net join doesn't work by default since switch to 4.x

Bug #1268180 reported by Stéphane Graber
This bug affects 3 people
Affects         Status        Importance  Assigned to  Milestone
samba (Ubuntu)  Fix Released  High        Unassigned

Bug Description

I just installed a new clean 14.04 system and it looks like the default samba doesn't work by default for a standard net join:

root@rproxy01:~# net join -U stgraber stgraber.net
Enter stgraber's password:
Failed to open /var/lib/samba/private/secrets.tdb
Failed to join domain: Unable to open secrets database
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain STGRABER
Unable to find a suitable server for domain STGRABER

This appears to be entirely linked to the first error. Creating the missing /var/lib/samba/private directory and attempting the join again succeeds.

The configuration I'm using is quite minimal and simple:
[global]
    workgroup = STGRABER
    realm = stgraber.net
    server string = %h
    security = ads
    kerberos method = system keytab
    load printers = No

I suspect fixing this should be as simple as having /var/lib/samba/private shipped by samba-common.

Oh and since I couldn't use ubuntu-bug from that system (single stack IPv6 and Launchpad doesn't support IPv6), here is some package information:
ii python-samba 2:4.0.13+dfsg-1ubuntu1 amd64 Python bindings for Samba
ii samba-common 2:4.0.13+dfsg-1ubuntu1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.0.13+dfsg-1ubuntu1 amd64 Samba common files used by both the server and the client
ii samba-libs:amd64 2:4.0.13+dfsg-1ubuntu1 amd64 Samba core libraries


Robie Basak (racb)
Changed in samba (Ubuntu):
status: New → Triaged
importance: Undecided → High
William Van Hevelingen (blkperl) wrote :

Not able to reproduce, looks like that directory is provided by the package.

root@testsmb1:~# dpkg -L samba | grep private
/var/lib/samba/private

Stéphane Graber (stgraber) wrote :

That's because you have the "samba" binary package installed, "net" is provided by samba-common-bin so systems with just samba-common-bin should be able to net join.

I suspect /var/lib/samba/private ought to be part of samba-common-bin or samba-common instead of samba.
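
A pre-flight check for the condition discussed in the comments above, as an added example that is not part of the original thread or of the Samba packaging. The helper names ensure_private_dir and private_dir_owner are hypothetical, and the choice of mode 0700 for the directory holding secrets.tdb is an assumption of this example.

```shell
#!/bin/sh
# Added example (constructed): check the directory that holds secrets.tdb
# before running `net join` on a system with only samba-common-bin installed.
# ensure_private_dir / private_dir_owner are hypothetical helper names.

# Usage: ensure_private_dir [DIR]
# Returns 0 if DIR exists (or was created) with no group/other access,
#         1 if DIR is a symlink, is not a directory, or cannot be created,
#         2 if DIR exists but is accessible to group or other.
ensure_private_dir() {
    dir="${1:-/var/lib/samba/private}"

    if [ -L "$dir" ] || { [ -e "$dir" ] && [ ! -d "$dir" ]; }; then
        echo "refusing: $dir is not a plain directory" >&2
        return 1
    fi

    if [ ! -d "$dir" ]; then
        # Create it restrictive from the start; a bare mkdir under the
        # usual umask would leave it 0755. (0700 is this example's assumption.)
        install -d -m 0700 "$dir" || return 1
        echo "created $dir (0700)" >&2
        return 0
    fi

    mode=$(stat -c '%a' "$dir") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "warning: $dir has mode $mode, expected 0700" >&2
             return 2 ;;
    esac
}

# Print the package that ships DIR, "unknown" without dpkg, or nothing if
# no installed package owns it (the situation reported in this bug).
private_dir_owner() {
    command -v dpkg >/dev/null 2>&1 || { echo "unknown"; return 0; }
    dpkg -S "${1:-/var/lib/samba/private}" 2>/dev/null | cut -d: -f1 || true
}
```
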

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.1.6+dfsg-1ubuntu1

---------------
samba (2:4.1.6+dfsg-1ubuntu1) trusty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    + debian/VERSION.patch: Update vendor string to "Ubuntu".
    + debian/smb.conf;
       - Add "(Samba, Ubuntu)" to server string.
       - Comment out the default [homes] share, and add a comment about "valid users = %s"
         to show users how to restrict access to \\server\username to only username.
    + debian/samba-common.config:
      - Do not change priority to high if dhclient3 is installed.
    + debian/control:
      - Don't build against or suggest ctdb and tdb.
    + debian/rules:
      - Drop explicit configuration options for ctdb and tdb.
    + Add ufw integration:
      - Created debian/samba.ufw.profile:
      - debian/rules, debian/samba.install: install profile
    + Add apport hook:
      - Created debian/source_samba.py.
      - debian/rules, debia/samb-common-bin.install: install hook.
    + debian/samba.logrotate: call upstart interfaces unconditionally instead
      of hacking around with pid files.
    + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
      first dummy transitional package version.
    + Dropped patches:
      - debian/patches/CVE-2013-4496.patch: Dropped no longer needed
      - debian/patches/CVE-2013-6442.patch: Dropped no longer needed.
      - debian/patches/readline-ftbfs.patch: Use the debian version.
    + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
      (LP: #1268180)

samba (2:4.1.6+dfsg-1) unstable; urgency=high

  * New upstream security release. Fixes:
    - CVE-2013-4496: password lockout not enforced for SAMR password changes
    - CVE-2013-6442: smbcacls can remove a file or directory ACL by mistake
  * Backport fix for readline 6.3 from master

samba (2:4.1.5+dfsg-1) unstable; urgency=medium

  [ Jelmer Vernooij ]
  * Fix watch file.

  [ Ivo De Decker ]
  * New upstream release.
  * Remove the part of patch 26_heimdal_compat integrated upstream.

samba (2:4.1.4+dfsg-3) unstable; urgency=medium

  * Move samba.dckeytab module to samba package, as it relies on hdb.
    Closes: #736405, #736430

samba (2:4.1.4+dfsg-2) unstable; urgency=medium

  [ Jelmer Vernooij ]
  * Depend on newer version of ctdb, as Samba won't build against older
    versions without --enable-old-ctdb.
  * Bump standards version to 3.9.5 (no changes).
  * Move libpac, db_glue and hdb module from samba-libs to samba package
    to reduce size and dependency set of libs package.
  * Fix compatibility with newer versions of the Heimdal HDB API.
    + Update 26_heimdal_compat: Fix initialization of HDB plugin. Thanks Jeff
      Clark. Closes: #732342
    + Add dependency on specific version of the Heimdal HDB API.
      Closes: #732344

  [ Steve Langasek ]
  * dhcp3-client is superseded by dhcp-client; update the references in
    the package. Closes: #736070.
  * Move the dhcp client hook from /etc/dhcp3 to /etc/dhcp.
    Closes: #649100.
  * debian/bin/xsltproc: don't use $FAKETIME as the variable name in our
    wrapper script, this seems to make faketime unhappy.
...


Changed in samba (Ubuntu):
status: Triaged → Fix Released