that can be tested?
It is failry easy since for the moment one server is running the
seucirty update, so I can test dem in paralell, and I can for the time
beeing farily easy do a rollback to the the "pre-security" update
packages.
On Fri, Dec 3, 2021 at 10:16 AM L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>
> Few tips..
>
> 1) Start using FQDN in everything. ( as per microsoft its adviced)
> 2) with auths, try "username at REALM" if ADDOM\username doesnt work.
>
> 3) What happens if you add this to smb.conf (global)
>
> min domain uid = 0
>
> That should give a work around on the access denied.
>
> Next updates ( in 4.14 and 4.15 ) should befix that regression bug.
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: Pkg-samba-maint
> > [mailto:pkg-samba-maint-bounces+belle=bazuin.nl at alioth-lists.d
> ebian.net] Namens Jostein Fossheim
> > Verzonden: vrijdag 3 december 2021 9:51
> > Aan: submit at bugs.debian.org
> > Onderwerp: [Pkg-samba-maint] Bug#1001053: Configuration with
> > non SMB (MIT-kerberos) broken after 4.13.13+dfsg-1~deb11u2
> > security patch
> >
> > Package: samba
> > Version: 4.13.13+dfsg-1~deb11u2
> >
> >
> > Hello,
> >
> > My organisation are running an custom bulit LDAP/MIT-kerberos realm
> > (the KDCs are not runnning MIT-kerberos through Samba, just standalone
> > installations). For years have configured this KDCs to be used for two
> > important Debian (now running Bullseye) based file-servers. We are
> > both serving NFSv4 and Windows SMB clients. I resently upgraded the
> > servers with the lastest debian-security update with samba
> > (2:4.13.13+dfsg-1~deb11u2), and suddently all windows-clients reported
> > access denied while connecting to the samba servers.
> >
> > I assume our troubles are related to this security issue:
> >
> > https://www.samba.org/samba/security/CVE-2020-25719.html
> >
> > Which is reffered to in the debian package:
> >
> > https://tracker.debian.org/news/1279235/accepted-samba-241313d
> fsg-1deb11u2-source-into-proposed-updates-stable-new-proposed-> updates/
> >
> >
> >
> > I asume the problems is caused by our KDCs not issuing PACs while
> > issuing tickets.
> >
> > Any advice on how to handle this issue? Either disable PAC-check on
> > the servers, do some configuration that stil will allow connections,
> > or configure our KDCs to inclued PACs in their tickers.
> >
> > I am able to uinstall the secuirty patch on the servers for now, so at
> > least our users can maintain their workflow, but I realize this is a
> > short time soulution.
> >
> >
> >
> >
> >
> >
> >
> > The servers' smb.conf:
> >
> >
> > [global]
> > workgroup = EXAMPLE.COM
> > server string = NAS server (samba)
> >
> > server role = standalone server
> > security = user
> > realm = EXAMPLE.COM
> > encrypt passwords = yes
> >
> > kerberos method = dedicated keytab
> > dedicated keytab file = /etc/krb5.keytab
> >
> > password server = example-kdc-server.example.com
> >
> > dns proxy = no
> >
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> >
> > syslog = 0
> > panic action = /usr/share/samba/panic-action %d
> >
> > map to guest = bad user
> >
> >
> >
> >
> >
> > Log-file from the server:
> >
> >
> > [2021/12/03 08:47:46.876654, 2]
> > ../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
> > obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal
> > OID) failed: Miscellaneous failure (see text): Ticket have not
> > authorization data of type 128
> > [2021/12/03 08:47:46.876663, 3]
> > ../../auth/gensec/gensec_util.c:73(gensec_generate_session_info_pac)
> > gensec_generate_session_info_pac: Unable to find PAC for
> > example_user at EXAMPLE.COM, resorting to local user lookup
> > [2021/12/03 08:47:46.876670, 3]
> > ../../source3/auth/user_krb5.c:50(get_user_from_kerberos_info)
> > Kerberos ticket principal name is [example_user at EXAMPLE.COM]
> > [2021/12/03 08:47:46.876684, 5]
> > ../../source3/lib/username.c:181(Get_Pwnam_alloc)
> > Finding user EXAMPLE.COM\example_user
> > [2021/12/03 08:47:46.876690, 5]
> > ../../source3/lib/username.c:120(Get_Pwnam_internals)
> > Trying _Get_Pwnam(), username as lowercase is
> > EXAMPLE.COM\example_user
> > [2021/12/03 08:47:46.896429, 5]
> > ../../source3/lib/username.c:127(Get_Pwnam_internals)
> > Trying _Get_Pwnam(), username as given is EXAMPLE.COM\example_user
> > [2021/12/03 08:47:46.904156, 5]
> > ../../source3/lib/username.c:140(Get_Pwnam_internals)
> > Trying _Get_Pwnam(), username as uppercase is
> > EXAMPLE.COM\example_user
> > [2021/12/03 08:47:46.912256, 5]
> > ../../source3/lib/username.c:152(Get_Pwnam_internals)
> > Checking combinations of 0 uppercase letters in
> > EXAMPLE.COM\example_user
> > [2021/12/03 08:47:46.912297, 5]
> > ../../source3/lib/username.c:158(Get_Pwnam_internals)
> > Get_Pwnam_internals didn't find user [EXAMPLE.COM\example_user]!
