RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2036595 - authentication with kerberos realm not working after update to samba-4.10.16-17
Summary: authentication with kerberos realm not working after update to samba-4.10.16-17
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Andreas Schneider
QA Contact: Denis Karpelevich
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-01-03 10:33 UTC by Francois Marabelle
Modified: 2022-08-15 12:46 UTC (History)
13 users (show)

Fixed In Version: samba-4.10.16-18.el7_9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-31 16:55:55 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-106747 0 None None None 2022-01-03 10:37:01 UTC
Red Hat Issue Tracker SSSD-4250 0 None None None 2022-01-12 11:23:57 UTC
Samba Project 14922 0 None None None 2022-01-12 10:26:05 UTC

Description Francois Marabelle 2022-01-03 10:33:11 UTC 
Description of problem:

Authentication with kerberos not working after update from samba-4.10.16-15 to 
samba-4.10.16-17

Version-Release number of selected component (if applicable):
samba-4.10.16-17

How reproducible:
Always

Steps to Reproduce:
1. try to authenticate to samba share from windows 
2. login fail
3.

Actual results:
authentication refused


Expected results:
login accepted


Additional info:

samba log with samba-4.10.16-15 for a user "fm":

2021/12/23 08:57:57.046599,  3] ../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
  gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
[2021/12/23 08:57:57.055079,  3] ../../auth/gensec/gensec_util.c:55(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for fm.FR, resorting to local user lookup
[2021/12/23 08:57:57.055130,  3] ../../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [fm.FR]
[2021/12/23 08:57:57.055221,  3] ../../source3/auth/user_krb5.c:107(get_user_from_kerberos_info)
  Could not find short name: WBC_ERR_WINBIND_NOT_AVAILABLE
[2021/12/23 08:57:57.055279,  5] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user LSCE.IPSL.FR\fm
[2021/12/23 08:57:57.055312,  5] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is lsce.ipsl.fr\fm
[2021/12/23 08:57:57.072956,  5] ../../source3/lib/username.c:128(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is LSCE.IPSL.FR\fm
[2021/12/23 08:57:57.074698,  5] ../../source3/lib/username.c:141(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is LSCE.IPSL.FR\FM
[2021/12/23 08:57:57.076280,  5] ../../source3/lib/username.c:153(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in lsce.ipsl.fr\fm
[2021/12/23 08:57:57.076331,  5] ../../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [LSCE.IPSL.FR\fm]!
[2021/12/23 08:57:57.076360,  5] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user fm
[2021/12/23 08:57:57.076385,  5] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is fm
[2021/12/23 08:57:57.091679,  5] ../../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [fm]!


samba log with samba-4.10.16-17 for a user "fm":

[2021/12/22 16:17:04.870964,  3] ../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
  gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
[2021/12/22 16:17:04.871089,  3] ../../auth/gensec/gensec_util.c:74(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for fm.FR, resorting to local user lookup
[2021/12/22 16:17:04.871113,  3] ../../source3/auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [fm.FR]
[2021/12/22 16:17:04.871130,  3] ../../source3/auth/user_krb5.c:67(get_user_from_kerberos_info)
  Ticket for foreign realm fm.FR
[2021/12/22 16:17:04.871162,  5] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user LSCE.IPSL.FR\fm
[2021/12/22 16:17:04.871188,  5] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is lsce.ipsl.fr\fm
[2021/12/22 16:17:04.888309,  5] ../../source3/lib/username.c:128(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is LSCE.IPSL.FR\fm
[2021/12/22 16:17:04.890020,  5] ../../source3/lib/username.c:141(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is LSCE.IPSL.FR\FM
[2021/12/22 16:17:04.891636,  5] ../../source3/lib/username.c:153(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in lsce.ipsl.fr\fm
[2021/12/22 16:17:04.891675,  5] ../../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [LSCE.IPSL.FR\fm]!
[2021/12/22 16:17:04.891702,  3] ../../source3/auth/user_krb5.c:124(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username LSCE.IPSL.FR\fm is invalid on this system
[2021/12/22 16:17:04.891719,  3] ../../source3/auth/auth_generic.c:223(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
Comment 3 Alexander Bokovoy 2022-01-03 10:50:42 UTC 
This looks similar to other bugs where winbindd is not running. Using Samba in AD environment without winbindd is not supported since 2018.

