The advice from https://www.samba.org/samba/security/CVE-2020-25717.html:

> However there are setups which are joined to an active directory
> domain just for authentication, but the authorization is handled
> without nss_winbind by mapping the domain account to a local user
> provided by nss_file, nss_ldap or something similar. NOTE: These
> setups won't work anymore without explicitly mapping the users!
>
> For these setups administrators need to use the 'username map' or
> 'username map script' option in order to map domain users explicitly
> to local users, e.g.
>
> user = DOMAIN\user
>
> Please consult 'man 5 smb.conf' for further details on 'username
> map' or 'username map script'. Also note that in the above example '\'
> refers to the default value of the 'winbind separator' option.

has the side effect that the nt token, which we got from the DC either via
netr_LogonSamLogon* for NTLMSSP or the PAC in the kerberos ticket, is
discarded and a new nt token is constructed based on the mapped local
username via nss modules (e.g. nss_files, nss_ldap).

This is not what admins expect as the result of a security update, as things
like the primary user sid in the domain won't be added to the token, which
will cause problems with existing file permissions.

So I created patches which allow the behavior to be controlled by smb.conf
options. As a start I added the following to disable it:

  local nt token from nss:* = no

Or you do it for a whole domain called 'DOMAIN':

  local nt token from nss:DOMAIN = no

Or for individual users like this:

  local nt token from nss:DOMAIN\user = no

Let's assume you only have a single domain with a netbios domain name 'SAMBA'
and you want all users of that domain to be mapped from 'SAMBA\user' to just
'user', except for the cases where the username is 'root' or 'ubuntu'.

Then you could use these options:

  username map script = /etc/samba/username_map_script.sh
  local nt token from nss:SAMBA = no

The /etc/samba/username_map_script.sh script would have this content:

  #!/bin/bash
  # Samba passes the account name from the authentication request as $1
  # and reads the mapped name from stdout.
  ACCOUNTNAME="$1"
  DOMAINNAME="SAMBA"
  case "${ACCOUNTNAME}" in
  ${DOMAINNAME}\\root)
      # skip: print nothing, the account is left unmapped
      ;;
  ${DOMAINNAME}\\ubuntu)
      # skip: print nothing, the account is left unmapped
      ;;
  ${DOMAINNAME}\\*)
      # strip "SAMBA\" and print the local user name
      echo "${ACCOUNTNAME}" | sed -e 's/[^\\]*\\//'
      ;;
  esac
  exit 0

This would basically restore the fallback behavior of 'DOMAIN\user' to 'user'
in a controlled way and only for a single domain and not any trusted domains.

https://gitlab.com/samba-team/samba/-/merge_requests/2251 has the initial
patch for the new options.
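A generalised form of the username map script from the comment above, added here as an example (it is not the script posted in the bug report): the domain, the separator and the list of accounts that must not be mapped are parameters, so the mapping rule can be checked from a shell before it is wired into smb.conf. The variable names and the SAMBA/root/ubuntu defaults are taken from the comment; like the original, it prints nothing when the account has to stay unmapped.

```shell
#!/bin/sh
# Added example (not the script from the bug report): a 'username map script'
# that generalises the one above. Samba calls it with one argument, the account
# name from the authentication request, and reads the mapped name from stdout;
# printing nothing leaves the name unmapped, so the DC-provided token is kept.

DOMAINNAME="SAMBA"     # netbios name of the one domain whose users are mapped
SEPARATOR='\'          # must match the 'winbind separator' option in smb.conf
KEEP="root ubuntu"     # local names that must keep their domain account

# map_account ACCOUNT [DOMAIN] [SEPARATOR] [KEEP]
# Prints the local name for ACCOUNT, or nothing if it must be left as-is.
map_account() {
    account="$1"
    domain="${2:-$DOMAINNAME}"
    sep="${3:-$SEPARATOR}"
    keep="${4:-$KEEP}"

    # Only "DOMAIN<sep>..." of exactly this domain is a candidate; accounts
    # of trusted domains and bare local names are never touched.
    case "$account" in
        "$domain$sep"*) ;;
        *) return 0 ;;
    esac

    # Strip the "DOMAIN<sep>" prefix (quoted, so '\' is literal).
    local_name="${account#"$domain$sep"}"
    if [ -z "$local_name" ]; then
        return 0        # "SAMBA\" with no user part is not mappable
    fi

    # The exception list is matched exactly, so "root2" is still mapped.
    for name in $keep; do
        if [ "$local_name" = "$name" ]; then
            return 0
        fi
    done

    printf '%s\n' "$local_name"
}

# Entry point when Samba runs this file with the account name as $1.
if [ "$#" -gt 0 ]; then
    map_account "$1"
fi
```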
https://gitlab.com/samba-team/samba/-/merge_requests/2253 has some more improvements under discussion in order to avoid the username map [script] workaround completely.
This bug was referenced in samba master: bfd093648b4af51d104096c0cb3535e8706671e5 5ea347d3673e35891613c90ca837d1ce4833c1b0 fdbee5e074ebd76d659613b8b7114d70f938c38a 8a9f2aa2c1cdfa72ad50d7c4f879220fe37654cd 494bf7de6ff3e9abeb3753df0635737b80ce5bb7 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e
Created attachment 16996: Patches for v4-15-test
Created attachment 16997: Patches for v4-14-test
Created attachment 16998: Patches for v4-13-test
(In reply to Stefan Metzmacher from comment #0)
> The advice from https://www.samba.org/samba/security/CVE-2020-25717.html:
>
> > However there are setups which are joined to an active directory
> > domain just for authentication, but the authorization is handled
> > without nss_winbind by mapping the domain account to a local user
> > provided by nss_file, nss_ldap or something similar. NOTE: These
> > setups won't work anymore without explicitly mapping the users!
> >
> > For these setups administrators need to use the 'username map' or
> > 'username map script' option in order to map domain users explicitly
> > to local users, e.g.
> >
> > user = DOMAIN\user
> >
> > Please consult 'man 5 smb.conf' for further details on 'username
> > map' or 'username map script'. Also note that in the above example '\'
> > refers to the default value of the 'winbind separator' option.
>
> has the side effect that the nt token, which we got from the DC either via
> netr_LogonSamLogon* for NTLMSSP or the PAC in the kerberos ticket, is
> discarded and a new nt token is constructed based on the mapped local
> username via nss modules (e.g. nss_files, nss_ldap).
>
> This is not what admins expect as the result of a security update, as
> things like the primary user sid in the domain won't be added to the token,
> which will cause problems with existing file permissions.

Admins typically use this in combination with idmap_nss.

The patches on this bug report (from
https://gitlab.com/samba-team/samba/-/merge_requests/2253) should make it
possible to revert any 'username map [script]' changes, which were added as a
reaction to the original CVE-2020-25717 advisory!

Please note you still need to keep the 'min domain uid' options.
Reassigning to Jule for inclusion in 4.13, 4.14 and 4.15.
Pushed to autobuild-v4-{15,14,13}-test.
This bug was referenced in samba v4-13-test: a6eddc3bd7a032e1fd3921cd7ea213b5c48f2eab 302bb70ebc9b47d9f1d46212deac17470e64740d 0a56d233bfdb48bb2222891f7abfe054769b2ef2 a40c007fb5574cc781b60ab948477dcd9dd05aab 32ba258cd753301504bdb4a00624053f08373b95 105c6a15effd118d7cfe9dfa7b1ad4faab9fe224
This bug was referenced in samba v4-15-test: 38ddd41e9c6314ab37d727ff20ca09426a6d7e89 ebe18e23ba62e99295661584ce72942ce214aa4c 3f009a620a32fc02e26f7056b2c53cb940b7bbd4 ae21fe9c01b50232ca3223cca0096f8001786395 5d5e5a1f3558b52776ada0c1fabfa87c0adafd2d 9bcba58e4d42f6107ad8f9fa3faf892f9426a0ec
This bug was referenced in samba v4-14-test: 1bd06f8cb357df0c3f3f25899cda38b6f842c659 8bed2c3f7a970dc8933a5215e2d9ba041c9a8759 f00c993f0c74de38d58766b1050bb13f78b42c9a 9bef6bc6cf027c3b61498b4944388940e23e7a1c ff3798418e8a77492d50dfd32deed4f11f7ba7ce 8ccb26c679ba0b909cbba654d00797f99580679f
Closing out bug report. Thanks!
CVE-2020-25727 is incorrectly referenced in the first patch (that is an Alfresco CVE). It should be CVE-2020-25717.
Created attachment 17013: patch from 4.13 backported to 4.10

I've backported the patch and run the test locally. I'm also running a full CI
on gitlab on top of the 2021-11 security patches and v4-10-test.
This bug was referenced in samba v4-15-stable (Release samba-4.15.3): 38ddd41e9c6314ab37d727ff20ca09426a6d7e89 ebe18e23ba62e99295661584ce72942ce214aa4c 3f009a620a32fc02e26f7056b2c53cb940b7bbd4 ae21fe9c01b50232ca3223cca0096f8001786395 5d5e5a1f3558b52776ada0c1fabfa87c0adafd2d 9bcba58e4d42f6107ad8f9fa3faf892f9426a0ec
This bug was referenced in samba v4-13-stable (Release samba-4.13.15): a6eddc3bd7a032e1fd3921cd7ea213b5c48f2eab 302bb70ebc9b47d9f1d46212deac17470e64740d 0a56d233bfdb48bb2222891f7abfe054769b2ef2 a40c007fb5574cc781b60ab948477dcd9dd05aab 32ba258cd753301504bdb4a00624053f08373b95 105c6a15effd118d7cfe9dfa7b1ad4faab9fe224
This bug was referenced in samba v4-14-stable (Release samba-4.14.11): 1bd06f8cb357df0c3f3f25899cda38b6f842c659 8bed2c3f7a970dc8933a5215e2d9ba041c9a8759 f00c993f0c74de38d58766b1050bb13f78b42c9a 9bef6bc6cf027c3b61498b4944388940e23e7a1c ff3798418e8a77492d50dfd32deed4f11f7ba7ce 8ccb26c679ba0b909cbba654d00797f99580679f
For Samba versions < 4.13 you also need the fix from bug #14663 or you will end up with SID2XID entries for uid being overwritten by gid. This results in users not being able to log in until you call 'net cache clean'.