[Pkg-samba-maint] Bug#1001053: Configuration with non SMB (MIT-kerberos) broken after 4.13.13+dfsg-1~deb11u2 security patch
Jostein Fossheim
nightowl at vigilantes.no
Fri Dec 3 08:51:02 GMT 2021
Package: samba
Version: 4.13.13+dfsg-1~deb11u2
Hello,
My organisation are running an custom bulit LDAP/MIT-kerberos realm
(the KDCs are not runnning MIT-kerberos through Samba, just standalone
installations). For years have configured this KDCs to be used for two
important Debian (now running Bullseye) based file-servers. We are
both serving NFSv4 and Windows SMB clients. I resently upgraded the
servers with the lastest debian-security update with samba
(2:4.13.13+dfsg-1~deb11u2), and suddently all windows-clients reported
access denied while connecting to the samba servers.
I assume our troubles are related to this security issue:
https://www.samba.org/samba/security/CVE-2020-25719.html
Which is reffered to in the debian package:
https://tracker.debian.org/news/1279235/accepted-samba-241313dfsg-1deb11u2-source-into-proposed-updates-stable-new-proposed-updates/
I asume the problems is caused by our KDCs not issuing PACs while
issuing tickets.
Any advice on how to handle this issue? Either disable PAC-check on
the servers, do some configuration that stil will allow connections,
or configure our KDCs to inclued PACs in their tickers.
I am able to uinstall the secuirty patch on the servers for now, so at
least our users can maintain their workflow, but I realize this is a
short time soulution.
The servers' smb.conf:
[global]
workgroup = EXAMPLE.COM
server string = NAS server (samba)
server role = standalone server
security = user
realm = EXAMPLE.COM
encrypt passwords = yes
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
password server = example-kdc-server.example.com
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
map to guest = bad user
Log-file from the server:
[2021/12/03 08:47:46.876654, 2]
../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal
OID) failed: Miscellaneous failure (see text): Ticket have not
authorization data of type 128
[2021/12/03 08:47:46.876663, 3]
../../auth/gensec/gensec_util.c:73(gensec_generate_session_info_pac)
gensec_generate_session_info_pac: Unable to find PAC for
example_user at EXAMPLE.COM, resorting to local user lookup
[2021/12/03 08:47:46.876670, 3]
../../source3/auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [example_user at EXAMPLE.COM]
[2021/12/03 08:47:46.876684, 5]
../../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user EXAMPLE.COM\example_user
[2021/12/03 08:47:46.876690, 5]
../../source3/lib/username.c:120(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is EXAMPLE.COM\example_user
[2021/12/03 08:47:46.896429, 5]
../../source3/lib/username.c:127(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is EXAMPLE.COM\example_user
[2021/12/03 08:47:46.904156, 5]
../../source3/lib/username.c:140(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is EXAMPLE.COM\example_user
[2021/12/03 08:47:46.912256, 5]
../../source3/lib/username.c:152(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in EXAMPLE.COM\example_user
[2021/12/03 08:47:46.912297, 5]
../../source3/lib/username.c:158(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [EXAMPLE.COM\example_user]!
[2021/12/03 08:47:46.912312, 3]
../../source3/auth/user_krb5.c:123(get_user_from_kerberos_info)
get_user_from_kerberos_info: Username EXAMPLE.COM\example_user is
invalid on this system
[2021/12/03 08:47:46.912330, 3]
../../source3/auth/auth_generic.c:222(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Failed to map kerberos principal to
system user (NT_STATUS_LOGON_FAILURE)
Output from smbclient (with samba samba=2:4.13.13+dfsg-1~deb11u2)
smbclient -d 5 -k -L //example-file-server
sitename_fetch: No stored sitename for realm 'example_user at EXAMPLE.COM'
name example-file-server#20 found.
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 46080
SO_RCVBUF = 131072
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
TCP_USER_TIMEOUT = 0
session request ok
negotiated dialect[SMB3_11] against server[example-file-server]
cli_session_setup_spnego_send: Connect to example-file-server as
example_user at EXAMPLE.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
SPNEGO login failed: {Access Denied} A process has requested access to
an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED
Output from smbclient (with samba samba=2:4.13.5+dfsg-2)
smbclient -d 5 -k -L //example-file-server
sitename_fetch: No stored sitename for realm 'EXAMPLE.COM'
name example-file-server#20 found.
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 131072
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
TCP_USER_TIMEOUT = 0
session request ok
negotiated dialect[SMB3_11] against server[example-file-server]
cli_session_setup_spnego_send: Connect to example-file-server as
example_user at EXAMPLE.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
session setup ok
signed SMB2 message
tconx ok
Sharename Type Comment
--------- ---- -------
Bind RPC Pipe: host example-file-server auth_type 0, auth_level 1
rpc_api_pipe: host example-file-server
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host example-file-server
rpc_read_send: data_to_read: 568
share1 Disk 1TB (Jbod/disc grinder)
usbpool Disk USBs
share2 Disk 16TB (Raid5 in 5x4TB disks)
health-logs Disk Disk health logs
IPC$ IPC IPC Service (NAS server (samba))
SMB1 disabled -- no workgroup available
More information about the Pkg-samba-maint
mailing list