Bug 14913 - update to 4.13.14 broke accessing a share with samba and sssd, winbindd seems to be required now
Status: RESOLVED INVALID
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.13.14
Hardware: x86 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2021-11-19 05:39 UTC by Koen Dierckx
Modified: 2022-01-06 17:16 UTC
Description Koen Dierckx 2021-11-19 05:39:20 UTC
Overview:
OS: Ubuntu 20.04 with all patches applied
Samba + sssd + kerberos (no winbindd)

After upgrading samba to 4.13.14 shares are not accessible anymore.
Downgrading to 4.11.6 fixes it again.

Compared logs from a working and a non-working setup.

4.11.6 - WORKING
[2021/11/18 11:45:52.413922,  3] ../../auth/kerberos/kerberos_pac.c:411(kerberos_decode_pac)
  Found account name from PAC: DIERCKXK [Koen Dierckx]
[2021/11/18 11:45:52.413936,  3] ../../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [DIERCKXK@VITO.LOCAL]
[2021/11/18 11:45:52.413964,  5] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user VITO\DIERCKXK

4.13.14 - BROKEN
[2021/11/18 11:40:45.076365,  0] ../../source3/auth/auth_generic.c:125(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2021/11/18 11:40:45.076458,  3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_LOGON_SERVERS] || at ../../source3/smbd/smb2_sesssetup.c:146
Comment 1 Andrew Bartlett 2021-11-22 05:20:09 UTC
The best suggestion I can make is to run winbindd, but not configure it in nsswitch.conf. Presumably you have been using idmap_sss already, so it should work.

Make sure to get the patches from bug 14901.

The other workarounds will not be as good and involve the username map feature.

However, the root (pardon the pun) issue, that the AD username isn't a very trustworthy thing, will remain unless a pure SID-based lookup is done.
Comment 2 Alexander Bokovoy 2021-11-22 11:55:52 UTC
The Samba Team announced in 4.8.0 (2018) that domain member setups must use winbindd: https://www.samba.org/samba/history/samba-4.8.0.html

This means, as Andrew pointed out, that winbindd must be run but it is not necessary to be configured to provide identities for the system, SSSD can do that as well.

For more details on how Samba and SSSD interoperate and why winbindd is required, please look at the Red Hat Knowledge Article I wrote together with Thorsten Scherf: https://access.redhat.com/articles/4355391. It is accessible without any subscription or account requirement.
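As an added example (not part of the bug report, and not Samba's or SSSD's own code), the following POSIX shell script does the two checks an administrator hitting this bug would want to script: it looks for the "winbindd not running - but required as domain member" signature from the BROKEN 4.13.14 log above in smbd log text, and it checks whether nsswitch.conf hands passwd/group/shadow lookups to winbind, which is exactly what Comment 1 and Comment 2 say you do not need once winbindd is running alongside SSSD. The log excerpt and nsswitch.conf contents below are constructed samples modelled on the report; on a real host you would feed the real smbd log (the path, e.g. /var/log/samba/log.smbd, is distribution-dependent and assumed here) and /etc/nsswitch.conf through the same functions.

```shell
#!/bin/sh
# Added example, not from the bug report or the Samba project.

# Constructed sample: the BROKEN 4.13.14 smbd log lines from the report.
SAMPLE_LOG='[2021/11/18 11:40:45.076365,  0] ../../source3/auth/auth_generic.c:125(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2021/11/18 11:40:45.076458,  3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_LOGON_SERVERS] || at ../../source3/smbd/smb2_sesssetup.c:146'

# Constructed sample nsswitch.conf: SSSD serves identities, winbind is not listed
# (the layout Comment 1 recommends once winbindd is running).
SAMPLE_NSSWITCH='passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
hosts:          files dns'

# count_winbindd_required: read smbd log text on stdin and print how many
# session setups smbd refused because winbindd was not running.
count_winbindd_required() {
    awk '/winbindd not running - but required as domain member/ { n++ }
         END { print n + 0 }'
}

# first_nt_status: read smbd log text on stdin and print the first NT_STATUS_*
# code found (empty output if there is none).
first_nt_status() {
    awk 'match($0, /NT_STATUS_[A-Z_]+/) { print substr($0, RSTART, RLENGTH); exit }'
}

# nsswitch_uses_winbind: read nsswitch.conf text on stdin; exit 0 if any
# passwd/group/shadow line lists winbind as a source, 1 otherwise.
# Comment lines are skipped so a commented-out "winbind" does not count.
nsswitch_uses_winbind() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 ~ /^(passwd|group|shadow):$/ {
            for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Run both checks against the constructed samples.
n=$(printf '%s\n' "$SAMPLE_LOG" | count_winbindd_required)
status=$(printf '%s\n' "$SAMPLE_LOG" | first_nt_status)
if [ "$n" -gt 0 ]; then
    echo "smbd refused $n session setup(s) because winbindd is not running ($status)"
    if printf '%s\n' "$SAMPLE_NSSWITCH" | nsswitch_uses_winbind; then
        echo "nsswitch.conf lists winbind: identity lookups go to winbindd, not SSSD"
    else
        echo "nsswitch.conf does not list winbind: start winbindd and keep SSSD for NSS, as in Comment 1"
    fi
else
    echo "no winbindd-required refusals in the log"
fi
```

The first check is the detection a monitoring job would run over the smbd log after an upgrade; the second confirms that starting winbindd to satisfy the domain-member requirement does not also need winbind added to nsswitch.conf, so SSSD keeps owning user and group resolution.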