Please see https://bugzilla.redhat.com/show_bug.cgi?id=2033405 for details and advises how to correct your setup.
Comment 4 Francois Marabelle 2022-01-06 08:29:03 UTC 
Thanks for your quick answer.
I'm not familiar with samba stuff, so a question:
you refer to a configuration which seems to use an AD, and i use only ldap + mit kerberos. This works perfectly until now with a simple configuration:

[global]
   kerberos method = system keytab
   realm = MYREALM   
   guest account = nobody
   map to guest = bad user


I installed windbind + sssd, and i got the  same error

Does this means what I'm doing  is not possible anymore?
Comment 5 Alexander Bokovoy 2022-01-06 10:18:58 UTC 
Correct. With the fixes for CVE-2020-25717 Samba consolidated all configurations requiring Kerberos to be:

- domain member of Active Directory or IPA
- domain controller AD
- trust controller IPA

All these configurations have particular setup steps. Anything outside those are not supported and with CVE-2020-25717 protection are rejected by Samba.

In particular, your configuration is not valid and you need to correctly join your system to continue using Kerberos setup.
Comment 6 Alexander Bokovoy 2022-01-06 10:47:36 UTC 
There is a number of fixes that restore some of the related functionality, as mentioned in https://www.samba.org/samba/security/CVE-2020-25717.html

We haven't yet checked them for backports but these fixes are part of the rebase in CentOS 8 Stream and CentOS 9 stream already. If that helps to validate they fix your scenario, please try and report back here.
Comment 7 A. Karl Kornel 2022-01-06 21:37:12 UTC 
Hi Alexander, good afternoon!

I am also seeing the same issue as Francois, and I expect that I am using a very similar configuration.  But I have done some test patching, and I think I am able to give you the confirmation that you are looking for.  I believe that the patch in [Samba bug 14922](https://bugzilla.samba.org/show_bug.cgi?id=14922) fixes the problem.  I am right now running a Samba server in production that includes the fix ("Patches for v4-13-test", patched on top of samba 4.10.16-17).  The patched Samba server has been running since last night, and users are connected.

The rest of this post is just detail.  First, I wanted to give our current Samba configuration, and the reason why we have it set up the way we do.  Then I'll explain more how I found the fix myself, added the patch to the samba package, and deployed it to production (last night).

The global part of our smb.conf looks like this (with some things, like interface configuration, removed to save space):

[global]
    workgroup = STANFORD
    realm = stanford.edu
    security = user
    encrypt passwords = yes
    server string = SCG SMB Gateway
    password server = krb5auth1.stanford.edu, krb5auth2.stanford.edu, krb5auth3.stanford.edu
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/krb5.keytab
    passdb backend = tdbsam

(Let me know if you need our full smb.conf!)

We are using our institutional Kerberos to handle user authentication, but then we are using 'local' users and groups.  I put "local" in quotes because our systems are actually pulling user information from LDAP (via SSSD).

This kind of setup is not that unusual in academic and research institutions.  Francois, for example, is from the French Laboratoire des Sciences du Climat et de l'Environnement, which studies climate and climate change.  I'm from the Stanford Research Computing Center, where we use Samba gateways to provide convenient access to some storage.  The person who originally reported this regression to the Samba team is Sebastien Chapiron, from the French Agence nationale de la sécurité des systèmes d'information, France's national cybersecurity agency.

These are likely environments that don't use Active Directory, and cater to users of systems that are probably not even joined to an AD domain.  I know that is true for Stanford; we do have an Active Directory domain, but not many systems (especially non-Windows systems) use it.  (By the way, our Kerberos realm name is actually `stanford.edu`, not `STANFORD.EDU`; Stanford started using Kerberos before the convention to uppercase realm names.).

Once we got reports of people being unable to authenticate to Samba, one of my coworkers (Taymoor Arif) was able to confirm that the issue was introduced by samba-4.10.16-17 (we were on samba-4.10.16-15).  My coworker Kilian Cavalotti theorized that it was due to CVE-2020-25717.  I found the same [security announcement](https://www.samba.org/samba/security/CVE-2020-25717.html) that you mentioned, and I noted the last addition—the one at the end of the announcement—which referred to standalone setups with MIT Kerberos and [Samba bug](https://bugzilla.samba.org/show_bug.cgi?id=14922).

Yesterday evening, I rolled out a patched samba package to one of our SCG Samba servers.  Here are the basic steps I used to build the packages:

1. I grabbed the source package for samba-4.10.16-17.el7.x86_64, and unpacked it to `~/rpmbuild`.
2. I added the patch from [Patches for v4-13-test](https://bugzilla.samba.org/attachment.cgi?id=17047) to the `~/rpmbuild/SOURCES` directory, then updated `~/rpmbuild/SPECS/samba.spec` to include that patch (after "samba-4.10-redhat.patch", but before "libldb-require-version-1.5.4.patch").  I also changed the spec file to set "main_release" to "17.1".
3. I built the packages using `rpmbuild -ba ~/rpmbuild/SOURCES/samba.spec`.
4. I installed the newly-built packages onto one of our Samba servers, using yum.

