[Pkg-samba-maint] Bug#1002059: regression: 2:4.9.5+dfsg-5+deb10u2 breaks SID to UID conversion

McIntyre, Vincent (S&A, Marsfield) Vincent.Mcintyre at csiro.au
Tue Feb 8 00:54:18 GMT 2022


One more followup.

I looked into migrating my samba machines to bullseye.
The config I had on buster works but with one change required.
On bullseye machines I need to add this to the configuration

  username map script = /etc/samba/usermap.sh

The usermap.sh works similarly to the script pasted in this bug:

   https://bugzilla.samba.org/show_bug.cgi?id=14901

ie it converts a 'DOMAIN\someuser' string to 'someuser',
depending on whether DOMAIN is an expected value or not.
This is not required on buster, more on that below.

With the usermap script turned off I get this behaviour:

 linux$ smbclient //bullseye/someshare
 Unable to initialize messaging context
 Enter DOMAIN\someuser's password:
 Anonymous login successful
 tree connect failed: NT_STATUS_ACCESS_DENIED

 linux$ smbclient -U someuser //bullseye/someshare
 Unable to initialize messaging context
 Enter DOMAIN\someuser's password:
 session setup failed: NT_STATUS_LOGON_FAILURE

 linux$ smbclient -U DOMAIN\\someuser //bullseye/someshare
 Unable to initialize messaging context
 Enter DOMAIN\someuser's password:
 session setup failed: NT_STATUS_LOGON_FAILURE


 cmd> net use y: \\bullseye\someshare /user:someuser <pass>
 System error 86 has occurred
 The specified network password is not correct.

 cmd> net use y: \\bullseye\someshare /user:DOMAIN\someuser <pass>
 System error 86 has occurred
 The specified network password is not correct.

With the usermap script turned on, the above tests work fine.


The upstream patch that makes the new log output I saw is here
  https://gitlab.com/samba-team/samba/-/commit/0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e
Upstream merged it here
  https://gitlab.com/samba-team/samba/-/merge_requests/2253/diffs?commit_id=2901af811a9b58a23178a9b5b23101c7e40b2cc4#4e051b3c8fb609985df5c571fff0f3c69ecb396a

However the buster version has this change in it, while bullseye does not.

$ git remote -v
origin  https://salsa.debian.org/samba-team/samba.git (fetch)
origin  https://salsa.debian.org/samba-team/samba.git (push)

$ git diff buster-security bullseye-security -- source3/auth/auth_util.c

... skip over a bunch of other changes ...

@@ -1881,32 +1898,7 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain
,
                return NT_STATUS_NO_MEMORY;
        }
 
-       passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
-       if (!passwd && !*username_was_mapped) {
-               struct dom_sid_buf buf;
-               uid_t uid;
-               bool ok;
-
-               DBG_DEBUG("Failed to find authenticated user %s via "
-                         "getpwnam(), fallback to sid_to_uid(%s).\n",
-                         dom_user, dom_sid_str_buf(sid, &buf));
-
-               ok = sid_to_uid(sid, &uid);
-               if (!ok) {
-                       DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n",
-                               dom_sid_str_buf(sid, &buf), dom_user);
-                       return NT_STATUS_NO_SUCH_USER;
-               }
-               passwd = getpwuid_alloc(mem_ctx, uid);
-               if (!passwd) {
-                       DBG_ERR("Failed to find local account with UID %lld for SID %s (dom_user[%s])\n",
-                               (long long)uid,
-                               dom_sid_str_buf(sid, &buf),
-                               dom_user);
-                       return NT_STATUS_NO_SUCH_USER;
-               }
-               real_username = talloc_strdup(mem_ctx, passwd->pw_name);
-       }
+       passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true );
        if (!passwd) {
                DEBUG(3, ("Failed to find authenticated user %s via "
                          "getpwnam(), denying access.\n", dom_user));

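Review bot: On the + line, a failed smb_getpwnam() now drops straight into the `if (!passwd)` branch, which logs only at DEBUG(3), whereas the removed block reported the SID and dom_user via DBG_ERR before returning NT_STATUS_NO_SUCH_USER. Consider keeping an error-level message in the denial path so a failed lookup can be diagnosed without raising the log level, and add a comment explaining why the last argument changes from `false` to `true`, since the bare boolean does not say what it enables. The space in `true );` is a stray style nit.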

I'm not sure why the difference. Neither the upstream_4.13 nor
upstream_4.9 branches seem to have the patch (now) but seem to have
other changes that have similar effect.

None of this is intended as a complaint of any kind, just observations
in case someone else hits this problem.

Kind regards
Vince
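
An added sketch of a `username map script` of the kind described in the message above; it is not the poster's usermap.sh nor the script attached to the Samba bug. The `DOMAIN` placeholder, the case-insensitive domain comparison, the account-name character allowlist and the pass-through of unmatched names are all assumptions.

```shell
#!/bin/sh
# Added example: strip an expected domain prefix from a client-supplied name.
# The argument is attacker-controlled, so it is never evaluated or expanded
# unquoted, and only a conservative character set is accepted for mapping.
LC_ALL=C; export LC_ALL      # keep [A-Z] style ranges ASCII-only
EXPECTED_DOMAIN="DOMAIN"     # placeholder, same name as used in the post

# map_user NAME: print the name Samba should continue with.
map_user() {
    name=$1
    case $name in
        *\\*)
            domain=${name%%\\*}   # text before the first backslash
            user=${name#*\\}      # text after the first backslash
            ;;
        *)
            printf '%s\n' "$name" # no domain prefix: pass through
            return 0
            ;;
    esac

    # Assumption: domain names are compared case-insensitively.
    domain_uc=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    if [ "$domain_uc" != "$EXPECTED_DOMAIN" ]; then
        printf '%s\n' "$name"     # unexpected domain: leave untouched
        return 0
    fi

    # Map only when the remainder looks like a plain account name
    # (assumed allowlist; rejects empty names, leading '-', extra '\').
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) printf '%s\n' "$name" ;;
        *)                       printf '%s\n' "$user" ;;
    esac
}

# Samba runs the script with the transmitted user name as its one argument
# and reads the mapped name from the first line of standard output.
if [ "$#" -eq 1 ]; then
    map_user "$1"
fi
```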

