Bug 1853272

Summary: The 'require_membership_of' documentation in pam_winbind manpage is incorrect [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7 Reporter: Akshay Sakure <asakure>
Component: sambaAssignee: Andreas Schneider <asn>
Status: CLOSED ERRATA QA Contact: sssd-qe <sssd-qe>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.8CC: asn, dkarpele, gdeschner, iboukris, jarrpa, jreznik, tscherf
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: samba-4.10.16-8.el7_9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-15 11:18:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Akshay Sakure 2020-07-02 10:20:12 UTC 
Description of problem:
After upgrading to samba-4.10.4-11.el7_8 the parameter 'require_membership_of' no longer works for DOMAIN\groupname or DOMAIN\username, ONLY SID value works.


Version-Release number of selected component (if applicable):
---
samba-client-libs-4.10.4-11.el7_8.x86_64                    Mon Jun 15 11:52:50 2020
samba-common-4.10.4-11.el7_8.noarch                         Mon Jun 15 11:52:48 2020
samba-common-libs-4.10.4-11.el7_8.x86_64                    Mon Jun 15 11:52:50 2020
samba-common-tools-4.10.4-11.el7_8.x86_64                   Mon Jun 15 11:52:51 2020
samba-libs-4.10.4-11.el7_8.x86_64                           Mon Jun 15 11:52:50 2020
samba-winbind-4.10.4-11.el7_8.x86_64                        Mon Jun 15 11:52:51 2020
samba-winbind-clients-4.10.4-11.el7_8.x86_64                Mon Jun 15 11:52:52 2020
samba-winbind-modules-4.10.4-11.el7_8.x86_64                Mon Jun 15 11:52:51 2020
---


How reproducible:
Always


Steps to Reproduce:
1. Upgrade samba packages to latest version -> 4.10.4-11.el7_8

2. Make use of parameter 'require_membership_of' either in /etc/pam.d/password-auth file with pam_winbind.so module or in /etc/security/pam_winbind.conf file:
---
require_membership_of = DOMAIN\groupname
---

3. Try to login as AD user belonging to mentioned group and it fails with an error:
---
pam_winbind(sshd:auth): could not lookup name: groupname
pam_winbind(sshd:auth): cannot convert group groupname to sid, check if group groupname is valid group.
---


Actual results:
AD user login fails with an error:
---
pam_winbind(sshd:auth): could not lookup name: groupname
pam_winbind(sshd:auth): cannot convert group groupname to sid, check if group groupname is valid group.
---


Expected results:
Members of group mentioned in 'require_membership_of' should be able to login.


Additional info:

ONLY SID works but DOMAIN\groupname or DOMAIN\username doesn't work. 

Ideally, this should work as per the pam_winbind.conf/pam_winbind man-page and BZ https://bugzilla.redhat.com/show_bug.cgi?id=1828924
Earlier version of samba used to work with even short username/groupnames.
Comment 4 Andreas Schneider 2020-07-08 10:49:37 UTC 
We will update the pam_winbind.conf manpage with:


       require_membership_of=[SID or NAME]

           If this option is set, pam_winbind will only succeed if the user is a member of the given
           SID or NAME. A SID can be either a group-SID, an alias-SID or even an user-SID. It is also
           possible to give a NAME instead of the SID. That name must have the form: MYDOMAIN\mygroup
           or MYDOMAIN\myuser (where '\' character corresponds to the value of 'winbind separator'
           parameter).. pam_winbind will, in that case, lookup the SID internally. Note that NAME may
           not contain any spaces. It is thus recommended to only use SIDs. You can verify the list
           of SIDs a user is a member of with 'wbinfo --user-sids=SID'.
Comment 11 Andreas Schneider 2020-09-10 11:24:29 UTC 
We should fix the documentation of the manpages for pam_winbind(8) and pam_winbind.conf(5) for 'require_membership_of' that customer are able to configure their systems correctly and avoid more support cases because of incorrect manpages.
Comment 19 errata-xmlrpc 2020-12-15 11:18:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: samba security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5439