[Pkg-samba-maint] Bug#1002059: regression: 2:4.9.5+dfsg-5+deb10u2 breaks SID to UID conversion

McIntyre, Vincent (S&A, Marsfield) Vincent.Mcintyre at csiro.au
Tue Dec 21 06:23:17 GMT 2021


Package: samba
Version: 2:4.9.5+dfsg-5+deb10u2
Severity: important

I have a config that is not that common (below)
but it was mostly working until this update came out.
It's taken a while for this to be brought to my attention
and other tasks have intervened.

Working version was 2:4.9.5+dfsg-5+deb10u1

The user-visible impact was that shares they could connect to
before the upgrade, they could no longer connect to.
Reverting to the previous version restored access.

Immediately after upgrading this appeared in 'journalctl -u smbd'

Dec 01 03:59:25 myserv systemd[1]: smbd.service: Main process exited, code=killed, status=15/TERM
Dec 01 03:59:25 myserv systemd[1]: smbd.service: Succeeded.
Dec 01 03:59:25 myserv systemd[1]: Stopped Samba SMB Daemon.
Dec 01 03:59:25 myserv systemd[1]: Starting Samba SMB Daemon...
Dec 01 03:59:25 myserv smbd[31189]: [2021/12/01 03:59:25.822636,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Dec 01 03:59:25 myserv smbd[31189]:   daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Dec 01 03:59:25 myserv systemd[1]: Started Samba SMB Daemon.
Dec 01 04:07:03 myserv smbd[17175]: [2021/12/01 04:07:03.989409,  0] ../source3/auth/auth_util.c:1897(check_account)
Dec 01 04:07:03 myserv smbd[17175]:   check_account: Failed to convert SID <redacted>  to a UID (dom_user[<DOM>\<user>])
Dec 01 04:07:04 myserv smbd[17177]: [2021/12/01 04:07:04.014896,  0] ../source3/auth/auth_util.c:1897(check_account)
Dec 01 04:07:04 myserv smbd[17177]:   check_account: Failed to convert SID <redacted> to a UID (dom_user[<DOM>\<user>])
Dec 01 04:07:04 myserv smbd[17178]: [2021/12/01 04:07:04.037845,  0] ../source3/auth/auth_util.c:1897(check_account)

and so on.

This will probably have to go to the samba list,
but my main question is if you have any clues about
what was changed in the update that could cause such breakage?

Vince

Some basic tests

# wbinfo --own-domain   returns correct domain
# wbinfo -n <user>      returns correct SID
# wbinfo -R <rid>       returns correct username
# wbinfo -s <sid>       returns correct <domain>\<user>

Things that do not work
# wbinfo -r <domain>\\<user>     failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
                                 Could not get groups for user <domain>\<user>

# wbinfo -G <unix gid>           failed to call wbcGidToSid: WBC_ERR_DOMAIN_NOT_FOUND
                                 Could not convert gid <gid> to sid
# wbinfo --user-domgroups <sid>  failed to call wbcLookupUserSids: WBC_ERR_DOMAIN_NOT_FOUND
                                 Could not get user's domain groups for user SID <sid>



-- Package-specific info:
* /etc/samba/smb.conf present, see below
* /var/lib/samba/dhcp.conf present, see below

-- System Information:
Debian Release: 10.11
  APT prefers oldstable
  APT policy: (990, 'oldstable'), (500, 'oldstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-12-amd64 (SMP w/20 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba depends on:
ii  adduser           3.118
ii  dpkg              1.19.7
ii  libbsd0           0.9.1-2+deb10u1
ii  libc6             2.28-10
ii  libldb1           2:1.5.1+really1.4.6-3+deb10u1
ii  libpam-modules    1.3.1-5
ii  libpam-runtime    1.3.1-5
ii  libpopt0          1.16-12
ii  libpython2.7      2.7.16-2+deb10u1
ii  libtalloc2        2.1.14-2
ii  libtdb1           1.3.16-2+b1
ii  libtevent0        0.9.37-1
ii  lsb-base          10.2019051400
ii  procps            2:3.3.15-2
ii  python            2.7.16-1
ii  python-dnspython  1.16.0-1+deb10u1
ii  python-samba      2:4.9.5+dfsg-5+deb10u2
ii  python2.7         2.7.16-2+deb10u1
ii  samba-common      2:4.9.5+dfsg-5+deb10u2
ii  samba-common-bin  2:4.9.5+dfsg-5+deb10u2
ii  samba-libs        2:4.9.5+dfsg-5+deb10u2
ii  tdb-tools         1.3.16-2+b1

Versions of packages samba recommends:
pn  attr                <none>
ii  logrotate           3.14.0-4
ii  samba-dsdb-modules  2:4.9.5+dfsg-5+deb10u2
pn  samba-vfs-modules   <none>

Versions of packages samba suggests:
pn  bind9          <none>
pn  bind9utils     <none>
pn  ctdb           <none>
pn  ldb-tools      <none>
ii  ntp            1:4.2.8p12+dfsg-4
pn  smbldap-tools  <none>
pn  ufw            <none>
ii  winbind        2:4.9.5+dfsg-5+deb10u2

-- no debconf information

smb.conf ----------------------------------------------------------------
[global]
    workgroup = <DOMAIN>

    # "global.conf" should be the first include in the list
    # for the global parameters to be set.
    include = /etc/samba/global.conf
    include = /etc/samba/winbind.conf

# These have their own [section] headers within them.
include = /etc/samba/shares.conf

include = /etc/samba/printers.conf

global.conf --------------------------------------------------------------
   workgroup = <DOMAIN>
   realm = <dns domain>

   server string = Local %h UNIX Server (Samba %v)

   wins server = <ip address> \
                 <ip address> \
                 <ip address>
   dns proxy = no

   name resolve order = host wins

   hosts allow = 127.0.0.1 <server ip> \
                  <CIDR subnet address> \
                  <CIDR subnet address> \
                  <CIDR subnet address>

   log file = /var/log/samba/log.%m

   max log size = 1000

   panic action = /usr/share/samba/panic-action %d


   security = domain
   server role = auto

   encrypt passwords = yes

   passdb backend = tdbsam

   obey pam restrictions = no

   unix password sync = no

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = no

   domain logons = no
   ntlm auth = no

# We use cups-lpd
   print command = /usr/bin/lpr -h -r -P%p %s
   lpq   command = /usr/bin/lpq       -P%p
   lprm  command = /usr/bin/lprm      -P%p %j
   lpq cache time = 20

   printing = cups
   printcap name = cups

   domain master = no
   preferred master = no
   local master = yes
   os level = 4

   time server = no

   deadtime = 10

   server min protocol = SMB2_10
   client min protocol = SMB2_10
   client max protocol = SMB3_11

   browseable     = yes

   case sensitive = no
   preserve case  = yes

   strict sync    = no
   sync always    = no

   locking        = yes
   strict locking = no
   blocking locks = no
   kernel oplocks = yes

   create mask    = 0600
   directory mask = 0700

shares.conf ---------------------------------------------------------

[someshare]
    path                 = /path/to/someplace
    browseable           = yes
    guest ok             = no
    read only            = no
    valid users          = <comma-separated,list,of,users>
    create mask          = 0664
    force create mode    = 0664
    directory mask       = 2775
    force directory mode = 2775

[othershare]
    comment              = files for something else
    path                 = /path/to/that/otherplace
    browseable           = yes
    guest ok             = no
    read only            = no
    valid users          = <comma-separated,list,of,users>
    read list            = <comma-separated,list,of,users>
    write list           = <comma-separated,list,of,users>
    force group          = <some unix group>
    create mask          = 0664
    force create mode    = 0664
    directory mask       = 2775
    force directory mode = 2775

printers.conf -------------------------------------------------------

; everything commented out

winbind.conf --------------------------------------------------------

; great care is taken to ensure linux & windows usernames and UIDs match.
; I don't care if this config does not work with UIDs outside this range.

idmap config <domain> : backend = rid
idmap config <domain> : range   = 65536 - 1999999
winbind cache time           = 86400
idmap cache time             = 86400
idmap negative cache time    = 1

winbind:ignore domains = <THISDOM>, <THATDOM>
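
A triage sketch for the log excerpt above, added here and not part of the original report or of Samba: it groups the check_account failures by account and applies the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID with the range from the winbind.conf above, showing which UID each SID would be expected to map to. The sample SIDs and account names are constructed, and base_rid is assumed to be at its default of 0.

```python
import re

# Range from the winbind.conf above; base_rid is assumed to be the default 0.
LOW, HIGH, BASE_RID = 65536, 1999999, 0

FAIL = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ smbd\[\d+\]:\s+check_account: "
                  r"Failed to convert SID\s+(\S+)\s+to a UID \(dom_user\[(.+?)\]\)")

# Constructed journal lines in the report's format (SIDs and accounts invented).
SAMPLE = r"""
Dec 01 03:59:25 myserv systemd[1]: Started Samba SMB Daemon.
Dec 01 04:07:03 myserv smbd[17175]: [2021/12/01 04:07:03.989409,  0] ../source3/auth/auth_util.c:1897(check_account)
Dec 01 04:07:03 myserv smbd[17175]:   check_account: Failed to convert SID S-1-5-21-111-222-333-1105  to a UID (dom_user[EXAMPLE\alice])
Dec 01 04:07:04 myserv smbd[17177]: [2021/12/01 04:07:04.014896,  0] ../source3/auth/auth_util.c:1897(check_account)
Dec 01 04:07:04 myserv smbd[17177]:   check_account: Failed to convert SID S-1-5-21-111-222-333-1105 to a UID (dom_user[EXAMPLE\alice])
Dec 01 04:09:40 myserv smbd[17201]:   check_account: Failed to convert SID S-1-5-21-111-222-333-2500000 to a UID (dom_user[EXAMPLE\svc-scan])
""".strip().splitlines()


def rid_to_uid(sid):
    """idmap_rid mapping; None if the SID is redacted or maps outside the range."""
    tail = sid.rsplit("-", 1)[-1]
    if not tail.isdigit():
        return None
    uid = int(tail) - BASE_RID + LOW
    return uid if LOW <= uid <= HIGH else None


def summarise(lines):
    """Group check_account failures by account: SID, first-seen time, count."""
    seen = {}
    for line in lines:
        m = FAIL.match(line)
        if not m:
            continue
        when, sid, account = m.groups()
        rec = seen.setdefault(account, {"sid": sid, "first": when, "count": 0,
                                        "expected_uid": rid_to_uid(sid)})
        rec["count"] += 1
    return seen


if __name__ == "__main__":
    for account, rec in summarise(SAMPLE).items():
        print(f'{account}: {rec["count"]} failure(s), first at {rec["first"]}, '
              f'{rec["sid"]} -> expected UID {rec["expected_uid"]}')
```

An account whose expected UID is inside the range but still fails conversion is not failing because of the idmap range, which narrows the search to the domain lookup path.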

