enterprise-support team mailing list archive
Message #08709
[Bug 1956635] [NEW] samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.26+ regression when not using winbind
Public bug reported:
The patches for CVE-2020-25717 appear to have introduced a functional
regression in the Samba packages 2:4.7.6+dfsg~ubuntu-0ubuntu2.26 and
greater.
After update (both to .26 and .27), the smbd service fails to authenticate users with the following message:
[2021/12/16 21:57:51.633034, 0] ../source3/auth/auth_generic.c:125(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
Rolling back to 2:4.7.6+dfsg~ubuntu-0ubuntu2.24 or earlier restores
functionality.
Inspecting the CVE patches, I noticed that the patches assume that
winbind is required for *all* AD related modes. This is true in Samba
4.8+, but not on the 4.7 series. This causes failures in environments
using something other than winbind, in the case I am looking at, SSSD.
I believe the most direct culprit is in the "CVE-2020-25717-26.patch" file in the packaging. Specifically, the following bit of patch:
switch (wbc_err) {
- case WBC_ERR_WINBIND_NOT_AVAILABLE:
case WBC_ERR_SUCCESS:
break;
+ case WBC_ERR_WINBIND_NOT_AVAILABLE:
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ DBG_ERR("winbindd not running - "
+ "but required as domain member: %s\n",
+ nt_errstr(status));
+ goto done;
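Review bot: The relocated `case WBC_ERR_WINBIND_NOT_AVAILABLE:` now fails unconditionally with NT_STATUS_NO_LOGON_SERVERS, and nothing in the branch checks whether this domain member is actually configured to rely on winbindd. Before the change the case shared the `break;` with WBC_ERR_SUCCESS, so hosts without winbindd kept authenticating. If the hard failure is needed for the CVE-2020-25717 fix, the new requirement should be documented for the 4.7 series (package changelog or release notes) and the DBG_ERR text should tell the administrator what to do. If it is not needed, consider guarding the `goto done;` with a condition instead of applying it to every caller.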
This is the error message encountered. The patch turns the condition of
"no running winbind" into an error, when it wasn't one before. I am
unsure if this is a hard requirement for the CVE to be corrected, and it
appears that other changes in the Kerberos PAC handling code may make
restoration of the expected 4.7 behavior interesting.
I believe this is related to these other bugs that are similar:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954877
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342
** Affects: samba (Ubuntu)
Importance: Undecided
Status: New
** Tags: sts
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1956635
Title:
samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.26+ regression when not using
winbind
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1956635/+subscriptions
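For triaging hosts after the update, the following added example (not part of the bug report or of Samba) parses smbd's two-line log records and flags the failure signature quoted in the report. The function names are hypothetical, and the sample log is constructed around the single record shown in the report.

```python
import re

# Header line of a Samba log record: "[timestamp, level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# Message text and status taken from the log record quoted in the report.
SIGNATURE = "winbindd not running - but required as domain member"
STATUS = "NT_STATUS_NO_LOGON_SERVERS"

def parse_records(text):
    """Group a Samba log into records: one header line plus its message lines."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "message": ""}
            records.append(current)
        elif current is not None and raw.strip():
            # Continuation lines belong to the most recent header.
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    return records

def find_regression(text):
    """Return records matching the failure described in the report.

    Matches on function name and message, not on the source line number,
    which can differ between package builds.
    """
    return [r for r in parse_records(text)
            if r["func"] == "auth3_generate_session_info_pac"
            and SIGNATURE in r["message"] and STATUS in r["message"]]

# Constructed sample: the second record is the one quoted in the report, the
# first and third are made up for illustration.
SAMPLE_LOG = """\
[2021/12/16 21:57:50.101200,  3] ../source3/example/example.c:1(example_function)
  constructed unrelated message
[2021/12/16 21:57:51.633034, 0] ../source3/auth/auth_generic.c:125(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2021/12/16 21:58:03.000412, 0] ../source3/auth/auth_generic.c:125(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
"""

if __name__ == "__main__":
    for hit in find_regression(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["message"])
```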