samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.26+ regression when not using winbind

Bug #1956635 reported by Kellen Renshaw
Affects: samba (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

The patches for CVE-2020-25717 appear to have introduced a functional regression in the Samba packages 2:4.7.6+dfsg~ubuntu-0ubuntu2.26 and greater.

After update (both to .26 and .27), the smbd service fails to authenticate users with the following message:
[2021/12/16 21:57:51.633034, 0] ../source3/auth/auth_generic.c:125(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS

Rolling back to 2:4.7.6+dfsg~ubuntu-0ubuntu2.24 or earlier restores functionality.

Inspecting the CVE patches, I noticed that the patches assume that winbind is required for *all* AD related modes. This is true in Samba 4.8+, but not on the 4.7 series. This causes failures in environments using something other than winbind, in the case I am looking at, SSSD.

I believe the most direct culprit is in the "CVE-2020-25717-26.patch" file in the packaging. Specifically, the following bit of patch:
   switch (wbc_err) {
- case WBC_ERR_WINBIND_NOT_AVAILABLE:
    case WBC_ERR_SUCCESS:
     break;
+ case WBC_ERR_WINBIND_NOT_AVAILABLE:
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ DBG_ERR("winbindd not running - "
+ "but required as domain member: %s\n",
+ nt_errstr(status));
+ goto done;
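Review bot: the new WBC_ERR_WINBIND_NOT_AVAILABLE case turns what was a silent fallthrough (it previously shared the `break` with WBC_ERR_SUCCESS) into a hard failure that sets NT_STATUS_NO_LOGON_SERVERS and jumps to `done`, so a 4.7 domain member that resolves users without winbindd (the SSSD setup in this report) stops authenticating after the update; if that is the intended consequence of the CVE fix, the package changelog should state plainly that winbind is now a hard requirement for domain members, and the DBG_ERR text would be more actionable if it named the remedy (start winbindd) alongside "but required as domain member".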

This is the error message encountered. The patch turns the condition of "no running winbind" into an error, when it wasn't one before. I am unsure if this is a hard requirement for the CVE to be corrected, and it appears that other changes in the kerberos PAC handling code may make restoration of the expected 4.7 behavior interesting.

I believe this is related to these other bugs that are similar:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954877
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342

Tags: sts

Kellen Renshaw (krenshaw) wrote:

Received this explanation:
CVE-2020-25717 is about samba performing a fallback from "DOMAIN\account" to
simply "account" and ignoring the domain part. This would allow users to take
advantage of the fallback to escalate privileges.

The only way to fix the issue is to remove the fallback, hence winbind is now
required after the security update is applied. While this was a soft requirement
in 4.8 and later versions, fixing the security issue changed it to a hard
requirement as the fallback is no longer available. While the soft requirement
was introduced in 4.8, if we want to fix the security issue in 4.7 in Bionic, we
unfortunately had to require winbind also.
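
To make that explanation concrete, the following is an added Python model (not Samba's code) of the name-mapping fallback that CVE-2020-25717 removed: with winbindd unavailable, the pre-fix mapper drops the domain part and matches a local account of the same bare name, while the post-fix mapper fails with NT_STATUS_NO_LOGON_SERVERS exactly as the hunk quoted in the report does. The domain name, account table and UIDs are constructed sample data; WBC_ERR_UNKNOWN_USER and NT_STATUS_NO_SUCH_USER are real Samba constants used here only as result labels.

```python
# Toy model of auth3-style principal mapping, before and after the
# CVE-2020-25717 fix. Not Samba code; all data below is constructed.

WBC_ERR_SUCCESS = "WBC_ERR_SUCCESS"
WBC_ERR_WINBIND_NOT_AVAILABLE = "WBC_ERR_WINBIND_NOT_AVAILABLE"
WBC_ERR_UNKNOWN_USER = "WBC_ERR_UNKNOWN_USER"

# Constructed: local Unix accounts, and the UIDs winbind allocates to domain
# accounts (domain users deliberately never collide with local ones).
LOCAL_PASSWD = {"root": 0, "alice": 1000}
WINBIND_MAP = {("EXAMPLE", "alice"): 10001, ("EXAMPLE", "root"): 10002}


def wbc_lookup(domain, account, winbind_running):
    """Stand-in for the libwbclient call; returns (wbc_err, uid)."""
    if not winbind_running:
        return WBC_ERR_WINBIND_NOT_AVAILABLE, None
    uid = WINBIND_MAP.get((domain, account))
    if uid is None:
        return WBC_ERR_UNKNOWN_USER, None
    return WBC_ERR_SUCCESS, uid


def map_principal_vulnerable(principal, winbind_running):
    """Pre-fix behaviour: when winbind is unavailable the domain part is
    ignored and the bare account name is looked up in the local passwd."""
    domain, account = principal.split("\\", 1)
    err, uid = wbc_lookup(domain, account, winbind_running)
    if err == WBC_ERR_SUCCESS:
        return "NT_STATUS_OK", uid
    if err == WBC_ERR_WINBIND_NOT_AVAILABLE:
        # The fallback: "EXAMPLE\root" silently becomes local "root" (uid 0).
        uid = LOCAL_PASSWD.get(account)
        if uid is not None:
            return "NT_STATUS_OK", uid
    return "NT_STATUS_NO_SUCH_USER", None


def map_principal_fixed(principal, winbind_running):
    """Post-fix behaviour (mirrors the quoted hunk): an unavailable winbind
    is a hard error with no local fallback, so the mapping fails closed."""
    domain, account = principal.split("\\", 1)
    err, uid = wbc_lookup(domain, account, winbind_running)
    if err == WBC_ERR_SUCCESS:
        return "NT_STATUS_OK", uid
    if err == WBC_ERR_WINBIND_NOT_AVAILABLE:
        return "NT_STATUS_NO_LOGON_SERVERS", None
    return "NT_STATUS_NO_SUCH_USER", None
```

The fixed mapper is also why the report's SSSD hosts fail: with no winbindd to answer, the only remaining outcome is NT_STATUS_NO_LOGON_SERVERS.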

Changed in samba (Ubuntu):
status: New → Won't Fix