enterprise-support team mailing list archive
-
enterprise-support team
-
Mailing list archive
-
Message #08626
[Bug 1952219] [NEW] AD-joined Samba Server stops working after upgrade to 4.13.14+dfsg-0ubuntu0.20.04.1
Public bug reported:
Ubuntu Release: Ubuntu 20.04.3 LTS
Package: samba 4.13.14+dfsg-0ubuntu0.20.04.1
Expected behavior:
I'm running a 20.04.03 LTS server joined into an AD-Domain via sssd.
Logging in via ssh works like fine.
The server also exports the user homes via samba, so the users can access
their homes e.g. via \\myserver\myusername from their Windows10 desktops
"just like that". The authentication via kerberos works flawlessly,
they do not have to provide a password.
That was the case for the system as long as it was running samba version 4.11.6.
What happens instead?
After a regular nightly system security update, the samba server
stack went from:
libsmbclient 2:4.11.6+dfsg-0ubuntu1.10 samba install ok installed
libwbclient0 2:4.11.6+dfsg-0ubuntu1.10 samba install ok installed
python3-samba 2:4.11.6+dfsg-0ubuntu1.10 samba install ok installed
samba 2:4.11.6+dfsg-0ubuntu1.10 hold ok installed
samba-common 2:4.11.6+dfsg-0ubuntu1.10 samba install ok installed
samba-common-bin 2:4.11.6+dfsg-0ubuntu1.10 samba install ok installed
samba-dsdb-modules 2:4.11.6+dfsg-0ubuntu1.10 samba install ok installed
samba-libs 2:4.11.6+dfsg-0ubuntu1.10 samba install ok installed
samba-vfs-modules 2:4.11.6+dfsg-0ubuntu1.10 samba install ok installed
to:
libsmbclient 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba install ok installed
libwbclient0 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba install ok installed
python3-samba 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba install ok installed
samba 2:4.13.14+dfsg-0ubuntu0.20.04.1 install ok installed
samba-common 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba install ok installed
samba-common-bin 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba install ok installed
samba-dsdb-modules 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba install ok installed
samba-libs 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba install ok installed
samba-vfs-modules 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba install ok installed
(aktually the following packages got updated:
libicu66 libipa-hbac0 libldb2 libsmbclient libsss-idmap0 libwbclient0 python3-ldb python3-samba python3-sss samba samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules sssd sssd-ad sssd-ad-common sssd-common sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools)
After the update, the export of the user homes is not working anymore.
The Windows10 users are not able to reach it via "\\myserver\myusername".
The share is unavailable.
I can reproduce that behavior, by restoring an older snapshot
of that virtual server. It works fine at first (immediately after the
restore), but then -after an initiated package update- it stops working.
Here is my smb.conf:
-------------------------------------------------------
[global]
interfaces = lo ens160
bind interfaces only = yes
realm = MYDOMA.IN
kerberos method = secrets and keytab
server string = %h server (Samba, Ubuntu)
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
log level = 3
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[Homes]
comment = User Homes
path = /home/mydoma.in/%U
browsable = yes
valid users = %U
force group = "Domain users"
follow symlinks = yes
wide links = no
writable = yes
read only = no
force create mode = 0660
create mask = 0777
directory mask = 0777
force directory mode = 0770
access based share enum = yes
hide unreadable = yes
----------------------------------------------------------
When trying to connect from a Windows10 client, the updated samba server
(4.13.14) logs for that particular IP address show:
[2021/11/25 11:12:52.256505, 1] ../../source3/librpc/crypto/gse_krb5.c:179(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(WORKGROUP) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2021/11/25 11:12:52.256532, 3] ../../source3/librpc/crypto/gse_krb5.c:570(gse_krb5_get_server_keytab)
../../source3/librpc/crypto/gse_krb5.c:570: Warning! Unable to set mem keytab from secrets!
[2021/11/25 11:12:52.258626, 1] ../../source3/librpc/crypto/gse_krb5.c:179(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(WORKGROUP) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2021/11/25 11:12:52.258647, 3] ../../source3/librpc/crypto/gse_krb5.c:570(gse_krb5_get_server_keytab)
../../source3/librpc/crypto/gse_krb5.c:570: Warning! Unable to set mem keytab from secrets!
[2021/11/25 11:12:52.259947, 1] ../../source3/auth/auth_generic.c:209(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Unexpected PAC for [myuser@MYDOMAIN] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2021/11/25 11:12:52.259983, 3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/11/25 11:12:52.260415, 3] ../../source3/smbd/server_exit.c:220(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
** Affects: samba (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1952219
Title:
AD-joined Samba Server stops working after upgrade to
4.13.14+dfsg-0ubuntu0.20.04.1
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1952219/+subscriptions