samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.26+ regression when not using winbind
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
samba (Ubuntu) | Won't Fix | Undecided | Unassigned | |
Bug Description
The patches for CVE-2020-25717 appear to have introduced a functional regression in the Samba packages 2:4.7.6+
After update (both to .26 and .27), the smbd service fails to authenticate users with the following message:
[2021/12/16 21:57:51.633034, 0] ../source3/
auth3_generate_
Rolling back to 2:4.7.6+
Inspecting the CVE patches, I noticed that the patches assume that winbind is required for *all* AD-related modes. This is true in Samba 4.8+, but not on the 4.7 series. This causes failures in environments using something other than winbind; in the case I am looking at, SSSD.
I believe the most direct culprit is in the "CVE-2020-
switch (wbc_err) {
- case WBC_ERR_
case WBC_ERR_SUCCESS:
break;
+ case WBC_ERR_
+ status = NT_STATUS_
+ DBG_ERR("winbindd not running - "
+ "but required as domain member: %s\n",
+ nt_errstr(status));
+ goto done;
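Review bot: in the added case at the end of this hunk, the branch logs through DBG_ERR and then jumps to done, so a missing winbindd now fails the whole call, whereas the removed case label sat directly above case WBC_ERR_SUCCESS and shared its break. That is a behaviour change for domain members that resolve identities without winbindd, and the message "winbindd not running - but required as domain member" does not tell the administrator what to do next. Suggest wording the message so it states that winbindd must be installed and running on domain members, and recording the new hard requirement in the package's upgrade notes, so the failure can be diagnosed from the log alone.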
This is the error message encountered. The patch turns the condition of "no running winbind" into an error, when it wasn't one before. I am unsure if this is a hard requirement for the CVE to be corrected, and it appears that other changes in the Kerberos PAC handling code may make restoration of the expected 4.7 behavior interesting.
I believe this is related to these other bugs that are similar:
https:/
https:/
Received this explanation:
CVE-2020-25717 is about Samba performing a fallback from "DOMAIN\account" to
simply "account" and ignoring the domain part. This would allow users to take
advantage of the fallback to escalate privileges.
The only way to fix the issue is to remove the fallback, hence winbind is now
required after the security update is applied. While this was a soft requirement
in 4.8 and later versions, fixing the security issue changed it to a hard
requirement as the fallback is no longer available. While the soft requirement
was introduced in 4.8, if we want to fix the security issue in 4.7 in Bionic, we
unfortunately had to require winbind also.
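
The fallback described in the explanation above, and why removing it turns a missing winbind into an authentication failure, shown as an added example that is not part of the bug report or of Samba's source. It is a simplified model: every function name, the `domain_service_running` flag and the accounts are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the account mapping, NOT Samba source code.
 * Every function, variable and account name below is hypothetical. */
enum map_result { MAP_OK, MAP_DENIED };

/* Constructed sample data. */
static const char *local_accounts[]  = { "operator" };       /* local Unix users */
static const char *domain_accounts[] = { "EXAMPLE\\alice" }; /* known to the domain */
static int domain_service_running = 0; /* stands in for "winbindd is up" */

static const char *find(const char *name, const char **list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0) return list[i];
    return NULL;
}

/* Domain-qualified lookup; answers only while the domain service runs. */
static const char *domain_lookup(const char *qualified) {
    return domain_service_running ? find(qualified, domain_accounts, 1) : NULL;
}

/* Behaviour before the fix: when the qualified name does not resolve,
 * the domain part is ignored and the bare "account" is retried locally. */
enum map_result map_with_fallback(const char *qualified, const char **mapped) {
    const char *sep = strchr(qualified, '\\');
    *mapped = domain_lookup(qualified);
    if (*mapped == NULL)
        *mapped = find(sep ? sep + 1 : qualified, local_accounts, 1);
    return *mapped ? MAP_OK : MAP_DENIED;
}

/* Behaviour after the fix: no fallback, so the domain service is mandatory. */
enum map_result map_strict(const char *qualified, const char **mapped) {
    *mapped = domain_lookup(qualified);
    return *mapped ? MAP_OK : MAP_DENIED;
}

int main(void) {
    const char *names[] = { "EXAMPLE\\operator", "EXAMPLE\\alice" };
    for (int up = 0; up <= 1; up++) {
        domain_service_running = up;
        for (size_t i = 0; i < 2; i++) {
            const char *a, *b;
            int ra = map_with_fallback(names[i], &a), rb = map_strict(names[i], &b);
            printf("service=%d %-17s fallback=%s strict=%s\n", up, names[i],
                   ra == MAP_OK ? a : "DENIED", rb == MAP_OK ? b : "DENIED");
        }
    }
    return 0;
}
```

With the service flag off, the strict mapping denies even the legitimate domain user, which is the regression reported here for members that use SSSD instead of winbind.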