[Pkg-samba-maint] Bug#1002059: Bug#1002059: Regression: 2:4.13.13+dfsg-1~deb11u2 results in "Failed to find authenticated user" vs "Finding user" using "security=ADS" and "server role = member server"
L.P.H. van Belle
belle at bazuin.nl
Mon Jan 31 07:54:23 GMT 2022
Please configure your member server according to its needs.
Your smb.conf is incomplete.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

You're completely missing (or you removed it):
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choose_backend_for_id_mapping_in_winbindd
Which is obligatory to set on a member server.

>> auth_check_ntlm_password: winbind authentication for user
If you are using NTLM auth, you need to set/force it to NTLMv2.
# When enabled, needed on the member and all AD-DCs
ntlm auth = mschapv2-and-ntlmv2-only

Greetz,
Louis

> -----Original message-----
> From: Pkg-samba-maint
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl at alioth-lists.debian.net] On behalf of Jeffrey Hundstad
> Sent: Friday 28 January 2022 23:20
> To: Debian Bug Tracking System
> Subject: [Pkg-samba-maint] Bug#1002059: Regression:
> 2:4.13.13+dfsg-1~deb11u2 results in "Failed to find
> authenticated user" vs "Finding user" using "security=ADS"
> and "server role = member server"
>
> Package: samba
> Version: 2:4.13.13+dfsg-1~deb11u2
> Followup-For: Bug #1002059
> X-Debbugs-Cc: team at security.debian.org
>
> A security update
> https://security-tracker.debian.org/tracker/CVE-2020-25717
> first reported
> on 30 Nov 2021 - https://www.debian.org/security/2021/dsa-5015
>
> Before this my config on buster worked, and after the update
> there is a regression
> that required me to revert the update.
>
> I've since simplified my /etc/samba/smb.conf and replicated the
> regression on:
> - bullseye,
> - bookworm, and
> - sid (2022-01-28 3:00 PM).
>
> The smb.conf file is:
> ---start---
> # Global parameters
> [global]
> realm = CAMPUS.MNSU.EDU
> security = ADS
> server role = member server
> server string = 'LOCALTEST'
> workgroup = CAMPUS
> log level = 9
>
> [homes]
>
> ---end---
>
> I use this system to allow Windows machines to connect to
> shares on THIS SERVER to connect
> to shares using their A/D passwords. This has been working
> for years. Since the update
> the shares will not mount from the remote Windows (or Linux)
> clients. A revert of the
> Samba packages does allow for continued operations.
>
> Apt lines for bullseye, for my testing of a good system were:
> deb http://snapshot.debian.org/archive/debian/20211101T024700Z/ bullseye main
> deb http://snapshot.debian.org/archive/debian-security/20211130T230247Z/ bullseye/updates main
>
> When doing a comparison of the log files at the time of a
> failed vs successful mount this
> is the change (below). I do have complete log files for
> these, but there is a lot of
> semi-private data in those logs, and I'd like to keep that
> off the public forum.
>
> Working:
>
> [2022/01/28 15:02:11.190023, 5] ../../source3/lib/username.c:127(Get_Pwnam_inter
>   Trying _Get_Pwnam(), username as given is CAMPUS\aq5097xt
> [2022/01/28 15:02:11.190041, 5] ../../source3/lib/username.c:140(Get_Pwnam_inter
>   Trying _Get_Pwnam(), username as uppercase is CAMPUS\AQ5097XT
> [2022/01/28 15:02:11.190058, 5] ../../source3/lib/username.c:152(Get_Pwnam_inter
>   Checking combinations of 0 uppercase letters in campus\aq5097xt
> [2022/01/28 15:02:11.190066, 5] ../../source3/lib/username.c:158(Get_Pwnam_inter
>   Get_Pwnam_internals didn't find user [CAMPUS\aq5097xt]!
> [2022/01/28 15:02:11.190075, 5] ../../source3/lib/username.c:181(Get_Pwnam_alloc
>   Finding user aq5097xt
> [2022/01/28 15:02:11.190081, 5] ../../source3/lib/username.c:120(Get_Pwnam_inter
>   Trying _Get_Pwnam(), username as lowercase is aq5097xt
> [2022/01/28 15:02:11.190098, 5] ../../source3/lib/username.c:158(Get_Pwnam_inter
>   Get_Pwnam_internals did find user [aq5097xt]!
> [2022/01/28 15:02:11.190114, 3] ../../source3/auth/auth.c:267(auth_check_ntlm_pa
>   auth_check_ntlm_password: winbind authentication for user [aq5097xt] succeeded
> [2022/01/28 15:02:11.190127, 4] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2022/01/28 15:02:11.190135, 4] ../../source3/smbd/uid.c:561(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2022/01/28 15:02:11.190142, 4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_int
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2022/01/28 15:02:11.190149, 5] ../../libcli/security/security_token.c:52(securi
>   Security token: (NULL)
> [2022/01/28 15:02:11.190156, 5] ../../source3/auth/token_util.c:873(debug_unix_u
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2022/01/28 15:02:11.190175, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2022/01/28 15:02:11.190183, 5] ../../source3/auth/auth.c:294(auth_check_ntlm_pa
>   check_ntlm_password: PAM Account for user [aq5097xt] succeeded
> [2022/01/28 15:02:11.190206, 3] ../../auth/auth_log.c:635(log_authentication_eve
>   Auth: [SMB2,(null)] user [campus]\[aq5097xt] at [Fri, 28 Jan 2022 15:02:11.1901
>   {"timestamp": "2022-01-28T15:02:11.190268-0600", "type": "Authentication", "Aut
> [2022/01/28 15:02:11.190294, 2] ../../source3/auth/auth.c:323(auth_check_ntlm_pa
>   check_ntlm_password: authentication for user [aq5097xt] -> [aq5097xt] -> [aq50
>
> Broken:
>
> [2022/01/28 15:07:10.735394, 5] ../../source3/lib/username.c:127(Get_Pwnam_inte
>   Trying _Get_Pwnam(), username as given is CAMPUS\aq5097xt
> [2022/01/28 15:07:10.735412, 5] ../../source3/lib/username.c:140(Get_Pwnam_inte
>   Trying _Get_Pwnam(), username as uppercase is CAMPUS\AQ5097XT
> [2022/01/28 15:07:10.735428, 5] ../../source3/lib/username.c:152(Get_Pwnam_inte
>   Checking combinations of 0 uppercase letters in campus\aq5097xt
> [2022/01/28 15:07:10.735435, 5] ../../source3/lib/username.c:158(Get_Pwnam_inte
>   Get_Pwnam_internals didn't find user [CAMPUS\aq5097xt]!
> [2022/01/28 15:07:10.735444, 3] ../../source3/auth/auth_util.c:1901(check_accou
>   Failed to find authenticated user CAMPUS\aq5097xt via getpwnam(), denying acce
> [2022/01/28 15:07:10.735453, 5] ../../source3/auth/auth.c:258(auth_check_ntlm_p
>   auth_check_ntlm_password: winbind authentication for user [aq5097xt] FAILED wi
> [2022/01/28 15:07:10.735469, 2] ../../source3/auth/auth.c:344(auth_check_ntlm_p
>   check_ntlm_password: Authentication for user [aq5097xt] -> [aq5097xt] FAILED
> [2022/01/28 15:07:10.735487, 2] ../../auth/auth_log.c:635(log_authentication_ev
>   Auth: [SMB2,(null)] user [campus]\[aq5097xt] at [Fri, 28 Jan 2022 15:07:10.735
>   {"timestamp": "2022-01-28T15:07:10.735531-0600", "type": "Authentication", "Au
> [2022/01/28 15:07:10.735567, 5] ../../source3/auth/auth_ntlmssp.c:210(auth3_che
>   auth3_check_password_send: Checking NTLMSSP password for campus\aq5097xt faile
> [2022/01/28 15:07:10.735587, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
>
> I have good and broken versions as qemu virts that are test instances.
> I'm happy to test any crazy theory. :)
>
>
> -- Package-specific info:
> * /etc/samba/smb.conf present, and attached
> * /var/lib/samba/dhcp.conf present, and attached
>
> -- System Information:
> Debian Release: 11.2
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-11-amd64 (SMP w/4 CPU threads)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages samba depends on:
> ii adduser 3.118
> ii dpkg 1.20.9
> ii init-system-helpers 1.60
> ii libbsd0 0.11.3-1
> ii libc6 2.31-13+deb11u2
> ii libgnutls30 3.7.1-5
> ii libldb2 2:2.2.3-2~deb11u1
> ii libpam-modules 1.4.0-9+deb11u1
> ii libpam-runtime 1.4.0-9+deb11u1
> ii libpopt0 1.18-2
> ii libpython3.9 3.9.2-1
> ii libtalloc2 2.3.1-2+b1
> ii libtasn1-6 4.16.0-2
> ii libtdb1 1.4.3-1+b1
> ii libtevent0 0.10.2-1
> ii libwbclient0 2:4.13.13+dfsg-1~deb11u2
> ii lsb-base 11.1.0
> ii procps 2:3.3.17-5
> ii python3 3.9.2-3
> ii python3-dnspython 2.0.0-1
> ii python3-samba 2:4.13.13+dfsg-1~deb11u2
> ii samba-common 2:4.13.13+dfsg-1~deb11u2
> ii samba-common-bin 2:4.13.13+dfsg-1~deb11u2
> ii samba-libs 2:4.13.13+dfsg-1~deb11u2
> ii tdb-tools 1.4.3-1+b1
>
> Versions of packages samba recommends:
> ii attr 1:2.4.48-6
> ii logrotate 3.18.0-2
> ii python3-markdown 3.3.4-1
> ii samba-dsdb-modules 2:4.13.13+dfsg-1~deb11u2
> ii samba-vfs-modules 2:4.13.13+dfsg-1~deb11u2
>
> Versions of packages samba suggests:
> pn bind9 <none>
> pn bind9utils <none>
> pn ctdb <none>
> pn ldb-tools <none>
> pn ntp | chrony <none>
> pn smbldap-tools <none>
> pn ufw <none>
> ii winbind 2:4.13.13+dfsg-1~deb11u2
>
> -- no debconf information
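
An added example, not part of the original message and not Samba code: a small check that reports which idmap settings, the ones the reply says are missing, are absent from the [global] section posted in the report. The function names are hypothetical, and the backends and ranges in the corrected variant are assumed sample values in the style of the wiki page linked in the reply.

```python
import re

# The [global] section quoted in the report, reproduced as sample input.
REPORTED = """[global]
realm = CAMPUS.MNSU.EDU
security = ADS
server role = member server
workgroup = CAMPUS
[homes]
"""

# Assumed example values (backend and range are site-specific choices).
IDMAP = """idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config CAMPUS : backend = rid
idmap config CAMPUS : range = 10000-999999
"""
FIXED = REPORTED.replace("[homes]\n", IDMAP + "[homes]\n")


def parse_global(text):
    """Return [global] parameters, names lowercased and whitespace-collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def missing_idmap(text):
    """List idmap parameters absent from an AD member's [global] section."""
    p = parse_global(text)
    if p.get("security", "").lower() != "ads":
        return []  # not an AD member; this check does not apply
    have = set()
    for key in p:
        m = re.fullmatch(r"idmap config (\S+) ?: ?(backend|range)", key)
        if m:
            have.add((m.group(1), m.group(2)))
    wg = p.get("workgroup", "").lower()
    domains = ["*"] + ([wg] if wg else [])
    return [f"idmap config {d.upper()} : {opt}"
            for d in domains for opt in ("backend", "range")
            if (d, opt) not in have]
```

On a live system, testparm shows the effective configuration that this check approximates.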