DEP8 failing with samba 4.15.5

Bug #1962166 reported by Andreas Hasenack
This bug affects 1 person
Affects Status Importance Assigned to Milestone
backuppc (Ubuntu)
Fix Released
Sergio Durigan Junior
samba (Ubuntu)

Bug Description

With samba 4.15.5, currently in jammy proposed, the smb backup test is showing multiple failures[1]:

XferErr cmdExecOrEval: about to exec /usr/bin/smbclient \\\\localhost\\public -U -E -d 1 -c tarmode\ full -mSMB3 -Tc -
tarExtract: /usr/share/backuppc/bin/BackupPC_tarExtract: got Full = 1
tarExtract: /usr/share/backuppc/bin/BackupPC_tarExtract starting... (XferLogLevel = 1)
tarExtract: ^@^@^@^@^@^@^@^@^@^@000000 ^@000000/Password for [WORKGROUP\]:./tmp.UKmPfI: checksum error at
__bpc_progress_fileCnt__ 0
  new 0 0/0 0 ^@^@^@^@^@^@^@^@^@^@000000 ^@000000/Password for [WORKGROUP\]:./tmp.UKmPfI -> 2262 14205542225 011215


tarExtract: 8190: checksum error at
tarExtract: Got unknown type 8 for 81887
tarExtract: 81888
tarExtract: Done: 8918 errors, 3659 filesExist, 1182600 sizeExist, 360882 sizeExistComp, 3980 filesTotal, 1593860 sizeTotal, 321 filesNew, 411260 sizeNew, 40098 sizeNewComp, 2499 inodeLast

With samba 4.13 the test works.


Related branches

Changed in backuppc (Ubuntu):
status: New → Triaged
tags: added: update-excuse update-excuses
Changed in samba (Ubuntu):
status: New → Triaged
Changed in backuppc (Ubuntu):
assignee: Andreas Hasenack (ahasenack) → Sergio Durigan Junior (sergiodj)
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

I investigated this bug and found that it's possibly a regression introduced in the 4.15.x series of Samba.

In a nutshell, Samba offers guest authentications (i.e., when username/password are provided but are ignored by libsmbclient, which will map the request to the Guest user configured on smb.conf), and anonymous authentication (i.e., when the username/password are empty; this is equivalent to invoking smbclient with -N).

I found that, on Samba 4.13.14 (currently in the -release pocket on Jammy), it is possible to perform an anonymous authentication using an empty password (specific via the PASSWD environment variable) and an empty user (specified via smbclient's -U option, but without actually providing a user). However, on Samba 4.15.5 (curent in the -proposed pocket on Jammy), this exact scenario doesn't work anymore.

backuppc will invoke smbclient exactly as described above, and that's what's triggering the problem. But it's possible to reproduce the problem without backuppc:

$ lxc launch ubuntu-daily:jammy samba-bug1962166
$ lxc shell samba-bug1962166
# apt update && apt full-upgrade -y
# apt install samba smbclient -y
# cat >> /etc/samba/smb.conf << EOF

  path = /srv/test
  read only = yes
  guest ok = yes
  browseable = yes
# mkdir /srv/test
# systemctl reload smbd.service
# PASSWD="" smbclient \\\\localhost\\test -U -L
Try "help" to get a list of possible commands.
smb: \>

Now, enable the -proposed repository inside the container, update samba and run the same command again. You will see:

# PASSWD="" smbclient \\\\localhost\\test -U -L
Password for [WORKGROUP\-L]:

smbclient doesn't recognize the empty user anymore; instead, it assumes that the username is "-L", which is obviously wrong.

Arguably, this method of authentication is very fragile (it relies on an obscure way to parse the command line arguments and identify that "-U" without a valid username in front of it actually means an empty user) and it could be said that it is backuppc's responsibility to identify when the samba share's user/password are empty and invoke smbclient with -N. However, it is not entirely clear to me whether this was an intentional change of behaviour or not, so I went ahead and filed an upstream bug explaining the situation to them. Hopefully we will get more pointers.

Meanwhile, I have a simple workaround that makes backuppc's autopkgtest pass again. Basically, we just need to actually provide a non-empty username/password combination when authenticating (it doesn't need to be valid data; anything will do); smbclient will then fall back to the guest authentication explained above. I will file an MP soon.

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Filed a bug against upstream backuppc as well.

Changed in backuppc:
status: Unknown → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package backuppc - 4.4.0-5ubuntu1

backuppc (4.4.0-5ubuntu1) jammy; urgency=medium

  * d/t/smb-backup: Provide non-empty username/password values to
    authenticate against the Samba share, working around a possible Samba
    regression with anonymous authentication. (LP: #1962166)

 -- Sergio Durigan Junior <email address hidden> Fri, 25 Feb 2022 16:49:57 -0500

Changed in backuppc (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Nothing to fix in samba here IIUC, setting that to "invalid"

Changed in samba (Ubuntu):
status: Triaged → Invalid
tags: removed: server-todo
Revision history for this message
Andreas Hasenack (ahasenack) wrote :
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.