> > [2021/12/03 08:47:46.912312, 3]
> > ../../source3/auth/user_krb5.c:123(get_user_from_kerberos_info)
> > get_user_from_kerberos_info: Username EXAMPLE.COM\example_user is
> > invalid on this system
> > [2021/12/03 08:47:46.912330, 3]
> > ../../source3/auth/auth_generic.c:222(auth3_generate_session_info_pac)
> > auth3_generate_session_info_pac: Failed to map kerberos principal to
> > system user (NT_STATUS_LOGON_FAILURE)
> >
> >
> >
> >
> >
> >
> > Output from smbclient (with samba samba=2:4.13.13+dfsg-1~deb11u2)
> >
> > smbclient -d 5 -k -L //example-file-server
> >
> >
> > sitename_fetch: No stored sitename for realm
> > 'example_user at EXAMPLE.COM'
> > name example-file-server#20 found.
> > Socket options:
> > SO_KEEPALIVE = 0
> > SO_REUSEADDR = 0
> > SO_BROADCAST = 0
> > TCP_NODELAY = 1
> > TCP_KEEPCNT = 9
> > TCP_KEEPIDLE = 7200
> > TCP_KEEPINTVL = 75
> > IPTOS_LOWDELAY = 0
> > IPTOS_THROUGHPUT = 0
> > SO_REUSEPORT = 0
> > SO_SNDBUF = 46080
> > SO_RCVBUF = 131072
> > SO_SNDLOWAT = 1
> > SO_RCVLOWAT = 1
> > SO_SNDTIMEO = 0
> > SO_RCVTIMEO = 0
> > TCP_QUICKACK = 1
> > TCP_DEFER_ACCEPT = 0
> > TCP_USER_TIMEOUT = 0
> > session request ok
> > negotiated dialect[SMB3_11] against server[example-file-server]
> > cli_session_setup_spnego_send: Connect to example-file-server as
> > example_user at EXAMPLE.COM using SPNEGO
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'http_negotiate' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism gse_krb5
> > SPNEGO login failed: {Access Denied} A process has requested access to
> > an object but has not been granted those access rights.
> > session setup failed: NT_STATUS_ACCESS_DENIED
> >
> >
> >
> >
> >
> >
> > Output from smbclient (with samba samba=2:4.13.5+dfsg-2)
> >
> > smbclient -d 5 -k -L //example-file-server
> >
> >
> >
> >
> > sitename_fetch: No stored sitename for realm 'EXAMPLE.COM'
> > name example-file-server#20 found.
> > Socket options:
> > SO_KEEPALIVE = 0
> > SO_REUSEADDR = 0
> > SO_BROADCAST = 0
> > TCP_NODELAY = 1
> > TCP_KEEPCNT = 9
> > TCP_KEEPIDLE = 7200
> > TCP_KEEPINTVL = 75
> > IPTOS_LOWDELAY = 0
> > IPTOS_THROUGHPUT = 0
> > SO_REUSEPORT = 0
> > SO_SNDBUF = 2626560
> > SO_RCVBUF = 131072
> > SO_SNDLOWAT = 1
> > SO_RCVLOWAT = 1
> > SO_SNDTIMEO = 0
> > SO_RCVTIMEO = 0
> > TCP_QUICKACK = 1
> > TCP_DEFER_ACCEPT = 0
> > TCP_USER_TIMEOUT = 0
> > session request ok
> > negotiated dialect[SMB3_11] against server[example-file-server]
> > cli_session_setup_spnego_send: Connect to example-file-server as
> > example_user at EXAMPLE.COM using SPNEGO
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'http_negotiate' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism gse_krb5
> > session setup ok
> > signed SMB2 message
> > tconx ok
> >
> > Sharename Type Comment
> > --------- ---- -------
> > Bind RPC Pipe: host example-file-server auth_type 0, auth_level 1
> > rpc_api_pipe: host example-file-server
> > rpc_read_send: data_to_read: 52
> > check_bind_response: accepted!
> > rpc_api_pipe: host example-file-server
> > rpc_read_send: data_to_read: 568
> > share1 Disk 1TB (Jbod/disc grinder)
> > usbpool Disk USBs
> > share2 Disk 16TB (Raid5 in 5x4TB disks)
> > health-logs Disk Disk health logs
> > IPC$ IPC IPC Service (NAS server (samba))
> > SMB1 disabled -- no workgroup available
> >
> > _______________________________________________
> > Pkg-samba-maint mailing list
> > Pkg-samba-maint at alioth-lists.debian.net
> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-s
> amba-maint
> >
> >
>
More information about the samba
mailing list