[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)

L.P.H. van Belle belle at bazuin.nl
Mon Feb 14 10:58:30 UTC 2022


Add and try again ..

In smb.conf [global]:

min protocol = SMB2

I still have one server running Version 4.6.16-Debian on a wheezy with a 4.19.x kernel,
and that works fine here with W7, 10 and 11.

Small sidenote: I run smbd and winbind only on that one.
No SSSD.

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Daniel H. Peger via samba
> Sent: Monday 14 February 2022 11:09
> To: samba at lists.samba.org
> Subject: [Samba] ActiveDirectory authorization broke from
> samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
> 
> Hi,
> 
> I'm using sssd based authorization to grant access to samba 
> shares based on AD memberships.
> 
> Everything used to work with Ubuntu 18.04 (up to samba 
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.23) but
> recently after applying security patches (samba 
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.27) users can no
> longer access shares from Windows clients - password prompt 
> keeps popping up despite valid
> user/password combination. If I allow public guest access to
> the share (public = yes,
> guest ok = yes) accessing the files from Windows is possible.
> 
> I already tried to increase samba's log level but I'm unable 
> to find any related clues. I saw
> some security findings were fixed but could not directly 
> relate any of the issues to my problem.
> 
> The AD integration itself is still working (login, sudoers, 
> group memberships, etc) only access to
> the samba shares is no longer possible.
> 
> Here's my config:
> 
> /etc/smb.conf:
> 
>     [global]
>         security = ads
>         workgroup = workgroup
>         realm = workgroup.int
>         netbios name = 192-186-99-32
>         kerberos method = secrets and keytab
>         log level = 3
>         guest account = nobody
>         restrict anonymous = 2
>         browse list = no
>         server signing = mandatory
>     
>     [Share]
>         path = /srv/share
>         public = no
>         guest ok = no
>         browseable = no
>         read only = yes
>         force user = adm
>         force group = staff
>         create mask = 0770
>         directory mask = 0770
>         valid users = @"staff"
>         write list = 
>         read list = @"staff"
> 
> 
> /etc/sssd/sssd.conf:
> 
>     [sssd]
>     domains = workgroup.int
>     config_file_version = 2
>     services = nss, pam
>     default_domain_suffix = workgroup.int
>     
>     [domain/workgroup.int]
>     ad_domain = workgroup.int
>     ad_hostname = 192-168-99-32.workgroup.int
>     ad_server = dc01.workgroup.int, dc02.workgroup.int
>     krb5_realm = WORKGROUP.INT
>     realmd_tags = manages-system joined-with-adcli
>     cache_credentials = True
>     id_provider = ad
>     krb5_store_password_if_offline = True
>     default_shell = /bin/bash
>     ldap_id_mapping = True
>     ldap_referrals = False
>     use_fully_qualified_names = True
>     fallback_homedir = /home/%u@%d
>     access_provider = simple
>     simple_allow_groups = Staff
>     simple_allow_users = workgroup_service
>     dyndns_update = True
>     dyndns_refresh_interval = 86400  # once a day
>     debug_level = 0x0200
>     
> 
> realm -list:
> 
>     workgroup.int
>       type: kerberos
>       realm-name: WORKGROUP.INT
>       domain-name: workgroup.int
>       configured: kerberos-member
>       server-software: active-directory
>       client-software: sssd
>       required-package: sssd-tools
>       required-package: sssd
>       required-package: libnss-sss
>       required-package: libpam-sss
>       required-package: adcli
>       required-package: samba-common-bin
>       login-formats: %U at workgroup.int
>       login-policy: allow-permitted-logins
>       permitted-logins: workgroup_service at workgroup.int
>       permitted-groups: Staff
>     
> 
> Could someone please provide any additional help? I'd gladly
> provide additional log or
> configuration information, if I knew what information could
> be relevant.
> 
> Thanks in advance
> Daniel
> 
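As an added example (not code from the thread, and not Samba's own tooling), here is a small smb.conf auditor in Python that checks the two settings this thread turns on: whether `[global]` pins `server min protocol` (Louis's `min protocol` is Samba's older alias for it) at SMB2 or above, so SMB1 is no longer negotiable, and whether any share grants guest access the way the `public = yes` / `guest ok = yes` workaround does. The protocol ordering follows Samba's documented protocol levels; the assumed default of `NT1` when the parameter is absent is what the Samba 4.7 series the thread runs shipped with (Samba 4.11 and later default to `SMB2_02`). The sample configurations are copied from the thread and modified as labelled.

```python
"""smb.conf auditor: effective server minimum protocol and guest-enabled shares.

Added example, not the thread's or Samba's code.  Parses smb.conf-style text
(sections in [brackets], "key = value" lines, '#'/';' comment lines) and
reports the settings discussed in the thread.
"""

# Samba protocol levels, lowest to highest.  "SMB2" and "SMB3" are the aliases
# Samba resolves to SMB2_10 and SMB3_11 respectively.
_PROTOCOL_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                   "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
                   "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
_PROTOCOL_ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}

# Parameter synonyms Samba treats as the same setting.
_SYNONYMS = {"min protocol": "server min protocol", "public": "guest ok"}


def _normalize_key(key):
    """Lower-case, collapse whitespace, then resolve Samba synonyms."""
    key = " ".join(key.lower().split())
    return _SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; a repeated parameter's last value wins."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # ignore stray lines outside any section
        key, value = line.split("=", 1)
        sections[current][_normalize_key(key)] = value.strip()
    return sections


def protocol_rank(name):
    """Position of a protocol level in Samba's ordering (aliases resolved)."""
    name = _PROTOCOL_ALIASES.get(name.upper(), name.upper())
    if name not in _PROTOCOL_ORDER:
        raise ValueError("unknown protocol level: %s" % name)
    return _PROTOCOL_ORDER.index(name)


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1", "on")


def audit_smb_conf(text, default_min_protocol="NT1"):
    """Report the effective minimum protocol and every share that allows guests.

    default_min_protocol is an assumption for the absent case: NT1 (SMB1 on)
    matches the Samba 4.7 series in the thread; 4.11+ would be SMB2_02.
    """
    conf = parse_smb_conf(text)
    global_section = next((p for n, p in conf.items() if n.lower() == "global"), {})
    min_proto = global_section.get("server min protocol", default_min_protocol)
    smb1_allowed = protocol_rank(min_proto) < protocol_rank("SMB2_02")
    guest_shares = sorted(name for name, params in conf.items()
                          if name.lower() != "global"
                          and _is_yes(params.get("guest ok", "no")))
    return {"server min protocol": min_proto.upper(),
            "smb1_allowed": smb1_allowed,
            "guest_shares": guest_shares}


# Sample input: the [global] and [Share] sections as posted in the thread.
THREAD_SMB_CONF = """\
[global]
    security = ads
    workgroup = workgroup
    realm = workgroup.int
    netbios name = 192-186-99-32
    kerberos method = secrets and keytab
    log level = 3
    guest account = nobody
    restrict anonymous = 2
    browse list = no
    server signing = mandatory

[Share]
    path = /srv/share
    public = no
    guest ok = no
    browseable = no
    read only = yes
    force user = adm
    force group = staff
    valid users = @"staff"
    write list =
    read list = @"staff"
"""

# Constructed variants: Louis's suggested line added, and the guest workaround.
HARDENED_SMB_CONF = THREAD_SMB_CONF.replace("[global]\n", "[global]\n    min protocol = SMB2\n", 1)
GUEST_WORKAROUND_CONF = THREAD_SMB_CONF.replace("public = no", "public = yes").replace("guest ok = no", "guest ok = yes")

if __name__ == "__main__":
    for label, conf in (("as posted", THREAD_SMB_CONF), ("with min protocol = SMB2", HARDENED_SMB_CONF),
                        ("guest workaround", GUEST_WORKAROUND_CONF)):
        print(label, "->", audit_smb_conf(conf))
```

Run it as-is to see the three verdicts; on a real host, feed it the output of `testparm -s` rather than the raw file so that includes and defaults are already resolved. The guest-share check is there because the workaround in the thread (opening the share to guests) trades the authorization problem for anonymous read access, which is the kind of change that should show up in a config review rather than stay in place unnoticed.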
