Public bug reported:

The patches for CVE-2020-25717 appear to have introduced a functional
regression in the Samba packages 2:4.7.6+dfsg~ubuntu-0ubuntu2.26 and
greater.

After update (both to .26 and .27), the smbd service fails to authenticate 
users with the following message:
[2021/12/16 21:57:51.633034, 0] ../source3/auth/auth_generic.c:125(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS

Rolling back to 2:4.7.6+dfsg~ubuntu-0ubuntu2.24 or earlier restores
functionality.

Inspecting the CVE patches, I noticed that the patches assume that
winbind is required for *all* AD-related modes. This is true in Samba
4.8+, but not on the 4.7 series. This causes failures in environments
using something other than winbind; in the case I am looking at, SSSD.

I believe the most direct culprit is in the "CVE-2020-25717-26.patch" file in 
the packaging. Specifically, the following bit of patch:
                switch (wbc_err) {
-                       case WBC_ERR_WINBIND_NOT_AVAILABLE:
                        case WBC_ERR_SUCCESS:
                                break;
+                       case WBC_ERR_WINBIND_NOT_AVAILABLE:
+                               status = NT_STATUS_NO_LOGON_SERVERS;
+                               DBG_ERR("winbindd not running - "
+                                       "but required as domain member: %s\n",
+                                       nt_errstr(status));
+                               goto done;
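
Review bot: The added WBC_ERR_WINBIND_NOT_AVAILABLE case sets NT_STATUS_NO_LOGON_SERVERS and jumps to done unconditionally, where the removed label fell through to the WBC_ERR_SUCCESS break. Nothing in the visible lines distinguishes a domain member that is deliberately run without winbindd from one whose winbindd has stopped, so every such host now fails authentication at this point. If the hard failure is needed for the fix, state the new winbindd requirement in the package changelog so administrators see it before upgrading; if it is not, make the failure depend on whether this release series actually requires winbindd for the configured mode. The DBG_ERR text could also name the remedy (start winbindd) rather than only the status string.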

This is the error message encountered. The patch turns the condition of
"no running winbind" into an error, when it wasn't one before. I am
unsure if this is a hard requirement for the CVE to be corrected, and it
appears that other changes in the Kerberos PAC handling code may make
restoration of the expected 4.7 behavior interesting.

I believe this is related to these other bugs that are similar:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954877
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: sts

https://bugs.launchpad.net/bugs/1956635

Title:
  samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.26+ regression when not using
  winbind
