On to, 30 joulu 2021, Konstantin M. Khankin via FreeIPA-users wrote:
>Hello!
>
>I have several SMB shares served by Samba using Kerberos accounts managed
>by FreeIPA. I have no AD integrations and no AD itself. Windows clients are
>configured using this
><https://www.freeipa.org/page/Windows_authentication_against_FreeIPA>
>guide, linux clients use ipa-client and "smbclient -k". Servers and linux
>clients use CentOS 7.

This method is not supported, as stated multiple times on this very
least for the past several years.

>
>Today I received updates for ipa-* (to 4.6.8-5.el7.centos.*10* from
>4.6.8-5.el7.centos.*9*) and samba-* (to 4.10.16-*17*.el7_9 from
>4.10.16-*15*.el7_9)
>packages and authentication broke, no clients can connect to shares
>anymore. Here are logs from linux client:
>
>$ klist
>Ticket cache: KEYRING:persistent:1696200001:1696200001
>Default principal: me@MYDOMAIN.LOC
>
>Valid starting       Expires              Service principal
>12/30/2021 18:04:03  12/31/2021 18:03:46
> cifs/samba.server.mydomain.loc@MYDOMAIN.LOC
>12/30/2021 18:04:02  12/31/2021 18:03:46
> nfs/samba.server.mydomain.loc@MYDOMAIN.LOC
>12/30/2021 18:03:49  12/31/2021 18:03:46  krbtgt/MYDOMAIN.LOC@MYDOMAIN.LOC
>
>$ smbclient -k -L //samba.server.mydomain.loc
>session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
>
>Server logs:
>
>*log.smbd:*
>[2021/12/30 19:03:23.597495,  2]
>../../source3/lib/smbldap.c:847(smbldap_open_connection)
>  smbldap_open_connection: connection opened
>[2021/12/30 19:03:23.695598,  3]
>../../source3/lib/smbldap.c:1069(smbldap_connect_system)
>  ldap_connect_system: successful connection to the LDAP server
>[2021/12/30 19:03:23.737401,  1] ipa_sam.c:4896(pdb_init_ipasam)
>  pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
>mydomain.loc
>[2021/12/30 19:03:23.737597,  3] ../../lib/util/access.c:365(allow_access)
>  Allowed connection from 192.168.10.1 (192.168.10.1)
>
>*log.192.168.10.1:*
>...
>[2021/12/30 19:05:22.458992,  3]
>../../source3/smbd/negprot.c:776(reply_negprot)
>  Selected protocol SMB 2.???
>[2021/12/30 19:05:22.459495,  3]
>../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
>  Selected protocol SMB3_11
>[2021/12/30 19:05:22.524677,  3]
>../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
>  gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute
>failed: The operation or option is not available or unsupported: No such
>file or directory
>[2021/12/30 19:05:22.524750,  1]
>../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
>  gensec_generate_session_info_pac: Unable to find PAC in ticket from
>me@MYDOMAIN.LOC, failing to allow access
>[2021/12/30 19:05:22.524784,  3]
>../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
>  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
>status[NT_STATUS_NO_IMPERSONATION_TOKEN] || at
>../../source3/smbd/smb2_sesssetup.c:146
>[2021/12/30 19:05:22.525565,  3]
>../../source3/smbd/server_exit.c:236(exit_server_common)
>  Server exit (NT_STATUS_END_OF_FILE)
>
>Googling, source-digging and "log level = 5" were not helpful. However, I
>find changelogs somewhat interesting:
>
>$ rpm -q --changelog ipa-server | head
>* Thu Dec 16 2021 CentOS Sources <bugs@centos.org> - 4.6.8-5.el7.centos.10
>- Roll in CentOS Branding
>
>* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud@redhat.com> -
>4.6.8-5.el7_9.10
>- Resolves: 2025848 - RHEL 8.6 IPA Replica Failed to configure PKINIT setup
>against a RHEL 7.9 IPA server
>  - Fix cert_request for KDC cert
>- Resolves: 2021444 - CVE-2020-25719 ipa: samba: *Samba AD DC did not
>always rely on the SID and PAC in Kerberos tickets*
>  - SMB: switch IPA domain controller role
>
>$ rpm -q --changelog samba | head
>* Mon Nov 15 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-17
>- related: #2019673 - *Add missing checks for IPA DC server role*
>
>* Mon Nov 08 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-16
>- resolves: #2019661 - Fix CVE-2016-2124
>- resolves: #2019673 - Fix CVE-2020-25717
>- resolves: #2021428 - *Add missing PAC buffer types to krb5pac.idl*
>
>I don't have access to the mentioned bugs in Bugzilla unfortunately. Maybe
>someone knows if I need to do something after upgrading these packages?

