Bug 1868917

Summary: Malfunctioning %U substitution in valid users option [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7 Reporter: Aleksandr Sharov <asharov>
Component: sambaAssignee: Andreas Schneider <asn>
Status: CLOSED ERRATA QA Contact: sssd-qe <sssd-qe>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.8CC: asn, dkarpele, gdeschner, iboukris, jarrpa, jreznik, tscherf
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: samba-4.10.16-8.el7_9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1869702 (view as bug list) Environment:
Last Closed: 2020-12-15 11:18:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1869702    

Description Aleksandr Sharov 2020-08-14 10:30:26 UTC 
Description of problem:
Clients from AD can't connect to shares if valid users are specified:
valid users = VOZ\%U, CNT\%U

users get error:

[2020/08/06 09: 30: 33.093727, 1] ../../source3/smbd/service.c:359(create_connection_session_info)
   create_connection_session_info: user 'CNT \ krymchanskiy' (from session setup) not permitted to access this share (IPC $)
[2020/08/06 09: 30: 33.093803, 1] ../../source3/smbd/service.c:531(make_connection_snum)
   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

Client has upgraded for RHEL6/Samba 3 (where config was working) to RHEL7.8/samba-4.10.4-11.el7_8.x86_64 , and users cannot connect unless valid users line is commented out.

Client claims that no combination below works for him:
1. # valid users = VOZ\%U, CNT\%U
2. # valid users = VOZ\%S, CNT\%S
3. # valid users = %S


Version-Release number of selected component (if applicable):
Samba 4.10.4-11.el7

How reproducible:
-

Steps to Reproduce:
-

Actual results:
Users get NT_STATUS_ACCESS_DENIED error

Expected results:
Users are able to connect to share

Additional info:

Details and debug samba logs can be found in case https://access.redhat.com/support/cases/#/case/02722187
Comment 3 Andreas Schneider 2020-09-10 10:43:58 UTC 
This is a regression in Samba 4.x compared to Samba 3.6 in RHEL6. So we would like to address this regression for the customer as the fix is simple and it comes with upstream tests.
Comment 12 errata-xmlrpc 2020-12-15 11:18:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: samba security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5439