[Pkg-samba-maint] Bug#1002059: regression: 2:4.9.5+dfsg-5+deb10u2 breaks SID to UID conversion
McIntyre, Vincent (S&A, Marsfield)
Vincent.Mcintyre at csiro.au
Tue Dec 21 06:23:17 GMT 2021
Package: samba
Version: 2:4.9.5+dfsg-5+deb10u2
Severity: important
I have a config that is not that common (below)
but it was mostly working until this update came out.
It's taken a while for this to be brought to my attention
and other tasks have intervened.
Working version was 2:4.9.5+dfsg-5+deb10u1
The user-visible impact was that shares they could connect to
before the upgrade, they could no longer connect to.
Reverting to the previous version restored access.
Immediately after upgrading this appeared in 'journalctl -u smbd'
Dec 01 03:59:25 myserv systemd[1]: smbd.service: Main process exited, code=killed, status=15/TERM
Dec 01 03:59:25 myserv systemd[1]: smbd.service: Succeeded.
Dec 01 03:59:25 myserv systemd[1]: Stopped Samba SMB Daemon.
Dec 01 03:59:25 myserv systemd[1]: Starting Samba SMB Daemon...
Dec 01 03:59:25 myserv smbd[31189]: [2021/12/01 03:59:25.822636, 0] ../lib/util/become_daemon.c:138(daemon_ready)
Dec 01 03:59:25 myserv smbd[31189]: daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Dec 01 03:59:25 myserv systemd[1]: Started Samba SMB Daemon.
Dec 01 04:07:03 myserv smbd[17175]: [2021/12/01 04:07:03.989409, 0] ../source3/auth/auth_util.c:1897(check_account)
Dec 01 04:07:03 myserv smbd[17175]: check_account: Failed to convert SID <redacted> to a UID (dom_user[<DOM>\<user>])
Dec 01 04:07:04 myserv smbd[17177]: [2021/12/01 04:07:04.014896, 0] ../source3/auth/auth_util.c:1897(check_account)
Dec 01 04:07:04 myserv smbd[17177]: check_account: Failed to convert SID <redacted> to a UID (dom_user[<DOM>\<user>])
Dec 01 04:07:04 myserv smbd[17178]: [2021/12/01 04:07:04.037845, 0] ../source3/auth/auth_util.c:1897(check_account)
and so on.
This will probably have to go to the samba list,
but my main question is if you have any clues about
what was changed in the update that could cause such breakage?
Vince
Some basic tests
# wbinfo --own-domain returns correct domain
# wbinfo -n <user> returns correct SID
# wbinfo -R <rid> returns correct username
# wbinfo -s <sid> returns correct <domain>\<user>
Things that do not work
# wbinfo -r <domain>\\<user>
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user <domain>\<user>
# wbinfo -G <unix gid>
failed to call wbcGidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert gid <gid> to sid
# wbinfo --user-domgroups <sid>
failed to call wbcLookupUserSids: WBC_ERR_DOMAIN_NOT_FOUND
Could not get user's domain groups for user SID <sid>
-- Package-specific info:
* /etc/samba/smb.conf present, see below
* /var/lib/samba/dhcp.conf present, see below
-- System Information:
Debian Release: 10.11
APT prefers oldstable
APT policy: (990, 'oldstable'), (500, 'oldstable-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-12-amd64 (SMP w/20 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages samba depends on:
ii adduser 3.118
ii dpkg 1.19.7
ii libbsd0 0.9.1-2+deb10u1
ii libc6 2.28-10
ii libldb1 2:1.5.1+really1.4.6-3+deb10u1
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpopt0 1.16-12
ii libpython2.7 2.7.16-2+deb10u1
ii libtalloc2 2.1.14-2
ii libtdb1 1.3.16-2+b1
ii libtevent0 0.9.37-1
ii lsb-base 10.2019051400
ii procps 2:3.3.15-2
ii python 2.7.16-1
ii python-dnspython 1.16.0-1+deb10u1
ii python-samba 2:4.9.5+dfsg-5+deb10u2
ii python2.7 2.7.16-2+deb10u1
ii samba-common 2:4.9.5+dfsg-5+deb10u2
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u2
ii samba-libs 2:4.9.5+dfsg-5+deb10u2
ii tdb-tools 1.3.16-2+b1
Versions of packages samba recommends:
pn attr <none>
ii logrotate 3.14.0-4
ii samba-dsdb-modules 2:4.9.5+dfsg-5+deb10u2
pn samba-vfs-modules <none>
Versions of packages samba suggests:
pn bind9 <none>
pn bind9utils <none>
pn ctdb <none>
pn ldb-tools <none>
ii ntp 1:4.2.8p12+dfsg-4
pn smbldap-tools <none>
pn ufw <none>
ii winbind 2:4.9.5+dfsg-5+deb10u2
-- no debconf information
smb.conf ----------------------------------------------------------------
[global]
workgroup = <DOMAIN>
# "global.conf" should be the first include in the list
# for the global parameters to be set.
include = /etc/samba/global.conf
include = /etc/samba/winbind.conf
# These have their own [section] headers within them.
include = /etc/samba/shares.conf
include = /etc/samba/printers.conf
global.conf --------------------------------------------------------------
workgroup = <DOMAIN>
realm = <dns domain>
server string = Local %h UNIX Server (Samba %v)
wins server = <ip address> \
<ip address> \
<ip address>
dns proxy = no
name resolve order = host wins
hosts allow = 127.0.0.1 <server ip> \
<CIDR subnet address> \
<CIDR subnet address> \
<CIDR subnet address>
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
security = domain
server role = auto
encrypt passwords = yes
passdb backend = tdbsam
obey pam restrictions = no
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = no
domain logons = no
ntlm auth = no
# We use cups-lpd
print command = /usr/bin/lpr -h -r -P%p %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
lpq cache time = 20
printing = cups
printcap name = cups
domain master = no
preferred master = no
local master = yes
os level = 4
time server = no
deadtime = 10
server min protocol = SMB2_10
client min protocol = SMB2_10
client max protocol = SMB3_11
browseable = yes
case sensitive = no
preserve case = yes
strict sync = no
sync always = no
locking = yes
strict locking = no
blocking locks = no
kernel oplocks = yes
create mask = 0600
directory mask = 0700
shares.conf ---------------------------------------------------------
[someshare]
path = /path/to/someplace
browseable = yes
guest ok = no
read only = no
valid users = <comma-separated,list,of,users>
create mask = 0664
force create mode = 0664
directory mask = 2775
force directory mode = 2775
[othershare]
comment = files for something else
path = /path/to/that/otherplace
browseable = yes
guest ok = no
read only = no
valid users = <comma-separated,list,of,users>
read list = <comma-separated,list,of,users>
write list = <comma-separated,list,of,users>
force group = <some unix group>
create mask = 0664
force create mode = 0664
directory mask = 2775
force directory mode = 2775
printers.conf -------------------------------------------------------
; everything commented out
winbind.conf --------------------------------------------------------
; great care is taken to ensure linux & windows usernames and UIDs match.
; I don't care if this config does not work with UIDs outside this range.
idmap config <domain> : backend = rid
idmap config <domain> : range = 65536 - 1999999
winbind cache time = 86400
idmap cache time = 86400
idmap negative cache time = 1
winbind:ignore domains = <THISDOM>, <THATDOM>
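
Added example (not part of the original report, and not Samba code): a triage helper that pulls the failing SIDs out of check_account log lines like those above and computes the UID the rid backend would be expected to produce for the range in winbind.conf, so an out-of-range RID can be ruled in or out. The domain name, user names and SIDs in the sample are constructed, and base_rid is assumed to be the idmap_rid default of 0.

```python
import re
from collections import Counter

# Range taken from the winbind.conf in the report; BASE_RID = 0 is the
# idmap_rid default and is an assumption (the report does not set base_rid).
RANGE_LOW, RANGE_HIGH, BASE_RID = 65536, 1999999, 0

# Matches the message line smbd logs from check_account(); the preceding
# "[timestamp, level] file:line(function)" header line is ignored.
FAIL_RE = re.compile(
    r"smbd\[(?P<pid>\d+)\]: check_account: Failed to convert SID "
    r"(?P<sid>S-[\d-]+) to a UID \(dom_user\[(?P<user>[^\]]+)\]\)"
)

def rid_to_uid(sid):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside the configured range."""
    rid = int(sid.rsplit("-", 1)[1])
    uid = rid - BASE_RID + RANGE_LOW
    return uid if RANGE_LOW <= uid <= RANGE_HIGH else None

def triage(lines):
    """Return {(user, sid): (failure_count, expected_uid_or_None)}."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[(m["user"], m["sid"])] += 1
    return {key: (n, rid_to_uid(key[1])) for key, n in counts.items()}

# Constructed sample lines in the journal format shown in the report.
SID_A = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SID_B = "S-1-5-21-1111111111-2222222222-3333333333-2500000"
SAMPLE = [
    r"Dec 01 04:07:03 myserv smbd[17175]: [2021/12/01 04:07:03.989409, 0] "
    r"../source3/auth/auth_util.c:1897(check_account)",
    rf"Dec 01 04:07:03 myserv smbd[17175]: check_account: Failed to convert "
    rf"SID {SID_A} to a UID (dom_user[EXAMPLE\alice])",
    rf"Dec 01 04:07:04 myserv smbd[17177]: check_account: Failed to convert "
    rf"SID {SID_A} to a UID (dom_user[EXAMPLE\alice])",
    rf"Dec 01 04:07:09 myserv smbd[17180]: check_account: Failed to convert "
    rf"SID {SID_B} to a UID (dom_user[EXAMPLE\bob])",
]

if __name__ == "__main__":
    for (user, sid), (n, uid) in triage(SAMPLE).items():
        print(f"{user}: {n} failure(s), RID maps to UID {uid}")
```

A failing SID whose expected UID is inside the range points away from the range setting itself; one that yields None is simply not mappable with this configuration.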