You need to make sure IPA has issued proper SIDs to all your users.
This can be achieved with 'ipa-adtrust-install --add-sids' ran on IPA
server owning Trust Controller role. Once SID is present in the user's
entry, its presence will force IPA KDC to issue PAC as a part of a TGT
and it will be copied to a service ticket requested by a client which
presented this TGT, unless the target service object in IPA forbids that
(only NFS so far).

IPA update on RHEL 7.9 does not have additional logic which went into
security updates IPA on RHEL 8.4+ and Fedora to issue SIDs at install
time (and additional tools to make up for missing SIDs). It also does
not have the code to enforce some of new buffers in PACs as backporting
them was not feasible.

Regarding what this is all about, I have a blog in works about it but
now is holidays' time. Below I'd give you few references to read to get a
glimpse of what we dealt with:

---------------------------------------------------------
On November 9th 2021 Microsoft did their traditional monthly security
update. Four issues among the published security fixes were in the area
of Active Directory and were attributed to Samba Team and its members:

  - CVE-2021-42291: Active Directory Domain Services Elevation of
    Privilege Vulnerability, Active Directory permissions updates,
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42291

  - CVE-2021-42287: Active Directory Domain Services Elevation of
    Privilege Vulnerability, Authentication updates,
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42287

  - CVE-2021-42282: Active Directory Domain Services Elevation of
    Privilege Vulnerability, Verification of uniqueness for user
    principal name, service principal name, and the service principal
    name alias,
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42282

  - CVE-2021-42278: Active Directory Domain Services Elevation of
    Privilege Vulnerability, Active Directory Security Accounts Manager
    hardening changes,
    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42278

A coordinated security release of Samba 4.15.2 by the Samba Team fixes
eight security issues, some of them around the same theme as Microsoft's
ones:

  - CVE-2016-2124:  SMB1 client connections can be downgraded to
    plaintext authentication,
    https://www.samba.org/samba/security/CVE-2016-2124.html (Something
    left from the Badlock bugs)

  - CVE-2020-25717: A user on the domain can become root on domain
    members, https://www.samba.org/samba/security/CVE-2020-25717.html,
    (PLEASE READ! There are important behaviour changes described)

  - CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos
    tickets issued by an RODC,
    https://www.samba.org/samba/security/CVE-2020-25718.html

  - CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in
    Kerberos
    tickets,https://www.samba.org/samba/security/CVE-2020-25719.html

  - CVE-2020-25721: Kerberos acceptors need easy access to stable AD
    identifiers (eg objectSid),
    https://www.samba.org/samba/security/CVE-2020-25721.html

  - CVE-2020-25722: Samba AD DC did not do sufficient access and
    conformance checking of data stored,
    https://www.samba.org/samba/security/CVE-2020-25722.html

  - CVE-2021-3738:  Use after free in Samba AD DC RPC server,
    https://www.samba.org/samba/security/CVE-2021-3738.html

  - CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability,
    https://www.samba.org/samba/security/CVE-2021-23192.html

The scope of changes is enormous. Just on the Samba side there are 220
patches between 4.15.2 and the previous minor release, 4.15.1. However,
Samba 4.15.1 release was a preparation -- it also merged some 3000
patches, establishing a ground for testing Kerberos protocol behavior.
These tests helped to reduce behavior differences between Samba AD and
Windows-based Active Directory deployments and made the security release
possible at all.

---------------------------------------------------------


Anyway, the scenario you are running is not supported by FreeIPA team.

>
>Rolling back samba packages is unwanted given that Samba sources mention
>this is unsafe.
>
>Thanks!
>
>--
>Konstantin Khankin




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland