Permission Denied for every share after upgrade to 2:4.7.6+dfsg~ubuntu-0ubuntu2.26
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
samba (Ubuntu) | Incomplete | Undecided | Ubuntu Security Team | | |
Bug Description
Our file shares on our samba server were working until last Tuesday, when an unattended upgrade upgraded Samba to 2:4.7.6+
Environment:
OS: Ubuntu 18.04.2 LTS
Kernel: 4.15.0-163-generic
#######
/etc/samba/smb.conf
[global]
workgroup = DOMAIN
realm = DOMAIN.AD.DOMAIN
server string = default
fruit:aapl = yes
log file = /var/log/
max log size = 5000
log level = 8
# Authentication
server role = standalone server
security = ADS
passdb backend = tdbsam
map to guest = bad user
interfaces = 10.100.0.100
hosts allow = 10.0.0.0/8
dns proxy = no
bind interfaces only = no
client signing = yes
client use spnego = yes
password server = *
encrypt passwords = yes
kerberos method = secrets and keytab
# Printers
# Don't load printers
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
include = /etc/samba/
#######
/etc/samba/
[Share_one]
comment = Share_one
path = /mnt/zpool1/
write list =
create mask = 744
directory mask = 755
guest ok = no
read only = no
browseable = yes
printable = no
writable = yes
inherit permissions = yes
inherit acls = yes
users = @"DOMAIN\group one", @"DOMAIN\group two"
force group =
vfs objects = catia fruit streams_xattr
fruit:resource = xattr
fruit:encoding = native
#######
/etc/krb5.conf
[libdefaults]
default_realm = AD.DOMAIN.COM
ticket_lifetime = 24h
renew_lifetime = 7d
[realms]
AD.DOMAIN.COM = {
kdc = "dc1.ad.domain.com"
admin_server = "dc1.ad.domain.com"
}
[domain_realm]
.ad.domain.com = AD.DOMAIN.COM
ad.domain.com = AD.DOMAIN.COM
[logging]
Default = FILE:/var/
#######
/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = AD.DOMAIN.COM
[domain/
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
[nss]
filter_users = user1,user2,
#######
Changes:
Start-Date: 2021-12-07 06:40:49
Commandline: /usr/bin/
Upgrade: python-samba:amd64 (2:4.7.
End-Date: 2021-12-07 06:41:02
Problem:
No Domain Users or Administrators are able to access any of the shares any longer. All we get when trying to access the drives from our Windows workstations is that we do not have permissions to access the drives.
Additionally from the logs, it looks like domain users and administrators authenticate successfully, so I can see that LDAP / AD Authentication is working. But users are just not able to access files / folders from their clients to the samba shares.
Hello David and thanks for this bug report. Version 2:4.7.6+dfsg~ubuntu-0ubuntu2.26 had a regression with the Kerberos authentication, which is fixed in version 2:4.7.6+dfsg~ubuntu-0ubuntu2.27:
----------------------------------------------------------------------
samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.27) bionic-security; urgency=medium
  * SECURITY REGRESSION: Kerberos authentication on standalone server in
    MIT realm broken
    - debian/patches/bug14922.patch: fix MIT Realm regression in
      source3/auth/user_krb5.c.
----------------------------------------------------------------------
Can you please try updating to this version and let us know if it fixes (or doesn't fix!) the issue you're facing? Thank you.
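Added example, not part of the bug report or the Ubuntu changelog: a parser for apt's `history.log` stanzas (the format of the "Changes:" block above) that lists every package upgrade and reports which packages are still sitting on the regressed build. The two version strings come from this page; the sample log, its dates, the older version and the function names are constructed for illustration.

```python
import re

REGRESSED = "2:4.7.6+dfsg~ubuntu-0ubuntu2.26"  # version named in the bug title
FIXED = "2:4.7.6+dfsg~ubuntu-0ubuntu2.27"      # version named in the changelog

# Constructed sample in apt history.log format (not the reporter's log):
# the second run upgrades only one of the two packages to the fixed build.
SAMPLE_LOG = """\
Start-Date: 2021-12-01  06:40:49
Commandline: /usr/bin/unattended-upgrade
Upgrade: python-samba:amd64 (2:4.7.6+dfsg~ubuntu-0ubuntu2.23, 2:4.7.6+dfsg~ubuntu-0ubuntu2.26), samba:amd64 (2:4.7.6+dfsg~ubuntu-0ubuntu2.23, 2:4.7.6+dfsg~ubuntu-0ubuntu2.26)
End-Date: 2021-12-01  06:41:02

Start-Date: 2021-12-09  06:12:10
Commandline: /usr/bin/unattended-upgrade
Upgrade: samba:amd64 (2:4.7.6+dfsg~ubuntu-0ubuntu2.26, 2:4.7.6+dfsg~ubuntu-0ubuntu2.27)
End-Date: 2021-12-09  06:12:31
"""

# One entry of an "Upgrade:" line: name:arch (old-version, new-version)
PKG_RE = re.compile(r"(?P<name>[^\s:,]+):\S+ \((?P<old>[^,()]+), (?P<new>[^()]+)\)")

def upgrades(log_text):
    """Return (start_date, package, old, new) for every logged package upgrade."""
    rows = []
    for stanza in re.split(r"\n\s*\n", log_text.strip()):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        for m in PKG_RE.finditer(fields.get("Upgrade", "")):
            rows.append((fields.get("Start-Date", "?"), m["name"],
                         m["old"].strip(), m["new"].strip()))
    return rows

def still_regressed(log_text):
    """Packages whose most recent logged upgrade left them on the regressed build."""
    latest = {}
    for _date, name, _old, new in upgrades(log_text):
        latest[name] = new  # stanzas are chronological, so the last one wins
    return sorted(n for n, v in latest.items() if v == REGRESSED)

if __name__ == "__main__":
    labels = {REGRESSED: "REGRESSED", FIXED: "fixed"}
    for date, name, old, new in upgrades(SAMPLE_LOG):
        if new in labels:
            print(f"{date}  {name}: {old} -> {new}  [{labels[new]}]")
    print("still on regressed build:", still_regressed(SAMPLE_LOG) or "none")
```

On a real host, pass the contents of `/var/log/apt/history.log` instead of `SAMPLE_LOG`; older transactions may be in rotated copies of that file.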