User authentication is broken with 2:4.15.13+dfsg-0ubuntu0.20.04.1 package

Bug #2009858 reported by Andrew Berry
This bug affects 4 people
Affects         Status     Importance  Assigned to  Milestone
samba (Ubuntu)  Confirmed  Undecided   Unassigned
Focal           Confirmed  Critical    Unassigned

Bug Description

Upgrading from samba 2:4.13.17~dfsg-0ubuntu1.20.04.5 to 2:4.15.13+dfsg-0ubuntu0.20.04.1 breaks user authentication. Neither a macOS or a Windows client can connect.

From the mac, I see

[2023/03/09 10:20:43.242196, 1] ../../source3/auth/token_util.c:1171(create_token_from_username)
  lookup_name_smbconf for <redacted> failed

From Windows, I see:

[2023/03/09 10:21:49.274935, 1] ../../source3/smbd/service.c:364(create_connection_session_info)
  create_connection_session_info: user '<redacted>' (from session setup) not permitted to access this share (imazing)
[2023/03/09 10:21:49.275020, 1] ../../source3/smbd/service.c:545(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

Rolling back to 2:4.13.17~dfsg-0ubuntu1.20.04.5 fixes both issues.

There also appears to be a dependency bug. If I run apt-mark hold samba and then upgrade, samba is broken on startup with:

Mar 09 10:31:36 samba systemd[1]: Failed to start Samba SMB Daemon.
Mar 09 10:31:59 samba systemd[1]: Starting Samba SMB Daemon...
Mar 09 10:31:59 samba smbd[1180]: /usr/sbin/smbd: /lib/x86_64-linux-gnu/libldb.so.2: version `LDB_2.2.3' not found (required by /lib/x86_64-linux-gnu/libsamba-passdb.so.0)
Mar 09 10:31:59 samba smbd[1180]: /usr/sbin/smbd: /lib/x86_64-linux-gnu/libldb.so.2: version `LDB_2.2.3' not found (required by /usr/lib/x86_64-linux-gnu/samba/libsamdb-common.so.0)

I had to manually mark a hold on libldb2 as well.

Here's the relevant config. I've pruned the shares to just the two listed above, but in practice no shares work.

The username map handles mapping Microsoft account email addresses to unix usernames for automatic authentication from Windows hosts.

[global]
   log level = 1
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   max log size = 10000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

   inherit permissions = yes

   username map = /etc/samba/username_map

   unix extensions = no

   vfs objects = catia fruit streams_xattr acl_xattr
   fruit:nfs_aces = no
   fruit:model = MacSamba
   fruit:resource = xattr
   fruit:encoding = native
   fruit:metadata = stream

[media]
  comment = media
  browseable = yes
  valid users = <redacted>
  force user = media
  writeable = yes
  path = /main/media
  create mask = 0774
  directory mask = 0775

[imazing]
  browseable = yes
  valid users = <redacted>
  guest ok = no
  force user = media
  writeable = yes
  path = /backups/imazing
  create mask = 0774
  directory mask = 0775

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Pavel Selivanov (muiriled) wrote :

+1, samba is broken after recent update, can't connect to my 20.04 server from 22.10 Ubuntu guests.

Francis Brosnan (francis-aspl) wrote :

Hello,

In our case, after upgrading, all shares are able to connect (though it is
done using the anonymous user), but listing fails with NT_STATUS_ACCESS_DENIED:

root@xxx:~# smbclient //192.xx.xx.211/Compartida -U xxx -p
Password for [WORKGROUP\xxx]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

Tracing the debug log, it just reports the following:

[2023/03/10 14:05:40.589326, 5, pid=2892249, effective(1000, 1000), real(1000, 0)] ../../source3/smbd/open.c:4621(open_directory)
  open_directory: Could not open fd for [.]: NT_STATUS_ACCESS_DENIED
[2023/03/10 14:05:40.589368, 10, pid=2892249, effective(1000, 1000), real(1000, 0)] ../../source3/smbd/open.c:6128(create_file_unixpath)
  create_file_unixpath: NT_STATUS_ACCESS_DENIED
[2023/03/10 14:05:40.589488, 10, pid=2892249, effective(1000, 1000), real(1000, 0)] ../../source3/smbd/open.c:6316(create_file_default)
  create_file: NT_STATUS_ACCESS_DENIED

However, it does have permissions. Doing an inspection with strace, you can see
it can traverse the directory needed, and open it, but it fails in a /proc/self
open operation:

>> strace -p <smbd process pid>
...
...
getegid() = 0
setgroups(8, [1000, 4, 24, 27, 30, 46, 116, 65534]) = 0
setresgid(-1, 1000, -1) = 0
getegid() = 1000
setresuid(1000, 1000, -1) = 0
geteuid() = 1000
chdir("/home/administrador/Compartida") = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/home/administrador/Compartida", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getcwd("/home/administrador/Compartida", 4096) = 31
getcwd("/home/administrador/Compartida", 4096) = 31
openat(AT_FDCWD, ".", O_RDONLY|O_NOFOLLOW|O_PATH|O_DIRECTORY) = 13
fstat(13, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getcwd("/home/administrador/Compartida", 4096) = 31
openat(AT_FDCWD, ".", O_RDONLY|O_NOFOLLOW|O_PATH|O_DIRECTORY) = 44
fstat(44, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/proc/self/fd/13", O_RDONLY|O_DIRECTORY) = -1 EACCES (Permiso denegado)
close(13) = 0
fcntl(26, F_SETLK, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=36528, l_len=1}) = 0
fcntl(26, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=36528, l_len=1}) = 0
close(44) = 0
...
...

Here is our package list:

ii python3-samba 2:4.15.13+dfsg-0ubuntu0.20.04.1 amd64 Python 3 bindings for Samba
ii samba 2:4.15.13+dfsg-0ubuntu0.20.04.1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.15.13+dfsg-0ubuntu0.20.04.1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.15.13+dfsg-0ubuntu0.20.04.1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.1 amd64 Samba Directory Services Da...


Francis Brosnan (francis-aspl) wrote :

Hello,

Just to confirm: downgrading to the previous release (samba+libldb2+libwbclient) works as expected:

>> wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/25524416/+files/samba_4.13.17~dfsg-0ubuntu1.20.04.5_amd64.deb
>> wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/25524416/+files/python3-samba_4.13.17~dfsg-0ubuntu1.20.04.5_amd64.deb
>> wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/25524416/+files/samba-common_4.13.17~dfsg-0ubuntu1.20.04.5_all.deb
>> wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/25524416/+files/samba-common-bin_4.13.17~dfsg-0ubuntu1.20.04.5_amd64.deb
>> wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/25524416/+files/samba-dsdb-modules_4.13.17~dfsg-0ubuntu1.20.04.5_amd64.deb
>> wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/25524416/+files/samba-libs_4.13.17~dfsg-0ubuntu1.20.04.5_amd64.deb
>> wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/25524416/+files/samba-vfs-modules_4.13.17~dfsg-0ubuntu1.20.04.5_amd64.deb
>> wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/25524416/+files/libwbclient0_4.13.17~dfsg-0ubuntu1.20.04.5_amd64.deb
>> wget http://launchpadlibrarian.net/613607162/libldb2_2.2.3-0ubuntu0.20.04.3_amd64.deb

>> dpkg -i samba* python3-samba_4.13.17~dfsg-0ubuntu1.20.04.5_amd64.deb libwbclient0_4.13.17~dfsg-0ubuntu1.20.04.5_amd64.deb libldb2_2.2.3-0ubuntu0.20.04.3_amd64.deb

>> systemctl stop nmbd.service
>> systemctl start nmbd.service

>> systemctl stop smbd.service
>> systemctl start smbd.service

After that, we can connect and list as usual:

>> smbclient //192.xx.xx.211/Compartida -U dcxxxx -p
Password for [WORKGROUP\dcxxx]:
Try "help" to get a list of possible commands.
smb: \> ls
  . D 0 Fri Mar 10 14:34:33 2023
  .. D 0 Fri Mar 10 13:19:04 2023
  proxxxx.txt A 457411 Thu Mar 9 13:27:28 2023
  prueba D 0 Fri Mar 10 14:19:21 2023
  ICxxxsv A 8528 Mon Dec 19 17:32:35 2022
  BxxxXT A 620009 Thu Mar 9 13:26:18 2023
  pgxxx D 0 Mon Dec 5 09:24:24 2022
  pxxx3 D 0 Fri Mar 10 14:34:33 2023
  pxxxx N 0 Fri Mar 10 13:18:58 2023

  91732248 blocks of size 1024. 13195008 blocks available
smb: \>

Lena Voytek (lvoytek)
tags: added: regression-update
Changed in samba (Ubuntu Focal):
status: New → Confirmed
importance: Undecided → Critical
Marc Deslauriers (mdeslaur) wrote (last edit ):

I am unable to reproduce this. I can successfully connect to an Ubuntu 20.04 LTS VM with 4.15.13 from both Ubuntu 22.04 LTS with 4.15.13 and Windows 11.

If anyone has any more information on the issue, please add it to this bug so I can reproduce it.

information type: Public → Public Security
Marc Deslauriers (mdeslaur) wrote :

@francis-aspl: what are the permissions on the /home/administrador/Compartida directory?

Francis Brosnan (francis-aspl) wrote (last edit ):

Hello Marc,

Permissions are right, see:

root@xx-xxx:~# su - administrador
administrador@xx-xxx:~$ cd /home/administrador/Compartida
administrador@xx-xxx:~/Compartida$ ls -la -tr -d /home/administrador/Compartida /home/administrador /home /
drwxr-xr-x 20 root root 4096 jul 13 2021 /
drwxr-xr-x 5 root root 4096 jun 9 2022 /home
drwxr-x--- 7 administrador administrador 4096 mar 10 13:19 /home/administrador
drwxr-xr-x 3 administrador administrador 4096 mar 10 16:00 /home/administrador/Compartida

..also without name resolution:

administrador@xx-xxx:~/Compartida$ ls -la -tr -d -n /home/administrador/Compartida /home/administrador /home /
drwxr-xr-x 20 0 0 4096 jul 13 2021 /
drwxr-xr-x 5 0 0 4096 jun 9 2022 /home
drwxr-x--- 7 1000 1000 4096 mar 10 13:19 /home/administrador
drwxr-xr-x 3 1000 1000 4096 mar 10 16:00 /home/administrador/Compartida

You can traverse without problems using "administrador" user (uid 1000).

It is also confirmed with strace a few lines before failing:

setresuid(0, 0, -1) = 0
geteuid() = 0
geteuid() = 0
getegid() = 0
setgroups(8, [1000, 4, 24, 27, 30, 46, 116, 65534]) = 0
setresgid(-1, 1000, -1) = 0
getegid() = 1000
setresuid(1000, 1000, -1) = 0
geteuid() = 1000
chdir("/home/administrador/Compartida") = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/home/administrador/Compartida", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getcwd("/home/administrador/Compartida", 4096) = 31
getcwd("/home/administrador/Compartida", 4096) = 31
openat(AT_FDCWD, ".", O_RDONLY|O_NOFOLLOW|O_PATH|O_DIRECTORY) = 13
fstat(13, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getcwd("/home/administrador/Compartida", 4096) = 31
openat(AT_FDCWD, ".", O_RDONLY|O_NOFOLLOW|O_PATH|O_DIRECTORY) = 44
fstat(44, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/proc/self/fd/13", O_RDONLY|O_DIRECTORY) = -1 EACCES (Permiso denegado)
close(13) = 0
fcntl(26, F_SETLK, {l_type=F_WRLCK, l_whence=SEEK_SET, l_start=36528, l_len=1}) = 0
fcntl(26, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=36528, l_len=1}) = 0
close(44)

See how the two openat calls succeeded before the failure. The setuid calls also confirm the running user for those openat calls:

getcwd("/home/administrador/Compartida", 4096) = 31
openat(AT_FDCWD, ".", O_RDONLY|O_NOFOLLOW|O_PATH|O_DIRECTORY) = 13
...
getcwd("/home/administrador/Compartida", 4096) = 31
openat(AT_FDCWD, ".", O_RDONLY|O_NOFOLLOW|O_PATH|O_DIRECTORY) = 44
...

For some reason, it then opens /proc/self/fd/13 and fails with permission denied:

openat(AT_FDCWD, "/proc/self/fd/13", O_RDONLY|O_DIRECTORY) = -1 EACCES (Permiso denegado)

...however, it is not clear if that failure is connected with the top-level failure (NT_STATUS_ACCESS_DENIED).

What I can confirm is that no other error appears during strace sess...


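Added diagnostic (not from this thread or from Samba): a C program that replays the exact syscall sequence in the strace above, the O_PATH open of the share directory followed by the reopen through /proc/self/fd, and reports each step's outcome together with the effective credentials and the directory's owner and mode. Run as root with a uid and gid, it first drops privileges the way the traced smbd does (setgroups, setresgid, setresuid); the `drop_to` and `replay_smbd_reopen` names and the argument handling are this example's own, not Samba's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Outcome of replaying the open sequence seen in the strace. */
struct reopen_check {
    int path_fd_ok;    /* openat(dir, O_PATH|O_DIRECTORY) succeeded, as fds 13/44 did */
    int reopen_ok;     /* openat("/proc/self/fd/N", O_RDONLY|O_DIRECTORY) succeeded */
    int reopen_errno;  /* errno of the failed step (EACCES in the trace), 0 if none */
    uid_t target_uid;  /* owner of the directory behind the O_PATH fd */
    mode_t target_mode;
};
/* Mirror the credential drop smbd does before the opens (root only):
 * setgroups, setresgid(-1, gid, -1), setresuid(uid, uid, -1). */
int drop_to(uid_t uid, gid_t gid)
{
    gid_t groups[1] = { gid };
    if (setgroups(1, groups) < 0 || setresgid(-1, gid, -1) < 0 ||
        setresuid(uid, uid, -1) < 0)
        return -errno;
    return 0;
}
/* Step 1: O_PATH handle on the directory. Step 2: reopen it for reading
 * through /proc/self/fd, the step at which the traced smbd got EACCES. */
struct reopen_check replay_smbd_reopen(const char *dir)
{
    struct reopen_check r = {0};
    struct stat st; char link[64];
    int path_fd = openat(AT_FDCWD, dir, O_RDONLY | O_NOFOLLOW | O_PATH | O_DIRECTORY);
    if (path_fd < 0) { r.reopen_errno = errno; return r; }
    r.path_fd_ok = 1;
    if (fstat(path_fd, &st) == 0) { r.target_uid = st.st_uid; r.target_mode = st.st_mode; }
    snprintf(link, sizeof link, "/proc/self/fd/%d", path_fd);
    int fd = openat(AT_FDCWD, link, O_RDONLY | O_DIRECTORY);
    if (fd >= 0) { r.reopen_ok = 1; close(fd); } else r.reopen_errno = errno;
    close(path_fd);
    return r;
}
/* Usage: ./replay [dir [uid gid]]  e.g. ./replay /home/administrador/Compartida 1000 1000 */
int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    if (argc > 3 && drop_to((uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) < 0) { perror("drop_to"); return 2; }
    struct reopen_check r = replay_smbd_reopen(dir);
    printf("euid=%u egid=%u  dir owner=%u mode=%04o\n", geteuid(), getegid(), r.target_uid, r.target_mode & 07777);
    printf("O_PATH open: %s\n", r.path_fd_ok ? "ok" : strerror(r.reopen_errno));
    printf("reopen via /proc/self/fd: %s\n", r.reopen_ok ? "ok" : strerror(r.reopen_errno));
    return r.reopen_ok ? 0 : 1;
}
```

A denial reproduced here, outside smbd, points at the host (kernel, /proc mount options or a security module); success here while smbd still fails points back at the Samba packages, which is what the downgrade results in this thread suggest.
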
engaging374 (engaging374) wrote (last edit ):

Hi, this issue also affects domain join.

tested with focal:
Ubuntu 20.04.6 LTS

net ads join member -U <user> osName=Ubuntu osVer=`lsb_release -rs` -S <DC>.<DOMAIN>
Password for [<DOMAIN>\<USER>]:
Failed to join domain: failed to find DC for domain member - A domain controller for this domain was not found.

When I downgrade the packages:
upgrade samba-common:all 2:4.15.13+dfsg-0ubuntu0.20.04.1 2:4.13.17~dfsg-0ubuntu1.20.04.5
upgrade samba-common-bin:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.1 2:4.13.17~dfsg-0ubuntu1.20.04.5
upgrade libwbclient0:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.1 2:4.13.17~dfsg-0ubuntu1.20.04.5
upgrade libldb2:amd64 2:2.4.4-0ubuntu0.20.04.1 2:2.2.3-0ubuntu0.20.04.3

The join is running again:
net ads join member -U <user> osName=Ubuntu osVer=`lsb_release -rs` -S <DC>.<DOMAIN>
Password for [<DOMAIN>\<USER>]:
Joined '<Server>' to dns domain '<domain>'

Edit:
Deployed a new VM (before patch) and pinned samba-* (apt-mark hold samba-*). Updated the system (with pinned package) and domain join is OK.

apt-mark showhold:
samba-common
samba-common-bin
samba-dev
samba-dsdb-modules
samba-libs
samba-testsuite
samba-vfs-modules

In my case:
These packages get held back if I try to apt upgrade after I pinned samba-*:
fwupd libfwupd2 libfwupdplugin5 libipa-hbac0 libldb2 libsmbclient libsss-idmap0 libwbclient0 linux-generic-hwe-20.04 linux-headers-generic-hwe-20.04 linux-image-generic-hwe-20.04 python3-ldb python3-samba python3-sss samba-common samba-common-bin samba-dsdb-modules samba-libs sssd sssd-ad sssd-ad-common sssd-common sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy

Seth Arnold (seth-arnold) wrote :

Perhaps there's an AppArmor policy or similar blocking these accesses? Try dmesg | grep DENIED or grep DENIED /var/log/audit/audit.log or something similar?

Thanks

Francis Brosnan (francis-aspl) wrote :

Just to confirm, it is not AppArmor related. In our installation, the policy is in complain mode. See:

root@xxx-xxxxxx:~# aa-status
apparmor module is loaded.
63 profiles are loaded.
43 profiles are in enforce mode.
   /snap/snapd/17029/usr/lib/snapd/snap-confine
   /snap/snapd/17029/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17336/usr/lib/snapd/snap-confine
   /snap/snapd/17336/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17576/usr/lib/snapd/snap-confine
   /snap/snapd/17576/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17883/usr/lib/snapd/snap-confine
   /snap/snapd/17883/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17950/usr/lib/snapd/snap-confine
   /snap/snapd/17950/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/18357/usr/lib/snapd/snap-confine
   /snap/snapd/18357/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/18596/usr/lib/snapd/snap-confine
   /snap/snapd/18596/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   chromium_browser//browser_java
   chromium_browser//browser_openjdk
   chromium_browser//sanitized_helper
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
20 profiles are in complain mode.
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   chromium_browser
   chromium_browser//chromium_browser_sandbox
   chromium_browser//lsb_release
   chromium_browser//xdgsettings
   identd
   klogd
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
6 processes have profiles defined.
0 processes are in enforce mode.
6 processes are in complain mode.
   /usr/sbin/nmbd (2967123) nmbd
   /usr/sbin/smbd (2508135) smbd
   /usr/sbin/smbd (2967228) smbd
   /usr/sbin/smbd (2967230) smbd
   /usr/sbin/smbd (2967231) smbd
   /usr/sbin/smbd (2967232) smbd
0 processes are unconfined but have a profile defined.

Also, at /var/log/audit/audit.log no "denied" notification was reported. All allowed.

In any case, we tried disabling or uninstalling AppArmor, but it did not make any difference. Downgrading did.
