net join doesn't work by default since switch to 4.x

Bug #1268180 reported by Stéphane Graber on 2014-01-11
This bug affects 3 people
Affects: samba (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

I just installed a new clean 14.04 system and it looks like the default samba doesn't work by default for a standard net join:

root@rproxy01:~# net join -U stgraber stgraber.net
Enter stgraber's password:
Failed to open /var/lib/samba/private/secrets.tdb
Failed to join domain: Unable to open secrets database
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain STGRABER
Unable to find a suitable server for domain STGRABER

This appears to be entirely linked to the first error. Creating the missing /var/lib/samba/private directory and attempting the join again succeeds.

The configuration I'm using is quite minimal and simple:
[global]
    workgroup = STGRABER
    realm = stgraber.net
    server string = %h
    security = ads
    kerberos method = system keytab
    load printers = No

I suspect fixing this should be as simple as having /var/lib/samba/private shipped by samba-common.

Oh, and since I couldn't use ubuntu-bug from that system (single-stack IPv6, and Launchpad doesn't support IPv6), here is some package information:
ii python-samba 2:4.0.13+dfsg-1ubuntu1 amd64 Python bindings for Samba
ii samba-common 2:4.0.13+dfsg-1ubuntu1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.0.13+dfsg-1ubuntu1 amd64 Samba common files used by both the server and the client
ii samba-libs:amd64 2:4.0.13+dfsg-1ubuntu1 amd64 Samba core libraries
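
Added example, not part of the original report or of the Samba packaging: a pre-flight check for the private directory named in the error above, which matters because secrets.tdb holds the machine account credentials written by the join. The function names, the status words and the 0700 mode used when creating the directory are assumptions of this example, not what the package ships.

```shell
#!/bin/sh
# Added example: verify Samba's private directory before running "net join".
# Assumes GNU coreutils (stat -c, install -d). Names below are hypothetical.
PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"   # path from the error

# has_bits PATH MASK: succeed if any permission bit in octal MASK is set.
has_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 0$2 )) -ne 0 ]
}

# check_private_dir DIR: print one status word describing DIR.
check_private_dir() {
    dir="$1"
    if [ -L "$dir" ]; then
        echo not-a-directory      # a symlink could redirect secrets.tdb
    elif [ ! -e "$dir" ]; then
        echo missing              # the state that made the join fail
    elif [ ! -d "$dir" ]; then
        echo not-a-directory
    elif has_bits "$dir" 022; then
        echo dir-writable         # group/other could replace secrets.tdb
    elif [ -e "$dir/secrets.tdb" ] && has_bits "$dir/secrets.tdb" 077; then
        echo secrets-exposed      # machine credentials visible beyond owner
    else
        echo ok
    fi
}

# ensure_private_dir DIR: create DIR only when missing, then report status.
# Mode 0700 is this example's conservative choice (assumption).
ensure_private_dir() {
    if [ "$(check_private_dir "$1")" = missing ]; then
        install -d -m 0700 "$1" || return 1
    fi
    check_private_dir "$1"
}

# Stand-alone run: report on the default path without changing anything.
echo "$PRIVATE_DIR: $(check_private_dir "$PRIVATE_DIR")"
```

Run `ensure_private_dir "$PRIVATE_DIR"` as root before the join on systems that only have samba-common-bin installed; any status other than `ok` should be resolved first.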


Robie Basak (racb) on 2014-01-13
Changed in samba (Ubuntu):
status: New → Triaged
importance: Undecided → High

Not able to reproduce, looks like that directory is provided by the package.

root@testsmb1:~# dpkg -L samba | grep private
/var/lib/samba/private

Stéphane Graber (stgraber) wrote :

That's because you have the "samba" binary package installed, "net" is provided by samba-common-bin so systems with just samba-common-bin should be able to net join.

I suspect /var/lib/samba/private ought to be part of samba-common-bin or samba-common instead of samba.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.1.6+dfsg-1ubuntu1

---------------
samba (2:4.1.6+dfsg-1ubuntu1) trusty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    + debian/VERSION.patch: Update vendor string to "Ubuntu".
    + debian/smb.conf;
       - Add "(Samba, Ubuntu)" to server string.
       - Comment out the default [homes] share, and add a comment about "valid users = %s"
         to show users how to restrict access to \\server\username to only username.
    + debian/samba-common.config:
      - Do not change priority to high if dhclient3 is installed.
    + debian/control:
      - Don't build against or suggest ctdb and tdb.
    + debian/rules:
      - Drop explicit configuration options for ctdb and tdb.
    + Add ufw integration:
      - Created debian/samba.ufw.profile:
      - debian/rules, debian/samba.install: install profile
    + Add apport hook:
      - Created debian/source_samba.py.
      - debian/rules, debia/samb-common-bin.install: install hook.
    + debian/samba.logrotate: call upstart interfaces unconditionally instead
      of hacking around with pid files.
    + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
      first dummy transitional package version.
    + Dropped patches:
      - debian/patches/CVE-2013-4496.patch: Dropped no longer needed
      - debian/patches/CVE-2013-6442.patch: Dropped no longer needed.
      - debian/patches/readline-ftbfs.patch: Use the debian version.
    + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
      (LP: #1268180)

samba (2:4.1.6+dfsg-1) unstable; urgency=high

  * New upstream security release. Fixes:
    - CVE-2013-4496: password lockout not enforced for SAMR password changes
    - CVE-2013-6442: smbcacls can remove a file or directory ACL by mistake
  * Backport fix for readline 6.3 from master

samba (2:4.1.5+dfsg-1) unstable; urgency=medium

  [ Jelmer Vernooij ]
  * Fix watch file.

  [ Ivo De Decker ]
  * New upstream release.
  * Remove the part of patch 26_heimdal_compat integrated upstream.

samba (2:4.1.4+dfsg-3) unstable; urgency=medium

  * Move samba.dckeytab module to samba package, as it relies on hdb.
    Closes: #736405, #736430

samba (2:4.1.4+dfsg-2) unstable; urgency=medium

  [ Jelmer Vernooij ]
  * Depend on newer version of ctdb, as Samba won't build against older
    versions without --enable-old-ctdb.
  * Bump standards version to 3.9.5 (no changes).
  * Move libpac, db_glue and hdb module from samba-libs to samba package
    to reduce size and dependency set of libs package.
  * Fix compatibility with newer versions of the Heimdal HDB API.
    + Update 26_heimdal_compat: Fix initialization of HDB plugin. Thanks Jeff
      Clark. Closes: #732342
    + Add dependency on specific version of the Heimdal HDB API.
      Closes: #732344

  [ Steve Langasek ]
  * dhcp3-client is superseded by dhcp-client; update the references in
    the package. Closes: #736070.
  * Move the dhcp client hook from /etc/dhcp3 to /etc/dhcp.
    Closes: #649100.
  * debian/bin/xsltproc: don't use $FAKETIME as the variable name in our
    wrapper script, this seems to make faketime unhappy.
...


Changed in samba (Ubuntu):
status: Triaged → Fix Released