[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)
Rowland Penny
rpenny at samba.org
Mon Feb 14 11:09:14 UTC 2022
On Mon, 2022-02-14 at 10:08 +0000, Daniel H. Peger via samba wrote:
> Hi,
>
> I'm using sssd based authorization to grant access to samba shares
> based on AD memberships.
>
> Everything used to work with Ubuntu 18.04 (up to samba
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.23) but recently after applying security
> patches (samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.27) users can no longer
> access shares from Windows clients - password prompt keeps popping up
> despite valid user/password combination. If I allow public guest access
> to the share (public = yes, guest ok = yes) accessing the files from
> Windows is possible.
>
> I already tried to increase samba's log level but I'm unable to find
> any related clues. I saw some security findings were fixed but could
> not directly relate any of the issues to my problem.
>
> The AD integration itself is still working (login, sudoers, group
> memberships, etc) only access to the samba shares is no longer possible.
>
> Here's my config:
>
> /etc/smb.conf:
>
> [global]
> security = ads
> workgroup = workgroup
> realm = workgroup.int
> netbios name = 192-186-99-32
> kerberos method = secrets and keytab
> log level = 3
> guest account = nobody
> restrict anonymous = 2
> browse list = no
> server signing = mandatory
>
> [Share]
> path = /srv/share
> public = no
> guest ok = no
> browseable = no
> read only = yes
> force user = adm
> force group = staff
> create mask = 0770
> directory mask = 0770
> valid users = @"staff"
> write list =
> read list = @"staff"
>
>
> /etc/sssd/sssd.conf:
>
> [sssd]
> domains = workgroup.int
> config_file_version = 2
> services = nss, pam
> default_domain_suffix = workgroup.int
>
> [domain/workgroup.int]
> ad_domain = workgroup.int
> ad_hostname = 192-168-99-32.workgroup.int
> ad_server = dc01.workgroup.int, dc02.workgroup.int
> krb5_realm = WORKGROUP.INT
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> ldap_referrals = False
> use_fully_qualified_names = True
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = Staff
> simple_allow_users = workgroup_service
> dyndns_update = True
> dyndns_refresh_interval = 86400 # once a day
> debug_level = 0x0200
>
>
> realm -list:
>
> workgroup.int
> type: kerberos
> realm-name: WORKGROUP.INT
> domain-name: workgroup.int
> configured: kerberos-member
> server-software: active-directory
> client-software: sssd
> required-package: sssd-tools
> required-package: sssd
> required-package: libnss-sss
> required-package: libpam-sss
> required-package: adcli
> required-package: samba-common-bin
> login-formats: %U@workgroup.int
> login-policy: allow-permitted-logins
> permitted-logins: workgroup_service@workgroup.int
> permitted-groups: Staff
>
>
> Could someone please provide any additional help? I'd gladly provide
> additional log or configuration information, if I knew what information
> could be relevant.
>
> Thanks in advance
> Daniel
My advice is to upgrade everything and dump sssd.
Rowland