
Bug#1001053: Configuration with non SMB (MIT-kerberos) broken after 4.13.13+dfsg-1~deb11u2 security patch


Jostein Fossheim

Dec 3, 2021, 4:00:03 AM
Package: samba
Version: 4.13.13+dfsg-1~deb11u2


Hello,

My organisation is running a custom-built LDAP/MIT-kerberos realm
(the KDCs are not running MIT-kerberos through Samba, just standalone
installations). For years we have configured these KDCs to be used for two
important Debian (now running Bullseye) based file servers. We are
serving both NFSv4 and Windows SMB clients. I recently upgraded the
servers with the latest debian-security update with samba
(2:4.13.13+dfsg-1~deb11u2), and suddenly all Windows clients reported
access denied while connecting to the samba servers.

I assume our troubles are related to this security issue:

https://www.samba.org/samba/security/CVE-2020-25719.html

Which is referred to in the Debian package:

https://tracker.debian.org/news/1279235/accepted-samba-241313dfsg-1deb11u2-source-into-proposed-updates-stable-new-proposed-updates/



I assume the problem is caused by our KDCs not issuing PACs while
issuing tickets.

Any advice on how to handle this issue? Either disable the PAC check on
the servers, do some configuration that will still allow connections,
or configure our KDCs to include PACs in their tickets.

I am able to uninstall the security patch on the servers for now, so at
least our users can maintain their workflow, but I realize this is a
short-term solution.

The servers' smb.conf:

[global]
workgroup = EXAMPLE.COM
server string = NAS server (samba)

server role = standalone server
security = user
realm = EXAMPLE.COM
encrypt passwords = yes

kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab

password server = example-kdc-server.example.com

dns proxy = no

log file = /var/log/samba/log.%m
max log size = 1000

syslog = 0
panic action = /usr/share/samba/panic-action %d

map to guest = bad user

Log file from the server:

[2021/12/03 08:47:46.876654, 2] ../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
  obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: Miscellaneous failure (see text): Ticket have not authorization data of type 128
[2021/12/03 08:47:46.876663, 3] ../../auth/gensec/gensec_util.c:73(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for exampl...@EXAMPLE.COM, resorting to local user lookup
[2021/12/03 08:47:46.876670, 3] ../../source3/auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [exampl...@EXAMPLE.COM]
[2021/12/03 08:47:46.876684, 5] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user EXAMPLE.COM\example_user
[2021/12/03 08:47:46.876690, 5] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is EXAMPLE.COM\example_user
[2021/12/03 08:47:46.896429, 5] ../../source3/lib/username.c:127(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is EXAMPLE.COM\example_user
[2021/12/03 08:47:46.904156, 5] ../../source3/lib/username.c:140(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is EXAMPLE.COM\example_user
[2021/12/03 08:47:46.912256, 5] ../../source3/lib/username.c:152(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in EXAMPLE.COM\example_user
[2021/12/03 08:47:46.912297, 5] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [EXAMPLE.COM\example_user]!
[2021/12/03 08:47:46.912312, 3] ../../source3/auth/user_krb5.c:123(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username EXAMPLE.COM\example_user is invalid on this system
[2021/12/03 08:47:46.912330, 3] ../../source3/auth/auth_generic.c:222(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)

Output from smbclient (with samba 2:4.13.13+dfsg-1~deb11u2):

smbclient -d 5 -k -L //example-file-server

sitename_fetch: No stored sitename for realm 'exampl...@EXAMPLE.COM'
name example-file-server#20 found.
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 46080
SO_RCVBUF = 131072
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
TCP_USER_TIMEOUT = 0
session request ok
negotiated dialect[SMB3_11] against server[example-file-server]
cli_session_setup_spnego_send: Connect to example-file-server as exampl...@EXAMPLE.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED

Output from smbclient (with samba 2:4.13.5+dfsg-2):

smbclient -d 5 -k -L //example-file-server

sitename_fetch: No stored sitename for realm 'EXAMPLE.COM'
name example-file-server#20 found.
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 131072
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
TCP_USER_TIMEOUT = 0
session request ok
negotiated dialect[SMB3_11] against server[example-file-server]
cli_session_setup_spnego_send: Connect to example-file-server as exampl...@EXAMPLE.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
session setup ok
signed SMB2 message
tconx ok

        Sharename       Type      Comment
        ---------       ----      -------
Bind RPC Pipe: host example-file-server auth_type 0, auth_level 1
rpc_api_pipe: host example-file-server
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host example-file-server
rpc_read_send: data_to_read: 568
        share1          Disk      1TB (Jbod/disc grinder)
        usbpool         Disk      USBs
        share2          Disk      16TB (Raid5 in 5x4TB disks)
        health-logs     Disk      Disk health logs
        IPC$            IPC       IPC Service (NAS server (samba))
SMB1 disabled -- no workgroup available

Jostein Fossheim

Dec 3, 2021, 6:50:03 AM

Thibault Roulet

Feb 16, 2022, 8:30:03 AM

Hi all,

I'm not sure if I have the same issue, but it is impossible for my users to connect to the shared folders with samba > 4.13.5 from Windows desktops.
The password popup comes back. Everything works fine with samba 4.13.5.

I thought the last update would fix the issue, but nope.

This server is a member of the domain.

Server conf:

[global]

  workgroup = MYDOMAIN
  server string = myserver.corp.com
  realm = MYDOMAIN.corp.com
  security = ADS
  min protocol = SMB2
  client signing = mandatory
  server signing = mandatory
  netbios name = SBFS5

  password server = AD1.MYDOMAIN.corp.com
  wins server = 000.000.15.44



  dedicated keytab file = /etc/krb5.keytab

  kerberos method = secrets and keytab

  hosts allow = 000.000. 000.000. 127. 10.95.

  dns proxy = no
  local master = no
  domain master = no
  log level = 3
  log file = /var/log/samba/log.%I
  max log size = 3000
  template shell = /bin/bash
  winbind use default domain = no

  deadtime = 30

  # winbind settings
  idmap config * : range = 3000 - 8500
  idmap config *: backend = tdb

  idmap config MYDOMAIN: range = 9000 - 9000000
  idmap config MYDOMAIN: backend = ad
  idmap config MYDOMAIN: schema_mode = rfc2307



  panic action = /usr/share/samba/panic-action %d

  passdb backend = tdbsam

  username map = /etc/samba/smbusers
  username map script = /bin/echo
  unix password sync = yes

  domain logons = yes

  load printers = no
  disable spoolss = yes

  usershare allow guests = yes

And by the way, I enabled this dummy "username map script"; otherwise the password popup keeps showing too!

In the logs:

  check_account: Failed to find local account with UID 3000 for SID S-1-5-21-77949841-363743269-439555115-142182 (dom_user[MYDOMAIN\myusername])
[2022/02/16 10:58:52.246885,  2] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [myusername] -> [myusername] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
  Auth: [SMB2,(null)] user [MYDOMAIN]\[myusername] at [Wed, 16 Feb 2022 10:58:52.246922 CET] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [DESKTOP-KQKF394] remote host [ipv4:xxx.xxx.159.189:50840] mapped to [MYDOMAIN]\[myusername]. local host [ipv4:xxx.xxx.241.3:445]  
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER

Thanks in advance for your help.
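One way to pick both failure signatures out of a server log, as an added example that is not code from any post in this thread or from Samba itself: the script below parses Samba's debug-log format (a `[timestamp, level] file:line(function)` header followed by indented message lines), correlates a `gssapi_obtain_pac_blob` failure with the `NT_STATUS_*` code that the fallback local user lookup ends in (the Kerberos path from Jostein's log), and separately records NTLM lookups that fail with `NT_STATUS_NO_SUCH_USER` (Thibault's log). The regular expressions and the finding fields are my own design; the embedded log lines are constructed from the formats shown in the two posts, with `example_user@EXAMPLE.COM` standing in for the redacted principal.

```python
import re
from dataclasses import dataclass

# Samba debug-log header line, e.g.
# [2021/12/03 08:47:46.876654,  2] ../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s*(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
STATUS_RE = re.compile(r"NT_STATUS_[A-Z0-9_]+")
PAC_MISSING_RE = re.compile(r"Unable to find PAC for (?P<principal>[^\s,]+)")
NTLM_USER_RE = re.compile(r"Authentication for user \[(?P<user>[^\]]+)\]")

# Constructed sample modelled on the two log excerpts in this thread.
SAMPLE_LOG = """\
[2021/12/03 08:47:46.876654,  2] ../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
  obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: Miscellaneous failure (see text): Ticket have not authorization data of type 128
[2021/12/03 08:47:46.876663,  3] ../../auth/gensec/gensec_util.c:73(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for example_user@EXAMPLE.COM, resorting to local user lookup
[2021/12/03 08:47:46.912297,  5] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [EXAMPLE.COM\\example_user]!
[2021/12/03 08:47:46.912330,  3] ../../source3/auth/auth_generic.c:222(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2022/02/16 10:58:52.246885,  2] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [myusername] -> [myusername] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
"""


@dataclass
class Entry:
    ts: str
    level: int
    func: str      # function name taken from the location part of the header
    message: str   # continuation lines joined with single spaces


def parse_samba_log(text: str) -> list:
    """Group a Samba debug log into header + message entries."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["func"], ""))
        elif entries and raw.strip():
            cur = entries[-1]
            cur.message = (cur.message + " " + raw.strip()).strip()
    return entries


def find_auth_failures(entries: list) -> list:
    """Correlate a 'ticket has no PAC' event with the NT_STATUS that the
    fallback local user lookup ends in, and pick up NTLM lookup failures."""
    findings = []
    pending = None  # open Kerberos-without-PAC event awaiting its terminal status
    for e in entries:
        if e.func == "gssapi_obtain_pac_blob" and "failed" in e.message:
            pending = {"first_seen": e.ts, "cause": "kerberos_ticket_without_pac", "principal": None}
            continue
        pac = PAC_MISSING_RE.search(e.message)
        if pac:
            if pending is None:
                pending = {"first_seen": e.ts, "cause": "kerberos_ticket_without_pac", "principal": None}
            pending["principal"] = pac["principal"]
            continue
        status = STATUS_RE.search(e.message)
        if status is None or status.group() == "NT_STATUS_OK":
            continue
        if pending is not None:
            findings.append({**pending, "status": status.group(), "failed_at": e.ts})
            pending = None
        elif e.func == "auth_check_ntlm_password":
            user = NTLM_USER_RE.search(e.message)
            findings.append({"first_seen": e.ts, "cause": "ntlm_local_user_lookup",
                             "principal": user["user"] if user else None,
                             "status": status.group(), "failed_at": e.ts})
    if pending is not None:  # PAC was missing but the log ended before a status line
        findings.append({**pending, "status": None, "failed_at": None})
    return findings


if __name__ == "__main__":
    for f in find_auth_failures(parse_samba_log(SAMPLE_LOG)):
        print(f"{f['first_seen']} {f['cause']} principal={f['principal']} status={f['status']}")
```

Run against `/var/log/samba/log.*` at log level 3 or higher (the `gssapi_obtain_pac_blob` line is logged at level 2, the PAC fallback at level 3); a stream of `kerberos_ticket_without_pac` findings after a Samba upgrade is the pattern this thread describes, and distinguishes it from an ordinary unknown-user NTLM failure.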

Peter Keresztes Schmidt

Mar 4, 2022, 4:10:03 AM
x-debbugs-cc: te...@security.debian.org

This issue still persists. Since it was introduced by a security update I'd like to CC the security team as well, so they are aware of the problem.
Currently, this forces us to build samba on our own with the patch applied since the workaround suggested by upstream does not work in every case.

Thanks.

Michael Tokarev

Apr 13, 2022, 4:30:03 PM
13.04.2022 22:37, Daniel Lakeland wrote:
> My wife has a dual mirrored glusterfs file server that is used for central storage of biology research data. They'd been running old versions of
> Debian, until one of them had a hard drive failure. After replacing hardware and installing the latest Debian release, upgrading the other machine,
> and synchronizing the gluster fileserver, now no-one can access the server because they are experiencing something similar to this bug.

We missed a bugfix from upstream samba 4.13.17, this one:

CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch

which smells like this very bug.

Security team imported all security-related patches up to 4.13.16, but
did not include any bugfixes, and this is one of the bugfixes.

From this patch:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html

Please take a look.

I prepared an update for samba in bullseye (it has quite some other
issues too, including a serious data corruption issue which bit
me hard). I *hope* it will fix your issue too, as it includes the
above-mentioned change. I should try to push it to stable-proposed-updates.

And yes, it should hopefully be fixed in the 4.16 release too, which is
available in unstable.

Thanks!

/mjt