Bug 15469 - 'force user = localunixuser' doesn't work if 'allow trusted domains = no' is set
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2023-09-04 11:53 UTC by Andreas Schneider
Modified: 2024-04-02 08:57 UTC
Attachments
patch for 4.19 (11.79 KB, patch)
2023-12-05 08:33 UTC, Andreas Schneider
slow: review+
Description Andreas Schneider 2023-09-04 11:53:09 UTC
If you have samba as a domain member with:

[global]
  allow trusted domains = no

[share]
  force user = localunixuser

Then smbd rejects any user connecting as the local unix user, as it is considered not to be from a trusted domain, which is incorrect.

Patch will follow.
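
Added example, not part of the original report or of Samba's code: a small audit that finds shares matching the configuration described above, for domain members that have not yet picked up the fix released in samba-4.19.4 (Comment 7). The function names, the sample file and the rule that a domain member is recognised by security = ads or domain are assumptions; the parser ignores include directives and line continuations, and it reports every share with a force user, so confirm that the account is a local Unix user.

```python
import re

# Constructed sample smb.conf mirroring the configuration in the report.
SAMPLE_CONF = """\
[global]
  security = ads
  Allow Trusted Domains = No
[share]
  force user = localunixuser
[other]
  path = /srv/other
"""
FALSE_VALUES = {"no", "false", "0", "off"}

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for an smb.conf string."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def affected_shares(text):
    """List shares that combine 'force user' with trusted domains disabled."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    # Assumption: a domain member is recognised by security = ads or domain.
    member = glob.get("security", "").lower() in {"ads", "domain"}
    no_trusted = glob.get("allowtrusteddomains", "yes").lower() in FALSE_VALUES
    if not (member and no_trusted):
        return []
    # A 'force user' in [global] is the default for every share.
    default_force = glob.get("forceuser", "")
    return sorted(name for name, params in conf.items()
                  if name != "global" and params.get("forceuser", default_force))

if __name__ == "__main__":
    print(affected_shares(SAMPLE_CONF))
```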
Comment 1 Samba QA Contact 2023-12-01 08:07:04 UTC
This bug was referenced in samba master:

ad0c0dd071401d98f0b7f595efbdf5312a165ab4
00034d022896f879bf91bb78eb9e2972162c99ce
Comment 2 Andreas Schneider 2023-12-05 08:33:43 UTC
Created attachment 18193
patch for 4.19
Comment 3 Ralph Böhme 2023-12-05 09:52:37 UTC
Reassigning to Jule for inclusion in 4.19.
Comment 4 Jule Anger 2023-12-05 10:05:52 UTC
Pushed to autobuild-v4-19-test.
Comment 5 Samba QA Contact 2023-12-05 11:05:05 UTC
This bug was referenced in samba v4-19-test:

b3ac235ba966c93744a457bd7014ec6f0503f1e5
62c90dfa32e7918e898c321dd81617c2e6da58ff
Comment 6 Jule Anger 2023-12-05 11:21:19 UTC
Closing out bug report.

Thanks!
Comment 7 Samba QA Contact 2024-01-08 14:39:40 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.4):

b3ac235ba966c93744a457bd7014ec6f0503f1e5
62c90dfa32e7918e898c321dd81617c2e6da58ff
Comment 8 glorang 2024-04-01 13:32:35 UTC
After updating one of our systems from Debian Buster (Samba 4.9.5) to Debian Bullseye (Samba 4.13.13) it looks like we are being hit by this issue.

Are there any plans of backporting this patch to 4.13 or 4.17 (backports / Debian stable)?

Should I log this in Debian's bug tracker instead?

For search index reference, this is the error you get from smbclient in this case:

$ smbclient -k //server.domain.com/Share
tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED

Thanks,
Comment 9 Rowland Penny 2024-04-02 08:57:44 UTC
(In reply to glorang from comment #8)
I doubt very much if this will get directly fixed in 4.17.x by Samba. Samba provides support for the last three versions, which means, at this time, 4.20.x will get all fixes, 4.19.x will get maintenance fixes and 4.18.x will only get security fixes.

Debian may decide to backport this fix, I suggest you ask them.