[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)

Daniel H. Peger daniel at peger.de
Mon Feb 14 10:08:36 UTC 2022


Hi,

I'm using sssd based authorization to grant access to samba shares based on AD memberships.

Everything used to work with Ubuntu 18.04 (up to samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23) but
recently after applying security patches (samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.27) users can no
longer access shares from Windows clients - password prompt keeps popping up despite valid
user/password combination. If I allow public guest access to the share (public = yes,
guest ok = yes) accessing the files from Windows ist possible.

I already tried to increase samba's log level but I'm unable to find any related clues. I saw
some security findings were fixed but could not directly relate any of the issues to my problem.

The AD integration itself is still working (login, sudoers, group memberships, etc) only access to
the samba shares is no longer possible.

Here's my config:

/etc/smb.conf:

    [global]
        security = ads
        workgroup = workgroup
        realm = workgroup.int
        netbios name = 192-186-99-32
        kerberos method = secrets and keytab
        log level = 3
        guest account = nobody
        restrict anonymous = 2
        browse list = no
        server signing = mandatory
    
    [Share]
        path = /srv/share
        public = no
        guest ok = no
        browseable = no
        read only = yes
        force user = adm
        force group = staff
        create mask = 0770
        directory mask = 0770
        valid users = @"staff"
        write list = 
        read list = @"staff"


/etc/sssd/sssd.conf:

    [sssd]
    domains = workgroup.int
    config_file_version = 2
    services = nss, pam
    default_domain_suffix = workgroup.int
    
    [domain/workgroup.int]
    ad_domain = workgroup.int
    ad_hostname = 192-168-99-32.workgroup.int
    ad_server = dc01.workgroup.int, dc02.workgroup.int
    krb5_realm = WORKGROUP.INT
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    ldap_referrals = False
    use_fully_qualified_names = True
    fallback_homedir = /home/%u@%d
    access_provider = simple
    simple_allow_groups = Staff
    simple_allow_users = workgroup_service
    dyndns_update = True
    dyndns_refresh_interval = 86400  # once a day
    debug_level = 0x0200
    

realm -list:

    workgroup.int
      type: kerberos
      realm-name: WORKGROUP.INT
      domain-name: workgroup.int
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: sssd-tools
      required-package: sssd
      required-package: libnss-sss
      required-package: libpam-sss
      required-package: adcli
      required-package: samba-common-bin
      login-formats: %U at workgroup.int
      login-policy: allow-permitted-logins
      permitted-logins: workgroup_service at workgroup.int
      permitted-groups: Staff
    

Could someone please provide any additional help? I'd gladly provide additional log or
configuration information, if I'd know what information could be relevant.

Thanks in advance
Daniel



More information about the samba mailing list