[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
Daniel H. Peger
daniel at peger.de
Mon Feb 14 10:08:36 UTC 2022
Hi,
I'm using sssd-based authorization to grant access to samba shares based on AD memberships.
Everything used to work with Ubuntu 18.04 (up to samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23) but
recently after applying security patches (samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.27) users can no
longer access shares from Windows clients - password prompt keeps popping up despite valid
user/password combination. If I allow public guest access to the share (public = yes,
guest ok = yes), accessing the files from Windows is possible.
I already tried to increase samba's log level but I'm unable to find any related clues. I saw
some security findings were fixed but could not directly relate any of the issues to my problem.
The AD integration itself is still working (login, sudoers, group memberships, etc) only access to
the samba shares is no longer possible.
Here's my config:
/etc/smb.conf:
[global]
security = ads
workgroup = workgroup
realm = workgroup.int
netbios name = 192-186-99-32
kerberos method = secrets and keytab
log level = 3
guest account = nobody
restrict anonymous = 2
browse list = no
server signing = mandatory
[Share]
path = /srv/share
public = no
guest ok = no
browseable = no
read only = yes
force user = adm
force group = staff
create mask = 0770
directory mask = 0770
valid users = @"staff"
write list =
read list = @"staff"
/etc/sssd/sssd.conf:
[sssd]
domains = workgroup.int
config_file_version = 2
services = nss, pam
default_domain_suffix = workgroup.int
[domain/workgroup.int]
ad_domain = workgroup.int
ad_hostname = 192-168-99-32.workgroup.int
ad_server = dc01.workgroup.int, dc02.workgroup.int
krb5_realm = WORKGROUP.INT
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_referrals = False
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = Staff
simple_allow_users = workgroup_service
dyndns_update = True
dyndns_refresh_interval = 86400 # once a day
debug_level = 0x0200
realm -list:
workgroup.int
type: kerberos
realm-name: WORKGROUP.INT
domain-name: workgroup.int
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U at workgroup.int
login-policy: allow-permitted-logins
permitted-logins: workgroup_service at workgroup.int
permitted-groups: Staff
Could someone please provide any additional help? I'd gladly provide additional log or
configuration information if I knew what information could be relevant.
Thanks in advance
Daniel
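A configuration review aid, added here and not part of Daniel's post or of Samba/sssd, that cross-checks the two quoted configs: the groups each share's access lists rely on versus sssd's simple_allow_groups, and Samba's netbios name versus the host part of sssd's ad_hostname. It assumes configparser's INI dialect is close enough to smb.conf and sssd.conf for the keys it reads, and it only reports differences, not a diagnosis.

```python
import configparser
import re

# Constructed, abbreviated copies of the two configs quoted above (only the keys this check reads).
SMB_CONF = """[global]
netbios name = 192-186-99-32
[Share]
valid users = @"staff"
read list = @"staff"
"""
SSSD_CONF = """[sssd]
domains = workgroup.int
[domain/workgroup.int]
ad_hostname = 192-168-99-32.workgroup.int
access_provider = simple
simple_allow_groups = Staff
"""
GROUP_RE = re.compile(r'^[@+&]+"?([^"]+)"?$')  # Samba list syntax: @name, +name, &name, quotes optional

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp

def share_groups(smb):
    """Lower-cased group names referenced by each share's valid users / read list / write list."""
    out = {}
    for sec in smb.sections():
        if sec.lower() == "global":
            continue
        toks = " ".join(smb.get(sec, k, fallback="") for k in ("valid users", "read list", "write list"))
        out[sec] = {m.group(1).lower() for m in map(GROUP_RE.match, toks.replace(",", " ").split()) if m}
    return out

def check(smb_text, sssd_text):
    """Return human-readable consistency findings between smb.conf and sssd.conf (empty list = consistent)."""
    smb, sssd = parse(smb_text), parse(sssd_text)
    dom = "domain/" + sssd.get("sssd", "domains").split(",")[0].strip()
    findings = []
    # 1. A group a share grants access to should also pass sssd's simple access filter, or the two policies disagree.
    if sssd.get(dom, "access_provider", fallback="permit") == "simple":
        allowed = {g.strip().lower() for g in sssd.get(dom, "simple_allow_groups", fallback="").split(",") if g.strip()}
        for share, names in share_groups(smb).items():
            findings += [f"{share}: group '{g}' is not in simple_allow_groups" for g in sorted(names - allowed)]
    # 2. The NetBIOS name Samba uses should match the host name sssd/adcli joined the domain with.
    nb = smb.get("global", "netbios name", fallback="").lower()
    host = sssd.get(dom, "ad_hostname", fallback="").split(".")[0].lower()
    if nb and host and nb != host:
        findings.append(f"netbios name '{nb}' differs from ad_hostname host part '{host}'")
    return findings
```

Run against the posted values, the group check passes (case-insensitive match of @"staff" against Staff) and the only finding is the differing host names, 192-186-99-32 in smb.conf versus 192-168-99-32 in sssd.conf.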