View Issue Details

ID: 0016350
Project: CentOS-6
Category: samba
View Status: public
Last Update: 2019-10-09 11:56
Reporter: gwinkless
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 6.10
Target Version:
Fixed in Version:
Summary: 0016350: samba packages 3.6.23-52.el6_10 breaks AD groups integration
Description: Have servers set up to authenticate users with Kerberos integrating with AD; users can no longer log in when updated to 3.6.23-52.

Steps To Reproduce:

1. Join server to AD in the recommended way (see many howtos online).

2. Add active directory groups to sshd_config AllowGroups line

3. Add

   account [default=ignore success=1] pam_succeed_if.so user ingroup ad_group_name

to /etc/pam.d/sshd

With previous version of samba packages, this works: users can log in via ssh with active directory authentication information.

After upgrading to 3.6.23-52.el6_10 we get

Aug 21 14:12:33 servername sshd[19066]: User ad.user.name from <machinename> not allowed because none of user's groups are listed in AllowGroups

in /var/log/secure

If you add "domain users" to AllowGroups you then get

Aug 21 17:26:03 servername sshd[10622]: pam_succeed_if(sshd:account): requirement "user ingroup ad_group_name" not met by user "ad.user.name"

in /var/log/secure - this shows that the authentication is working, but the group membership test is broken.

Using the AD groups in /etc/sudoers also exhibits the same problem.
Additional Information: This breaks across multiple servers and all work again once samba update is rolled back.

Tags: No tags attached.
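
Added example, not part of the original report: a Python triage script that scans `/var/log/secure`-style text for the two denial messages quoted above and groups them per user, which separates a group-lookup failure from a credential failure. The third sample line and the names `classify`, `ALLOWGROUPS_RE` and `INGROUP_RE` are constructed for illustration.

```python
import re
from collections import defaultdict

# First two lines are the messages quoted in the report; the third is a
# constructed credential failure that must NOT be reported as a group problem.
SAMPLE_LOG = """\
Aug 21 14:12:33 servername sshd[19066]: User ad.user.name from <machinename> not allowed because none of user's groups are listed in AllowGroups
Aug 21 17:26:03 servername sshd[10622]: pam_succeed_if(sshd:account): requirement "user ingroup ad_group_name" not met by user "ad.user.name"
Aug 21 17:30:10 servername sshd[10700]: Failed password for other.user from 192.0.2.10 port 50022 ssh2
"""

# sshd rejected the user because no resolved group matched AllowGroups.
ALLOWGROUPS_RE = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+) from \S+ not allowed because "
    r"none of user's groups are listed in AllowGroups")

# pam_succeed_if account check failed; group names may contain spaces.
INGROUP_RE = re.compile(
    r'pam_succeed_if\((?P<svc>[^:)]+):account\): requirement '
    r'"user ingroup (?P<group>[^"]+)" not met by user "(?P<user>[^"]+)"')


def classify(log_text):
    """Return {user: set(findings)} for denials caused by group resolution."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = ALLOWGROUPS_RE.search(line)
        if m:
            findings[m.group("user")].add(
                "sshd AllowGroups: no listed group matched")
            continue
        m = INGROUP_RE.search(line)
        if m:
            findings[m.group("user")].add(
                f"pam_succeed_if: not in group {m.group('group')}")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in sorted(classify(SAMPLE_LOG).items()):
        for note in sorted(notes):
            print(f"{user}: {note}")
```

A user who shows up here without any accompanying password or Kerberos failure authenticated correctly and was rejected at the group check, which is the pattern the report describes.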

Activities

pegazior

2019-10-09 11:56

reporter   ~0035388

Hi CentOS Team,

Is there any chance to get an update for this version of samba? 2019-08-22 09:25 is the submit date and still nothing?
Why do YOU keep broken packages in repositories??

Issue History

Date Modified Username Field Change
2019-08-22 09:25 gwinkless New Issue
2019-10-09 11:56 pegazior Note Added: 0035388