[Samba] smb version 4.13.13+git.528 : problem with authentication, connect to shares suddenly fails
Rainer Krienke
krienke at uni-koblenz.de
Wed Nov 17 08:43:21 UTC 2021
Hello,
We are using a SUSE SLES15SP3 linux installation for our samba server.
The configuration has worked for about a decade. Recently there was
a security fix for samba, and after installing it no user was able to
connect to any shares any more.
The new "broken" samba version is
4.13.13+git.528.140935f8d6a.3.12.1-x86_64. After downgrading to the
previous version, 4.3.10+git.236.0517d0e66bdf-3.7.12-x86_64, everything is
fine again: users can connect to their shares without any problems. The samba
server is joined to our windows domain MYWINDOMAIN (using a *windows*
domain controller) and the join is reported as "OK". SID mapping also
works just fine from a user "myaccount" to SID (wbinfo -n myaccount) and
back from SID to username (wbinfo -s <sid>). No matter which samba
version is installed.
On a test samba server "sambatest" (141.26.79.230) with the latest SuSE
samba version I turned on debugging (log level = 5 winbind:5) and tried
to connect from a linux client (IP 141.26.9.13) to a share using:
smbclient -d 5 //sambatest/myaccount -U MYWINDOMAIN/myaccount.
Next I installed the old working samba version and did the same connect
again and then compared the logs generated by both share connect tries.
The server logs are mostly identical. In the logs from the older,
working version I see a successful authentication for user myaccount:
--old-ok------
[2021/11/16 08:47:56.465601, 3]
../../source3/auth/auth.c:268(auth_check_ntlm_password)
auth_check_ntlm_password: winbind authentication for user [myaccount]
succeeded
[2021/11/16 08:47:56.465675, 3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [MYWINDOMAIN]\[myaccount] at [Tue, 16 Nov
2021 08:47:56.465664 CET] with [NTLMv2] status [NT_STATUS_OK]
workstation [MYLINUXCLIENT] remote host [ipv4:141.26.9.13:47084] became
[MYWINDOMAIN]\[myaccount]
[S-1-5-21-273517061-3739583815-1147605690-1809]. local host
[ipv4:141.26.79.230:445]
{"timestamp": "2021-11-16T08:47:56.465786+0100", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status":
"NT_STATUS_OK", "localAddress": "ipv4:141.26.79.230:445",
"remoteAddress": "ipv4:141.26.9.13:47084", "serviceDescription": "SMB2",
"authDescription": null, "clientDomain": "MYWINDOMAIN", "clientAccount":
"myaccount", "workstation": "MYLINUXCLIENT", "becameAccount":
"myaccount", "becameDomain": "MYWINDOMAIN", "becameSid":
"S-1-5-21-273517061-3739583815-1147605690-1809", "mappedAccount":
"myaccount", "mappedDomain": "MYWINDOMAIN", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "NTLMv2", "duration": 18322}}
[2021/11/16 08:47:56.465835, 2]
../../source3/auth/auth.c:329(auth_check_ntlm_password)
check_ntlm_password: authentication for user [myaccount] ->
[myaccount] -> [myaccount] succeeded
-------
In the logs from the latest smb server version I see a new function
check_account() that fails, and thus authentication fails.
---new-smb-vers-----
[2021/11/16 08:39:32.649518, 3]
../../source3/auth/auth_util.c:1902(check_account)
Failed to find authenticated user MYWINDOMAIN\myaccount via
getpwnam(), denying access.
[2021/11/16 08:39:32.649549, 2]
../../source3/auth/auth.c:347(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [myaccount] ->
[myaccount] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2021/11/16 08:39:32.649575, 2]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [MYWINDOMAIN]\[myaccount] at [Tue, 16 Nov
2021 08:39:32.649568 CET] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER]
workstation [MYLINUXCLIENT] remote host [ipv4:141.26.9.13:46936] mapped
to [MYWINDOMAIN]\[myaccount]. local host [ipv4:141.26.79.230:445]
{"timestamp": "2021-11-16T08:39:32.649676+0100", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status":
"NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:141.26.79.230:445",
"remoteAddress": "ipv4:141.26.9.13:46936", "serviceDescription": "SMB2",
"authDescription": null, "clientDomain": "MYWINDOMAIN", "clientAccount":
"myaccount", "workstation": "MYLINUXCLIENT", "becameAccount": null,
"becameDomain": null, "becameSid": null, "mappedAccount": "myaccount",
"mappedDomain": "MYWINDOMAIN", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "NTLMv2", "duration": 14952}}
[2021/11/16 08:39:32.649731, 3]
../../source3/auth/auth_util.c:2264(do_map_to_guest_server_info)
No such user myaccount [MYWINDOMAIN] - using guest account
-------
The samba client finally fails, reporting an access denied error,
probably because the user was mapped to "guest":
$ smbclient -d 5 //sambatest/myaccount -U MYWINDOMAIN/myaccount
....
session setup ok
tree connect failed: NT_STATUS_ACCESS_DENIED
The only thing I changed was the installed samba version. So my question
is whether this new check_account() function can be bypassed by using an
smb.conf option to achieve the old (working) behaviour, or what has to
be configured in smb.conf in order to make check_account() work as
expected, i.e. accept a valid user?
Thanks a lot for your help
Rainer
------------------------------------------
Our /etc/smb.conf:
[global]
workgroup = MYWINDOMAIN
server string = Samba on smbhosttest (version %v)
log file = /var/log/samba/log.%m
log level = 5 winbind:5
max log size = 0
unix extensions = no
wide links = yes
kernel oplocks = no
oplocks = yes
posix locking = no
blocking locks = no
acl allow execute always = yes
store dos attributes = no
max open files = 32808
dead time = 15
getwd cache = yes
stat cache = yes
browseable = no
use sendfile = true
aio read size = 32768
aio write size = 32768
disable netbios = yes
smb ports = 445
dos charset = CP850
unix charset = CP850
name resolve order = host wins bcast
netbios name = smbhosttest
clustering = no
passdb backend = tdbsam
vfs objects = fileid
realm = MYWINDOMAIN.UNI-KOBLENZ.DE
security = ADS
winbind use default domain = no
winbind max domain connections = 20
winbind max clients = 1000
winbind reconnect delay = 20
map to guest = bad user
idmap config MYWINDOMAIN : backend = nss
idmap config MYWINDOMAIN : range = 0-2000000
idmap config MYWINDOMAIN : read only = yes
idmap config * : backend = tdb
idmap config * : range = 3000000-4000000
idmap config * : read only = no
map acl inherit = yes
include = /etc/samba/smbshares.conf
--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, Web: http://www.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://www.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
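The two JSON audit records quoted in the post are enough to tell the failure modes apart mechanically. The script below is an added example, not code from the post or from the Samba project: it parses Samba's JSON "Authentication" audit lines and flags the case where winbind accepted the credentials (mappedAccount set) but smbd could not resolve the account locally (NT_STATUS_NO_SUCH_USER with becameAccount null), which is what the check_account()/getpwnam() failure in the post looks like in the audit stream, and reports the name that was handed to getpwnam() so it can be checked on the server with getent passwd. The sample lines are constructed from the post's two records plus one invented wrong-password record for contrast; the backslash separator is an assumption (winbind's default), consistent with the "MYWINDOMAIN\myaccount" name in the post's log line.

```python
import json
from collections import Counter

# Constructed sample log. The first two JSON records are the ones quoted in the
# post (working server, then failing server); the third is a made-up
# wrong-password record added for contrast. Non-JSON lines are skipped.
SAMPLE_LOG = """\
[2021/11/16 08:47:56.465675, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
{"timestamp": "2021-11-16T08:47:56.465786+0100", "type": "Authentication", "Authentication": {"eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:141.26.79.230:445", "remoteAddress": "ipv4:141.26.9.13:47084", "serviceDescription": "SMB2", "clientDomain": "MYWINDOMAIN", "clientAccount": "myaccount", "workstation": "MYLINUXCLIENT", "becameAccount": "myaccount", "becameDomain": "MYWINDOMAIN", "becameSid": "S-1-5-21-273517061-3739583815-1147605690-1809", "mappedAccount": "myaccount", "mappedDomain": "MYWINDOMAIN", "passwordType": "NTLMv2", "duration": 18322}}
[2021/11/16 08:39:32.649575, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
{"timestamp": "2021-11-16T08:39:32.649676+0100", "type": "Authentication", "Authentication": {"eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:141.26.79.230:445", "remoteAddress": "ipv4:141.26.9.13:46936", "serviceDescription": "SMB2", "clientDomain": "MYWINDOMAIN", "clientAccount": "myaccount", "workstation": "MYLINUXCLIENT", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "myaccount", "mappedDomain": "MYWINDOMAIN", "passwordType": "NTLMv2", "duration": 14952}}
{"timestamp": "2021-11-16T08:40:01.000000+0100", "type": "Authentication", "Authentication": {"eventId": 4625, "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:141.26.79.230:445", "remoteAddress": "ipv4:141.26.9.13:46940", "serviceDescription": "SMB2", "clientDomain": "MYWINDOMAIN", "clientAccount": "myaccount", "workstation": "MYLINUXCLIENT", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "myaccount", "mappedDomain": "MYWINDOMAIN", "passwordType": "NTLMv2", "duration": 9000}}
"""

NSS_FAILURE = "nss_lookup_failed"


def parse_auth_records(text):
    """Return the 'Authentication' sub-object of every JSON audit line, with the
    outer timestamp copied in. Human-readable log lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if obj.get("type") != "Authentication":
            continue
        rec = dict(obj["Authentication"])
        rec["timestamp"] = obj.get("timestamp")
        records.append(rec)
    return records


def classify(rec):
    """ok: logon completed (eventId 4624, becameAccount set).
    nss_lookup_failed: credentials were accepted (mappedAccount set) but smbd
    could not resolve the account locally (NT_STATUS_NO_SUCH_USER, becameAccount
    null), i.e. the check_account()/getpwnam() failure from the post.
    failed: every other rejection (wrong password, lockout, ...)."""
    if rec.get("eventId") == 4624 and rec.get("becameAccount"):
        return "ok"
    if (rec.get("status") == "NT_STATUS_NO_SUCH_USER"
            and rec.get("mappedAccount") and not rec.get("becameAccount")):
        return NSS_FAILURE
    return "failed"


def nss_lookup_name(rec, use_default_domain=False, separator="\\"):
    """Name smbd passes to getpwnam() for this record. With
    'winbind use default domain = no' (the post's smb.conf) that is
    DOMAIN<separator>user; the backslash default separator is assumed."""
    if use_default_domain:
        return rec["mappedAccount"]
    return f"{rec['mappedDomain']}{separator}{rec['mappedAccount']}"


def triage(text, use_default_domain=False):
    """Count outcomes and list every NSS-lookup failure with the exact name
    to test on the server using 'getent passwd'."""
    counts = Counter()
    findings = []
    for rec in parse_auth_records(text):
        kind = classify(rec)
        counts[kind] += 1
        if kind == NSS_FAILURE:
            findings.append({
                "timestamp": rec["timestamp"],
                "remote": rec.get("remoteAddress"),
                "workstation": rec.get("workstation"),
                "getent_name": nss_lookup_name(rec, use_default_domain),
            })
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    print(dict(counts))
    for f in findings:
        print(f"{f['timestamp']} {f['remote']} ({f['workstation']}): "
              f"credentials accepted but getpwnam() failed; "
              f"check on the server: getent passwd '{f['getent_name']}'")
```

Feeding the server's log.* files through triage() separates "the DC rejected the user" from "the DC accepted the user but the server's NSS cannot resolve the domain-qualified name", which is the case in the post; a getent passwd for the reported name that returns nothing on the server points at the nsswitch/idmap side rather than at the domain join.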