Bug 11044 - Samba 4.2 using Kerberos (not AD) fails to authenticate
Summary: Samba 4.2 using Kerberos (not AD) fails to authenticate
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.2.0rc3
Hardware: All All
: P1 regression (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 10077
  Show dependency treegraph
 
Reported: 2015-01-09 22:33 UTC by Michael Zeis
Modified: 2021-02-11 14:08 UTC (History)
6 users (show)

See Also:


Attachments
Patch for passwd_to_SamInfo3 (4.07 KB, patch)
2015-01-09 22:33 UTC, Michael Zeis
no flags Details
Patch for master - includes test. (11.76 KB, patch)
2015-01-13 22:17 UTC, Jeremy Allison
no flags Details
Cherry-pick from master for 4.2. (12.43 KB, patch)
2015-01-14 18:11 UTC, Jeremy Allison
vl: review+
obnox: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Zeis 2015-01-09 22:33:41 UTC
Created attachment 10610 [details]
Patch for passwd_to_SamInfo3

Going from 4.1 to 4.2rc3 it appears that in the new 4.2 function passwd_to_SamInfo3() the code to handle the "Unix Users" domain is missing.   Similar code is found in samu_to_SamInfo3() and looks to be necessary in passwd_to_SamInfo3 as well.

For example I see the error messages in the samba log when trying to authenticate using Kerberos/OpenLdap (not AD):

[2015/01/08 12:10:06.667139, 10, pid=21045, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1088(legacy_gid_to_sid)
  LEGACY: gid 548597 -> sid S-1-22-2-548597
[2015/01/08 12:10:06.667256,  1, pid=21045, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:628(passwd_to_SamInfo3)
  The primary group domain sid(S-1-5-21-1497163937-2947169817-3520470860-513) does not match the domain sid(S-1-22-1) for mtester(S-1-22-1-521)
[2015/01/08 12:10:06.667297,  1, pid=21045, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:254(make_session_info_krb5)
  make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
[2015/01/08 12:10:06.667352,  1, pid=21045, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_INVALID_SID)
[2015/01/08 12:10:06.667460, 10, pid=21045, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2690(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:130

I created a patch to passwd_to_SamInfo3 and now the authentication works again, as it used to prior to 4.2:

[2015/01/08 15:37:19.382202, 10, pid=5603, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:633(passwd_to_SamInfo3)
  Unix User found in passwd. Rid marked as special and sid (S-1-22-1-521) saved as extra sid
Comment 1 Jeremy Allison 2015-01-10 01:01:16 UTC
Oh, nice catch. First glance that looks correct for master and 4.2.0. Let me investigate some more..
Comment 2 Andrew Bartlett 2015-01-11 09:52:22 UTC
My biggest concern is not fixing this, but ensuring it doesn't happen again by having a robust testsuite that catches that.
Comment 3 Jeremy Allison 2015-01-13 19:32:56 UTC
Oh, this is a blocker for 4.2.0 :-(.

Given the following share:

[utest]
        path = /tmp
        force user = gdm

where gdm doesn't exist in the tdb password database but is a UNIX user.

Connect as user jra, who does exist in the tdb passdb.

We get:

/usr/local/samba/bin/smbclient //127.0.0.1/utest -Ujra%PASSWORD
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.0pre1-GIT-42aee0e]
tree connect failed: NT_STATUS_INVALID_SID

This breaks a large number of file server cases.

Reassgning to jra as this is a file server-only bug :-(.
Comment 4 Jeremy Allison 2015-01-13 19:36:09 UTC
I think I can see how we can test this in autobuild...
Comment 5 Jeremy Allison 2015-01-13 20:09:46 UTC
Sorry Andrew, forgot to re-add you in cc: list.

I'll post patches + tests to the samba-technical list for master shortly.
Comment 6 Jeremy Allison 2015-01-13 22:17:53 UTC
Created attachment 10618 [details]
Patch for master - includes test.

This is based on the original fix from Michael Zeis <mzeis.quantum@gmail.com>, but factors the code out into a utility function rather than using cut-and-paste, plus adds a test for the bug.

Will post to the mailing list and get into master first, then back-port for 4.2.0.
Comment 7 Andreas Schneider 2015-01-14 15:51:38 UTC
Jeremy, I think this needs to be backported 4.1 too!
Comment 8 Jeremy Allison 2015-01-14 18:11:53 UTC
Created attachment 10621 [details]
Cherry-pick from master for 4.2.

Includes master commit refs.
Comment 9 Jeremy Allison 2015-01-14 19:01:30 UTC
(In reply to Andreas Schneider from comment #7)

No, I can't reproduce the problem in 4.1 - access to the [utest] share works fine.

This looks like a 4.2.0 problem only.
Comment 10 Andreas Schneider 2015-01-15 10:08:42 UTC
Jeremy, take a look at https://lists.samba.org/archive/samba/2013-January/171091.html and I have a but at Red Hat with the same log output.

To reproduce this use smb.conf:

[global]
   kerberos method = system keytab
   realm = MYDOMAIN.COM
   security = ads
Comment 11 Jeremy Allison 2015-01-15 16:45:21 UTC
(In reply to Andreas Schneider from comment #10)

Sure, I'll take a look, but in the meantime can you +1 the 4.2 patch so we can get this into the v4-2-test tree.

Thanks !
Comment 12 Volker Lendecke 2015-01-15 16:54:34 UTC
Comment on attachment 10621 [details]
Cherry-pick from master for 4.2.

+1'ing this with a caveat: Jeremy, please assign to Karolin only after a successful private autobuild. She got pretty frustrated because many autobuilds did not go through recently. I don't have the time right now to do it, sorry.
Comment 13 Michael Adam 2015-01-15 16:57:33 UTC
Comment on attachment 10621 [details]
Cherry-pick from master for 4.2.

ACK
Comment 14 Michael Adam 2015-01-15 17:00:03 UTC
Gosh, Volker was faster than me again. :-)
Comment 15 Andreas Schneider 2015-01-15 17:21:23 UTC
I think I was wrong Jeremy. Ignore me :)
Comment 16 Andreas Schneider 2015-01-15 17:22:06 UTC
Karolin, please add the patch to 4.2. Thanks!
Comment 17 Jeremy Allison 2015-01-15 19:06:34 UTC
(In reply to Volker Lendecke from comment #12)

I already tested a local full make test, and it passes as much as a local make test does for me (the local DC stuff always fucks up for me on local make test).
Comment 18 Jeremy Allison 2015-01-16 19:28:57 UTC
Just to be clear - this patch is ready (and required ! :-) for 4.2.0-final.

Thanks !

Jeremy.
Comment 19 Karolin Seeger 2015-01-16 20:03:05 UTC
(In reply to Jeremy Allison from comment #18)
Sure. Pushed to autobuild-v4-2-test, thx.
Comment 20 Stefan Metzmacher 2015-01-23 07:44:04 UTC
Pushed to autobuild-v4-2-test...
Comment 21 Karolin Seeger 2015-01-24 20:34:26 UTC
Pushed to v4-2-test.
Closing out bug report.

Thanks!