Description Pavel Filipensky
2022-04-13 09:39:39 UTC
+++ This bug was initially created as a clone of Bug #2059151 +++
Description of problem:
Since a recent Samba upgrade (4.14 / 4.15 ?), unix group membership rules are erroneously applied to /etc/samba/smbusers unix user accounts (i.e. entries without the '@' prefix).
Version-Release number of selected component (if applicable):
Tested with latest samba-4.15.5-3.el8.x86_64
How reproducible:
Always
Steps to Reproduce:
1. /etc/samba/smbusers entry: "root = administrator admin"
2. start a Samba session with a Samba user account belonging to the Unix group "admin"
Actual results:
User access is refused
Expected results:
User should be granted access
Additional info:
1. user "didier" is member of the unix group "admin". The user is mapped to the 'root' account, which does not have a valid Samba account; hence access is denied.
[2022/02/28 09:53:40.769579, 3, pid=4179984, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:202(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [SAMBA]\[didier]@[CP0043] with the new password interface
[2022/02/28 09:53:40.769593, 3, pid=4179984, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:205(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [SAMBA]\[root]@[CP0043]
[2022/02/28 09:53:40.770828, 3, pid=4179984, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:399(check_sam_security)
check_sam_security: Couldn't find user 'root' in passdb.
[2022/02/28 09:53:40.770854, 2, pid=4179984, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [didier] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
2. https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#USERNAMEMAP states: "The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group."
The @-prefix is not present, nevertheless group membership rules are applied.
3. Mitigation:
3a. accounts which are not a member of unix group "admin" are granted access;
3b. commenting out the "root = administrator admin" smbusers entry grants access to members of unix group "admin".
4. Summary:
It seems (unwanted) group membership rules are applied *without* the "@" prefix.
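To make the expected behaviour concrete, here is a small reference matcher for the documented "username map" semantics quoted above. It is an added illustration, not code from this bug report or from Samba itself: a plain name on the right-hand side matches only that username, while an "@group" name matches any Unix user in that group. The group database is a constructed in-memory dict standing in for /etc/group so the example runs offline; the "*" wildcard and case-insensitive name comparison follow the smb.conf manual, and the "!" stop marker and the "&"/"+" group forms are deliberately not modelled.

```python
"""Reference matcher for smb.conf 'username map' entries (added example).

Implements the documented semantics of the map file so an administrator can
check what a given entry *should* do for a given user, independent of the
Samba version installed.
"""
from __future__ import annotations

# Constructed Unix group database (group name -> members). This stands in
# for /etc/group so the example is deterministic and runs offline.
GROUPS: dict[str, set[str]] = {
    "admin": {"didier", "alice"},
    "users": {"didier", "bob"},
}


def parse_username_map(text: str) -> list[tuple[str, list[str]]]:
    """Parse 'unix_name = win_name1 win_name2 ...' lines.

    Lines starting with '#' or ';' are comments; blank lines and lines
    without '=' are ignored. Returns (unix_name, [patterns...]) in file order.
    """
    entries: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_name, rhs = line.split("=", 1)
        entries.append((unix_name.strip(), rhs.split()))
    return entries


def name_matches(pattern: str, user: str, groups: dict[str, set[str]]) -> bool:
    """Documented matching rule for one right-hand-side name.

    '*'      matches every user;
    '@group' matches any Unix user who is a member of that group;
    anything else is a literal username, compared case-insensitively.
    A bare group name such as 'admin' is therefore just the user 'admin'.
    """
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return user in groups.get(pattern[1:], set())
    return pattern.lower() == user.lower()


def map_user(user: str, map_text: str, groups: dict[str, set[str]] = GROUPS) -> str:
    """Return the Unix account the map would select for `user`.

    First matching entry wins; a user that matches nothing keeps its name.
    """
    for unix_name, patterns in parse_username_map(map_text):
        if any(name_matches(p, user, groups) for p in patterns):
            return unix_name
    return user


if __name__ == "__main__":
    # The entry from the bug report, with and without the '@' prefix.
    bug_entry = "root = administrator admin"
    group_entry = "root = administrator @admin"
    for entry in (bug_entry, group_entry):
        for user in ("didier", "admin", "administrator", "bob"):
            print(f"{entry!r:40} {user:14} -> {map_user(user, entry)}")
```

Running the script shows that with the bug report's entry "root = administrator admin" the user "didier" stays "didier" (the "Expected results" above), and only the literal users "admin" and "administrator" are mapped to root; adding the "@" prefix is what makes group membership count. Comparing this output with the "mapped user is:" line that smbd logs at debug level 3 (see the log excerpt above) is a quick way to confirm whether an installed version applies the documented rule.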
--- Additional comment from Pavel Filipensky on 2022-04-06 08:24:05 UTC ---
Fix is in progress. Bug was created in samba upstream:
https://bugzilla.samba.org/show_bug.cgi?id=15041
--- Additional comment from Pavel Filipensky on 2022-04-13 08:57:43 UTC ---
Patch for samba-4.15 and samba-4.16 ready. Plan is to fix it in RHEL 8.7 and 9.1 and then to create zstream bugs for 8.6 and 9.0.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: samba security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2022:8317