Ubuntu 20.04 LTS - Unattended Samba upgrade broke our setup

Asked by MathieuO

Hello Ubuntu members,

We are using Ubuntu 20.04 LTS on some servers, including a Samba Active Directory DC and a Samba File Server using winbind authentication.

On Nov 12th, an unattended upgrade (related to USN-5142-1) upgraded our Samba 4.11.6 to 4.13.14 on these servers and that got us into a lot of trouble.

1/ vfs_full_audit options changed ( https://bugs.launchpad.net/ubuntu/+source/samba/fins+bug/1950803 )
Some audit options were not valid anymore and audit started to log everything... our /var exploded in no time.
This got fixed by changing vfs_audit options in smb.conf.

2/ AD users with Unix Attribute uidnumber < 1000 were not able to access Samba file shares anymore.
Huge issue as most of our users were out of work for almost a day... probably related to the "min domain uid" global parameter which is set to 1000 by default.
In the rush we fixed the issue by changing uidnumber of all of our users to values above 1000.
Weirdly enough, AD users were still able to SSH on the server using winbind authentication and unix uid < 1000.

3/ Issues with CIFS mounts and Printers SMB configurations
Before the upgrade, CIFS mounts and printers used their username to authenticate on the Samba File Server.
Since the upgrade, it seems mandatory to indicate the domain name (add option domain=MYDOMAIN for mount.cifs and set username to MYDOMAIN\user for printers).
This domain prefix used to be implicit thanks to the "winbind use default domain = yes" option.

If anybody knows how to fix this we'd be really interested!

4/ AD built-in "Administrator" account can no longer access the Samba file server. This account is mapped to "root" on the File Server.
   The error message is related to some invalid data token, just like users that were denied in 2/.
   This account does not have Unix Attributes but it always worked that way. I'm not sure whether I should add it. I don't like changing built-in accounts.

At this time we're still investigating and your help would be very welcome!

All in all I have to say this was a pretty traumatic experience from unattended upgrades, we're now doing our best to get back on track with our setup.

Thanks for reading.

References
https://ubuntu.com/security/notices/USN-5142-1

########## UPGRADE LOG #####################

Start-Date: 2021-11-12 06:57:44
Commandline: /usr/bin/unattended-upgrade
Upgrade: libldb2:amd64 (2:2.0.10-0ubuntu0.20.04.3, 2:2.2.3-0ubuntu0.20.04.2), libwbclient0:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1),
python3-ldb:amd64 (2:2.0.10-0ubuntu0.20.04.3, 2:2.2.3-0ubuntu0.20.04.2), samba:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1), samba-dsdb-modules:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1), python3-tdb:amd64 (1.4.2-3build1, 1.4.3-0ubuntu0.20.04.1), libtalloc2:amd64 (2.3.0-3ubuntu1, 2.3.1-0ubuntu0.20.04.1), samba-libs:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1), winbind:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1), python3-samba:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1), samba-common:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1), samba-vfs-modules:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1), libsmbclient:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1), smbclient:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1), samba-common-bin:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1), libtdb1:amd64 (1.4.2-3build1, 1.4.3-0ubuntu0.20.04.1), python3-talloc:amd64 (2.3.0-3ubuntu1, 2.3.1-0ubuntu0.20.04.1), libtevent0:amd64 (0.10.1-4, 0.10.2-0ubuntu0.20.04.1)
End-Date: 2021-11-12 06:57:58

Start-Date: 2021-11-12 06:58:03
Commandline: /usr/bin/unattended-upgrade
Upgrade: ldb-tools:amd64 (2:2.0.10-0ubuntu0.20.04.3, 2:2.2.3-0ubuntu0.20.04.2)
End-Date: 2021-11-12 06:58:03

Start-Date: 2021-11-12 06:58:07
Commandline: /usr/bin/unattended-upgrade
Upgrade: tdb-tools:amd64 (1.4.2-3build1, 1.4.3-0ubuntu0.20.04.1)
End-Date: 2021-11-12 06:58:08
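
Added example, not part of the original question: a Python check that parses apt history stanzas in the format quoted above and reports packages whose upstream major.minor series changed during an unattended run, which is the kind of jump (Samba 4.11 to 4.13) the question describes. The function names are hypothetical and the sample is a shortened excerpt of the log above.

```python
import re

# Excerpt of the upgrade log quoted above (package list shortened).
SAMPLE_LOG = """\
Start-Date: 2021-11-12 06:57:44
Commandline: /usr/bin/unattended-upgrade
Upgrade: libldb2:amd64 (2:2.0.10-0ubuntu0.20.04.3, 2:2.2.3-0ubuntu0.20.04.2), samba:amd64 (2:4.11.6+dfsg-0ubuntu1.10, 2:4.13.14+dfsg-0ubuntu0.20.04.1), libtdb1:amd64 (1.4.2-3build1, 1.4.3-0ubuntu0.20.04.1)
End-Date: 2021-11-12 06:57:58

Start-Date: 2021-11-12 06:58:07
Commandline: /usr/bin/unattended-upgrade
Upgrade: tdb-tools:amd64 (1.4.2-3build1, 1.4.3-0ubuntu0.20.04.1)
End-Date: 2021-11-12 06:58:08
"""

# One "name:arch (old, new)" entry of an Upgrade: line.
ENTRY = re.compile(r"(\S+?):(\w+) \(([^,]+), ([^)]+)\)")


def upstream_series(version):
    """'2:4.11.6+dfsg-0ubuntu1.10' -> (4, 11): drop epoch and package revision."""
    upstream = version.split(":", 1)[-1].rsplit("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", upstream)[:2])


def minor_jumps(log_text, unattended_only=True):
    """Return (start_date, package, old, new) where upstream major.minor changed."""
    findings = []
    for stanza in log_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if unattended_only and "unattended-upgrade" not in fields.get("Commandline", ""):
            continue
        for pkg, _arch, old, new in ENTRY.findall(fields.get("Upgrade", "")):
            if upstream_series(old) != upstream_series(new):
                findings.append((fields.get("Start-Date", "?"), pkg, old, new))
    return findings


if __name__ == "__main__":
    for when, pkg, old, new in minor_jumps(SAMPLE_LOG):
        print(f"{when}  {pkg}: {old} -> {new}")
```

On a real host, pass the contents of /var/log/apt/history.log to `minor_jumps`.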

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee

Bernard Stafford (bernard010) said :
#1

Samba Active Directory Domain Controllers
The ntvfs File Server Back End Has Been Disabled
To fix the problem, migrate the file server back end on your DC to the supported s3fs back end.
https://wiki.samba.org/index.php/Updating_Samba#Notable_Enhancements_and_Changes
https://wiki.samba.org/index.php/Migrating_the_ntvfs_File_Server_Back_End_to_s3fs
Hope this may help in some way.

MathieuO (erems) said :
#2

Hello,
thank you for the reply but I don't think this is related since that change occurred a while ago (Samba 4.5).
Regards.

Bernard Stafford (bernard010) said :
#3

https://launchpad.net/ubuntu/+source/samba/2:4.13.14+dfsg-0ubuntu0.20.04.2
Available diffs 2:4.11.6 to 2:4.13.14
libpam-winbind-dbgsym debug symbols for libpam-winbind link.
At the bottom of the page is winbind-dbgsym debug symbols for winbind link.
