Bug 2078914

Summary: /etc/samba/smbusers erroneously applies unix group memberships to user account entries
Product: Red Hat Enterprise Linux 8
Reporter: Pavel Filipensky <pfilipen>
Component: samba
Assignee: Andreas Schneider <asn>
Status: CLOSED NOTABUG
QA Contact: Denis Karpelevich <dkarpele>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.6
CC: aboscatt, asn, bstinson, didier.moens, dkarpele, gdeschner, jarrpa, jwboyer
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2059151
Environment:
Last Closed: 2022-04-26 14:28:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2059151
Bug Blocks: 2074891, 2078915

Description Pavel Filipensky 2022-04-26 13:34:47 UTC
+++ This bug was initially created as a clone of Bug #2059151 +++

for 8.6 zstream

Description of problem:

Since a recent Samba upgrade (4.14 / 4.15 ?), unix group membership rules are erroneously applied to /etc/samba/smbusers unix user accounts (i.e. entries without the '@' prefix).


Version-Release number of selected component (if applicable):

Tested with latest samba-4.15.5-3.el8.x86_64


How reproducible:

Always


Steps to Reproduce:
1. /etc/samba/smbusers entry: "root = administrator admin"
2. start a Samba session with a Samba user account belonging to the Unix group "admin"


Actual results:

User access is refused


Expected results:

User should be granted access


Additional info:

1. user "didier" is member of the unix group "admin". The user is mapped to the 'root' account, which does not have a valid Samba account; hence access is denied.

[2022/02/28 09:53:40.769579,  3, pid=4179984, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:202(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [SAMBA]\[didier]@[CP0043] with the new password interface
[2022/02/28 09:53:40.769593,  3, pid=4179984, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:205(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [SAMBA]\[root]@[CP0043]
[2022/02/28 09:53:40.770828,  3, pid=4179984, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'root' in passdb.
[2022/02/28 09:53:40.770854,  2, pid=4179984, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [didier] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

2. https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#USERNAMEMAP states: "The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group."

The @-prefix is not present, nevertheless group membership rules are applied.


3. Mitigation:
3a. accounts which are not a member of unix group "admin" are granted access;
3b. commenting out the "root = administrator admin" smbusers entry grants access to members of unix group "admin".



4. Summary:
It seems (unwanted) group membership rules are applied *without* the "@" prefix.
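
The username-map semantics quoted in point 2, modelled as an added example (this is not Samba's code and not part of the report): plain names on the right match a username, "@group" matches members of that UNIX group, and a lint flags entries whose plain names collide with a group name, which is the configuration this bug affects. The group memberships, the case-insensitive name match and the omission of the "!" and "*" forms from the man page are assumptions of this model.

```python
# Added example: models the documented smb.conf(5) username-map rules
# (plain name = username match, "@group" = UNIX group membership).
# Group data is constructed sample input; this is not Samba's implementation.
from typing import Dict, List, Tuple

Entry = Tuple[str, List[str]]

def parse_username_map(text: str) -> List[Entry]:
    """Parse smbusers-style lines: 'unixname = name1 name2 @group'."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or "=" not in line:
            continue
        unix_name, rhs = (part.strip() for part in line.split("=", 1))
        entries.append((unix_name, rhs.split()))
    return entries

def map_username(user: str, entries: List[Entry], groups: Dict[str, List[str]],
                 apply_group_rules_without_at: bool = False) -> str:
    """Return the unix name `user` maps to; the first matching entry wins.

    apply_group_rules_without_at=True reproduces the behaviour this bug
    reports: a plain name that also names a UNIX group matches its members.
    """
    for unix_name, names in entries:
        for name in names:
            if name.startswith("@"):                       # documented group rule
                if user in groups.get(name[1:], []):
                    return unix_name
            elif name.lower() == user.lower():             # plain username match
                return unix_name
            elif apply_group_rules_without_at and user in groups.get(name, []):
                return unix_name                           # the reported misbehaviour
    return user  # no entry matched: the username is left unchanged

def lint_map(entries: List[Entry], groups: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Flag plain (no '@') right-hand names that are also UNIX group names.

    On an affected build such an entry silently remaps every group member.
    """
    return [(unix_name, n) for unix_name, names in entries for n in names
            if not n.startswith("@") and n in groups]

# Constructed sample: the entry from the report and a user in group "admin".
SMBUSERS = "root = administrator admin\n"
GROUPS = {"admin": ["didier"], "wheel": ["root"]}
ENTRIES = parse_username_map(SMBUSERS)
```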

--- Additional comment from Pavel Filipensky on 2022-04-06 08:24:05 UTC ---

Fix is in progress. Bug was created in samba upstream:
https://bugzilla.samba.org/show_bug.cgi?id=15041

--- Additional comment from Pavel Filipensky on 2022-04-13 08:57:43 UTC ---

Patch for samba-4.15 and samba-4.16 ready. Plan is to fix it in RHEL 8.7 and 9.1 and then to create zstream bugs for 8.6 and 9.0.