[Pkg-samba-maint] Bug#1034417: samba: Samba can no longer authenticate users via Kerberos from a standalone KDC

Michael Tokarev mjt at tls.msk.ru
Fri Apr 14 18:59:48 BST 2023


Control: tag -1 + moreinfo

Hello!

14.04.2023 20:49, Daniel Lakeland wrote:
> Package: samba
> Version: Installed: 2:4.17.7+dfsg-1
> Severity: important
> Tags: upstream
> X-Debbugs-Cc: dlakelan at street-artists.org

..
> Please see discussions on the samba mailing list in the thread starting here:
> 
> https://lists.samba.org/archive/samba/2023-April/244842.html

Yeah, I've seen this thread, watched it with great interest.

But I have a question for you, as the reporter of this bug:
What do you expect us, the Debian samba maintainers, to do with it?
I definitely will not change samba in a way not approved by the
upstream. Also, I won't try to find out what the problem is and
how to deal with it, as I have neither enough experience
in that area nor time nor motivation. If this bug report stays
here for years, what good will it serve? I can immediately
think about a downside: it will keep my attention constantly
drawn away when I look for bugs to triage, so I'll have fewer
resources for other bugs I can possibly fix.

You've been offered a workaround, too, in some way.

> The situation appears to be that samba moved to using winbindd to do authentication, and this
> combination samba + winbindd can't imagine a scenario in which there is a KDC which is not an AD DC.
> 
> What I want, and has worked for 15 years, and clearly has been done by plenty of other people in the
> past based on google searches, is that a client gets a ticket from the KDC and uses it to authenticate
> to a standalone samba server which is not a part of an AD DC but IS a part of an MIT Kerberos KDC realm.
> 
> It appears that this is an upstream "bug" in which a particular use case simply did not get considered
> when rearchitecting the samba security system, and hence disappeared. However it affects Debian users
> who have been using this technique such as myself, and certainly others.

FWIW, you're the only user in this world who uses this configuration,
it looks like. Because the version where this configuration broke is
quite old, unsupported for a long time, and has many bugs including
easily triggerable security issues.

So I'm not sure about the severity of this bug report.  I'd move it
to "wontfix" severity..

Thanks,

/mjt


