Fixed user mapping broken in Samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.26
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
samba (Ubuntu) | New | Undecided | Unassigned | | |
Bug Description
Samba upgrade from 2:4.7.6+
Environment:
Operating System: Ubuntu 18.04.6 LTS
Kernel: Linux 5.4.0-1058-oracle (Oracle OCI kernel)
apt list -a samba
samba/bionic-
samba/bionic 2:4.7.6+
/etc/samba/smb.conf (relevant parts):
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.TLD
idmap config * : backend = tdb
idmap config * : range = 3000-99999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 100000-199999
username map = /etc/samba/user.map
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
/etc/samba/
!root = DOMAIN\
Expected behaviour (running without problems in 2:4.7.6+
User DOMAIN\
Behaviour after (unattended) upgrade to 2:4.7.6+
Changes:
/var/log/
2021-12-08 06:59:55,179 INFO Packages that will be upgraded: busybox-initramfs busybox-static libnss-winbind libwbclient0 python-samba samba samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules winbind
Problem:
User DOMAIN\
Detailed problem description:
Attempt to access Samba shares from Windows (Server 2016, current patch level).
Errors differ if Client for NFS is installed in Windows or not.
When Client for NFS is installed, Windows tries to connect with NFS first, so remove it for testing or results will be false (ERROR_
Trying to access Samba with SMB results in an immediate error:
[Window Title]
Network Error
[Main Instruction]
Windows cannot access \\sambaserver
[Content]
Check the spelling of the name. Otherwise, there might be a problem with your network. To try to identify and resolve network problems, click Diagnose.
[^] Hide details [Diagnose] [Cancel]
[Expanded Information]
Error code: 0x80070035
The network path was not found.
I could not find any corresponding log file entry on Samba server in any log.
IMPORTANT: Attempt to connect as regular AD domain user from SAME server (Map network drive using different credentials) works without any problem.
After rolling back all packages to 2:4.7.6+
apt install libnss-
# I hope that prevents further unattended upgrades until the bug is fixed:
apt-mark hold libnss-winbind libsmbclient libwbclient0 python-samba samba samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules smbclient winbind
CVE References
affects: | ubuntu → samba (Ubuntu) |
tags: | added: bionic |
I wonder if the new "min domain uid" parameter is related to this issue. See:
https://www.samba.org/samba/security/CVE-2020-25717.html
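
The "min domain uid" parameter raised in the comment above defaults to 1000, and per the linked advisory Samba does not accept a Unix uid below it for a domain login. The following is an added example, not code from the reporter or the Samba project, that checks a username map for targets whose uid falls below that floor. The map entries, uid table and function names are constructed assumptions, and the check does not establish the cause of the reported failure.

```python
import re

DEFAULT_MIN_DOMAIN_UID = 1000  # smb.conf default for "min domain uid"

def min_domain_uid(smb_conf):
    """Return 'min domain uid' from [global], or the default if unset."""
    section, value = None, DEFAULT_MIN_DOMAIN_UID
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names
            if "".join(key.lower().split()) == "mindomainuid":
                value = int(val.strip())
    return value

def parse_username_map(text):
    """Yield (unix_user, [client names]); a leading '!' means stop on match."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, names = line.split("=", 1)
        tokens = re.findall(r'"[^"]*"|\S+', names)  # names may be quoted
        yield unix.strip().lstrip("!").strip(), [t.strip('"') for t in tokens]

def blocked_mappings(smb_conf, user_map, uid_of):
    """Return (unix_user, uid, names) for map targets below the uid floor."""
    floor = min_domain_uid(smb_conf)
    hits = []
    for unix, names in parse_username_map(user_map):
        uid = uid_of(unix)  # e.g. lambda u: pwd.getpwnam(u).pw_uid on a host
        if uid is not None and uid < floor:
            hits.append((unix, uid, names))
    return hits

# Constructed sample data, not taken from the report.
SMB_CONF = "[global]\nsecurity = ADS\nusername map = /etc/samba/user.map\n"
USER_MAP = "!root = DOMAIN\\example-admin\nbackup = DOMAIN\\example-svc\n"
PASSWD = {"root": 0, "backup": 34001}

if __name__ == "__main__":
    for unix, uid, names in blocked_mappings(SMB_CONF, USER_MAP, PASSWD.get):
        print(f"{unix} (uid {uid}) is below min domain uid; mapped from {names}")
```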