[Samba] ActiveDirectory authorization broke from samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 to 2:4.7.6+dfsg~ubuntu-0ubuntu2.27 (ubuntu 18.04)

Rowland Penny rpenny at samba.org
Mon Feb 14 11:09:14 UTC 2022


On Mon, 2022-02-14 at 10:08 +0000, Daniel H. Peger via samba wrote:
> Hi,
> 
> I'm using sssd based authorization to grant access to samba shares
> based on AD memberships.
> 
> Everything used to work with Ubuntu 18.04 (up to samba
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.23) but
> recently after applying security patches (samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.27) users can no
> longer access shares from Windows clients - password prompt keeps
> popping up despite valid
> user/password combination. If I allow public guest access to the
> share (public = yes,
> guest ok = yes) accessing the files from Windows is possible.
> 
> I already tried to increase samba's log level but I'm unable to find
> any related clues. I saw
> some security findings were fixed but could not directly relate any
> of the issues to my problem.
> 
> The AD integration itself is still working (login, sudoers, group
> memberships, etc) only access to
> the samba shares is no longer possible.
> 
> Here's my config:
> 
> /etc/smb.conf:
> 
>     [global]
>         security = ads
>         workgroup = workgroup
>         realm = workgroup.int
>         netbios name = 192-186-99-32
>         kerberos method = secrets and keytab
>         log level = 3
>         guest account = nobody
>         restrict anonymous = 2
>         browse list = no
>         server signing = mandatory
>     
>     [Share]
>         path = /srv/share
>         public = no
>         guest ok = no
>         browseable = no
>         read only = yes
>         force user = adm
>         force group = staff
>         create mask = 0770
>         directory mask = 0770
>         valid users = @"staff"
>         write list = 
>         read list = @"staff"
> 
> 
> /etc/sssd/sssd.conf:
> 
>     [sssd]
>     domains = workgroup.int
>     config_file_version = 2
>     services = nss, pam
>     default_domain_suffix = workgroup.int
>     
>     [domain/workgroup.int]
>     ad_domain = workgroup.int
>     ad_hostname = 192-168-99-32.workgroup.int
>     ad_server = dc01.workgroup.int, dc02.workgroup.int
>     krb5_realm = WORKGROUP.INT
>     realmd_tags = manages-system joined-with-adcli
>     cache_credentials = True
>     id_provider = ad
>     krb5_store_password_if_offline = True
>     default_shell = /bin/bash
>     ldap_id_mapping = True
>     ldap_referrals = False
>     use_fully_qualified_names = True
>     fallback_homedir = /home/%u@%d
>     access_provider = simple
>     simple_allow_groups = Staff
>     simple_allow_users = workgroup_service
>     dyndns_update = True
>     dyndns_refresh_interval = 86400  # once a day
>     debug_level = 0x0200
>     
> 
> realm -list:
> 
>     workgroup.int
>       type: kerberos
>       realm-name: WORKGROUP.INT
>       domain-name: workgroup.int
>       configured: kerberos-member
>       server-software: active-directory
>       client-software: sssd
>       required-package: sssd-tools
>       required-package: sssd
>       required-package: libnss-sss
>       required-package: libpam-sss
>       required-package: adcli
>       required-package: samba-common-bin
>       login-formats: %U at workgroup.int
>       login-policy: allow-permitted-logins
>       permitted-logins: workgroup_service at workgroup.int
>       permitted-groups: Staff
>     
> 
> Could someone please provide any additional help? I'd gladly provide
> additional log or
> configuration information, if I knew what information could be
> relevant.
> 
> Thanks in advance
> Daniel

My advice is to upgrade everything and dump sssd.

Rowland
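Whatever the root cause turns out to be, the first thing to establish for a share guarded by `valid users` / `read list` is whether every name in those lists still resolves through NSS, because that is the lookup smbd makes when sssd supplies the identities. The script below is an added example for this thread, not the poster's files and not part of Samba or sssd: it parses a constructed smb.conf modelled on the one quoted above, pulls out every user and group the share depends on (`valid users`, `read list`, `write list`, `force user`, `force group`), and tries each name as written and, when `[global]` carries a `realm`, as `name@realm`, which is the form sssd returns for users and groups when `use_fully_qualified_names = True`. The lookup functions are injectable so the logic can be exercised against a constructed NSS; run without arguments it uses the real `pwd`/`grp` on the host, and with a path argument it reads that smb.conf instead.

```python
"""Check that every user and group a Samba share relies on resolves via NSS.

Constructed example for the mailing-list thread above (not the poster's
configuration, not Samba's or sssd's own code).
"""
import grp
import pwd
import re
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Constructed input modelled on the smb.conf quoted in the thread; the
# "svc account" entry is added to exercise quoted names containing spaces.
SAMPLE_SMB_CONF = """
[global]
    security = ads
    workgroup = workgroup
    realm = workgroup.int

[Share]
    path = /srv/share
    force user = adm
    force group = staff
    valid users = @"staff"
    write list =
    read list = @"staff", "svc account"
"""

ACCESS_KEYS = ("valid users", "invalid users", "read list", "write list", "admin users")
# Optional @/+/& prefix, then either a double-quoted name or a bare token.
TOKEN = re.compile(r'([@+&]?)(?:"([^"]*)"|([^\s,"]+))')


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [sections], 'key = value', '#' and ';' comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            # smbd ignores case and internal whitespace in parameter names.
            current[re.sub(r"\s+", " ", key.strip()).lower()] = value.strip()
    return sections


def access_entries(value: str) -> List[Tuple[str, str]]:
    """Split a Samba user list into (kind, name) pairs.

    '@name' is a netgroup-then-UNIX-group, '+name' a UNIX group, '&name' a
    netgroup only, anything else a user.  Both '@"name"' (as written in the
    thread) and '"@name"' are accepted.
    """
    entries: List[Tuple[str, str]] = []
    for m in TOKEN.finditer(value):
        prefix, quoted, bare = m.groups()
        name = quoted if quoted is not None else bare
        if not prefix and name and name[0] in "@+&":
            prefix, name = name[0], name[1:]
        if not name:
            continue
        kind = {"@": "group", "+": "group", "&": "netgroup"}.get(prefix, "user")
        entries.append((kind, name))
    return entries


def nss_user_exists(name: str) -> bool:
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def nss_group_exists(name: str) -> bool:
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False


def check_share(conf: Dict[str, Dict[str, str]], share: str,
                user_exists: Callable[[str], bool] = nss_user_exists,
                group_exists: Callable[[str], bool] = nss_group_exists) -> Dict[str, Optional[str]]:
    """Return {'kind:name': resolved form or None} for each identity the share needs.

    Each name is tried as written and, if [global] has a realm, as name@realm
    (what sssd returns when use_fully_qualified_names = True).
    """
    realm = conf.get("global", {}).get("realm", "").lower()
    params = conf.get(share, {})
    wanted: List[Tuple[str, str]] = []
    for key in ACCESS_KEYS:
        wanted += [e for e in access_entries(params.get(key, "")) if e[0] != "netgroup"]
    if params.get("force user"):
        wanted.append(("user", params["force user"]))
    if params.get("force group"):
        wanted.append(("group", params["force group"].lstrip("+")))  # '+' form is conditional
    results: Dict[str, Optional[str]] = {}
    for kind, name in wanted:
        exists = user_exists if kind == "user" else group_exists
        candidates = [name] + ([f"{name}@{realm}"] if realm and "@" not in name else [])
        results[f"{kind}:{name}"] = next((c for c in candidates if exists(c)), None)
    return results


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    conf = parse_smb_conf(text)
    for share in (s for s in conf if s.lower() not in ("global", "homes", "printers")):
        for ident, resolved in check_share(conf, share).items():
            print(f"[{share}] {ident}: {resolved or 'NOT RESOLVED via NSS'}")
```

A name reported as `NOT RESOLVED via NSS` on the file server means smbd cannot map that entry to a UNIX identity at all, so no password would ever satisfy the access list; a name that resolves only in its `name@realm` form tells you the short form in smb.conf and the qualified form sssd hands back do not match, and that the list needs the same spelling NSS returns (`getent group` on the host shows it).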