[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 14 10:58:30 UTC 2022
Add and try again ..
In smb.conf Global
min protocol = SMB2
I still have 1 server running with Version 4.6.16-Debian on a wheezy with a 4.19.x kernel
And that works fine here with W7, 10 and 11.
Small sidenote, I run smbd and winbind only on that one.
No SSSD.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Daniel H. Peger via samba
> Sent: Monday 14 February 2022 11:09
> To: samba at lists.samba.org
> Subject: [Samba] ActiveDirectory authorization broke from
> samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
>
> Hi,
>
> I'm using sssd based authorization to grant access to samba
> shares based on AD memberships.
>
> Everything used to work with Ubuntu 18.04 (up to samba
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.23) but
> recently after applying security patches (samba
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.27) users can no
> longer access shares from Windows clients - password prompt
> keeps popping up despite valid
> user/password combination. If I allow public guest access to
> the share (public = yes,
> guest ok = yes) accessing the files from Windows is possible.
>
> I already tried to increase samba's log level but I'm unable
> to find any related clues. I saw
> some security findings were fixed but could not directly
> relate any of the issues to my problem.
>
> The AD integration itself is still working (login, sudoers,
> group memberships, etc) only access to
> the samba shares is no longer possible.
>
> Here's my config:
>
> /etc/smb.conf:
>
> [global]
> security = ads
> workgroup = workgroup
> realm = workgroup.int
> netbios name = 192-186-99-32
> kerberos method = secrets and keytab
> log level = 3
> guest account = nobody
> restrict anonymous = 2
> browse list = no
> server signing = mandatory
>
> [Share]
> path = /srv/share
> public = no
> guest ok = no
> browseable = no
> read only = yes
> force user = adm
> force group = staff
> create mask = 0770
> directory mask = 0770
> valid users = @"staff"
> write list =
> read list = @"staff"
>
>
> /etc/sssd/sssd.conf:
>
> [sssd]
> domains = workgroup.int
> config_file_version = 2
> services = nss, pam
> default_domain_suffix = workgroup.int
>
> [domain/workgroup.int]
> ad_domain = workgroup.int
> ad_hostname = 192-168-99-32.workgroup.int
> ad_server = dc01.workgroup.int, dc02.workgroup.int
> krb5_realm = WORKGROUP.INT
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> ldap_referrals = False
> use_fully_qualified_names = True
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = Staff
> simple_allow_users = workgroup_service
> dyndns_update = True
> dyndns_refresh_interval = 86400 # once a day
> debug_level = 0x0200
>
>
> realm -list:
>
> workgroup.int
> type: kerberos
> realm-name: WORKGROUP.INT
> domain-name: workgroup.int
> configured: kerberos-member
> server-software: active-directory
> client-software: sssd
> required-package: sssd-tools
> required-package: sssd
> required-package: libnss-sss
> required-package: libpam-sss
> required-package: adcli
> required-package: samba-common-bin
> login-formats: %U at workgroup.int
> login-policy: allow-permitted-logins
> permitted-logins: workgroup_service at workgroup.int
> permitted-groups: Staff
>
>
> Could someone please provide any additional help? I'd gladly
> provide additional log or
> configuration information, if I'd know what information could
> be relevant.
>
> Thanks in advance
> Daniel
>