I hope all of this information explains why we have Samba configured the way that we do, and gives you the confirmation needed to backport the MIT Kerberos fix into 7.  If you need any more information from me, please let me know!
Comment 8 Francois Marabelle 2022-01-07 11:59:07 UTC 
Hello everybody

Thanks for your help and support. 
At the moment, following the link provided by Alexander, I just use the workaround given using "username map script". It works fine for me.
This help to wait for a backport.
I confirm that the way we use samba is certainly basic, but we escape from the AD suff, and it's very useful.
Comment 9 Alexander Bokovoy 2022-01-07 12:24:58 UTC 
Francois, Karl,

thank you for all the feedback. I am still on vacation (back on Monday) as well as Andreas and few other our colleagues who maintain Samba packages in RHEL.

Next week we'll look into backports but it will sure take some time to get through normal RHEL processes for updates.

I want to note, though, that there is ongoing work upstream to make sure use of Kerberos is tightened when Active Directory-like environments are in use. This might affect a plain Kerberos environment as well and there is also an effort in MIT Kerberos upstream to make corresponding changes for plain KDC environments as well. It may or may not affect your uses but it will certainly continue tightening name-based authorization to avoid issues similar to the CVEs in Active Directory implementations we reported in several last years and which were fixed in Microsoft's Active Directory implementation and in Samba in a coordinated November 2021 update. The work on improving in this area is ongoing.

To recap, below references from my upcoming blog about it:

---------------------------------------------------------
On November 9th 2021 Microsoft did their traditional monthly security
update. Four issues among the published security fixes were in the area
of Active Directory and were attributed to Samba Team and its members:

  - CVE-2021-42291: Active Directory Domain Services Elevation of
    Privilege Vulnerability, Active Directory permissions updates,
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42291

  - CVE-2021-42287: Active Directory Domain Services Elevation of
    Privilege Vulnerability, Authentication updates,
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42287

  - CVE-2021-42282: Active Directory Domain Services Elevation of
    Privilege Vulnerability, Verification of uniqueness for user
    principal name, service principal name, and the service principal
    name alias,
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42282

  - CVE-2021-42278: Active Directory Domain Services Elevation of
    Privilege Vulnerability, Active Directory Security Accounts Manager
    hardening changes,
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42278

A coordinated security release of Samba 4.15.2 by the Samba Team fixes
eight security issues, some of them around the same theme as Microsoft's
ones:

  - CVE-2016-2124:  SMB1 client connections can be downgraded to
    plaintext authentication,
    https://www.samba.org/samba/security/CVE-2016-2124.html (Something
    left from the Badlock bugs)

  - CVE-2020-25717: A user on the domain can become root on domain
    members, https://www.samba.org/samba/security/CVE-2020-25717.html,
    (PLEASE READ! There are important behaviour changes described)

  - CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos
    tickets issued by an RODC,
    https://www.samba.org/samba/security/CVE-2020-25718.html

  - CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in
    Kerberos
    tickets,https://www.samba.org/samba/security/CVE-2020-25719.html

  - CVE-2020-25721: Kerberos acceptors need easy access to stable AD
    identifiers (eg objectSid),
    https://www.samba.org/samba/security/CVE-2020-25721.html

  - CVE-2020-25722: Samba AD DC did not do sufficient access and
    conformance checking of data stored,
    https://www.samba.org/samba/security/CVE-2020-25722.html

  - CVE-2021-3738:  Use after free in Samba AD DC RPC server,
    https://www.samba.org/samba/security/CVE-2021-3738.html

  - CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability,
    https://www.samba.org/samba/security/CVE-2021-23192.html

The scope of changes is enormous. Just on the Samba side there are 220
patches between 4.15.2 and the previous minor release, 4.15.1. However,
Samba 4.15.1 release was a preparation -- it also merged some 3000
patches, establishing a ground for testing Kerberos protocol behavior.
These tests helped to reduce behavior differences between Samba AD and
Windows-based Active Directory deployments and made the security release
possible at all.

---------------------------------------------------------
Comment 10 Monty R Walls 2022-01-19 15:50:14 UTC 
I'm also see the same issue and have a support ticket in.
RHEL 7.9 with basically the same setup as Stanford.  I resolved it temporarily by rolling back to the previous minor version.  All ready use a user mapping script to map principals to uids.
Comment 11 Alexander Bokovoy 2022-01-19 16:36:41 UTC 
Public update: 

we are working on RHEL 7.9.z update that will incorporate the fixes to regressions as outlined in the CVE-2020-25717 document on Samba website (links are in comment #9).

As with any updates to RHEL, no exact dates can be communicated.
Comment 18 errata-xmlrpc 2022-01-31 16:55:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Critical: samba security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0328
Note You need to log in before you can comment on or make changes to this bug.