[Samba] Kerberos authentication on standalone server in MIT realm breaks after 4.11.6 -> 4.13.14 update

Chapiron Sebastien Sebastien.Chapiron at ssi.gouv.fr
Fri Nov 26 09:12:55 UTC 2021


Hi,
We have a standalone samba server (relevant configuration in [1]) for file sharing in a MIT realm on Ubuntu 20.04 with SSSD.
It was recently updated from 4.11.6 to 4.13.14, and the update broke Kerberos authentication in our setup: the server replies NT_STATUS_ACCESS_DENIED whereas the client has a valid TGS.
I can also reproduce the issue in the latest 4.15.2 release (built from source).
Downgrading back to 4.11.6 fixes the issue.

I can provide full logs if needed, but since they are quite big I tried to isolate the differing lines between a working scenario with version 4.11.6 [2] and a NT_STATUS_ACCESS_DENIED scenario with version 4.13.14 [3]. Both scenarios consisted of a client listing the server's shares with smbclient -k -L <server's fqdn>. I'm not sure whether these log lines are relevant or useful for investigating the issue, so don't hesitate to ask for more logs, information and/or tests.

Best regards,

Sebastien Chapiron


[1] Relevant parts of the smb.conf:

[global]
    workgroup = MY.REALM
    realm = MY.REALM
    kerberos method = system keytab
    server role = standalone server
    security = USER
    obey pam restrictions = no


[2] Extract of log with smbd v4.11.6 (working)

[2021/11/25 16:37:20.322572,  2, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
  obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed:  Miscellaneous failure (see text): Ticket have not authorization data of type 128
[2021/11/25 16:37:20.322644,  3, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_util.c:54(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for myuser at MY.REALM, resorting to local user lookup
[2021/11/25 16:37:20.322680,  3, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [myuser at MY.REALM]
[2021/11/25 16:37:20.322707, 10, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:96(get_user_from_kerberos_info)
  Mapping [MY.REALM] to short name using winbindd
[2021/11/25 16:37:20.322795,  3, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:106(get_user_from_kerberos_info)
  Could not find short name: WBC_ERR_WINBIND_NOT_AVAILABLE
[2021/11/25 16:37:20.322834, 10, pid=161275, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:113(get_user_from_kerberos_info)
  Domain is [MY.REALM] (using Winbind)
[2021/11/25 16:37:20.322866,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user MY.REALM\myuser
[2021/11/25 16:37:20.322891,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is my.realm\myuser
[2021/11/25 16:37:20.335147,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:127(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is MY.REALM\myuser
[2021/11/25 16:37:20.345945,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:140(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is MY.REALM\MYUSER
[2021/11/25 16:37:20.357010,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:152(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in my.realm\myuser
[2021/11/25 16:37:20.357105,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [MY.REALM\myuser]!
[2021/11/25 16:37:20.357137,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user myuser
[2021/11/25 16:37:20.357162,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is myuser
[2021/11/25 16:37:20.357270,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [myuser]!


[3] Extract of log with smbd v4.13.14 (not working: NT_STATUS_ACCESS_DENIED)

[2021/11/25 16:41:47.238756,  2, pid=162160, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
  obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed:  Miscellaneous failure (see text): Ticket have not authorization data of type 128
[2021/11/25 16:41:47.238789,  3, pid=162160, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_util.c:73(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for myuser at MY.REALM, resorting to local user lookup
[2021/11/25 16:41:47.238842,  3, pid=162160, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [myuser at MY.REALM]
[2021/11/25 16:41:47.238883,  5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user MY.REALM\myuser
[2021/11/25 16:41:47.238912,  5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is my.realm\myuser
[2021/11/25 16:41:47.251670,  5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:127(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is MY.REALM\myuser
[2021/11/25 16:41:47.263878,  5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:140(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is MY.REALM\MYUSER
[2021/11/25 16:41:47.275035,  5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:152(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in my.realm\myuser
[2021/11/25 16:41:47.275133,  5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [MY.REALM\myuser]!
[2021/11/25 16:41:47.275164,  3, pid=162160, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:123(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username MY.REALM\myuser is invalid on this system
[2021/11/25 16:41:47.275194,  3, pid=162160, effective(0, 0), real(0, 0)] ../../source3/auth/auth_generic.c:222(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2021/11/25 16:41:47.275256,  3, pid=162160, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/11/25 16:41:47.275335, 10, pid=162160, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3747(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: mid [1] idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../../source3/smbd/smb2_server.c:3911
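An added example (not from the post or from Samba itself) that parses the smbd debug-log format quoted above, lists the names each run handed to Get_Pwnam_alloc and which one resolved, and reports where the two call sequences diverge. The embedded log lines are shortened excerpts of the two extracts in the post.

```python
import re
# Shortened excerpts of the two smbd debug logs quoted in the post (4.11.6 vs 4.13.14).
WORKING = r"""[2021/11/25 16:37:20.322866,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user MY.REALM\myuser
[2021/11/25 16:37:20.357105,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [MY.REALM\myuser]!
[2021/11/25 16:37:20.357137,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user myuser
[2021/11/25 16:37:20.357270,  5, pid=161275, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [myuser]!"""
BROKEN = r"""[2021/11/25 16:41:47.238883,  5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user MY.REALM\myuser
[2021/11/25 16:41:47.275133,  5, pid=162160, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [MY.REALM\myuser]!
[2021/11/25 16:41:47.275164,  3, pid=162160, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_krb5.c:123(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username MY.REALM\myuser is invalid on this system"""

# Header of one smbd debug entry: "[timestamp, level, pid, ...] file:line(function)"; the message follows on the next, indented line.
HEADER_RE = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+),[^\]]*\] (?P<file>\S+?):\d+\((?P<func>\w+)\)\s*$")

def parse_smbd_log(text):
    """Pair each header line with the indented message line that follows it."""
    entries, pending = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            pending = m.groupdict()
            entries.append(pending)
        elif raw.startswith("  ") and pending is not None:
            pending["msg"] = raw.strip()
            pending = None
    return entries

def pwnam_lookups(entries):
    """Names smbd passed to Get_Pwnam_alloc, and which one (if any) resolved."""
    tried, found = [], None
    for e in entries:
        msg = e.get("msg", "")
        if e["func"] == "Get_Pwnam_alloc" and msg.startswith("Finding user "):
            tried.append(msg[len("Finding user "):])
        m = re.match(r"Get_Pwnam_internals did find user \[(.+)\]!", msg)
        if m:
            found = m.group(1)
    return tried, found

def first_divergence(a, b):
    """Index and function names where the two runs' call sequences stop matching."""
    fa, fb = [e["func"] for e in a], [e["func"] for e in b]
    for i, (x, y) in enumerate(zip(fa + [None], fb + [None])):
        if x != y:
            return i, x, y
    return None
```

Run against the full level-10 logs, the two helpers show that 4.11.6 retries with the bare username after the realm-qualified lookup misses, while 4.13.14 hands the miss straight to get_user_from_kerberos_info.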