[Pkg-samba-maint] Bug#1002059: Regression: 2:4.13.13+dfsg-1~deb11u2 results in "Failed to find authenticated user" vs "Finding user" using "security=ADS" and "server role = member server"
Jeffrey Hundstad
jeffrey.hundstad at mnsu.edu
Fri Jan 28 22:19:34 GMT 2022
Package: samba
Version: 2:4.13.13+dfsg-1~deb11u2
Followup-For: Bug #1002059
X-Debbugs-Cc: team at security.debian.org
A security update https://security-tracker.debian.org/tracker/CVE-2020-25717 first reported
on 30 Nov 2021 - https://www.debian.org/security/2021/dsa-5015
Before this my config on buster worked, and after the update there is a regression
that required me to revert the update.
I've since simplified my /etc/samba/smb.conf and replicated the regression on:
- bullseye,
- bookworm, and
- sid (2022-01-28 3:00 PM).
The smb.conf file is:
---start---
# Global parameters
[global]
realm = CAMPUS.MNSU.EDU
security = ADS
server role = member server
server string = 'LOCALTEST'
workgroup = CAMPUS
log level = 9
[homes]
---end---
I use this system to allow Windows machines to connect to shares on THIS SERVER to connect
to shares using their A/D passwords. This has been working for years. Since the update
the shares will not mount from the remote Windows (or Linux) clients. A revert of the
Samba packages does allow for continued operations.
Apt lines for bullseye, for my testing of a good system were:
deb http://snapshot.debian.org/archive/debian/20211101T024700Z/ bullseye main
deb http://snapshot.debian.org/archive/debian-security/20211130T230247Z/ bullseye/updates main
When doing a comparison of the log files at the time of a failed vs successful mount this
is the change (below). I do have complete log files for these, but there is a lot of
semi-private data in those logs, and I'd like to keep that off the public forum.
Working | Broken
[2022/01/28 15:02:11.190023, 5] ../../source3/lib/username.c:127(Get_Pwnam_inter| [2022/01/28 15:07:10.735394, 5] ../../source3/lib/username.c:127(Get_Pwnam_inte
Trying _Get_Pwnam(), username as given is CAMPUS\aq5097xt | Trying _Get_Pwnam(), username as given is CAMPUS\aq5097xt
[2022/01/28 15:02:11.190041, 5] ../../source3/lib/username.c:140(Get_Pwnam_inter| [2022/01/28 15:07:10.735412, 5] ../../source3/lib/username.c:140(Get_Pwnam_inte
Trying _Get_Pwnam(), username as uppercase is CAMPUS\AQ5097XT | Trying _Get_Pwnam(), username as uppercase is CAMPUS\AQ5097XT
[2022/01/28 15:02:11.190058, 5] ../../source3/lib/username.c:152(Get_Pwnam_inter| [2022/01/28 15:07:10.735428, 5] ../../source3/lib/username.c:152(Get_Pwnam_inte
Checking combinations of 0 uppercase letters in campus\aq5097xt | Checking combinations of 0 uppercase letters in campus\aq5097xt
[2022/01/28 15:02:11.190066, 5] ../../source3/lib/username.c:158(Get_Pwnam_inter| [2022/01/28 15:07:10.735435, 5] ../../source3/lib/username.c:158(Get_Pwnam_inte
Get_Pwnam_internals didn't find user [CAMPUS\aq5097xt]! | Get_Pwnam_internals didn't find user [CAMPUS\aq5097xt]!
[2022/01/28 15:02:11.190075, 5] ../../source3/lib/username.c:181(Get_Pwnam_alloc| [2022/01/28 15:07:10.735444, 3] ../../source3/auth/auth_util.c:1901(check_accou
Finding user aq5097xt | Failed to find authenticated user CAMPUS\aq5097xt via getpwnam(), denying acce
[2022/01/28 15:02:11.190081, 5] ../../source3/lib/username.c:120(Get_Pwnam_inter| [2022/01/28 15:07:10.735453, 5] ../../source3/auth/auth.c:258(auth_check_ntlm_p
Trying _Get_Pwnam(), username as lowercase is aq5097xt | auth_check_ntlm_password: winbind authentication for user [aq5097xt] FAILED wi
[2022/01/28 15:02:11.190098, 5] ../../source3/lib/username.c:158(Get_Pwnam_inter| [2022/01/28 15:07:10.735469, 2] ../../source3/auth/auth.c:344(auth_check_ntlm_p
Get_Pwnam_internals did find user [aq5097xt]! | check_ntlm_password: Authentication for user [aq5097xt] -> [aq5097xt] FAILED
[2022/01/28 15:02:11.190114, 3] ../../source3/auth/auth.c:267(auth_check_ntlm_pa| [2022/01/28 15:07:10.735487, 2] ../../auth/auth_log.c:635(log_authentication_ev
auth_check_ntlm_password: winbind authentication for user [aq5097xt] succeeded | Auth: [SMB2,(null)] user [campus]\[aq5097xt] at [Fri, 28 Jan 2022 15:07:10.735
[2022/01/28 15:02:11.190127, 4] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx) | {"timestamp": "2022-01-28T15:07:10.735531-0600", "type": "Authentication", "Au
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 | [2022/01/28 15:07:10.735567, 5] ../../source3/auth/auth_ntlmssp.c:210(auth3_che
[2022/01/28 15:02:11.190135, 4] ../../source3/smbd/uid.c:561(push_conn_ctx) | auth3_check_password_send: Checking NTLMSSP password for campus\aq5097xt faile
push_conn_ctx(0) : conn_ctx_stack_ndx = 1 | [2022/01/28 15:07:10.735587, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
[2022/01/28 15:02:11.190142, 4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_int| --------------------------------------------------------------------------------
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 | --------------------------------------------------------------------------------
[2022/01/28 15:02:11.190149, 5] ../../libcli/security/security_token.c:52(securi| --------------------------------------------------------------------------------
Security token: (NULL) | --------------------------------------------------------------------------------
[2022/01/28 15:02:11.190156, 5] ../../source3/auth/token_util.c:873(debug_unix_u| --------------------------------------------------------------------------------
UNIX token of user 0 | --------------------------------------------------------------------------------
Primary group is 0 and contains 0 supplementary groups | --------------------------------------------------------------------------------
[2022/01/28 15:02:11.190175, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx) | --------------------------------------------------------------------------------
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 | --------------------------------------------------------------------------------
[2022/01/28 15:02:11.190183, 5] ../../source3/auth/auth.c:294(auth_check_ntlm_pa| --------------------------------------------------------------------------------
check_ntlm_password: PAM Account for user [aq5097xt] succeeded | --------------------------------------------------------------------------------
[2022/01/28 15:02:11.190206, 3] ../../auth/auth_log.c:635(log_authentication_eve| --------------------------------------------------------------------------------
Auth: [SMB2,(null)] user [campus]\[aq5097xt] at [Fri, 28 Jan 2022 15:02:11.1901| --------------------------------------------------------------------------------
{"timestamp": "2022-01-28T15:02:11.190268-0600", "type": "Authentication", "Aut| --------------------------------------------------------------------------------
[2022/01/28 15:02:11.190294, 2] ../../source3/auth/auth.c:323(auth_check_ntlm_pa| --------------------------------------------------------------------------------
check_ntlm_password: authentication for user [aq5097xt] -> [aq5097xt] -> [aq50| --------------------------------------------------------------------------------
I have good and broken versions as qemu virts that are test instances.
I'm happy to test any crazy theory. :)
-- Package-specific info:
* /etc/samba/smb.conf present, and attached
* /var/lib/samba/dhcp.conf present, and attached
-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-11-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages samba depends on:
ii adduser 3.118
ii dpkg 1.20.9
ii init-system-helpers 1.60
ii libbsd0 0.11.3-1
ii libc6 2.31-13+deb11u2
ii libgnutls30 3.7.1-5
ii libldb2 2:2.2.3-2~deb11u1
ii libpam-modules 1.4.0-9+deb11u1
ii libpam-runtime 1.4.0-9+deb11u1
ii libpopt0 1.18-2
ii libpython3.9 3.9.2-1
ii libtalloc2 2.3.1-2+b1
ii libtasn1-6 4.16.0-2
ii libtdb1 1.4.3-1+b1
ii libtevent0 0.10.2-1
ii libwbclient0 2:4.13.13+dfsg-1~deb11u2
ii lsb-base 11.1.0
ii procps 2:3.3.17-5
ii python3 3.9.2-3
ii python3-dnspython 2.0.0-1
ii python3-samba 2:4.13.13+dfsg-1~deb11u2
ii samba-common 2:4.13.13+dfsg-1~deb11u2
ii samba-common-bin 2:4.13.13+dfsg-1~deb11u2
ii samba-libs 2:4.13.13+dfsg-1~deb11u2
ii tdb-tools 1.4.3-1+b1
Versions of packages samba recommends:
ii attr 1:2.4.48-6
ii logrotate 3.18.0-2
ii python3-markdown 3.3.4-1
ii samba-dsdb-modules 2:4.13.13+dfsg-1~deb11u2
ii samba-vfs-modules 2:4.13.13+dfsg-1~deb11u2
Versions of packages samba suggests:
pn bind9 <none>
pn bind9utils <none>
pn ctdb <none>
pn ldb-tools <none>
pn ntp | chrony <none>
pn smbldap-tools <none>
pn ufw <none>
ii winbind 2:4.13.13+dfsg-1~deb11u2
-- no debconf information
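An added example, not part of the original report or of Samba's code: a small parser for the two-line smbd log records quoted above. It flags users denied with "Failed to find authenticated user ... via getpwnam()" and, in logs like the working one, users who were found only after the lookup of the domain-qualified name missed. The sample records are copied from the excerpts in this message, truncated as they are there; the function names and the status labels "denied" and "fallback" are assumptions of this example.

```python
import re

# Record header as it appears in the excerpts: "[timestamp, level] file:line(function"
HEADER = re.compile(r"^\[([^,\]]+),\s*(\d+)\]\s+(\S+)")
MISS = re.compile(r"Get_Pwnam_internals didn't find user \[([^\]]+)\]")
HIT = re.compile(r"Get_Pwnam_internals did find user \[([^\]]+)\]")
DENY = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")

def records(lines):
    """Yield (timestamp, level, message), joining each header with its message lines."""
    current = None
    for raw in lines:
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), int(m.group(2)), ""]
        elif current is not None and line:
            current[2] = (current[2] + " " + line).strip()
    if current:
        yield tuple(current)

def classify(lines):
    """Map each domain-qualified user name to 'denied' or 'fallback'."""
    missed, result = set(), {}
    for _ts, _level, msg in records(lines):
        if m := DENY.search(msg):
            result[m.group(1)] = "denied"
        elif m := MISS.search(msg):
            missed.add(m.group(1))
        elif m := HIT.search(msg):
            for name in missed:
                # DOMAIN\user was not found, then the bare user name was.
                if "\\" in name and name.rpartition("\\")[2].lower() == m.group(1).lower():
                    result.setdefault(name, "fallback")
    return result

# Sample records copied from the excerpts above, truncated as on the page.
WORKING = r"""
[2022/01/28 15:02:11.190066, 5] ../../source3/lib/username.c:158(Get_Pwnam_inter
  Get_Pwnam_internals didn't find user [CAMPUS\aq5097xt]!
[2022/01/28 15:02:11.190098, 5] ../../source3/lib/username.c:158(Get_Pwnam_inter
  Get_Pwnam_internals did find user [aq5097xt]!
"""
BROKEN = r"""
[2022/01/28 15:07:10.735435, 5] ../../source3/lib/username.c:158(Get_Pwnam_inte
  Get_Pwnam_internals didn't find user [CAMPUS\aq5097xt]!
[2022/01/28 15:07:10.735444, 3] ../../source3/auth/auth_util.c:1901(check_accou
  Failed to find authenticated user CAMPUS\aq5097xt via getpwnam(), denying acce
"""
```

Calling `classify(open(path).read().splitlines())` on a log written at level 5 or higher lists the accounts in either state; the "denied" message itself is logged at level 3.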