[Pkg-samba-maint] Bug#623190: 'map untrusted to domain' new default breaks backwards compatibility with clients outside of the server domain

Josip Rodin joy at debbugs.entuzijast.net
Mon Apr 18 08:36:10 UTC 2011


Package: samba
Version: 2:3.5.6~dfsg-3squeeze2

Hi,

I have several Samba servers running in a domain of their own that was
created so that they can all authenticate users from the same set of LDAP
back-end servers. Their clients, however, aren't part of that domain; they
don't even know about it. It's supposed to be a reasonably simple use
case...

A new global option "map untrusted to domain" was introduced between lenny
and squeeze, and its newly introduced default of "no" blithely broke the
existing behaviour of the above use case, with the manual page proclaiming
it "legacy".

I found this bug after a bunch of users started screaming at me "our valid
passwords are being rejected by the server", and most of the time I was
seeing exactly zero useful information in the log, even at auth log level
100. During the purported reauth attempts they didn't actually communicate
their username to the server again; the only log was something like:

[2011/04/14 12:44:09.035546,  5] auth/auth.c:467(make_auth_context_subsystem)
  Making default auth method list for security=domain
[2011/04/14 12:44:09.035579,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2011/04/14 12:44:09.035639,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2011/04/14 12:44:09.035666,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2011/04/14 12:44:09.035693,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2011/04/14 12:44:09.035719,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match winbind:ntdomain
[2011/04/14 12:44:09.035747,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match ntdomain
[2011/04/14 12:44:09.035774,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method ntdomain has a valid init
[2011/04/14 12:44:09.035800,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2011/04/14 12:44:09.035833,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module guest did not want to specify a challenge
[2011/04/14 12:44:09.035858,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module sam did not want to specify a challenge
[2011/04/14 12:44:09.035884,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module winbind did not want to specify a challenge
[2011/04/14 12:44:09.035917,  5] auth/auth.c:132(get_ntlm_challenge)
  auth_context challenge created by random
[2011/04/14 12:44:09.035943,  5] auth/auth.c:133(get_ntlm_challenge)
  challenge is: 

Please:

a) make the above messages less obfuscated - apparently the implication
   from the above sequence is that no modules wanted to have anything to do
   with the request, and the client was answered with something that in turn
   made no sense to them - it should be possible to detect that particular
   use case and make it explicit that our internal auth process basically
   failed and caused the user a problem

b) provide help for upgraders - add the line to the new default config
   file, note the problem in NEWS.Debian, ...

The damage to me and my users was already done :P but hopefully others
can still be saved from this trouble.

TIA.

-- 
     2. That which causes joy or happiness.
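An smb.conf fragment for the setup the report describes, added here as an illustration and not taken from the report or from the Debian package; the domain name, LDAP URL and suffix are placeholders.

```ini
[global]
   # Placeholder names: substitute the real domain and LDAP back-end
   workgroup = FILESRVDOM
   security = domain
   passdb backend = ldapsam:ldap://ldap.example.invalid
   ldap suffix = dc=example,dc=invalid

   # Squeeze's Samba defaults this to "no": a logon that arrives with a
   # domain name smbd does not know (e.g. a client's own machine or
   # workgroup name) is no longer rewritten to the server's own domain
   # before authentication, so the user is not looked up and the password
   # is rejected, which is the symptom in the report. "yes" restores the
   # lenny-era mapping. Caveat: every unknown domain name is then treated
   # as this server's domain, so enable it only where clients are expected
   # to come from outside the domain, as in the case above.
   map untrusted to domain = yes
```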