Bug 14913 - update to 4.13.14 broke accessing a share with samba and sssd, winbindd seems to be required now
Summary: update to 4.13.14 broke accessing a share with samba and sssd, winbindd seems...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.13.14
Hardware: x86 Linux
: P5 major (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-19 05:39 UTC by Koen Dierckx
Modified: 2021-11-22 11:55 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Koen Dierckx 2021-11-19 05:39:20 UTC
Overview:
OS: Ubuntu 20.04 with all patches applied
Samba + sssd + kerberos (no winbindd)

After upgrading samba to 4.13.14 shares are not accessible anymore.
Downgrading to 4.11.6 fixes it again.

Compared logs from a working and not working setup. 


4.11.6 - WORKING
[2021/11/18 11:45:52.413922,  3] ../../auth/kerberos/kerberos_pac.c:411(kerberos_decode_pac)
  Found account name from PAC: DIERCKXK [Koen Dierckx]
[2021/11/18 11:45:52.413936,  3] ../../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [DIERCKXK@VITO.LOCAL]
[2021/11/18 11:45:52.413964,  5] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user VITO\DIERCKXK

4.13.14 - BROKEN
[2021/11/18 11:40:45.076365,  0] ../../source3/auth/auth_generic.c:125(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2021/11/18 11:40:45.076458,  3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_LOGON_SERVERS] || at ../../source3/smbd/smb2_sesssetup.c:146
Comment 1 Andrew Bartlett 2021-11-22 05:20:09 UTC
The best suggestion I can make is to run winbindd, but not configure it in nsswitch.comf,  Presumably you have been using idmap_sss already, so it should work

Make sure to get the patches from bug 14901.

The other workarounds will not be as good and involve the username map feature.

However the root (pardon the pun) issue that the AD username isn't a very trustworthy thing will remain unless a pure sid-based lookup is done.
Comment 2 Alexander Bokovoy 2021-11-22 11:55:52 UTC
Samba Team announced that domain member setups must use winbindd in 4.8.0: https://www.samba.org/samba/history/samba-4.8.0.html in 2018.

This means, as Andrew pointed out, that winbindd must be run but it is not necessary to be configured to provide identities for the system, SSSD can do that as well.

For more details on how Samba and SSSD interoperate and why winbindd is required, please look at the Red Hat's Knowledge Article I wrote together with Thorsten Scherf: https://access.redhat.com/articles/4355391, it is accessible without any subscription or account requirement.