AD-joined Samba Server stops working after upgrade to 4.13.14+dfsg-0ubuntu0.20.04.1
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
samba (Ubuntu) | Incomplete | Undecided | Unassigned |
Bug Description
Ubuntu Release: Ubuntu 20.04.3 LTS
Package: samba 4.13.14+
Expected behavior:
I'm running a 20.04.03 LTS server joined into an AD-Domain via sssd.
Logging in via ssh works fine.
The server also exports the user homes via samba, so the users can access
their homes e.g. via \\myserver\
"just like that". The authentication via kerberos works flawlessly,
they do not have to provide a password.
That was the case for the system as long as it was running samba version 4.11.6.
What happens instead?
After a regular nightly system security update, the samba server
stack went from:
libsmbclient 2:4.11.
libwbclient0 2:4.11.
python3-samba 2:4.11.
samba 2:4.11.
samba-common 2:4.11.
samba-common-bin 2:4.11.
samba-dsdb-modules 2:4.11.
samba-libs 2:4.11.
samba-vfs-modules 2:4.11.
to:
libsmbclient 2:4.13.
libwbclient0 2:4.13.
python3-samba 2:4.13.
samba 2:4.13.
samba-common 2:4.13.
samba-common-bin 2:4.13.
samba-dsdb-modules 2:4.13.
samba-libs 2:4.13.
samba-vfs-modules 2:4.13.
(actually the following packages got updated:
libicu66 libipa-hbac0 libldb2 libsmbclient libsss-idmap0 libwbclient0 python3-ldb python3-samba python3-sss samba samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules sssd sssd-ad sssd-ad-common sssd-common sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools)
After the update, the export of the user homes is not working anymore.
The Windows10 users are not able to reach it via "\\myserver\
The share is unavailable.
I can reproduce that behavior, by restoring an older snapshot
of that virtual server. It works fine at first (immediately after the
restore), but then -after an initiated package update- it stops working.
Here is my smb.conf:
-------
[global]
interfaces = lo ens160
bind interfaces only = yes
realm = MYDOMA.IN
kerberos method = secrets and keytab
server string = %h server (Samba, Ubuntu)
log file = /var/log/
max log size = 1000
logging = file
panic action = /usr/share/
log level = 3
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[Homes]
comment = User Homes
path = /home/mydoma.in/%U
browsable = yes
valid users = %U
force group = "Domain users"
follow symlinks = yes
wide links = no
writable = yes
read only = no
force create mode = 0660
create mask = 0777
directory mask = 0777
force directory mode = 0770
access based share enum = yes
hide unreadable = yes
-------
When trying to connect from a Windows10 client, the updated samba server (4.13.14) logs for that particular IP address show:
[2021/11/25 11:12:52.256505, 1] ../../source3/
fill_
[2021/11/25 11:12:52.256532, 3] ../../source3/
../..
[2021/11/25 11:12:52.258626, 1] ../../source3/
fill_
[2021/11/25 11:12:52.258647, 3] ../../source3/
../..
[2021/11/25 11:12:52.259947, 1] ../../source3/
auth3_
[2021/11/25 11:12:52.259983, 3] ../../source3/
smbd_
[2021/11/25 11:12:52.260415, 3] ../../source3/
Server exit (NT_STATUS_
Samba Team announced that domain member setups must use winbindd in 4.8.0:
https://www.samba.org/samba/history/samba-4.8.0.html in 2018.
In order to accept AD Kerberos authentication you need to configure the server as
domain member with 'security = ads' and without 'server role = standalone server'.
In your case you most likely want to configure idmap_nss (see man idmap_nss)
and run winbindd, but without nss_winbind.
Note the above implies the patches from
https://bugzilla.samba.org/show_bug.cgi?id=14901
are included.
Unrelated here but the patch from
https://bugzilla.samba.org/show_bug.cgi?id=14899
should also be applied.
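
An added example, not part of the original report or of the reply above: a small Python check that reads the [global] section of an smb.conf and lists which of the points from the reply (no standalone role, 'security = ads', an idmap backend of nss) it does not meet. Both sample configurations are constructed; the workgroup name MYDOMA and the ID ranges are placeholders, and the check cannot tell whether winbindd is actually running.

```python
import re

# Constructed sample: the [global] settings from the report that matter here.
REPORTED = """[global]
realm = MYDOMA.IN
kerberos method = secrets and keytab
server role = standalone server
[Homes]
valid users = %U
"""

# Constructed sample following the reply; workgroup and ranges are placeholders.
MEMBER = """[global]
realm = MYDOMA.IN
workgroup = MYDOMA
security = ads
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config MYDOMA : backend = nss
idmap config MYDOMA : range = 1000-999999
"""

def norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    # Collect [global] parameters as {normalised name: value}.
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def findings(text):
    # List the points from the reply that this configuration does not meet.
    g, out = parse_global(text), []
    if g.get("serverrole", "auto").lower().startswith("standalone"):
        out.append("server role = standalone server is set")
    if g.get("security", "auto").lower() != "ads":
        out.append("security = ads is not set")
    if not any(k.startswith("idmapconfig") and k.endswith(":backend")
               and v.lower() == "nss" for k, v in g.items()):
        out.append("no idmap config with backend = nss")
    return out
```

Calling findings() on the text of /etc/samba/smb.conf returns an empty list when all three points are met.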