I think I've found the problem:
Quoting from the last patch:

From: Ralph Boehme <s...@samba.org>
Date: Fri, 8 Oct 2021 12:33:16 +0200
Subject: [PATCH 138/284] CVE-2020-25717: s3:auth: remove fallbacks in
 smb_getpwnam()

So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account") completely
ignoring the domain part, this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!

As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!

For users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().

The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]")  mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.

-- end quote ---

So I've configured the smb.conf with:
username map script = /export/sbin/remove_domain.pl

to strip the domain from the username.

This is a very basic Perl script (DON'T USE THIS):

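#!/usr/bin/perl -w
use strict;

# Samba passes the user name from the authentication request as the only argument.
my $username = defined $ARGV[0] ? $ARGV[0] : '';
chomp $username;

# Strip the LABTA domain prefix; print nothing for any other name.
if ($username =~ /^LABTA\\([a-zA-Z0-9\-]+)$/) {
    $username = $1;
    print "$username\n";
}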


With this configuration the 4.7.6+dfsg~ubuntu-0ubuntu2.26 starts to work.






** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25717
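
A stricter variant of the map script in the comment above, as an added example (not part of the original comment and not Samba's own code): it strips only the one expected domain, keeps the comment's character set for the account part, and refuses to map onto privileged local names, since stripping the domain brings back the "DOMAIN\account" versus "account" mixing the quoted commit message describes. `ALLOWED_DOMAIN`, `DENY_NAMES` and the function name `strip_domain` are assumptions of this example; `LABTA` is the domain from the comment.

```shell
#!/bin/sh
# Added example: username map script that strips one expected domain only.
# Samba calls it with the user name as $1 and reads the mapped name from stdout.
LC_ALL=C; export LC_ALL                  # keep the a-z ranges ASCII-only

ALLOWED_DOMAIN='LABTA'                   # domain from the comment above
DENY_NAMES='root daemon bin sys nobody'  # assumed local names that must never be a mapping target
BS='\'                                   # a single literal backslash

# strip_domain NAME
# Prints "account" for "ALLOWED_DOMAIN\account" and returns 0.
# Prints nothing and returns 1 for every other input.
strip_domain() {
    name=$1

    # Only the one expected domain is stripped; DOMAIN2\account is left alone.
    case $name in
        "$ALLOWED_DOMAIN$BS"*) account=${name#"$ALLOWED_DOMAIN$BS"} ;;
        *) return 1 ;;
    esac

    # Same character set as the Perl regex; also reject empty names and a
    # leading '-' (stricter than the original script).
    case $account in
        ''|-*|*[!a-zA-Z0-9-]*) return 1 ;;
    esac

    # Compare in lower case so that ROOT is refused as well as root.
    lower=$(printf '%s' "$account" | tr 'A-Z' 'a-z')
    for deny in $DENY_NAMES; do
        if [ "$lower" = "$deny" ]; then
            return 1
        fi
    done

    printf '%s\n' "$account"
}

# Like the Perl script, print nothing for names that are not mapped and exit 0.
if [ "$#" -ge 1 ]; then
    strip_domain "$1" || :
fi
```
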

https://bugs.launchpad.net/bugs/1954342

Title:
  Client authentication error "Failed to convert SID ... to a PID"
