Samba issues after CVE-2020-25717 fixes
This document (000020533) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP2 (Samba >= 4.11.14+git.313.d4e302805e1-4.32.1)
SUSE Linux Enterprise Server 12 SP5 (Samba >= 4.10.18+git.339.c912385a5e1-3.41.1)
Situation
Deployment with Samba AD-member mode providing only file/print services, where winbind only provides authentication
In this deployment winbind only provides authentication to file/print services; it is present neither in the Name Service Switch (NSS) configuration file /etc/nsswitch.conf nor in the PAM configuration. The deployment requires local Linux user accounts to map AD users' SIDs to UIDs/GIDs. This deployment corresponds to the following configuration in YaST (yast samba-client). YaST creates the following winbind-related configuration for Samba (visible via testparm -sv):
idmap backend = tdb
idmap cache time = 604800
idmap config * : backend = tdb
idmap gid =
idmap negative cache time = 120
idmap uid =
username map =
username map script =
winbind separator = \
winbind use default domain = No
In the past, Samba attempted to find the user "DOMAIN\user" before falling back to looking up the user "user". If the "DOMAIN\user" lookup could be made to fail, a privilege escalation was possible, so the fix removes this fallback as dangerous. However, that now-removed fallback was exactly what this deployment relied on to "map" an AD user to a local Linux account.
An example of log.smb with Samba before the CVE-2020-25717 related fixes:
[2021/12/31 07:46:49.633458, 5, pid=12533, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc) Finding user EXAMPLENET\foo
[2021/12/31 07:46:49.633470, 5, pid=12533, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is examplenet\foo
[2021/12/31 07:46:49.633697, 5, pid=12533, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:128(Get_Pwnam_internals) Trying _Get_Pwnam(), username as given is EXAMPLENET\foo
[2021/12/31 07:46:49.633825, 5, pid=12533, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:141(Get_Pwnam_internals) Trying _Get_Pwnam(), username as uppercase is EXAMPLENET\FOO
[2021/12/31 07:46:49.633947, 5, pid=12533, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:153(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in examplenet\foo
[2021/12/31 07:46:49.633971, 5, pid=12533, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [EXAMPLENET\foo]!
[2021/12/31 07:46:49.633982, 5, pid=12533, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc) Finding user foo
[2021/12/31 07:46:49.633992, 5, pid=12533, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is foo
[2021/12/31 07:46:49.634016, 5, pid=12533, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals did find user [foo]!
...
[2021/12/31 07:46:49.634297, 10, pid=12533, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:322(create_local_nt_token_from_info3) Create local NT token for foo
[2021/12/31 07:46:49.634354, 10, pid=12533, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:283(gencache_set_data_blob) gencache_set_data_blob: Adding cache entry with key=[IDMAP/SID2XID/S-1-5-21-2185718108-4266305927-1067147705-1110] and timeout=[Thu Jan 1 01:00:00 AM 1970 CET] (-1640933209 seconds in the past)
...
[2021/12/31 07:46:49.654534, 10, pid=12533, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/token_util.c:874(debug_unix_user_token) UNIX token of user 1001 Primary group is 100 and contains 0 supplementary groups
[2021/12/31 07:46:49.655445, 5, pid=12533, effective(0, 0), real(0, 0)] ../../source3/auth/auth_generic.c:182(auth3_generate_session_info_pac) ../../source3/auth/auth_generic.c:182OK: user: foo domain: EXAMPLENET client: 192.168.124.35
[2021/12/31 07:46:49.655513, 4, pid=12533, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable) Successful AuthZ: [SMB2,krb5] user [EXAMPLENET]\[foo] [S-1-5-21-2185718108-4266305927-1067147705-1110] at [Fri, 31 Dec 2021 07:46:49.655502 CET] Remote host [ipv4:192.168.124.35:49626] local host [ipv4:192.168.124.35:445]
{"timestamp": "2021-12-31T07:46:49.655602+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:192.168.124.35:445", "remoteAddress": "ipv4:192.168.124.35:49626", "serviceDescription": "SMB2", "authType": "krb5", "domain": "EXAMPLENET", "account": "foo", "sid": "S-1-5-21-2185718108-4266305927-1067147705-1110", "sessionId": "2ecd47f6-8eae-4dbf-8923-d3b71d7c667f", "logonServer": "W2K19", "transportProtection": "SMB", "accountFlags": "0x00000010"}}
An example of log.smb after the CVE-2020-25717 fixes (e.g. samba-4.13.13+git.528.140935f8d6a-3.12.1 on SLES 15 SP3):
[2021/12/31 07:49:25.049908, 5, pid=14551, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc) Finding user EXAMPLENET\foo
[2021/12/31 07:49:25.049929, 5, pid=14551, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is examplenet\foo
[2021/12/31 07:49:25.050300, 5, pid=14551, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:128(Get_Pwnam_internals) Trying _Get_Pwnam(), username as given is EXAMPLENET\foo
[2021/12/31 07:49:25.050538, 5, pid=14551, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:141(Get_Pwnam_internals) Trying _Get_Pwnam(), username as uppercase is EXAMPLENET\FOO
[2021/12/31 07:49:25.050818, 5, pid=14551, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:153(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in examplenet\foo
[2021/12/31 07:49:25.050881, 5, pid=14551, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [EXAMPLENET\foo]!
[2021/12/31 07:49:25.050907, 3, pid=14551, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:1902(check_account) Failed to find authenticated user EXAMPLENET\foo via getpwnam(), denying access.
[2021/12/31 07:49:25.050939, 10, pid=14551, effective(0, 0), real(0, 0)] ../../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac) make_server_info_wbcAuthUserInfo failed: NT_STATUS_NO_SUCH_USER
[2021/12/31 07:49:25.051004, 3, pid=14551, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3863(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/12/31 07:49:25.051038, 10, pid=14551, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3755(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: mid [1] idx[1] status[NT_STATUS_LOGON_FAILURE] body[8] dyn[yes:1] at ../../source3/smbd/smb2_server.c:3911
Resolution
Deployment with Samba AD-member mode providing only file/print services, where winbind only provides authentication
The removed user lookup fallback can be mimicked with the idmap_nss identity mapping (idmap) backend for winbind, which always looks up the user with the domain part stripped:
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config EXAMPLENET : backend = nss
idmap config EXAMPLENET : range = 1000-9999
The above configuration instructs Samba to do user lookups for identity mapping via the Name Service Switch (NSS), which we presume here is configured to 'compat' or 'files', i.e. to query the local password and group databases.
Please note that if you use local accounts with UIDs lower than '1000', you have to change 'min domain uid' in /etc/samba/smb.conf, because its default value is '1000' and all UIDs lower than '1000' would be filtered out.
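As an added example (not part of this SUSE article), a small Python audit that predicts, from an smb.conf excerpt and local passwd entries, whether a DOMAIN\user name can still be mapped once the fallback is gone: the domain must use the nss idmap backend, the domain-stripped account must exist locally, and its UID must lie in the idmap range and not below 'min domain uid'. The configuration excerpt and the account entries are constructed for the example.

```python
import re
# Constructed smb.conf excerpt: the article's idmap_nss resolution for
# EXAMPLENET; 'min domain uid' is left at its default of 1000.
SMB_CONF = """[global]
    workgroup = EXAMPLENET
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    idmap config EXAMPLENET : backend = nss
    idmap config EXAMPLENET : range = 1000-9999
"""
# Constructed local accounts, as NSS 'files' would return them.
PASSWD = """foo:x:1001:100:AD user foo:/home/foo:/bin/bash
bar:x:999:100:AD user bar:/home/bar:/bin/bash
"""

def parse_smb_conf(text):
    """Return smb.conf parameters keyed by normalised (lower-case) name."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params

def parse_passwd(text):
    """Map user name -> uid from passwd-format lines."""
    return {f[0]: int(f[2]) for f in (l.split(":") for l in text.splitlines() if l)}

def check_mapping(qualified_name, params, passwd):
    """Predict whether DOMAIN\\user still maps to a local account after the
    fix: smbd no longer retries the bare name, so the domain's idmap backend
    must be nss (which strips the domain part) and the UID must be usable."""
    domain, sep, user = qualified_name.partition("\\")
    if not sep:
        return False, "name is not of the form DOMAIN\\user"
    prefix = f"idmap config {domain.lower()} : "
    if params.get(prefix + "backend") != "nss":
        return False, f"no idmap_nss backend configured for domain {domain}"
    if user not in passwd:
        return False, f"local account '{user}' does not exist"
    uid = passwd[user]
    lo, hi = (int(x) for x in params.get(prefix + "range", "0-0").split("-"))
    if not lo <= uid <= hi:
        return False, f"uid {uid} is outside idmap range {lo}-{hi}"
    min_uid = int(params.get("min domain uid", "1000"))  # Samba default
    if uid < min_uid:
        return False, f"uid {uid} is below 'min domain uid' {min_uid}"
    return True, f"{qualified_name} maps to local uid {uid}"
```

Run it against the real /etc/samba/smb.conf and `getent passwd` output before upgrading to see which AD accounts would start failing with NT_STATUS_NO_SUCH_USER.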
Cause
Additional Information
- https://www.samba.org/samba/security/CVE-2020-25717.html
- On SLES 12 SP5, at least samba >= 4.10.18+git.344.93a2ffaacec-3.44.2.x86_64 is needed.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020533
- Creation Date: 03-Jan-2022
- Modified Date: 15-Mar-2023
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com